Greetings,

* Stephen Frost (sfr...@snowman.net) wrote:
> * Khushboo Vashi (khushboo.va...@enterprisedb.com) wrote:
> > On Wed, Dec 13, 2017 at 3:05 AM, Duffey, Blake <blake.duf...@noblis.org> wrote:
> >
> > > Will pgAdmin 4 as a python wheel application support Kerberos authentication?
> > >
> > > We are evaluating running pgAdmin 4 as a web service (vs a Windows application) in a shared Citrix environment. Kerberos auth would make this use case viable.
> >
> > Ref #1952 <https://redmine.postgresql.org/issues/1952> :
> > Kerberos authentication is supported by the underlying libpq, and pgAdmin 4 exposes both the host and hostaddr connection options that are typically used in Kerberos environments.
>
> This does not appear to contemplate Kerberos credential proxying, which is what is really needed here when talking about running pgAdmin4 as a web service.
That said, reminding myself that pgAdmin4 can be run under Apache, it should be possible to have an Apache system set up with mod_auth_kerb (to handle the incoming Kerberos authentication and the credential delegation) and have pgAdmin4 pick up on the user as having been authenticated via Kerberos thanks to environment variables provided by Apache and, further, be able to connect to a downstream PostgreSQL database using the delegated credentials thanks to mod_auth_kerb setting up the KRB5CCACHE environment variable. I'm not completely sure about the mod_wsgi bit of things or if there's anything further that would need to be done to make this all work, but it might not require that much effort if Apache and libpq are able to handle all of the complexity of Kerberos authentication.

The big question when it comes to mod_wsgi and the way that works is if the environment variables are passed through somehow, because that's required to make this work, and, more importantly, the environment variables need to be per-connection. It might require some kind of proxying from the environment variables passed in by Apache to the various processes doing the work in pgAdmin4 (this clearly must be done already to some extent; each part of pgAdmin4 knows which *user* is logged in, after all).

In short, Blake, if it were me, I'd probably build out a system which uses Apache, mod_auth_kerb, and mod_wsgi, and then make sure that Kerberos is being used to authenticate to Apache, and then set up a downstream PG server to use gssapi for the auth type from the pgAdmin4 server and see if things don't 'just work'. I don't think pgAdmin4 currently is able to work with Apache's auth system and, instead, has its own, so until that's fixed you'd have to have user accounts for everyone in the pgAdmin4 user management system that they'd have to use to 'log into' pgAdmin4 after the Kerberos authentication has been done and they can hit the app itself.

The question after that is if pgAdmin4 will pick up on the KRB5CCACHE location for the current session and be able to use it to do GSSAPI authentication via libpq to PG.

Thanks!

Stephen
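The Apache-to-libpq plumbing discussed above, as an added example that is not from the thread or from pgAdmin4: mod_auth_kerb with KrbSaveCredentials On hands each request a REMOTE_USER principal and a KRB5CCNAME pointing at a per-request delegated cache, and the WSGI side has to validate those and expose the cache to libpq without letting concurrent users in one mod_wsgi process clobber each other's process-wide environment. The realm, cache directory and cache name prefix are assumptions.

```python
"""Added example: validating mod_auth_kerb's delegated Kerberos identity from a
WSGI environ and exposing the per-request cache to libpq for one connect call.
Assumed (not from the thread): Apache runs KrbSaveCredentials On, so REMOTE_USER
holds the principal and KRB5CCNAME a FILE: cache written by mod_auth_kerb."""
import os
import re
import threading
from contextlib import contextmanager

CCACHE_DIR = "/tmp"                 # assumed: where mod_auth_kerb writes caches
CCACHE_PREFIX = "krb5cc_"           # assumed: cache file name prefix
ALLOWED_REALMS = {"EXAMPLE.ORG"}    # constructed: the realm Apache trusts
_ENV_LOCK = threading.Lock()        # os.environ is per process, not per request
_PRINCIPAL_RE = re.compile(r"^[^@/]+(?:/[^@]+)?@([A-Z0-9.\-]+)$")


def delegated_identity(environ):
    """Return (principal, ccache_path) from a WSGI environ, or None when the
    request did not arrive with usable delegated Kerberos credentials."""
    principal = environ.get("REMOTE_USER", "")
    ccname = environ.get("KRB5CCNAME", "")
    m = _PRINCIPAL_RE.match(principal)
    if not m or m.group(1) not in ALLOWED_REALMS:
        return None                   # unauthenticated, or a foreign realm
    if not ccname.startswith("FILE:"):
        return None                   # only file caches are expected here
    path = os.path.normpath(ccname[len("FILE:"):])
    # Refuse anything outside the directory Apache writes to: a traversal
    # or a stray value must not point libpq at some other user's cache.
    if os.path.dirname(path) != CCACHE_DIR or not os.path.basename(path).startswith(CCACHE_PREFIX):
        return None
    return principal, path


def current_ccname():
    """The KRB5CCNAME libpq would see right now (helper for checking state)."""
    return os.environ.get("KRB5CCNAME")


@contextmanager
def libpq_credentials(ccache_path):
    """Expose one request's cache to libpq via KRB5CCNAME for the duration of
    a connect call. The lock serialises connects across threads so that two
    users served by the same mod_wsgi process cannot swap each other's cache."""
    with _ENV_LOCK:
        previous = os.environ.get("KRB5CCNAME")
        os.environ["KRB5CCNAME"] = "FILE:" + ccache_path
        try:
            yield
        finally:
            if previous is None:
                os.environ.pop("KRB5CCNAME", None)
            else:
                os.environ["KRB5CCNAME"] = previous
```

Inside the `with` block, a password-less `psycopg2.connect(host=..., dbname=...)` lets libpq negotiate GSSAPI with the server's `gss` pg_hba entry using the delegated ticket; the lock makes connects serial, which is the cost of libpq reading the cache location from the process environment.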