singlestore-labs / singlestoredb-python

Python SDK for the SingleStore database and workspace management APIs
Apache License 2.0

Feature: Support GSSAPI based authentication #21

Closed davidmclennangs closed 8 months ago

davidmclennangs commented 8 months ago

Hello, can you please consider supporting GSSAPI auth? This is supported by SingleStore itself (https://docs.singlestore.com/db/v8.5/security/authentication/kerberos-authentication/) as well as the JDBC driver (https://docs.singlestore.com/db/v8.5/developer-resources/connect-with-application-development-tools/connect-with-java-jdbc/jdbc-connector-setup-instructions-with-optional-gssapi/), but there doesn't appear to be an equivalent in the Python DB API.

Currently we are working around this by using the MariaDB ODBC driver via pyodbc.

Thanks!

kesmit13 commented 8 months ago

Actually, the SingleStoreDB Python client does support Kerberos. It just hasn't made it into the documentation yet.

kesmit13 commented 8 months ago

You do need to have the gssapi Python package installed for it to work.

davidmclennangs commented 8 months ago

Cool - should have looked at the source :)

Can you give me a hint as to the appropriate auth_plugin_map definition for gssapi?

kesmit13 commented 8 months ago

I believe all you have to do is install the gssapi Python package, set up Kerberos on the machine you are logging on from, then set the user to be an authentication_gss user in SingleStoreDB as described here: https://docs.singlestore.com/db/v7.5/security/authentication/kerberos-authentication/configuring-singlestore-for-kerberos-authentication/. SingleStoreDB should request authentication through gssapi from the client when the connection is created. If this isn't doing it, I may have to consult one of my colleagues who does this more often than I do.

davidmclennangs commented 8 months ago

Good news - worked! This is the simplest example I could build which demonstrates this;

Singlestore Login Definition;

```sql
grant usage on *.* to 'myuser'@'%' IDENTIFIED WITH 'authentication_gss' AS '/^myuser@MYDOMAIN.COM$'
```

(Further non gssapi grants will be necessary)

Valid TGT on client;

```
klist

Ticket cache: FILE:/tmp/krb5cc_
Default principal: myuser@MYDOMAIN.COM

Valid starting     Expires            Service principal
03/15/24 16:13:22  03/15/24 18:13:22  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until **
```

Python Script (post pip install singlestoredb and gssapi);

```python
#!/usr/local/bin/python

import singlestoredb as s2
import gssapi

# Don't define user or password
cnx = s2.connect(host='my.mag.singlestorecluster.mydomain.com', port=3306, database='information_schema')
sql = "select current_user"

cur = cnx.cursor()
cur.execute(sql)
for row in cur.fetchall():
    print(row)
```

The above script successfully connects to Singlestore and emits;

('myuser@%',)

Thanks!
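Added example (not part of the thread and not the project's code): a preflight check for the password-less login shown above, which parses `klist` output for an unexpired TGT and tests the default principal against the `AS` mapping regex. It assumes the MIT `klist` layout shown in the post and uses Python's `re` as a stand-in for the server's regex matching; `preflight`, `strict_pattern` and the sample text are hypothetical names and constructed data.

```python
import re
from datetime import datetime

# Constructed sample modelled on the klist output in the post (cache path is a placeholder).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_PLACEHOLDER
Default principal: myuser@MYDOMAIN.COM

Valid starting     Expires            Service principal
03/15/24 16:13:22  03/15/24 18:13:22  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
"""

PAGE_PATTERN = r"^myuser@MYDOMAIN.COM$"   # regex body from the grant in the post
TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"   # assumed klist timestamp layout


def strict_pattern(principal):
    """Anchored pattern matching exactly one principal (dots escaped)."""
    return "^" + re.escape(principal) + "$"


def preflight(klist_text, mapping_pattern, now):
    """Return (ok, reason) for a password-less GSSAPI login attempt."""
    m = re.search(r"^Default principal:\s*(\S+)$", klist_text, re.M)
    if not m:
        return False, "no credential cache / default principal"
    principal = m.group(1)
    realm = principal.rsplit("@", 1)[-1]
    # Find the krbtgt line for the principal's realm and read its expiry.
    tgt = re.search(TS + r"\s+" + TS + r"\s+krbtgt/" + re.escape(realm) + "@",
                    klist_text)
    if not tgt:
        return False, "no TGT for realm " + realm
    expires = datetime.strptime(tgt.group(2), "%m/%d/%y %H:%M:%S")
    if expires <= now:
        return False, "TGT expired at " + str(expires)
    if not re.search(mapping_pattern, principal):
        return False, principal + " does not match the user mapping"
    return True, principal


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    print(preflight(out, strict_pattern("myuser@MYDOMAIN.COM"), datetime.now()))
```

With Python's `re`, the unescaped dot in `MYDOMAIN.COM` matches any character, so the escaped form returned by `strict_pattern` is the tighter mapping.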