Re: [pgAdmin4][Patch] - RM 6158 - Logging into PostgreSQL servers with Kerberos Authentication

Hi Khushboo

I have applied your patch and started testing it in different scenarios. Following are the GUI review comments:

• Update the comments about Kerberos support for AUTHENTICATION_SOURCES in config.py.

• You will have to create a migration file again. Getting "Error: Multiple head revisions are present for given argument"

• Increase the height of the server dialog as after adding "Kerberos Authentication?" switch Connection tab showing scroll bars.

• Desktop/Server mode Getting No such file or directory: '/var/lib/pgadmin/krbccache'. KERBEROS_CCACHE_DIR should only be created in Server Mode and AUTHENTICATION_SOURCES is 'kerberos'.

• Server Dialog "Kerberos Authentication?" switch control should be enabled only in Server Mode and AUTHENTICATION_SOURCES is 'kerberos'.

• "Kerberos Authentication?" switch should be disabled when the server is connected.

• In Desktop mode AUTHENTICATION_SOURCES must be 'internal' doesn't matter what mode is provided in config.py or config_local.py. In fact, we should create a flag 'authentication_mode' which will be set after the valid authentication source has been detected/connected. For example, the user has provided  AUTHENTICATION_SOURCES = ['kerberos', 'internal'], it is unable to connect using kerberos and then the user has provided a valid email and password so we will set 'authentication_mode' to 'internal' and the rest of the logic will be based on that flag.
  

• Connect to any database server and check backend logs following error is visible:
  • KeyError: 'KRB5CCNAME'  Solution: It should not call "kerberos_validate_ticket()" function until AUTHENTICATION_SOURCES is 'kerberos' and Server Mode is true.

AUTHENTICATION_SOURCES = ['kerberos']:

• Kerberos is not set up: Open pgAdmin page, enter email and password two message box popped up one with valid Kerberos error and the second one with "None" as a string.

• Similarly, if AUTHENTICATION_SOURCES = ['kerberos', 'internal'] and it is failed to connect using kerberos, then provide an email, and the wrong password two message boxes popped up one with Kerberos error and another with Password error.

• In the User Management dialog 'kerberos' should not be visible in the authentication source dropdown. As there is no point creating kerberos user from there.

• Add local server(without kerberos) to the browser tree, set "Kerberos Authentication?" to True, try to connect by providing the password it always returns "fe_sendauth: no password supplied" error. If possible can we identify and change the error message?

• Add database server where kerberos authentication is ON, make changes in pg_hba.conf with the wrong user name, then try to connect to the database server. The server tries to connect and the spinner is visible and never stops. It should raise a proper error message. There are some other scenarios where entries in pg_hba.conf is wrong.

• Suggestion 1: As per current implementation even if  "Kerberos Authentication?" is set to false the user can connect to the database server by providing any password or blank password. It is difficult for the user to identify it is connected using GSSAPI. I would suggest providing the control in the properties dialog which tells the database server is connected using GSSAPI.

• Suggestion 2: If it is possible to detect that the database server is connected using Kerberos then we should disable the 'Username' control as for Kerberos both the users (pgadmin user and database user ) must be the same. 

Note:- pgAdmin on OSX not working with Kerberos authentication. Failed with error "Your GSSAPI implementation does not have support for manipulating credential stores directly" Need to document this behavior.

Code review still remains, which I'll be started after the above fixes.

On Wed, Apr 14, 2021 at 2:06 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

Hi,

Please find the attached patch with some minor improvements.

Thanks,

Khushboo

On Wed, Apr 7, 2021 at 11:50 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

Hi,

Please find the attached patch for RM 6158: Support Kerberos Authentication - Phase 2.

This patch includes the support for logging into PostgreSQL servers with Kerberos authentication.

Thanks,

Khushboo

--

Thanks & Regards

Akshay Joshi

pgAdmin Hacker | Principal Software Architect

EDB Postgres

Mobile: +91 976-788-8246