add Kerberos auth support #702
Conversation
|
Thank you for doing this. Is there a reason not to use the latest version "v8" with a module import address of "github.com/jcmturner/gokrb5/v8" ? I have not done a full review yet, and a few things jump out to me, for which I'll send a review for in a bit. -Daniel |
There was a problem hiding this comment.
There are currently many items that prevent this from being merged in. I need to look into the design a little closer as well. We might need to talk a bit about how the Connection structure should be represented; is it possible to have a single unified *Kerberos field in the connection structure that contains the data used to connect? Then on connection string parse, that information would be pulled from either the krbCache or keytabfile which I think would simplify some of the logic in the actual connection.
As mentioned in a prior comment, I would like to know why "github.com/jcmturner/gokrb5/v8" isn't used, and if it just relates to when you started using it, we should change it to use v8 before being merged.
I do appreciate that you have submitted this.
@kardianos Working on migrating this code to v8. Will push the changes along with other code review comments. |
|
@kardianos could you please review this PR again? have made the changes as per the review comments |
Or maybe @denisenkom could help us get this merged? |
@denisenkom - This is a good feature which we are also looking for. Can this be merged asap? |
@shueybubbles could you please review this PR, as this has been pending for about 2 months now? |
|
@chandanjainn I can look but I don't have merge privileges. |
| } | ||
| } | ||
| if c["krbcache"] == "" && c["keytabfile"] == "" { | ||
| missingParam = "atleast krbcache or keytab is required" |
| @@ -37,6 +43,21 @@ const ( | |||
| LogRetries Log = 128 | |||
| ) | |||
|
|
|||
| type Kerberos struct { | |||
There was a problem hiding this comment.
What is the value of coupling msdsn to gokrb5 types? Can the config store some standard types and have kerbauth do the conversion to gokrb5 at auth time?
There was a problem hiding this comment.
and will Windows apps using SSPI still pull in these krb packages in their compilation? Might it be useful to have the krb code be non-Windows-only?
| } | ||
|
|
||
| _, err := krbObj.InitialBytes() | ||
| if err == nil { |
There was a problem hiding this comment.
If the test is expecting a nil err please change the t.ErrorF messages to indicate that. Otherwise the code reads like err == nil should be changed to err != nil
| } | ||
| } | ||
|
|
||
| func TestFree(t *testing.T) { |
There was a problem hiding this comment.
a test should have at least one assertion
| @@ -0,0 +1,123 @@ | |||
| package mssql | |||
There was a problem hiding this comment.
I agree 1.13 is probably a reasonable minimum requirement at this point.
That said - it may be worthwhile to decouple specific auth implementations like this one from msdsn in general and instead have each auth implementation inject itself into a discovery mechanism such as with some visitor pattern on the connection properties. I'm new enough to Go not to know the best way to have such dependency injection.
With such dependency injection you could mark the kerbauth files for 1.13+ only.
There was a problem hiding this comment.
How could this PR align with #718 ?
There was a problem hiding this comment.
@shueybubbles with 718, anyone using go-mssql driver for kerberos will have to implement their own custom logic and/or maintain their own repos to handle the entire kerberos authN process.
Moreover my PR provides with flexibility to use either krb cache or keytab file which I believe is missing from 718?
There was a problem hiding this comment.
My other comment re: coupling the config to the specific krb implementation is my main concern. The other PR at least avoids such coupling. I think there should be a way for the backend of the driver to manage krb more transparently than having the client use krb-specific packages to even define the connection.
| auth, authOk := getAuth(p.User, p.Password, p.ServerSPN, p.Workstation) | ||
| var auth auth | ||
| var authOk bool | ||
| if p.Kerberos != nil && p.Kerberos.Config != nil { |
There was a problem hiding this comment.
This is where I think having a generic way to discover an auth implementation from the config properties could be useful to make it simpler to add new ones in the future. The msdsn could have simple types and this code could call registered delegates from each auth provider until it finds one that handles it.
You should absolutly do this. I have been waiting few years for this feature. golang-reddit is a good place to have such ideas. |
Yes please. |
It kinda seems like this repo has become stale / unsupported... @chandanjainn any further thoughts or timeline on forking the repo? I know multiple teams & companies who rely on this so the lack of support is blocking them at the moment. It would be great to get some enterprise-level backing for it. |
@bmanosh-salesforce i believe your comment was directed at @shueybubbles |
Oops, yes. Thank you :) |
|
@bmanosh-salesforce I am making the pitch to create this fork this week. There aren't many precedents for such an "adoption" at Microsoft so I don't have a good time estimate. I think if our open source folks agree it's a good idea I'll need to put together some standard stuff like a code of conduct and contribution guidelines. We'll also need to create a set of Github actions or ADO pipelines to replace the appveyor-based test suite for PR validation. We can readily replace some of the SQL VMs with Linux containers for SQL 2017+ but testing against Windows instances of SQL 2012+ will need a fair amount of investment. |
Hi. |
|
@keith6014 if by "them" you mean "Microsoft", it's my team that manages most in-house driver and client application development for SQL Server. We have seen steady growth in Go usage with SQL both inside and outside Microsoft, so we started participating in changes for this repo last year. Go looks like a great open source foundation for creating more command line tools for cross platform CI/CD infrastructure so we plan some investment in that area too, starting with github.com/microsoft/go-sqlcmd, which is built using go-mssqldb |
Understood. I hope you get the funding and attention it deserves. 🤞 |
|
bump @kardianos @denisenkom could you please merge this? |
|
I opened #729 to solicit input on a Microsoft fork. We very much appreciate your insights! |
|
@dimdin, could you help us get this merged? |
|
the microsoft fork is open now, you can clone the issue and the PR there. |
|
A modular approach can be applied to load authentication providers (e.g. kerberos) Each authentication provider should be able to extend the configuration parameters parsing and read the parsed parameter values when getAuth is called. Using this approach allows authentication providers to be implemented without modifying go-mssqldb and reduces dependencies imported by these providers when not in use. @kardianos @denisenkom Do you have any concerns about the modular loading of authentication providers? |
@shueybubbles @chandanjainn would we want to move this PR work over to the Microsoft fork? |
|
@bmanosh-sf @keith6014 have moved this PR to the MS repo here microsoft#35 |
|
Moved to microsoft#35 |
Have added support for kerberos authentication for go-mssqldb using the GOKRB5 package.
To enable the support for krb the users need to pass the connection string as the following
server=server;user id=user;port=1345;realm=domain;trustservercertificate=true;krb5conffile=/etc/krb5.conf;keytabfile=/path/to/keytabFile.keytab"server=server;port=1345;realm=domain;trustservercertificate=true;krb5conffile=/etc/krb5.conf;krbcache=/tmp/krb5cc_1000"