Implement GSSAPI authentication #1122

Merged
merged 2 commits into from Mar 4, 2024

Contributor

@eltoder eltoder commented Feb 25, 2024

Most commonly used with Kerberos.

Closes: #769

Contributor Author

eltoder commented Feb 25, 2024

@elprans appreciate if you could take a look!

Member

@elprans elprans left a comment

This looks good, thanks for contributing! One thing I'm wondering about is if there's a straightforward way to test this, e.g. a Kerberos-enabled Postgres image that we can use in a test workflow?

if 'krbsrvname' in query:
val = query.pop('krbsrvname')
if krbsrvname is None:
krbsrvname = val
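
Review bot: `val` is assigned to `krbsrvname` on the last line with no validation, so whatever string the DSN query holds, including an empty one if the query parser lets it through, becomes the Kerberos service name. Because this value names the service the client authenticates to, consider treating an empty value as unset (`if krbsrvname is None and val:`) or rejecting it with a clear error, and add a short comment that an explicit `krbsrvname` argument takes precedence over the DSN.
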
Member

Please add handling of the PGKRBSRVNAME environment variable as well to stay compatible with libpq.

Contributor Author

Done.

@@ -2235,6 +2236,10 @@ async def connect(dsn=None, *,
or the value of the ``PGTARGETSESSIONATTRS`` environment variable,
or ``"any"`` if neither is specified.

:param str krbsrvname:
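
Review bot: The `:param str krbsrvname:` entry should spell out where the value comes from when the argument is omitted, in the same form as the entry just above it ("or the value of the ``PGTARGETSESSIONATTRS`` environment variable, or ``"any"`` if neither is specified"). For this parameter that means stating the order of keyword argument, DSN query and environment variable, and what is used when none of them is set, so that users can tell which service name the client will request.
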
Member

Mention the new parameter in a .. versionadded:: block below please.

Contributor Author

Done.

Contributor Author

eltoder commented Feb 25, 2024

@elprans I was wondering about testing as well, but did not look very carefully. First, I don't know if the version of postgres used in CI (https://github.com/MagicStack/asyncpg/blob/master/.github/workflows/install-postgres.sh) is even compiled with gssapi support. If not, this will be the first thing to fix. Once this is solved, we can use something like k5test (https://github.com/pythongssapi/k5test) to set up a kerberos environment, start a server and test that auth works.

Most commonly used with Kerberos.

Closes: MagicStack#769
Contributor Author

eltoder commented Feb 26, 2024

@elprans I fixed the test.

Contributor Author

eltoder commented Feb 27, 2024

@elprans I added unit tests using k5test. From my testing so far it appears that Ubuntu builds of postgres have kerberos support out of the box, so this is fairly straightforward. There is a good chance this will not work in CI on the first try, so I would appreciate it if you could help.

@eltoder eltoder force-pushed the feature/auth-gss branch 2 times, most recently from 469aab2 to cfd647a Compare February 28, 2024 01:47
@awakeinagi

@eltoder Thanks for your work on this! I would like to use asyncpg at work but we require kerberos auth for Postgres.

@elprans Any ETA on when this might be available? Is there anything I can do to help?

Member

elprans commented Mar 4, 2024

I think this is good to go. Thanks @eltoder!

@elprans elprans merged commit 1d4e568 into MagicStack:master Mar 4, 2024
33 checks passed
@eltoder eltoder deleted the feature/auth-gss branch March 4, 2024 20:19
bryanforbes added a commit to bryanforbes/asyncpg-stubs that referenced this pull request Mar 4, 2024
@awakeinagi

@elprans Any chance of a patch release (0.29.1) in the near future?

Successfully merging this pull request may close these issues.

Kerberos auth