Re: pgAdmin 4 + python wheel + kerberos

Stephen Frost (sfrost(at)snowman(dot)net) wrote:

! That said, reminding myself that pgAdmin4 can be run under Apache, it
! should be possible to have an Apache system set up with mod_auth_kerb
! (to handle the incoming Kerberos authentication and the credential
! delegation) and have pgAdmin4 pick up on the user as having been
! authenticated via Kerberos thanks to environment variables provided by
! Apache and, further, be able to connect to a downstream PostgreSQL
! database using the delegated credentials thanks to mod_auth_kerb setting
! up the KRB5CCACHE environment variable.

! I'm not completely sure about the mod_wsgi bit of things or if there's
! anything further that would need to be done to make this all work, but
! it might not require that much effort if Apache and libpq are able to
! handle all of the complexity of Kerberos authentication. The big
! question when it comes to mod_wsgi and the way that works is if the
! environment variables are passed through somehow because that's required
! to make this work- and, more importantly, the environment variables need
! to be per-connection. It might require some kind of proxying from the
! environment variables passed in by Apache to the various processes doing
! the work in pgAdmin4 (this clearly must be done already to some extent-
! each part of pgAdmin4 knows which *user* is logged in, after all).

! In short, Blake, if it were me, I'd probably build out a system which
! uses Apache, mod_auth_kerb, and mod_wsgi, and then make sure that
! Kerberos is being used to authenticate to Apache, and then set up a
! downstream PG server to use gssapi for the auth type from the pgAdmin4
! server and see if things don't 'just work'.

! I don't think pgAdmin4 currently is able to work with Apache's auth
! system and, instead, has its own, so until that's fixed you'd have to
! have user accounts for everyone in the pgAdmin4 user management system
! that they'd have to use to 'log into' pgAdmin4 after the Kerberos
! authentication has been done and they can hit the app itself. The
! question after that is if pgAdmin4 will pick up on the KRB5CCACHE
! location for the current session and be able to use it to do GSSAPI
! authentication via libpq to PG.

Hello,

being in the process of upgrading from pgadmin3 (and taking the
opportunity to move the new pgadmin4 onto a proper app-server), I
found this article, written some 2 years ago, being the only resource
I could find all over the Internet, which, in a sensible way,
describes the task of logging into the postgres server, in the case
when this happens to be purely Kerberos5-driven.

I couldn't find any mentioning of this task in the pgadmin4
documentation. :(

So, since this quoted article is from quite a time back, may I kindly
ask for an update on the status of this matter, how it may have
proceeded in the meantime and what is currently considered best
practices in such a case of pure Krb5 operations?

thanks and best regards,
PMc