Обсуждение: kerberos pg_ident different behavior in psql vs. jdbc

Поиск
Список
Период
Сортировка

kerberos pg_ident different behavior in psql vs. jdbc

От
Bear Giles
Дата:
I have installed PostgreSQL 9.4 and MIT Kerberos 5 on an Ubuntu 15.10 system.

I have added the following entries:

pg_hba.conf:

  1. # TYPE  DATABASE        USER            ADDRESS                 METHOD       OPTIONS
  2. host    all             all             52.34.69.195/32         gss          include_realm=1 map=gss krb_realm=INVARIANTPROPERTIES.COM

pg_ident.conf:

  1. # MAPNAME    SYSTEM-USERNAME                                    PG-USERNAME
  2. gss           /^([^/]+)\/postgres@INVARIANTPROPERTIES\.COM$     \1

If I kinit the principal 'bgiles/postgres@INVARIANTPROPERTIES.COM' I can successfully connect to the database as the 'bgiles' user. I have confidence is the PostgreSQL configuration.

I can take the keytab file containing the key, add a JAAS configuration file, and successfully authenticate to the KDC. I have confidence that that's correct although there might be small tweaks possible. (E.g., should the JAAS principal field include @REALM?)

However when I try to connect via JDBC (using JAAS and a keytab file) I seem to fail at the pg_ident.conf step.

2016-04-21 19:36:22 UTC [10992-2] bgiles/postgres@SNAPLOGIC.COM@bgiles LOG:  no match in usermap "gss" for user "bgiles/postgres" authenticated as "bgiles/postgres@SNAPLOGIC.COM"
2016-04-21 19:36:22 UTC [10992-3] bgiles/postgres@SNAPLOGIC.COM@bgiles FATAL:  GSSAPI authentication failed for user "bgiles/postgres@SNAPLOGIC.COM"
2016-04-21 19:36:22 UTC [10992-4] bgiles/postgres@SNAPLOGIC.COM@bgiles DETAIL:  Connection matched pg_hba.conf line 100: "host all all 75.144.16.201/32 gss include_realm=1 map=gss krb_realm=SNAPLOGIC.COM"

​That happens with a jdbc username of 'bgiles', 'bgiles/postgres', or 'bgiles/postgres@SNAPLOGIC.COM'.

Have other people looked at Kerberos + JDBC? I'm also looking at the JDBC driver code and I might have noticed something that would cause problems but I wanted to check with others before I tried hacking on it.

Thanks,

Bear

Re: kerberos pg_ident different behavior in psql vs. jdbc

От
Bear Giles
Дата:
I've finally tracked down the code in question. Kerberos authentication currently only supports (username, password) authentication and not keytab authentication. The username can't be a compound name (e.g., bob/postgres) either.

I'll pencil in some time to work on a patch to the PostgreSQL JDBC driver.

Bear

On Thu, Apr 21, 2016 at 1:27 PM, Bear Giles <bgiles@coyotesong.com> wrote:
I have installed PostgreSQL 9.4 and MIT Kerberos 5 on an Ubuntu 15.10 system.

I have added the following entries:

pg_hba.conf:

  1. # TYPE  DATABASE        USER            ADDRESS                 METHOD       OPTIONS
  2. host    all             all             52.34.69.195/32         gss          include_realm=1 map=gss krb_realm=INVARIANTPROPERTIES.COM

pg_ident.conf:

  1. # MAPNAME    SYSTEM-USERNAME                                    PG-USERNAME
  2. gss           /^([^/]+)\/postgres@INVARIANTPROPERTIES\.COM$     \1

If I kinit the principal 'bgiles/postgres@INVARIANTPROPERTIES.COM' I can successfully connect to the database as the 'bgiles' user. I have confidence is the PostgreSQL configuration.

I can take the keytab file containing the key, add a JAAS configuration file, and successfully authenticate to the KDC. I have confidence that that's correct although there might be small tweaks possible. (E.g., should the JAAS principal field include @REALM?)

However when I try to connect via JDBC (using JAAS and a keytab file) I seem to fail at the pg_ident.conf step.

2016-04-21 19:36:22 UTC [10992-2] bgiles/postgres@SNAPLOGIC.COM@bgiles LOG:  no match in usermap "gss" for user "bgiles/postgres" authenticated as "bgiles/postgres@SNAPLOGIC.COM"
2016-04-21 19:36:22 UTC [10992-3] bgiles/postgres@SNAPLOGIC.COM@bgiles FATAL:  GSSAPI authentication failed for user "bgiles/postgres@SNAPLOGIC.COM"
2016-04-21 19:36:22 UTC [10992-4] bgiles/postgres@SNAPLOGIC.COM@bgiles DETAIL:  Connection matched pg_hba.conf line 100: "host all all 75.144.16.201/32 gss include_realm=1 map=gss krb_realm=SNAPLOGIC.COM"

​That happens with a jdbc username of 'bgiles', 'bgiles/postgres', or 'bgiles/postgres@SNAPLOGIC.COM'.

Have other people looked at Kerberos + JDBC? I'm also looking at the JDBC driver code and I might have noticed something that would cause problems but I wanted to check with others before I tried hacking on it.

Thanks,

Bear