Re: JDBC and GSSAPI/Krb5 - Mailing list pgsql-jdbc
| From | Henry B. Hotz |
|---|---|
| Subject | Re: JDBC and GSSAPI/Krb5 |
| Date | |
| Msg-id | B187744F-D057-4AFC-B730-26A496D72DFF@jpl.nasa.gov |
| In response to | Re: JDBC and GSSAPI/Krb5 (Kris Jurka <books@ejurka.com>) |
| Responses | Re: JDBC and GSSAPI/Krb5 |
| List | pgsql-jdbc |
On Jan 28, 2008, at 2:32 AM, Kris Jurka wrote:

> On Thu, 24 Jan 2008, Peter Koczan wrote:
>
>> Hello again, has there been progress on this? As I said before I'm
>> willing to be a beta tester for this.

As would I. I have fewer bureaucratic restrictions on fixing bugs than I do on delivering code for new capabilities.

> I've hacked together a prototype and can successfully authenticate
> against a gssapi configured server. It needs a fair amount of
> cleanup, but there are some more fundamental questions about what
> configuration options we need:
>
> 1) Do we need a way for the user to uniquely name the application
> for the JAAS LoginContext or can we get away with something generic
> like pgjdbc? The application name is needed for the JAAS login
> configuration file which is needed to enable the krb5 ticket
> cache. I'm not sure what else would need to be configured or why
> you might want to do it differently for different applications.

I bow to people with more Java experience on this, but I will make two observations:

1) I've run into a lot of example code that will not properly fall back to system defaults when the defaults in the JAAS config file are omitted.

2) I expect a number of users to want to run different applications which in turn connect to different databases. It's desirable that the user not need to change their configuration files in order to change applications/databases, particularly if they run in the same Kerberos realm (or cross-realm trust network).

> 2) Do we need to allow the user to configure their own LoginContext
> CallbackHandler to enter a username/password if they don't have an
> existing entry in their ticket cache? Should we by default just
> try to use the username and password provided in the connection
> parameters?

In practice you may run a Java program on a Windows machine which has its own (AD based) idea of what the Kerberos configuration and tickets are supposed to be. Imagine a database hosted in one Windows Domain, but being run from a workstation joined to a different one with no cross-realm trust. (You can have the same problem with non-Windows machines, but they have non-obscure ways of getting tickets from foreign realms, so it's not as big a deal.)

> 3) Do we need a way for the user to specify the server's service
> name (what libpq calls PGKRBSRVNAME)? I think this is useful if
> you're running two pg servers on the same machine and want to have
> different rules for each one, but I'm not entirely sure about that.

I think so, and it ought to default to the same value that configure defaults to on the server side.

> Kris Jurka

------------------------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
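The following is an added illustration, not code from pgjdbc or from anyone in this thread, of how the three configuration points discussed above (a JAAS application name, a CallbackHandler fallback when the ticket cache has no usable entry, and a configurable service name) fit together on the Java side. It assumes a JAAS configuration entry named `pgjdbc` (the generic name Kris suggests) plus a hypothetical second entry `pgjdbcPassword` for the password path, and a service name of `postgres`, which is what the server-side configure script defaults to for the Kerberos service name. It needs a reachable KDC and a krb5.conf to actually obtain a ticket; everything else is standard JDK `javax.security.auth` and `org.ietf.jgss` API.

```java
// Added example (not pgjdbc's code). Run with:
//   java -Djava.security.auth.login.config=pgjdbc.conf PgGssLoginExample db.example.org
//
// Contents of the assumed pgjdbc.conf (two entries, selected by name at runtime):
//   pgjdbc {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true
//           doNotPrompt=true;      // ticket cache only, never prompt
//   };
//   pgjdbcPassword {               // hypothetical name used for the fallback path
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=false;  // always obtain credentials via the CallbackHandler
//   };
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class PgGssLoginExample {

    /** Supplies the user/password from the JDBC connection parameters to Krb5LoginModule. */
    static final class ConnectionParamsHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        ConnectionParamsHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * Log in via the ticket cache entry first; if that fails and the connection
     * parameters carry a user/password, retry through the password entry.
     * The JAAS entry name is a parameter so that one config file can serve
     * several applications/databases without editing.
     */
    static Subject login(String jaasAppName, String user, char[] password) throws LoginException {
        try {
            LoginContext lc = new LoginContext(jaasAppName);   // no handler: cache only
            lc.login();
            return lc.getSubject();
        } catch (LoginException ticketCacheMiss) {
            if (user == null || password == null) {
                throw ticketCacheMiss;                        // nothing to fall back to
            }
            LoginContext lc = new LoginContext(jaasAppName + "Password",
                    new ConnectionParamsHandler(user, password));
            lc.login();
            return lc.getSubject();
        }
    }

    /** Produce the first GSSAPI token for serviceName@host as the logged-in subject. */
    static byte[] initialToken(Subject subject, String host, String serviceName) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
            GSSName server = mgr.createName(serviceName + "@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(server, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();   // a driver would keep ctx and feed the server's reply tokens back in
            return token;
        });
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "db.example.org";   // placeholder host
        // user/password would come from the JDBC URL or Properties; null means cache only.
        Subject subject = login("pgjdbc", null, null);
        byte[] token = initialToken(subject, host, "postgres");
        System.out.println("GSSAPI initial token: " + token.length + " bytes");
    }
}
```

The split into a cache-only entry with `doNotPrompt=true` and a separate password entry is what makes the fallback explicit: a login that should only ever use existing tickets cannot silently stall on a prompt, and the password path is taken only when the caller actually supplied credentials. Passing the JAAS entry name and the service name in from the connection parameters, rather than hard-coding `pgjdbc` and `postgres`, addresses the second observation above about switching databases without editing configuration files.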