| From: | "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov> | 
|---|---|
| To: | Kris Jurka <books(at)ejurka(dot)com> | 
| Cc: | Peter Koczan <pjkoczan(at)gmail(dot)com>, pgsql-jdbc(at)postgresql(dot)org | 
| Subject: | Re: JDBC and GSSAPI/Krb5 | 
| Date: | 2008-01-28 18:53:40 | 
| Message-ID: | B187744F-D057-4AFC-B730-26A496D72DFF@jpl.nasa.gov | 
| Lists: | pgsql-jdbc | 
On Jan 28, 2008, at 2:32 AM, Kris Jurka wrote:

> On Thu, 24 Jan 2008, Peter Koczan wrote:
>
>> Hello again, has there been progress on this? As I said before I'm willing to be a beta tester for this.

As would I. I have fewer bureaucratic restrictions on fixing bugs than I do on delivering code for new capabilities.

> I've hacked together a prototype and can successfully authenticate against a gssapi configured server. It needs a fair amount of cleanup, but there are some more fundamental questions about what configuration options we need:
>
> 1) Do we need a way for the user to uniquely name the application for the JAAS LoginContext or can we get away with something generic like pgjdbc? The application name is needed for the JAAS login configuration file which is needed to enable the krb5 ticket cache. I'm not sure what else would need to be configured or why you might want to do it differently for different applications.

I bow to people with more Java experience on this, but I will make two observations:

1) I've run into a lot of example code that will not properly fall back to system defaults when the defaults in the JAAS config file are omitted.

2) I expect a number of users to want to run different applications which in turn connect to different databases. It's desirable that the user not need to change their configuration files in order to change applications/databases, particularly if they run in the same Kerberos realm (or cross-realm trust network).

> 2) Do we need to allow the user to configure their own LoginContext CallbackHandler to enter a username/password if they don't have an existing entry in their ticket cache? Should we by default just try to use the username and password provided in the connection parameters?

In practice you may run a Java program on a Windows machine which has its own (AD based) idea of what the Kerberos configuration and tickets are supposed to be. Imagine a database hosted in one Windows Domain, but being run from a workstation joined to a different one with no cross-realm trust. (You can have the same problem with non-Windows machines, but they have non-obscure ways of getting tickets from foreign realms, so it's not as big a deal.)

> 3) Do we need a way for the user to specify the server's service name (what libpq calls PGKRBSRVNAME)? I think this is useful if you're running two pg servers on the same machine and want to have different rules for each one, but I'm not entirely sure about that.

I think so, and it ought to default to the same value that configure defaults to on the server side.

> Kris Jurka
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
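The three configuration questions in the message above (a JAAS application name, a CallbackHandler that falls back to the connection's username/password when the ticket cache has nothing usable, and a configurable service name that defaults to what libpq uses) can be illustrated with the standard JAAS and JGSS APIs. The following Java is an added example written for this page; it is not code from the pgjdbc driver or from anyone in the thread. The entry name `pgjdbc`, the class names, and the host in `main` are assumptions. It builds the JAAS `Configuration` in code instead of reading a login configuration file, which sidesteps the "no fallback to system defaults" problem Henry mentions, and it uses Sun's `Krb5LoginModule`, whose option names (`useTicketCache`, `doNotPrompt`, `renewTGT`) are the documented ones.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class PgKerberosClientExample {
    // JAAS entry name: an assumption for this example (question 1 in the thread).
    static final String APP_NAME = "pgjdbc";
    // libpq's PGKRBSRVNAME default; the server's configure default is the same.
    static final String DEFAULT_SERVICE = "postgres";
    static final Oid KRB5_MECH_OID = krb5Oid();

    private static Oid krb5Oid() {
        try { return new Oid("1.2.840.113554.1.2.2"); }   // Kerberos V5 mechanism OID
        catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** JAAS configuration built in code: no login.conf file, no dependence on its defaults. */
    static final class PgJaasConfiguration extends Configuration {
        private final boolean allowPasswordFallback;
        PgJaasConfiguration(boolean allowPasswordFallback) { this.allowPasswordFallback = allowPasswordFallback; }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!APP_NAME.equals(name)) return null;
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");                         // use an existing TGT if present
            opts.put("renewTGT", "true");
            opts.put("doNotPrompt", Boolean.toString(!allowPasswordFallback)); // fail instead of prompting
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Answers name/password callbacks from the connection parameters (question 2). */
    static final class ConnectionParamsHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        ConnectionParamsHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "only name/password are supported");
            }
        }
    }

    /** Ticket cache first; only if that fails and a password was supplied, log in with it. */
    static Subject login(String user, char[] password) throws LoginException {
        try {
            LoginContext lc = new LoginContext(APP_NAME, null, null, new PgJaasConfiguration(false));
            lc.login();
            return lc.getSubject();
        } catch (LoginException cacheFailure) {
            if (password == null) throw cacheFailure;   // nothing to fall back to: surface the error
        }
        LoginContext lc = new LoginContext(APP_NAME, null,
                new ConnectionParamsHandler(user, password), new PgJaasConfiguration(true));
        lc.login();
        return lc.getSubject();
    }

    /** Builds the client side of the GSS context for service@host (question 3). */
    static GSSContext initContext(Subject subject, String host, String serviceName) throws Exception {
        String svc = (serviceName == null || serviceName.isEmpty()) ? DEFAULT_SERVICE : serviceName;
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSContext>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName target = mgr.createName(svc + "@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(target, KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);   // client also verifies the server's identity
            ctx.requestInteg(true);
            return ctx;
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host and credentials; a real run needs a reachable KDC and server.
        Subject subject = login("alice", System.getenv("PGPASSWORD") == null ? null
                : System.getenv("PGPASSWORD").toCharArray());
        GSSContext ctx = initContext(subject, "db.example.invalid", System.getenv("PGKRBSRVNAME"));
        byte[] firstToken = ctx.initSecContext(new byte[0], 0, 0);   // would be sent in the auth message
        System.out.println("initial GSS token: " + firstToken.length + " bytes");
    }
}
```

Two choices worth noting: `doNotPrompt=true` on the first attempt means a missing or expired ticket cache produces a `LoginException` rather than an interactive prompt, and the password path runs only when the caller actually supplied one, so an unattended application fails clearly instead of hanging. Requesting mutual authentication makes the client check the server's identity too, which matters in the cross-realm and mixed-Windows setups described in the message.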