pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
From: nrhall (@nrhall) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: Re: [pgjdbc/pgjdbc] PR #3451: Support default GSS credentials in the Java Postgres client
Date: Fri, 24 Jan 2025 11:18:32 +0000
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

Java's support for Kerberos has always been...strained, not helped by enterprise vendors offering Kerberos support with clearly no understanding of how it really works.

JAAS in the JVM itself is one of the worst - all the docs make it sound like you basically have to use a keytab, and the set of options to just make it use the local ccache without any other magic are pretty baffling to a new user.  Enabling 'native' JGSS support in the JVM doesn't work for credential acquisition via JAAS on Linux (yet does on Mac/Windows) - so if you really need the system libraries/config to be used (e.g. to support KCM), you can't.  And nearly everything uses JAAS... :(

We have a corporate Kerberos environment where we ensure that users always have the right TGT/credentials wherever they need them - we nearly never want a user to obtain a fresh set of credentials from somewhere, because that's almost certainly not what they want.

That all said - I should say that pgjdbc was already good in that it supported a lot of the right things - e.g. auto mode for SSPI, and more straightforward Linux MIT/Heimdal setups probably just work out the box with a file based ccache and `jaasLogin=false`.  The extension here just means more esoteric setups work better.

It's possible that with a little more work a sensible `auto` mode could work on Linux too - e.g. it's actually possible that making the changes in this PR the default behaviour might actually work for nearly all cases where you've set `jaasLogin=false`.  It would also be nice to not need to set `jaasLogin=false` so that you need no arguments for integrated GSSAPI based logins to work but I'm not sure if there are other gotchas there.
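
The two configurations the message contrasts, as an added example that is not part of the original thread and not code from pgjdbc: a JAAS entry that only consults the user's existing ticket cache (no keytab, no password prompt), and the `jaasLogin=false` path that leaves credential acquisition to JGSS. The server name `db.example.internal`, the database `app`, and the assumption that `kinit` (or the corporate login flow) has already populated the ccache are mine; the driver properties `gsslib`, `kerberosServerName`, `gssEncMode`, `jaasLogin` and `jaasApplicationName` are real pgjdbc connection properties.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example (not from the PR or from pgjdbc): authenticate to PostgreSQL
 * over GSSAPI with the TGT already in the user's Kerberos ticket cache.
 * Assumed, not from the thread: host db.example.internal, database "app",
 * and a server SPN of postgres/db.example.internal@REALM.
 */
public class GssCcacheConnect {

    // Minimal JAAS entry that only reads the ccache. The entry name must match
    // the driver's jaasApplicationName (default "pgjdbc").
    //   useTicketCache=true  use the existing TGT (KRB5CCNAME or the default path)
    //   doNotPrompt=true     fail instead of asking for a password
    //   renewTGT=true        renew a renewable TGT that is about to expire
    static final String JAAS_CONFIG = String.join("\n",
            "pgjdbc {",
            "  com.sun.security.auth.module.Krb5LoginModule required",
            "    useTicketCache=true",
            "    doNotPrompt=true",
            "    renewTGT=true;",
            "};",
            "");

    static final String URL = "jdbc:postgresql://db.example.internal:5432/app"; // hypothetical

    /** Properties common to both modes. */
    static Properties gssProps() {
        Properties p = new Properties();
        p.setProperty("gsslib", "gssapi");               // JGSS; "auto" selects SSPI on Windows
        p.setProperty("kerberosServerName", "postgres"); // service part of the server's SPN
        p.setProperty("gssEncMode", "prefer");           // GSS encryption when the server offers it
        return p;
    }

    /** Mode 1: the driver performs a JAAS login against the entry above. */
    static Properties jaasTicketCacheProps() throws IOException {
        Path cfg = Files.createTempFile("pgjdbc-jaas", ".conf");
        Files.write(cfg, JAAS_CONFIG.getBytes(StandardCharsets.UTF_8));
        cfg.toFile().deleteOnExit();
        System.setProperty("java.security.auth.login.config", cfg.toString());
        Properties p = gssProps();
        p.setProperty("jaasLogin", "true");              // the driver default, stated explicitly
        p.setProperty("jaasApplicationName", "pgjdbc");
        return p;
    }

    /** Mode 2: no driver-side JAAS login; JGSS acquires the default credential. */
    static Properties noJaasProps() {
        // With no Subject on the thread, JGSS falls back to the ccache only when
        // useSubjectCredsOnly is false (assumption: JDK default login config is in use).
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // To route through the system GSS library instead (e.g. for a KCM ccache):
        // System.setProperty("sun.security.jgss.native", "true");
        Properties p = gssProps();
        p.setProperty("jaasLogin", "false");
        return p;
    }

    /** Opens a connection and returns the role the server authenticated us as. */
    static String whoAmI(Properties props) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL, props);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT current_user")) {
            rs.next();
            return rs.getString(1);
        }
    }

    public static void main(String[] args) throws Exception {
        // Run kinit first; neither mode should ever prompt for a password.
        boolean useJaas = args.length > 0 && args[0].equals("jaas");
        Properties props = useJaas ? jaasTicketCacheProps() : noJaasProps();
        System.out.println("connected as " + whoAmI(props));
    }
}
```

Run it as `java GssCcacheConnect jaas` to exercise the explicit JAAS entry, or with no argument for the `jaasLogin=false` path. In both cases a missing or expired TGT should surface as a GSS failure rather than a password prompt, which is the behaviour the message wants for an environment where credentials are provisioned centrally.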
