Re: pgAdmin 4 + python wheel + kerberos - Mailing list pgadmin-support
| From | Peter |
|---|---|
| Subject | Re: pgAdmin 4 + python wheel + kerberos |
| Date | |
| Msg-id | 20200112165851.GA98464@gate.oper.dinoex.org Whole thread Raw |
| In response to | pgAdmin 4 + python wheel + kerberos ("Duffey, Blake" <Blake.Duffey@noblis.org>) |
| Responses |
[SOLVED] Re: pgAdmin 4 + python wheel + kerberos
(Peter <pmc@citylink.dinoex.sub.org>)
|
| List | pgadmin-support |
Stephen Frost (sfrost@snowman.net) wrote: ! That said, reminding myself that pgAdmin4 can be run under Apache, it ! should be possible to have an Apache system set up with mod_auth_kerb ! (to handle the incoming Kerberos authentication and the credential ! delegation) and have pgAdmin4 pick up on the user as having been ! authenticated via Kerberos thanks to environment variables provided by ! Apache and, further, be able to connect to a downstream PostgreSQL ! database using the delegated credentials thanks to mod_auth_kerb setting ! up the KRB5CCACHE environment variable. ! I'm not completely sure about the mod_wsgi bit of things or if there's ! anything further that would need to be done to make this all work, but ! it might not require that much effort if Apache and libpq are able to ! handle all of the complexity of Kerberos authentication. The big ! question when it comes to mod_wsgi and the way that works is if the ! environment variables are passed through somehow because that's required ! to make this work- and, more importantly, the environment variables need ! to be per-connection. It might require some kind of proxying from the ! environment variables passed in by Apache to the various processes doing ! the work in pgAdmin4 (this clearly must be done already to some extent- ! each part of pgAdmin4 knows which *user* is logged in, after all). ! In short, Blake, if it were me, I'd probably build out a system which ! uses Apache, mod_auth_kerb, and mod_wsgi, and then make sure that ! Kerberos is being used to authenticate to Apache, and then set up a ! downstream PG server to use gssapi for the auth type from the pgAdmin4 ! server and see if things don't 'just work'. ! I don't think pgAdmin4 currently is able to work with Apache's auth ! system and, instead, has its own, so until that's fixed you'd have to ! have user accounts for everyone in the pgAdmin4 user management system ! that they'd have to use to 'log into' pgAdmin4 after the Kerberos ! authentication has been done and they can hit the app itself. The ! question after that is if pgAdmin4 will pick up on the KRB5CCACHE ! location for the current session and be able to use it to do GSSAPI ! authentication via libpq to PG. Hello, being in the process of upgrading from pgadmin3 (and taking the opportunity to move the new pgadmin4 onto a proper app-server), I found this article, written some 2 years ago, being the only resource I could find all over the Internet, which, in a sensible way, describes the task of logging into the postgres server, in the case when this happens to be purely Kerberos5-driven. I couldn't find any mentioning of this task in the pgadmin4 documentation. :( So, since this quoted article is from quite a time back, may I kindly ask for an update on the status of this matter, how it may have proceeded in the meantime and what is currently considered best practices in such a case of pure Krb5 operations? thanks and best regards, PMc
pgadmin-support by date: