Support for Kerberos Authentication

[flcong]

I've found this webpage and this example, but is there any more in-depth example and guide, particularly for Kerberos authentication?

[smklimenko]

I'm afraid Kerberos supporting is not a part of my plans at all as I don't need in my work. Even more, there are many implementations of the protocol and in most cases, you need own implementation.

The example is the full and I'm afraid I have nothing to add. It contains both parts: how to create UI form and how to process credentials from the form.

We may consider developing a plugin for your company, but your company will have to enter into a development contract to do so. You can contact us by support@kdbinsidebrains.dev with initial requirements to discuss the terms of the contract.

Otherwise, just use the examples to build your own implementation. If you wish to make it public and it doesn't have any native implementation, we can add it into the main project.

[flcong]

Thanks. I am trying to implement Kerberos authentication based on some of our internal libraries. Yet, I do have one question. It seems that the Host name (String in the Host text box) is not directly exposed to CredentialEditor, right? I am wondering if it is possible to get the host name inside the CredentialEditor or CredentialProvider class. Otherwise, I'll have to add another Host textbox in the CredentialEditor for users to fill in the Host name again. Thanks.

[smklimenko]

Yes, you are right, you need targetHost here for Kerberos. It's not part of CredentialEditor as this one contains only Kerberos parameters, like Kerberos hostname but it must be part of CredentialProvider.
I have update CredentialProvider (https://github.com/kdbinsidebrains/plugin/blob/main/src/main/java/org/kdb/inside/brains/core/credentials/CredentialProvider.java) and added a few comments how to use it. There is new method here:
default String resolveCredentials(String host, int port, String credentials) throws CredentialsResolvingException
you can use the host and port, if required.

The method will be used from the plugin version 4.6.0. It's published to the marketplace but takes about 2 days to be approved by JetBrains team. If you need, you can download and install it manually: https://plugins.jetbrains.com/plugin/16746-kdbinsidebrains/edit/versions/stable/444098

[flcong]

Thanks a lot for the update! I came across an additional question about the UI.

If I understand correctly, CredentialEditor.setCredentials(String credentials) is used to populate textboxes in the Auth plugin UI after each use (e.g. after successful connection and clicking on "OK" or "Update", if I edit this instance again, I can see these textboxes populated with previously filled info). Since the input is credentials, i.e. "username:password", only these two pieces of info can be populated.

Yet, in my usecase, to obtain Authentication, (other than host name), I need a user id which is used to obtain authentication token and could be different from the user name used for connection. In this case, I cannot parse and get this user id from credentials since it includes the user name for connection. Hence, I need somewhere to store this information for each kdb instance created. I am wondering if it is possible to implement this?

A possible workaround is to squeeze the user id in the credentials in some parse-able way. Then, in CredentialProvider.resolveCredentials() method, I can remove this part so that the returned value is the true credentials to be sent to kdb server; in CredentialEditor.setCredentials(), I can obtain this user Id and populate the textbox in the UI. Is this idea feasible?

Thanks a lot!

[smklimenko]

Noy sure I get your idea here but credentials is just a string and can take any format and as many tokens as you like but you should remember one thing here. KDB uses the following format for connections: :<host>:<port>:<username>:<password>. The plugin follows the same pattern, but you store any value and as many tokens in the password as you wish.
Actually, you can use the whole credential string (that is :) as you wish but you just should remember one thing here. In UI the plugin shows :<host>:<port>:<username> part but masks so if you have :<host>:<port>:<credentials> as one string, it will be short in the Instances Tree.

To be more concrete here, in UI you can have:
Field1
Field2
Field3

you can encode that into credentials as: <pluginId>:<Field1>:<Field2>:<Field3>. You are responsible to encode and decode that string in Editor to show parameters and in Provider, to decode parameters to build correct one (in format username:password as required for your KDB instance).

you are free to use any encoding and delimiter here if semicolon doesn't work. You even can encode/decode each field value into BASE64 if required, like: <username>:<Base64_Field1>:<Base64_Field2>...

If you look at SystemVarCredentialsProvider example: https://github.com/kdbinsidebrains/credentials/blob/main/src/main/java/org/kdb/inside/brains/credentials/SystemVarCredentialsProvider.java

The Provide and Editor encode credentials into string: :env:. So, once again, you are responsible to encoding/decoding your credentials but just keep in mind that in format :<host>:<port>:<username>:<password> username is visiable and if you have only 3 tokens, like :<host>:<port>:<credentials>, all credentials will be visible.

Another remark here:

I can obtain this user Id and populate the textbox in the UI
If you can obtain user Id from OS, like use current user Id, there is no any reason to store it in credentials and show in UI. You can just get the UserID in Provider and send to KDB directly.

[flcong]

Thanks for the detailed explanation! This method should be ok for my implementation.