Re: Does psycopg2 support Kerberos for Postgres?

From: Yang Gao <Yang(dot)Gao(at)twosigma(dot)com>
To: 'Adrian Klaver' <adrian(dot)klaver(at)aklaver(dot)com>, "'psycopg(at)postgresql(dot)org'" <psycopg(at)postgresql(dot)org>
Subject: Re: Does psycopg2 support Kerberos for Postgres?
Date: 2016-12-06 16:28:33
Message-ID: d9a13d25e828458a9a796c3c644f3b54@exmbdft5.ad.twosigma.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: psycopg

That's a very good question. I pulled out the 2 libqp libraries. One in the default python installation that my psycopg2 uses and the other used in my pyodbc experiment where Kerberos works.
They are of the same name, but different builds. Looks like I was using a lib without Kerberos support!

If I replace the lib with the Kerberos supporting one, everything starts to work.

Thank you very much!

A further question, does psycopg2 respect the unixODBC's odbcinst.ini and odbc.ini (didn't find it in documentation)? Is there way to explicitly specify the driver library?

Yang

yangg(at)home:/proc/24196$ ldd /home/yangg/.conda/envs/py2/lib/libpq.so.5.8
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
linux-vdso.so.1 => (0x00007ffd38db5000)
libssl.so.1.0.0 => /home/yangg/.conda/envs/py2/lib/./libssl.so.1.0.0 (0x00007fcecf7e7000)
libcrypto.so.1.0.0 => /home/yangg/.conda/envs/py2/lib/./libcrypto.so.1.0.0 (0x00007fcecf3b0000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fcecf178000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcecedeb000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcecebe7000)
/lib64/ld-linux-x86-64.so.2 (0x0000559f3b33b000)
yangg(at)home:/proc/24196$ ldd /home/yangg/vats_code/.base_universe/current-architecture/ext/public/psqlodbc/09/05/0100/dist/lib/libpq.so.5.8
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
linux-vdso.so.1 => (0x00007ffee39e1000)
libssl-opt.so.1.0.0 => /opt/openssl/1.0/lib/libssl-opt.so.1.0.0 (0x00007f0b7e1e9000)
libcrypto-opt.so.1.0.0 => /opt/openssl/1.0/lib/libcrypto-opt.so.1.0.0 (0x00007f0b7dda7000)
libgssapi_krb5.so.2 => /opt/mitkrb5/lib/libgssapi_krb5.so.2 (0x00007f0b7db61000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f0b7d92a000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0b7d59d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f0b7d398000)
libkrb5.so.3 => /opt/mitkrb5/lib/libkrb5.so.3 (0x00007f0b7d0d6000)
libk5crypto.so.3 => /opt/mitkrb5/lib/libk5crypto.so.3 (0x00007f0b7cea7000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f0b7cca2000)
libkrb5support.so.0 => /opt/mitkrb5/lib/libkrb5support.so.0 (0x00007f0b7ca97000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f0b7c881000)
/lib64/ld-linux-x86-64.so.2 (0x000055ec0f899000)

-----Original Message-----
From: Adrian Klaver [mailto:adrian(dot)klaver(at)aklaver(dot)com]
Sent: Tuesday, December 06, 2016 10:59 AM
To: Yang Gao; 'psycopg(at)postgresql(dot)org'
Subject: Re: [psycopg] Does psycopg2 support Kerberos for Postgres?

On 12/06/2016 07:41 AM, Yang Gao wrote:
> Yes, we are trying to use sqlAlchemy over psycopg2. However, my experiments have been on standalone psycopg2. Because I was working back and forth, I took the wrong connection string.

I have to apologize. I was going back over the thread to see if I missed anything and I found you did mention using SLQAlchemy in your first post.

> Here's the exact string that I'm using in stand-alone psycopg2:
>
> 1. conn_string = "host=fqdn_hostname' dbname='dbname' krbsrvname='postgres'"
> or
> 2. conn_string = "host=fqdn_hostname' dbname='dbname'"
>
> The 1 gives the error of: psycopg2.OperationalError: invalid connection option "krbsrvname"
> The 2 gives the error of: psycopg2.OperationalError: GSSAPI
> authentication not supported

This is to the remote host, correct?

Also what are the pg_hba.conf entries for the local and remote hosts?

Where does your libpq come from?

>
> Sorry for the earlier confusion.
>
> Thanks.
>
> Yang
>
>
>
> -----Original Message-----
> From: Adrian Klaver [mailto:adrian(dot)klaver(at)aklaver(dot)com]
> Sent: Tuesday, December 06, 2016 10:32 AM
> To: Yang Gao; 'psycopg(at)postgresql(dot)org'
> Subject: Re: [psycopg] Does psycopg2 support Kerberos for Postgres?
>
> On 12/06/2016 07:20 AM, Yang Gao wrote:
>> You are most likely correct about local log in.
>>
>> This is the string that I'm using:
>>
>> sqlalchemy.create_engine("postgresql+psycopg2://fqdn_of_host/db_name"
>> ) I tried adding "? krbsrvname=postgres" at the end as well, but got
>> the error aforementioned.
>
> It would have been nice to know you where using SQLAlchemy above
> psycopg2 at the beginning of this conversation.
>
> So again can you show the actual complete string you are using?
>
> Not sure if this a cut and paste error but you have:
>
> ? krbsrvname=postgres
>
> Pretty sure the space between ? and krbsrvname is not good.
>
> Also what happens if you bypass SQLAlchemy and try to connect using
> psycopg2 directly?
>
>
>>
>> Thanks.
>>
>> Yang
>>
>>
>
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com

In response to

Responses

Browse psycopg by date

  From Date Subject
Next Message Adrian Klaver 2016-12-06 17:15:10 Re: Does psycopg2 support Kerberos for Postgres?
Previous Message Adrian Klaver 2016-12-06 15:58:34 Re: Does psycopg2 support Kerberos for Postgres?