From 903cb91c568705ef4a3142e62b09b7a9cdd85e20 Mon Sep 17 00:00:00 2001
From: Peifeng Qiu <pqiu@pivotal.io>
Date: Thu, 4 Jul 2019 12:06:22 +0900
Subject: [PATCH] Windows: change kerberos service name to postgres (#8060)

The kerberos service name of gpdb and psql must match to allow proper
kerberos authentication. For linux platform this is controlled by
--with-krb-srvnam. For Windows platform it's hardcoded in template
pg_config.h.win32. We currently build gpdb server without specifying
--with-krb-srvnam, and the default value is "postgres". Change the
correspond value that hardcoded Windows config template to "postgres"
also.

- Package necessary kerberos utility with windows installer
- Add Kerberos auth test for Windows client
---
 concourse/scripts/ic_gpdb_remote_windows.bash | 72 +++++++++++++++++--
 concourse/scripts/ic_gpdb_remote_windows.bat  |  8 +++
 concourse/scripts/windows_remote_test.ps1     |  1 +
 .../install/src/windows/CopyDependencies.bat  |  4 ++
 .../install/src/windows/greenplum-clients.wxs |  4 ++
 src/include/pg_config.h.win32                 |  2 +-
 6 files changed, 83 insertions(+), 8 deletions(-)

diff --git a/concourse/scripts/ic_gpdb_remote_windows.bash b/concourse/scripts/ic_gpdb_remote_windows.bash
index 91f4c778e3..0d750cc139 100755
--- a/concourse/scripts/ic_gpdb_remote_windows.bash
+++ b/concourse/scripts/ic_gpdb_remote_windows.bash
@@ -6,11 +6,13 @@ set -eo pipefail
 CWDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source "${CWDIR}/common.bash"
 
+export DEFAULT_REALM=GPDB.KRB
+
 function setup_gpadmin_user() {
     ./gpdb_src/concourse/scripts/setup_gpadmin_user.bash "${TEST_OS}"
 }
 
-function configure_gpdb_ssl() {
+function configure_gpdb_ssl_kerberos() {
     cp ./gpdb_src/src/test/ssl/ssl/server.crt "${MASTER_DATA_DIRECTORY}"
     cp ./gpdb_src/src/test/ssl/ssl/server.key "${MASTER_DATA_DIRECTORY}"
     cp ./gpdb_src/src/test/ssl/ssl/root+server_ca.crt "${MASTER_DATA_DIRECTORY}"
@@ -22,9 +24,58 @@ function configure_gpdb_ssl() {
     echo "ssl_cert_file='server.crt'">> "${PG_CONF}"
     echo "ssl_key_file='server.key'">> "${PG_CONF}"
 
+    gpconfig -c krb_server_keyfile -v  '/home/gpadmin/gpdb-server-krb5.keytab'
+
     PG_HBA="${MASTER_DATA_DIRECTORY}/pg_hba.conf"
     echo "hostssl   all gpadmin 0.0.0.0/0   trust">> "${PG_HBA}"
+    echo "host all all 0.0.0.0/0 gss include_realm=0 krb_realm=${DEFAULT_REALM}" >> "${PG_HBA}"
     gpstop -ar
+
+    psql postgres -c 'create role "user1/127.0.0.1" superuser login'
+}
+
+function setup_kerberos() {
+
+# Setup krb5.conf
+cat > /etc/krb5.conf <<EOF
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+[libdefaults]
+ default_realm = ${DEFAULT_REALM}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+[realms]
+ ${DEFAULT_REALM} = {
+  kdc = 127.0.0.1
+  admin_server = 127.0.0.1
+ }
+[domain_realm]
+ .gpdb.krb = ${DEFAULT_REALM}
+ gpdb.krb = ${DEFAULT_REALM}
+EOF
+
+# Start KDC on master node
+kdb5_util create -s -r ${DEFAULT_REALM} -P changeme
+
+kadmin.local -q "addprinc -pw changeme root/admin"
+
+krb5kdc
+
+kadmin.local -q "addprinc -randkey user1/127.0.0.1@${DEFAULT_REALM}"
+kadmin.local -q "addprinc -randkey postgres/127.0.0.1@${DEFAULT_REALM}"
+
+# Gernerate keys
+rm -rf /home/gpadmin/gpdb-krb5.keytab
+kadmin.local -q "xst -norandkey -k /home/gpadmin/gpdb-client-krb5.keytab user1/127.0.0.1@${DEFAULT_REALM}"
+kadmin.local -q "xst -norandkey -k /home/gpadmin/gpdb-server-krb5.keytab postgres/127.0.0.1@${DEFAULT_REALM}"
+chown gpadmin:gpadmin /home/gpadmin/gpdb-*-krb5.keytab
+chmod 400 /home/gpadmin/gpdb-*-krb5.keytab
 }
 
