GSSAPI #479
GSSAPI #479
Conversation
* A few fixes * downgrade logs * save
|
Could we also move the client gssapi stuff in its own module like the other auth algos |
| - name: Install CMake 3.31 | ||
| run: | | ||
| sudo apt update && sudo apt install mold -y | ||
| sudo apt update && sudo apt install -y mold clang pkg-config protobuf-compiler |
There was a problem hiding this comment.
We have protobuf! We are finally complete
| principal.replace(['@', '.', '/'], "_"), | ||
| std::process::id() | ||
| ); | ||
| std::env::set_var("KRB5CCNAME", format!("FILE:{}", cache_file)); |
There was a problem hiding this comment.
Doesn't look like access to this function is synchronized. set_var isn't thread-safe & if we have multiple creds (e.g., for multiple databases), this will race I think.
There was a problem hiding this comment.
Yes, there's a lot of issues like that here. Especially with the env variables but the KDC is kind of a synchronization point so we'll need to use ScopedEnv or something.
| std::env::set_var("KRB5CCNAME", format!("FILE:{}", cache_file)); | ||
|
|
||
| // Acquire credentials using the keytab | ||
| Cred::acquire( |
There was a problem hiding this comment.
This calls into gssapi right? How expensive is this call? We might want to offload this to spawn_blocking to avoid blocking Tokio.
There was a problem hiding this comment.
It's pretty heavy. There's a tension here, because Cred::acquire is blocking and times out if there's a problem (great api design), but shelling out to kinit or other command line tools is probably even more unreliable. in the v2 branch I'm trying to get either an async wrapper around it or a quicker failure through a proper timer in a different thread but it's tricky.
#468
Completely raw, but testing Works On My Machine(tm)
I suspect this will need a bunch of cleanup and rework but it's worth looking at to see the scale of the project.