From: | Jason Breitman <jbreitman(at)tildenparkcapital(dot)com> |
---|---|
To: | Dave Cramer <davecramer(at)postgres(dot)rocks> |
Cc: | pgsql-jdbc(at)lists(dot)postgresql(dot)org |
Subject: | Re: GSSAPI Authentication using a CNAME |
Date: | 2020-08-27 13:05:56 |
Message-ID: | 323EF041-CA6D-4C8A-B1BB-E01B448A30EB@tildenparkcapital.com |
Lists: | pgsql-jdbc |
Thank you for replying.
I do not believe this is the case for two reasons.
Using the CNAME with a fully qualified domain name does work, as shown below, which suggests that CNAME Records are ok.
The error code received when using the CNAME with a short name, 08006, is a connection failure.
I ran the same command with a dummy host that could not be resolved and received the error code 08001, which means sqlclient unable to establish sqlconnection.
This suggests that the Java resolver is working and when the hostname cannot be resolved, we receive a different error code.
Please let me know if I am missing your point.
Reference
https://www.postgresql.org/docs/9.2/errcodes-appendix.html
Jason Breitman
On Aug 27, 2020, at 7:24 AM, Dave Cramer <davecramer(at)postgres(dot)rocks> wrote:
Hi Jason,
Top posting because I don't want to delete below. I am wondering if this is a Java thing. The docs for GSSAPI for Java are pretty horrible.
Is there a setting to deal with CNAMEs?
Dave
On Wed, 26 Aug 2020 at 19:00, Jason Breitman <jbreitman(at)tildenparkcapital(dot)com> wrote:
Description
I am not able to connect to my PostgreSQL Server using the PostgreSQL JDBC Driver with GSSAPI when using the short name if the short name is a CNAME Record.
The fully qualified domain name does work when it is a CNAME.
For comparison, the psql client is able to connect using the short name when it is a CNAME.
JDBC Version
postgresql-42.2.16.jar
Dependencies
commons-cli-1.4
$ cat /opt/pgsql/conf/jaas.conf
```
pgjdbc {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useTicketCache=true
    renewTGT=true
    debug=false
    client=true;
};
```
Code Snippet
$ cat JDBCExample.java
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;

public class JDBCExample {
    public static void main(String[] args) throws ParseException {
        // Command-line options: --host and --db
        Options options = new Options();
        Option host = Option.builder()
                .longOpt("host")
                .argName("host")
                .hasArg()
                .desc("Name of the PostgreSQL Server.")
                .build();
        options.addOption(host);
        Option db = Option.builder()
                .longOpt("db")
                .argName("db")
                .hasArg()
                .desc("Name of the PostgreSQL Database.")
                .build();
        options.addOption(db);
        CommandLineParser parser = new DefaultParser();
        CommandLine cmd = parser.parse(options, args);

        // The URL carries no user or password; the host is used exactly as given on the command line.
        String jdbcUrl = "jdbc:postgresql://" + cmd.getOptionValue("host") + ":5432/" + cmd.getOptionValue("db");
        try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
            if (conn != null) {
                System.out.println("Connected to the database!");
            } else {
                System.out.println("Failed to make connection!");
            }
        } catch (SQLException e) {
            // Print the SQLSTATE so connection failures can be told apart (08001 vs 08006)
            System.err.format("SQL State: %s\n%s", e.getSQLState(), e.getMessage());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
Compilation Steps
```
javac -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample.java
```
Results
```
$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host cname-hostname --db mydb
SQL State: 08006
GSS Authentication failed
$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host cname-hostname.example.com --db mydb
Connected to the database!
$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host hostname --db mydb
Connected to the database!
```
Jason Breitman
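
A diagnostic for the short-name versus fully-qualified-name difference reported in this thread, as an added example that is not part of the original messages or of pgjdbc. It assumes the pgjdbc default service name `postgres` and assumes the JVM follows OpenJDK's handling of host-based service names (the resolver's canonical name is accepted only when it is a longer form of the name given); the class `SpnCheck` and its methods are hypothetical, and the CNAME target in the sample is constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

// Hypothetical diagnostic (not from the thread): prints the Kerberos service
// principal a Java client would request for each host name.
public class SpnCheck {

    // Assumed rule (OpenJDK host-based principal handling): the resolver's
    // canonical name replaces the given name only when it is a longer form
    // of it, i.e. starts with given + "."; otherwise the given name is kept.
    static String spnHost(String given, String canonical) {
        String g = given.toLowerCase(Locale.ENGLISH);
        String c = canonical.toLowerCase(Locale.ENGLISH);
        return c.startsWith(g + ".") ? canonical : given;
    }

    static String principal(String service, String given, String canonical, String realm) {
        return service + "/" + spnHost(given, canonical) + "@" + realm;
    }

    static void report(String given, String canonical) {
        // "postgres" is the pgjdbc default for kerberosServerName; the realm is the page's placeholder.
        System.out.printf("%-28s canonical=%-22s principal=%s%n",
                given, canonical, principal("postgres", given, canonical, "EXAMPLE.COM"));
    }

    public static void main(String[] args) {
        if (args.length == 0) {
            // Constructed sample: the CNAME is assumed to point at hostname.example.com.
            report("cname-hostname", "hostname.example.com");
            report("cname-hostname.example.com", "hostname.example.com");
            report("hostname", "hostname.example.com");
            return;
        }
        for (String given : args) {   // live mode: ask this JVM's resolver
            try {
                report(given, InetAddress.getByName(given).getCanonicalHostName());
            } catch (UnknownHostException e) {
                System.out.printf("%-28s does not resolve%n", given);
            }
        }
    }
}
```

Run it with no arguments for the constructed sample, or pass the three host names from the report to see what the local resolver returns. A principal that still carries the short CNAME has to be known to the KDC for the service ticket request to succeed.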