Greetings Peter,
* Peter (pmc@citylink.dinoex.sub.org) wrote:
> On Sun, Jan 12, 2020 at 05:58:56PM +0100, Peter wrote:
> ! Stephen Frost (sfrost@snowman.net) wrote:
> !
> ! ! That said, reminding myself that pgAdmin4 can be run under Apache, it
> ! ! should be possible to have an Apache system set up with mod_auth_kerb
> ! ! (to handle the incoming Kerberos authentication and the credential
> ! ! delegation) and have pgAdmin4 pick up on the user as having been
> ! ! authenticated via Kerberos thanks to environment variables provided by
> ! ! Apache and, further, be able to connect to a downstream PostgreSQL
> ! ! database using the delegated credentials thanks to mod_auth_kerb setting
> ! ! up the KRB5CCACHE environment variable.
> ! ! [...]
>
> ! So, since this quoted article is from quite a time back, may I kindly
> ! ask for an update on the status of this matter, how it may have
> ! proceeded in the meantime and what is currently considered best
> ! practices in such a case of pure Krb5 operations?
>
> No answer, well then, it seems nobody interested whatsoever in this
> matter. :(
Interested, sure, but..
> Anyway, I made it working, so it works now. Multiuser, multithreading,
> freestanding process behind a rig.
Following the hints above, sounds like you were able to sort it out.
Glad to hear it! Would love to have the specific details of what you
did to make it work posted to this list or otherwise publicized, for
others who are interested.
> Difficult part was to get it safe. As there can be many users using the
> pgadmin4 simultaneously with different credentials and connecting as
> different roles to different postgres servers at the same time, care
> must be taken that they will only use their own creds for that.
So.. what did you do to ensure that? Generally speaking, mod_auth_kerb
has the issue that it needs to make sure that credentials and http
connections are properly associated with each other, so I'm curious as
to what you had to do extra (if anything).
Thanks,
Stephen
