From: Akshay Joshi
Date: Mon, 26 Apr 2021 12:42:32 +0530
Subject: Re: [pgAdmin4][Patch] - RM 6158 - Logging into PostgreSQL servers with Kerberos Authentication
To: Khushboo Vashi
Cc: pgadmin-hackers

Hi Khushboo

I have applied your patch and started testing it in different scenarios. Following are the GUI review comments:

- Update the comments about Kerberos support for AUTHENTICATION_SOURCES in config.py.
- You will have to create a migration file again. Getting "Error: Multiple head revisions are present for given argument".
- Increase the height of the server dialog, as after adding the "Kerberos Authentication?" switch the Connection tab shows scroll bars.
- Desktop/Server mode: Getting No such file or directory: '/var/lib/pgadmin/krbccache'. KERBEROS_CCACHE_DIR should only be created in Server Mode and when AUTHENTICATION_SOURCES is 'kerberos'.
- Server Dialog: the "Kerberos Authentication?" switch control should be enabled only in Server Mode and when AUTHENTICATION_SOURCES is 'kerberos'.
- The "Kerberos Authentication?" switch should be disabled when the server is connected.
- In Desktop mode AUTHENTICATION_SOURCES must be '*internal*', no matter what mode is provided in *config.py* or *config_local.py*. In fact, we should create a flag '*authentication_mode*' which will be set after the valid authentication source has been detected/connected. *For example,* the user has provided AUTHENTICATION_SOURCES = ['kerberos', 'internal'], it is unable to connect using kerberos, and then the user has provided a valid email and password, so we will set '*authentication_mode*' to 'internal' and the rest of the logic will be based on that flag.
- Connect to any database server and check the backend logs; the following error is visible:
  - KeyError: 'KRB5CCNAME'
  *Solution*: It should not call the "kerberos_validate_ticket()" function until AUTHENTICATION_SOURCES is 'kerberos' and Server Mode is true.

*AUTHENTICATION_SOURCES = ['kerberos']:*

- Kerberos is not set up: Open the pgAdmin page, enter email and password; two message boxes pop up, one with a valid Kerberos error and the second one with "None" as a string.
- Similarly, if AUTHENTICATION_SOURCES = ['kerberos', 'internal'] and it fails to connect using kerberos, then provide an email and the wrong password; two message boxes pop up, one with the Kerberos error and another with the Password error.
- In the User Management dialog 'kerberos' should not be visible in the authentication source dropdown, as there is no point creating a kerberos user from there.
- Add a local server (without kerberos) to the browser tree, set "Kerberos Authentication?" to True, and try to connect by providing the password; it always returns the "fe_sendauth: no password supplied" error. If possible, can we identify and change the error message?
- Add a database server where kerberos authentication is ON, make changes in pg_hba.conf with the wrong user name, then try to connect to the database server. The server tries to connect and the spinner is visible and never stops. It should raise a proper error message. There are some other scenarios where entries in pg_hba.conf are wrong.
- *Suggestion 1*: As per the current implementation, even if "Kerberos Authentication?" is set to false the user can connect to the database server by providing any password or a blank password. It is difficult for the user to identify that it is connected using GSSAPI. I would suggest providing a control in the properties dialog which tells that the database server is connected using GSSAPI.
- *Suggestion 2*: If it is possible to detect that the database server is connected using Kerberos then we should disable the 'Username' control, as for Kerberos both the users (pgadmin user and database user) must be the same.

*Note:-* pgAdmin on OSX is not working with Kerberos authentication. Failed with error "Your GSSAPI implementation does not have support for manipulating credential stores directly". Need to document this behavior.

*Code review still remains, which I'll start after the above fixes.*

On Wed, Apr 14, 2021 at 2:06 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

> Hi,
>
> Please find the attached patch with some minor improvements.
>
> Thanks,
> Khushboo
>
> On Wed, Apr 7, 2021 at 11:50 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>
>> Hi,
>>
>> Please find the attached patch for RM 6158: Support Kerberos Authentication - Phase 2.
>> This patch includes the support for logging into PostgreSQL servers with Kerberos authentication.
>>
>> Thanks,
>> Khushboo
>>

--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres*
*Mobile: +91 976-788-8246*
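The review above asks for two related changes: only touch Kerberos ticket validation in Server Mode with 'kerberos' configured (so a missing KRB5CCNAME can never raise KeyError), and record which source actually authenticated the user in an authentication_mode flag while collecting only real error messages (so no "None" dialog). The following is an added illustration, not pgAdmin's code; should_validate_kerberos_ticket, kerberos_ticket_valid, internal_login_valid, authenticate and the sample users dictionary are all constructed stand-ins.

```python
from typing import Iterable, List, Mapping, Optional, Tuple

KRB_CCACHE_ENV = "KRB5CCNAME"


def should_validate_kerberos_ticket(server_mode: bool, sources: Iterable[str]) -> bool:
    # The guard the review asks for: Kerberos ticket handling only in Server Mode
    # with 'kerberos' configured; Desktop mode is always treated as 'internal'.
    return bool(server_mode) and "kerberos" in sources


def kerberos_ticket_valid(environ: Mapping[str, str]) -> Tuple[bool, Optional[str]]:
    # Hypothetical stand-in for kerberos_validate_ticket(): environ.get() turns a
    # missing KRB5CCNAME into a clean failure instead of KeyError: 'KRB5CCNAME'.
    ccache = environ.get(KRB_CCACHE_ENV)
    if not ccache:
        return False, "No Kerberos credential cache (KRB5CCNAME is not set)"
    return True, None


def internal_login_valid(email: str, password: str,
                         users: Mapping[str, str]) -> Tuple[bool, Optional[str]]:
    # Constructed email/password check; real code would compare password hashes.
    if email in users and users[email] == password:
        return True, None
    return False, "Incorrect email or password"


def authenticate(server_mode: bool, sources: List[str], environ: Mapping[str, str],
                 email: str, password: str,
                 users: Mapping[str, str]) -> Tuple[Optional[str], List[str]]:
    # Try the configured sources in order; return (authentication_mode, errors).
    # authentication_mode is the source that actually authenticated the user, or
    # None. Only real messages are collected, so a "None" dialog cannot appear.
    errors: List[str] = []
    if not server_mode:
        sources = ["internal"]  # Desktop mode ignores config.py / config_local.py
    for source in sources:
        if source == "kerberos":
            if not should_validate_kerberos_ticket(server_mode, sources):
                continue
            ok, msg = kerberos_ticket_valid(environ)
        elif source == "internal":
            ok, msg = internal_login_valid(email, password, users)
        else:
            continue
        if ok:
            return source, errors
        if msg:
            errors.append(msg)
    return None, errors
```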