Thread: multiple Kerberos Server Principals from 1 instance of pgadmin

Greetings,

* Ivan Novick (inovick@pivotal.io) wrote:
> We have a user that is working with postgres and greenplum and they said
> that pgadmin4 only allows one Kerberos Server Principal per pgAdmin
> instance because it takes the value of the environment variable
> PGKRBSRVNAME. Kerberos Server Principal value is the name of the user
> running Greenplum or Postgres database.
>
> The user is trying to connect to multiple databases and they have different
> user names in the installation like gpadmin. pgqa pgprod, etc. So they can
> not connect to both from one PGADMIN because the environment variable would
> need to be reset when starting pgadmin.

PGKRBSRVNAME is typically either 'postgres' or 'POSTGRES', depending on
if you are dealing with Active Directory clients or not.  I agree that
it's theoretically possible that you might need to be able to configure
PGKRBSRVNAME on a per-server/cluster basis, but you definitely don't
need to be able to do so on a per-database basis and the PGKRBSRVNAME
has absolutely nothing to do with the user's username, nor the unix user
that the server actually runs as.

What, exactly, are you thinking that value would be set to?

Can you show what klist -k /path/to/keytab on the PG server returns?

Thanks,

Stephen

Greetings,

* Ivan Novick (inovick@pivotal.io) wrote:
> For greenplum database it would be gpadmin instead of postgres

I see...  I find that pretty odd- why would you change that?  I suppose
it's baked in at this point though, which is unfortunate.  If it talks
the PG protocol and is expected to be the only service on a given host,
it really should be 'postgres' imv.

> > PGKRBSRVNAME is typically either 'postgres' or 'POSTGRES', depending on
> > if you are dealing with Active Directory clients or not.  I agree that
> > it's theoretically possible that you might need to be able to configure
> > PGKRBSRVNAME on a per-server/cluster basis, but you definitely don't
> > need to be able to do so on a per-database basis and the PGKRBSRVNAME
> > has absolutely nothing to do with the user's username, nor the unix user
> > that the server actually runs as.
> >
> > What, exactly, are you thinking that value would be set to?
> >
> > Can you show what klist -k /path/to/keytab on the PG server returns?
>
> You can see here a sample output that gpadmin is referenced.
> klist -k /var/spool/keytabs/gpadmin
>
> Keytab name: FILE:/var/spool/keytabs/gpadmin
>
> KVNO Timestamp         Principal
> ---- -----------------
> --------------------------------------------------------
>    2 04/09/15 06:56:33 gpadmin/srv101.prd21.acme.com@is1.acme
>    2 04/09/15 06:56:33 gpadmin/srv101.prd21.acme.com@is1.acme
>    2 04/09/15 06:56:33 gpadmin/srv101.prd21.acme.com@is1.acme
>    2 04/09/15 06:56:33 gpadmin/srv101.prd21.acme.com@is1.acme

Thanks, that helps clarify what you're going for here.

> What would help a lot is when setting up the Server properties in pgadmin4
> if we could add a PGKRBSRVNAME variable so it can be different for each
> server.
>
> Does that make sense?

Yes, having it configurable in the Server properties makes sense.

> If the idea makes sense and is agreed, i could probably find a developer
> that would be interested to help code it up and submit.

I can't speak to how it should be exactly implemented in pgAdmin, but I
would think having it configurable as a Server property and then passed
into the connection string as a parameter would make the most sense.
Going the environment variable route seems like it would be odd to me,
but I don't hack pgAdmin much. :)

Great!

Thanks,

Stephen