The pgAdmin team has been receiving requests from users to support Kerberos Authentication for quite some time and as a result, we have decided to implement it.
The work has been divided into 2 phases. The first phase adds pluggable Kerberos authentication in the pgAdmin Server (multi user) mode using GSSAPI and SPNEGO, similar to the existing LDAP support. The web browser and the pgAdmin web server negotiate Kerberos as a security mechanism through SPNEGO and exchange tickets as SPNEGO tokens over HTTPS and which will bypass the pgAdmin login page entirely if the Kerberos authentication succeeds.
The first phase has been released in pgAdmin 4 v4.30 and the work is in progress for the second phase which will connect to PostgreSQL servers using Kerberos Delegated Credentials.
The configuration for Kerberos in pgAdmin is not tough and I have put together this guide to help you to configure pgAdmin with Kerberos in your environment.
The following instructions assume that the Kerberos Server is already set up and the ticket generation for the pgAdmin login user is done. pgAdmin uses the ticket from the client machine’s credential cache. The pgAdmin installers have taken care of installing the appropriate libraries for Kerberos but you need to create a krb5.conf file with the appropriate settings as per your environment.
Configure pgAdmin to Support Kerberos
The first step is to configure pgAdmin to support Kerberos authentication in Server (multi user) mode.
To enable it in pgAdmin, set the parameters below in config_local.py or config_system.py (see the config.py documentation) on the system where pgAdmin server is installed.
AUTHENTICATION_SOURCES
To enable Kerberos support, you need to add the 'kerberos' in the list.
KRB_AUTO_CREATE_USER
Set it to True if you want to automatically create a pgAdmin user corresponding to the Kerberos user once authentication succeeds.
KRB_APP_HOST_NAME
Specify the pgAdmin server host name. It is an optional parameter; if it’s not set then it will take the same value as DEFAULT_SERVER pgAdmin parameter.
KRB_KTNAME
Keytab file location for HTTP Service, an optional parameter.
Below is the sample code snippet from config_local.py:
###########################################
# Kerberos Configurations
###########################################
AUTHENTICATION_SOURCES = ['kerberos']
KRB_AUTO_CREATE_USER = True
KRB_APP_HOST_NAME = 'pgadmin.domain.org'
KRB_KTNAME = '/etc/pgadmin4/pgadmin.keytab'
Throughout the document let’s assume your pgAdmin server hostname is pgadmin.domain.org and your Kerberos realm is DOMAIN.ORG
Keytab File for HTTP Service Principal
The second step is to generate the keytab file for the HTTP service principal for the pgAdmin web server. After creating HTTP principal HTTP/<host-name>@realm
ktadd -k pgadmin.keytab HTTP/pgadmin.domain.org@DOMAIN.ORG
This command should create the keytab file named pgadmin.keytab, copy this file to the machine where pgAdmin web server is running. Ensure that the operating system user owning the pgAdmin web server is the owner of this file and the file is accessible to that user. For example, if your pgAdmin is running under apache on Ubuntu with www-data user, the owner of the keytab file should be www-data.
The next thing is to set the location of the keytab file, so the pgAdmin server can use that while the authentication process.
You can choose any of the following ways to set the Keytab file location:
- Set the default_keytab_name parameter in krb5.conf file
- Set the environment variable KRB5_KTNAME
- Explicitly set KRB_KTNAME in the pgAdmin config_local.py or config_system.py
Note that if more than one option is set then the key tab will be used in the descending order of priority.
Configure the Browser to support SPNEGO
The next step is to configure the browser to support SPNEGO, which is responsible for forwarding the Kerberos ticket to the pgAdmin web server over HTTPS.
Below are the steps to configure Mozilla Firefox:
- Open the low level Firefox configuration page by loading the about:config page.
- In the Search text box, enter: network.negotiate-auth.trusted-uris
- Double-click the network.negotiate-auth.trusted-uris preference and enter the hostname or the domain of the pgAdmin web server
- Click OK.
Check the documentation for the equivalent process for your browser if you're not using Firefox.
Configure Apache
If the pgAdmin server is running under the Apache Server, then you need to add the following parameters in Directory directive of Apache HTTPD Configuration:
- WSGIScriptReloading On
- WSGIPassAuthorization On
For example:
<virtualhost>
<directory>
WSGIScriptReloading On
WSGIPassAuthorization On
</directory>
</virtualhost>
Conclusion
Having configured pgAdmin as described, you should now be able to login to a remote pgAdmin server without having to supply a username and password; your authentication information will be provided by the browser automatically.
Look out for the second phase of this project in a future release which will allow authentication to the PostgreSQL servers you manage with pgAdmin to be handled using Kerberos as well.