 # Get ssh private key from REMOTE_KEY, which is assumed to
@@ -60,7 +111,10 @@ function run_remote_test() {
     scp -P "${REMOTE_PORT}" ./gpdb_src/src/test/regress/*.pm "${REMOTE_USER}@${REMOTE_HOST}:./gpload2"
     scp -P "${REMOTE_PORT}" ./gpdb_src/concourse/scripts/ic_gpdb_remote_windows.bat "${REMOTE_USER}@${REMOTE_HOST}:"
 
-    ssh -T -R"${PGPORT}:127.0.0.1:${PGPORT}" -L8081:127.0.0.1:8081 -L8082:127.0.0.1:8082 -p "${REMOTE_PORT}" "${REMOTE_USER}@${REMOTE_HOST}" "ic_gpdb_remote_windows.bat ${PGPORT}"
+    scp -P "${REMOTE_PORT}" /home/gpadmin/gpdb-client-krb5.keytab "${REMOTE_USER}@${REMOTE_HOST}:./gpdb-krb5.keytab"
+    scp -P "${REMOTE_PORT}" /etc/krb5.conf "${REMOTE_USER}@${REMOTE_HOST}:./krb5.ini"
+
+    ssh -T -R"${PGPORT}:127.0.0.1:${PGPORT}" -R88:127.0.0.1:88 -L8081:127.0.0.1:8081 -L8082:127.0.0.1:8082 -p "${REMOTE_PORT}" "${REMOTE_USER}@${REMOTE_HOST}" "ic_gpdb_remote_windows.bat ${PGPORT}"
     # run gpfdist test
     pushd gpdb_src/src/test/regress
     make pg_regress
@@ -74,11 +128,13 @@ function run_remote_test() {
     popd
 }
 
+function install_packages {
+    yum install -y jq openssl-devel krb5-server krb5-libs krb5-auth-dialog krb5-workstation
+}
+
 function create_cluster() {
     export CONFIGURE_FLAGS="--enable-gpfdist --with-openssl"
-    yum install -y openssl-devel
     time install_and_configure_gpdb
-    time setup_gpadmin_user
     export WITH_MIRRORS=false
     time make_cluster
 }
@@ -96,17 +152,16 @@ function gpadmin_run_tests(){
     export REMOTE_USER
     source ./gpdb_src/gpAux/gpdemo/gpdemo-env.sh
     source /usr/local/greenplum-db-devel/greenplum_path.sh
-    configure_gpdb_ssl
+    configure_gpdb_ssl_kerberos
     time import_remote_key
     time run_remote_test
 }
 
 function _main() {
-    export -f configure_gpdb_ssl
+    export -f configure_gpdb_ssl_kerberos 
     export -f import_remote_key
     export -f run_remote_test
     export -f gpadmin_run_tests
-    yum install -y jq
     pushd bin_gpdb
         mv *.tar.gz bin_gpdb.tar.gz
     popd
@@ -115,6 +170,9 @@ function _main() {
         tar xzvf *.tar.gz
     popd
 
+    time install_packages
+    time setup_gpadmin_user
+    time setup_kerberos
     time create_cluster
     su gpadmin -c 'gpadmin_run_tests $(pwd) "${REMOTE_PORT}" "${REMOTE_USER}"'
     cp bin_gpdb_clients_windows/*.msi bin_gpdb_clients_windows_rc/
diff --git a/concourse/scripts/ic_gpdb_remote_windows.bat b/concourse/scripts/ic_gpdb_remote_windows.bat
index e7e8a8781d..bf393c057f 100644
--- a/concourse/scripts/ic_gpdb_remote_windows.bat
+++ b/concourse/scripts/ic_gpdb_remote_windows.bat
@@ -2,10 +2,18 @@ set PGPORT=%1
 set PGUSER=gpadmin
 set PGHOST=127.0.0.1
 
