Extract Kerberos functionality from SQL Server engine #51352
Conversation
|
|
||
| type clientProvider struct { | ||
| AuthClient windows.AuthInterface | ||
| DataDir string |
There was a problem hiding this comment.
We had some offline discussion on the cache dir. we can look into that afterwards. Here are just some notes but they should not block this PR:
kinit does refresh the output every connection, but there could be a race that two connections trying to output to the same file then read it.
On the other hand, it seems credentials.LoadCCache finishes reading that file immediately and has no use of it afterwards. We could experiment if we could just use tmp dir instead of data-dir.
Another consideration is if we want to add real caching to avoid kinit on every connection.
There was a problem hiding this comment.
Another possibility is to reimplement the the protocol internally, without shelling out to kinit. Not only we would drop the external dependency and the need to juggle various files. As @gabrielcorado points out, we would also benefit from much better control over the whole process and much better diagnostic information.
There was a problem hiding this comment.
For reference here is the outstanding issue in gokrb5:
The RFC in question is not super long either: https://datatracker.ietf.org/doc/html/rfc4556.html
|
Gentle ping @gabrielcorado @probakowski |
Changes:
kinitintodb/commonkerberos.ClientProvider.kerberos.ClientProviderI've tried very hard to keep this change minimal. There is a number of things I'd like to change in the current code, but those changes can happen in future PRs while keeping this one as small as possible.
This is a prerequisite to using Kerberos in other db engines, in particular Oracle.