Re: JDBC and GSSAPI/Krb5
On Jan 28, 2008, at 2:32 AM, Kris Jurka wrote:

> On Thu, 24 Jan 2008, Peter Koczan wrote:
>
>> Hello again, has there been progress on this? As I said before I'm
>> willing to be a beta tester for this.

As would I. I have fewer bureaucratic restrictions on fixing bugs
than I do on delivering code for new capabilities.

> I've hacked together a prototype and can successfully authenticate
> against a gssapi-configured server. It needs a fair amount of
> cleanup, but there are some more fundamental questions about what
> configuration options we need:
>
> 1) Do we need a way for the user to uniquely name the application
> for the JAAS LoginContext or can we get away with something generic
> like pgjdbc? The application name is needed for the JAAS login
> configuration file which is needed to enable the krb5 ticket
> cache. I'm not sure what else would need to be configured or why
> you might want to do it differently for different applications.

I bow to people with more Java experience on this, but I will make
two observations:

1) I've run into a lot of example code that will not properly fall
back to system defaults when the defaults in the JAAS config file are
omitted.

2) I expect a number of users to want to run different applications
which in turn connect to different databases. It's desirable that
the user not need to change their configuration files in order to
change applications/databases, particularly if they run in the same
Kerberos realm (or cross-realm trust network).

> 2) Do we need to allow the user to configure their own LoginContext
> CallbackHandler to enter a username/password if they don't have an
> existing entry in their ticket cache? Should we by default just
> try to use the username and password provided in the connection
> parameters?

In practice you may run a Java program on a Windows machine which has
its own (AD-based) idea of what the Kerberos configuration and
tickets are supposed to be. Imagine a database hosted in one Windows
Domain, but being run from a workstation joined to a different one
with no cross-realm trust. (You can have the same problem with
non-Windows machines, but they have non-obscure ways of getting tickets
from foreign realms, so it's not as big a deal.)

> 3) Do we need a way for the user to specify the server's service
> name (what libpq calls PGKRBSRVNAME)? I think this is useful if
> you're running two pg servers on the same machine and want to have
> different rules for each one, but I'm not entirely sure about that.

I think so, and it ought to default to the same value that configure
defaults to on the server side.

> Kris Jurka
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
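The three configuration points Kris raises (a JAAS application name, a username/password fallback when the ticket cache is empty, and the server's service name) can be made concrete in a small client. The code below is an added example for this archive page; it is not code from this thread, from Kris's prototype, or from the pgjdbc project. It assumes a JAAS entry named `pgjdbc`, a class and handler name of my own choosing, and the connection property names `kerberosServerName` and `jaasLogin`, which are taken from later released pgjdbc and are not shown anywhere on this page, so check them against the driver version you actually run. Hosts, realms, users and passwords are constructed sample values.

```java
// Added example, not from the thread or from pgjdbc. Assumed names are
// marked in comments; the JAAS entry name "pgjdbc" is Kris's suggestion.
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class KerberosJdbcClient {

    // (1) JAAS application name. One generic entry, "pgjdbc", is enough for
    // every database in the realm: the entry says HOW credentials are obtained,
    // not WHICH server they are used against, so switching databases never
    // requires editing this file. krb5.conf is deliberately not named here:
    // left unset, Krb5LoginModule falls back to the platform default
    // (/etc/krb5.conf or %WINDIR%\krb5.ini), which is exactly the fallback
    // that over-specified example configs tend to break.
    static final String JAAS_CONFIG =
        "pgjdbc {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useTicketCache=true\n"   // first try the existing kinit/AD ticket cache
      + "    doNotPrompt=false;\n"    // (2) if that fails, ask the CallbackHandler
      + "};\n";

    // (2) Fallback handler: when no usable TGT is in the cache, answer the
    // module's prompts from the user/password the caller already passed as
    // connection parameters instead of blocking on a console prompt.
    static final class PropertiesHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        PropertiesHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unexpected prompt");
                }
            }
        }
    }

    static Connection connect(String jdbcUrl, String user, char[] password,
                              String serviceName) throws Exception {
        // Written to a temp file only so the example is self-contained; in a
        // deployment this is a file shipped with the application.
        Path cfg = Files.createTempFile("pgjdbc-jaas", ".conf");
        Files.write(cfg, JAAS_CONFIG.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", cfg.toString());

        LoginContext lc = new LoginContext("pgjdbc", new PropertiesHandler(user, password));
        lc.login(); // LoginException here means neither the cache nor the password worked

        Properties props = new Properties();
        props.setProperty("user", user);
        // (3) Service name of the server principal, i.e. the "postgres" in
        // postgres/dbhost@REALM; libpq calls this PGKRBSRVNAME. The property
        // names are those of released pgjdbc (assumed here; not on this page).
        props.setProperty("kerberosServerName", serviceName);
        props.setProperty("jaasLogin", "false"); // we already hold a logged-in Subject

        return Subject.doAs(lc.getSubject(),
            (PrivilegedExceptionAction<Connection>) () -> DriverManager.getConnection(jdbcUrl, props));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; host, realm, user and password are not real.
        try (Connection c = connect("jdbc:postgresql://dbhost.example.org/appdb",
                                    "alice@EXAMPLE.ORG", "s3cret".toCharArray(), "postgres")) {
            System.out.println("authenticated as " + c.getMetaData().getUserName());
        }
    }
}
```

Running two servers on one host, the case Kris mentions under point 3, means each server has its own principal (for example `postgres/dbhost@REALM` and `pgtest/dbhost@REALM`); the caller then passes the matching service name per connection and the single JAAS entry above is left alone, which is the property Henry asks for in his second observation.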