+mkdir C:\ProgramData\MIT\Kerberos5\
+move krb5.ini C:\ProgramData\MIT\Kerberos5\
+set KRB5CCNAME=%USERPROFILE%\krb5cache
+set PGGSSLIB=gssapi
+
 call "C:\Program Files\Greenplum\greenplum-clients\greenplum_clients_path.bat"
+kinit -k -t gpdb-krb5.keytab user1/127.0.0.1
+klist
 set path=%path%;C:\Program Files\curl-win64-mingw\bin
 psql -U gpadmin -p 15432 -h 127.0.0.1 -c "select version();" "dbname=postgres" || goto :error
 psql -U gpadmin -p 15432 -h 127.0.0.1 -c "select version();" "dbname=postgres sslmode=require" || goto :error
+psql -U "user1/127.0.0.1" -p 15432 -h 127.0.0.1 -c "select version();" "dbname=postgres sslmode=require" || goto :error
 start /B pipe_win10.exe
 start /B gpfdist.exe -d \\.\pipe\
 curl -H "X-GP-PROTO: 0" http://127.0.0.1:8080/public_test_0_pipe0 || goto :error
diff --git a/concourse/scripts/windows_remote_test.ps1 b/concourse/scripts/windows_remote_test.ps1
index 8538ff346d..8eade0fc92 100644
--- a/concourse/scripts/windows_remote_test.ps1
+++ b/concourse/scripts/windows_remote_test.ps1
@@ -1,3 +1,4 @@
+$progressPreference = 'silentlyContinue'
 Invoke-WebRequest -Uri https://aka.ms/vs/15/release/VC_redist.x64.exe -OutFile VC_redist.x64.exe
 Start-Process -FilePath "VC_redist.x64.exe" -ArgumentList "/passive" -Wait -Passthru
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
diff --git a/gpAux/client/install/src/windows/CopyDependencies.bat b/gpAux/client/install/src/windows/CopyDependencies.bat
index 7adae7cdb1..86b461702e 100644
--- a/gpAux/client/install/src/windows/CopyDependencies.bat
+++ b/gpAux/client/install/src/windows/CopyDependencies.bat
@@ -1,6 +1,10 @@
 set GPDB_DEPENDENCY_PATH=%1
 set GPDB_INSTALL_PATH=%2
 
+copy %GPDB_DEPENDENCY_PATH%\bin\kinit.exe %GPDB_INSTALL_PATH%\bin
+copy %GPDB_DEPENDENCY_PATH%\bin\klist.exe %GPDB_INSTALL_PATH%\bin
+copy %GPDB_DEPENDENCY_PATH%\bin\kdestroy.exe %GPDB_INSTALL_PATH%\bin
+copy %GPDB_DEPENDENCY_PATH%\bin\krbcc64.dll %GPDB_INSTALL_PATH%\bin
 copy %GPDB_DEPENDENCY_PATH%\bin\comerr64.dll %GPDB_INSTALL_PATH%\bin
 copy %GPDB_DEPENDENCY_PATH%\bin\gssapi64.dll %GPDB_INSTALL_PATH%\bin
 copy %GPDB_DEPENDENCY_PATH%\bin\k5sprt64.dll %GPDB_INSTALL_PATH%\bin
diff --git a/gpAux/client/install/src/windows/greenplum-clients.wxs b/gpAux/client/install/src/windows/greenplum-clients.wxs
index 38c37aa785..1b18302aac 100755
--- a/gpAux/client/install/src/windows/greenplum-clients.wxs
+++ b/gpAux/client/install/src/windows/greenplum-clients.wxs
@@ -1119,6 +1119,10 @@ If you want to review or change any of your installation settings, click Back. C
                 <File Id="dropuser.exe" Name="dropuser.exe" Source="$(var.SRCDIR)\bin\dropuser.exe" />
                 <File Id="libapr.dll" Name="libapr-1.dll" Source="$(var.SRCDIR)\bin\libapr-1.dll" />
                 <File Id="libpq.dll" Name="libpq.dll" Source="$(var.SRCDIR)\bin\libpq.dll" />
+                <File Id="krbcc64.dll" Name="krbcc64.dll" Source="$(var.SRCDIR)\bin\krbcc64.dll" />
+                <File Id="kinit.exe" Name="kinit.exe" Source="$(var.SRCDIR)\bin\kinit.exe" />
+                <File Id="klist.exe" Name="klist.exe" Source="$(var.SRCDIR)\bin\klist.exe" />
+                <File Id="kdestroy.exe" Name="kdestroy.exe" Source="$(var.SRCDIR)\bin\kdestroy.exe" />
                 <File Id="comerr64.dll" Name="comerr64.dll" Source="$(var.SRCDIR)\bin\comerr64.dll" />
                 <File Id="gssapi64.dll" Name="gssapi64.dll" Source="$(var.SRCDIR)\bin\gssapi64.dll" />
                 <File Id="k5sprt64.dll" Name="k5sprt64.dll" Source="$(var.SRCDIR)\bin\k5sprt64.dll" />
diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32
index 5ba9bef5a3..b30cff42d4 100755
--- a/src/include/pg_config.h.win32
+++ b/src/include/pg_config.h.win32
@@ -647,7 +647,7 @@
 
 /* Define to the name of the default PostgreSQL service principal in Kerberos.
    (--with-krb-srvnam=NAME) */
-#define PG_KRB_SRVNAM "greenplum"
+#define PG_KRB_SRVNAM "postgres"
 
 /* A string containing the version number, platform, and C compiler */
 #define PG_VERSION_STR "Uninitialized version string (win32)"
-- 
GitLab