Hi Stephen,
On 21/04/2021 18:40, Stephen Frost wrote:
> I surely hope that the intent here is to use Negotiate / SPNEGO to
> authenticate the user who is connecting to the webserver and then have
> credentials delegated (ideally through constrained credential
> delegation..) to the web server by the user for the web application to
> use to connect to the PG server.
>
> I certainly don't think we should be targetting a solution where the
> application is acquiring credentials from the KDC directly using a
> user's username/password, that's very strongly discouraged for the very
> good reason that it means the user's password is being passed around.
Indeed -- that's certainly not the intended aim of this patch!
>> There may well be a better way of going about this -- it's just that I can't
>> currently see an obvious way to get this kind of setup working using only
>> the environment variable.
>
> Perhaps you could provide a bit more information about what you're
> specifically doing here? Again, with something like apache's
> mod_auth_gssapi, it's a matter of just installing that module and then
> the user will be authenticated by the web server itself, including
> managing of delegated credentials, setting of the environment variables,
> and the web application shouldn't have to do anything but use libpq to
> request a connection and if PG's configured with gssapi auth, it'll all
> 'just work'. Only thing I can think of offhand is that you might have
> to take AUTH_USER and pass that to libpq as the user's username to
> connect with and maybe get from the user what database to request the
> connection to..
Hmm, yes -- something like that is definitely a neater way of doing
things in the web app scenario (I'd been working on the principle that
the username and credential cache were "provided" from the same place,
i.e. the web app, but as you point out that's not actually necessary).
However, it seems like there might be some interest in this for other
scenarios (e.g. with relation to multi-threaded applications where more
precise control of which thread uses which credential cache is useful),
so possibly this may still be worth continuing with even if it has a
slightly different intended purpose to what was originally planned?
Many thanks,
Daniel
