Implement SSPI authentication #1128
c0219f1 to 72a5fda
@@ -45,6 +46,13 @@ | |||
CLIENT_SSL_KEY_FILE = os.path.join(CERTS, 'client.key.pem') | |||
CLIENT_SSL_PROTECTED_KEY_FILE = os.path.join(CERTS, 'client.key.protected.pem') | |||
|
|||
if _system == 'Windows': | |||
DEFAULT_GSSLIB = 'sspi' | |||
OTHER_GSSLIB = 'gssapi' |
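Review bot: `DEFAULT_GSSLIB` and `OTHER_GSSLIB` under `if _system == 'Windows':` are introduced without a comment saying what each one stands for, and `OTHER_GSSLIB` in particular does not say that it names a library which may not be installed on the platform. Add a one-line comment above the branch stating that `DEFAULT_GSSLIB` is the library expected to be picked on this platform when none is requested and `OTHER_GSSLIB` is the explicit alternative, and have whatever consumes `OTHER_GSSLIB` skip cleanly when that library cannot be imported.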
Since this makes it possible to use `gssapi` on Windows also, should the `gssapi` dependency be made unconditional of `platform_system`?
Good question. My idea here was to only install the default library which is the most likely to work. Using `gssapi` on Windows requires installing Kerberos for Windows, so it probably needs manual steps anyway. We can install `gssapi` and let the user deal with the error for missing KfW, or we can document this better somewhere. Happy to do either way.
Technically, sspilib can be used on non-Windows as well, so we can install both unconditionally, but this is even more experimental and exotic.
In any case, we should update the installation page: https://magicstack.github.io/asyncpg/current/installation.html
SSPI is a Windows technology for secure authentication. SSPI and GSSAPI interoperate as clients and servers. Postgres documentation recommends using SSPI on Windows clients and servers and GSSAPI on non-Windows platforms[1].

Changes in this PR:

* Support AUTH_REQUIRED_SSPI server request. This is the same as AUTH_REQUIRED_GSS, except it allows negotiation with SSPI clients.
* Allow using SSPI on the client. Which library to use can be specified using the `gsslib` connection parameter.
* Use SSPI instead of GSSAPI on Windows by default. The latter requires installing Kerberos for Windows and is unlikely to work out of the box.

Closes MagicStack#142

[1] https://www.postgresql.org/docs/current/sspi-auth.html
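The selection logic the commit message above describes, as an added example that is not asyncpg's code: it parses a backend authentication request and picks the client library from `gsslib` or the platform default. The function names are hypothetical, the numeric codes 7/8/9 are taken from the PostgreSQL protocol documentation, and mapping the SSPI request to a `negotiate` flag is this example's reading of "allows negotiation".

```python
import platform
import struct

# AuthenticationRequest codes from the PostgreSQL protocol documentation.
AUTH_REQUIRED_GSS = 7
AUTH_REQUIRED_GSS_CONTINUE = 8
AUTH_REQUIRED_SSPI = 9
GSSLIBS = ('gssapi', 'sspi')


def parse_auth_request(msg):
    """Split one backend 'R' message into (auth code, trailing payload)."""
    if len(msg) < 9 or msg[:1] != b'R':
        raise ValueError('not an authentication request')
    length, code = struct.unpack('!ii', msg[1:9])
    if length != len(msg) - 1:  # length counts itself but not the type byte
        raise ValueError('length field does not match message size')
    return code, msg[9:]


def choose_gsslib(code, gsslib=None, system=None):
    """Return (library, negotiate) for a GSS/SSPI request, else None."""
    # Reject an unknown library name up front instead of silently falling back.
    if gsslib is not None and gsslib not in GSSLIBS:
        raise ValueError(f'gsslib must be one of {GSSLIBS}, got {gsslib!r}')
    if code not in (AUTH_REQUIRED_GSS, AUTH_REQUIRED_SSPI):
        return None  # some other auth method; nothing to choose here
    if gsslib is None:
        # Platform default described in the PR: SSPI on Windows, else GSSAPI.
        system = system or platform.system()
        gsslib = 'sspi' if system == 'Windows' else 'gssapi'
    # Assumption: only the SSPI request asks the client to negotiate.
    return gsslib, code == AUTH_REQUIRED_SSPI


# Constructed sample: server asks for SSPI, no payload (length 8 = 4 + 4).
SAMPLE_SSPI_REQUEST = b'R' + struct.pack('!ii', 8, AUTH_REQUIRED_SSPI)

if __name__ == '__main__':
    code, _ = parse_auth_request(SAMPLE_SSPI_REQUEST)
    for system in ('Windows', 'Linux'):
        print(system, choose_gsslib(code, system=system))
```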
72a5fda to 69375b1
@elprans I updated documentation and renamed the extra to hopefully make it more clear. Please take another look.
ae9023b to 3ced615
LGTM. Thanks for contributing!
@elprans when are you planning to make the next release?
@elprans friendly ping