Windows: change kerberos service name to postgres (#8060)

The kerberos service name of gpdb and psql must match to allow proper kerberos authentication. For linux platform this is controlled by --with-krb-srvnam. For Windows platform it's hardcoded in template pg_config.h.win32. We currently build gpdb server without specifying --with-krb-srvnam, and the default value is "postgres". Change the correspond value that hardcoded Windows config template to "postgres" also. - Package necessary kerberos utility with windows installer - Add Kerberos auth test for Windows client

Windows: change kerberos service name to postgres (#8060)
The kerberos service name of gpdb and psql must match to allow proper kerberos authentication. For linux platform this is controlled by --with-krb-srvnam. For Windows platform it's hardcoded in template pg_config.h.win32. We currently build gpdb server without specifying --with-krb-srvnam, and the default value is "postgres". Change the correspond value that hardcoded Windows config template to "postgres" also. - Package necessary kerberos utility with windows installer - Add Kerberos auth test for Windows client
903cb91c · Peifeng Qiu · GitHub · e580dab8 · 903cb91c · 903cb91c
6 changed file
--- a/concourse/scripts/ic_gpdb_remote_windows.bash
+++ b/concourse/scripts/ic_gpdb_remote_windows.bash
@@ -6,11 +6,13 @@ set -eo pipefail
 CWDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source "${CWDIR}/common.bash"
+export DEFAULT_REALM=GPDB.KRB
 function setup_gpadmin_user() {
    ./gpdb_src/concourse/scripts/setup_gpadmin_user.bash "${TEST_OS}"
 }
-function configure_gpdb_ssl() {
+function configure_gpdb_ssl_kerberos() {
    cp ./gpdb_src/src/test/ssl/ssl/server.crt "${MASTER_DATA_DIRECTORY}"
    cp ./gpdb_src/src/test/ssl/ssl/server.key "${MASTER_DATA_DIRECTORY}"
    cp ./gpdb_src/src/test/ssl/ssl/root+server_ca.crt "${MASTER_DATA_DIRECTORY}"
@@ -22,9 +24,58 @@ function configure_gpdb_ssl() {
    echo "ssl_cert_file='server.crt'">> "${PG_CONF}"
    echo "ssl_key_file='server.key'">> "${PG_CONF}"
+    gpconfig -c krb_server_keyfile -v  '/home/gpadmin/gpdb-server-krb5.keytab'
    PG_HBA="${MASTER_DATA_DIRECTORY}/pg_hba.conf"
    echo "hostssl   all gpadmin 0.0.0.0/0   trust">> "${PG_HBA}"
+    echo "host all all 0.0.0.0/0 gss include_realm=0 krb_realm=${DEFAULT_REALM}" >> "${PG_HBA}"
    gpstop -ar
+    psql postgres -c 'create role "user1/127.0.0.1" superuser login'
+}
+function setup_kerberos() {
+# Setup krb5.conf
+cat > /etc/krb5.conf <<EOF
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+[libdefaults]
+ default_realm = ${DEFAULT_REALM}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+[realms]
+ ${DEFAULT_REALM} = {
+  kdc = 127.0.0.1
+  admin_server = 127.0.0.1
+ }
+[domain_realm]
+ .gpdb.krb = ${DEFAULT_REALM}
+ gpdb.krb = ${DEFAULT_REALM}
+EOF
+# Start KDC on master node
+kdb5_util create -s -r ${DEFAULT_REALM} -P changeme
+kadmin.local -q "addprinc -pw changeme root/admin"
+krb5kdc
+kadmin.local -q "addprinc -randkey user1/127.0.0.1@${DEFAULT_REALM}"
+kadmin.local -q "addprinc -randkey postgres/127.0.0.1@${DEFAULT_REALM}"
+# Gernerate keys
+rm -rf /home/gpadmin/gpdb-krb5.keytab
+kadmin.local -q "xst -norandkey -k /home/gpadmin/gpdb-client-krb5.keytab user1/127.0.0.1@${DEFAULT_REALM}"
+kadmin.local -q "xst -norandkey -k /home/gpadmin/gpdb-server-krb5.keytab postgres/127.0.0.1@${DEFAULT_REALM}"
+chown gpadmin:gpadmin /home/gpadmin/gpdb-*-krb5.keytab
+chmod 400 /home/gpadmin/gpdb-*-krb5.keytab
 }
 # Get ssh private key from REMOTE_KEY, which is assumed to
@@ -60,7 +111,10 @@ function run_remote_test() {
    scp -P "${REMOTE_PORT}" ./gpdb_src/src/test/regress/*.pm "${REMOTE_USER}@${REMOTE_HOST}:./gpload2"
    scp -P "${REMOTE_PORT}" ./gpdb_src/concourse/scripts/ic_gpdb_remote_windows.bat "${REMOTE_USER}@${REMOTE_HOST}:"
-    ssh -T -R"${PGPORT}:127.0.0.1:${PGPORT}" -L8081:127.0.0.1:8081 -L8082:127.0.0.1:8082 -p "${REMOTE_PORT}" "${REMOTE_USER}@${REMOTE_HOST}" "ic_gpdb_remote_windows.bat ${PGPORT}"
+    scp -P "${REMOTE_PORT}" /home/gpadmin/gpdb-client-krb5.keytab "${REMOTE_USER}@${REMOTE_HOST}:./gpdb-krb5.keytab"
+    scp -P "${REMOTE_PORT}" /etc/krb5.conf "${REMOTE_USER}@${REMOTE_HOST}:./krb5.ini"
+    ssh -T -R"${PGPORT}:127.0.0.1:${PGPORT}" -R88:127.0.0.1:88 -L8081:127.0.0.1:8081 -L8082:127.0.0.1:8082 -p "${REMOTE_PORT}" "${REMOTE_USER}@${REMOTE_HOST}" "ic_gpdb_remote_windows.bat ${PGPORT}"
    # run gpfdist test
    pushd gpdb_src/src/test/regress
    make pg_regress
@@ -74,11 +128,13 @@ function run_remote_test() {
    popd
 }
+function install_packages {
+    yum install -y jq openssl-devel krb5-server krb5-libs krb5-auth-dialog krb5-workstation
+}
 function create_cluster() {
    export CONFIGURE_FLAGS="--enable-gpfdist --with-openssl"
-    yum install -y openssl-devel
    time install_and_configure_gpdb
-    time setup_gpadmin_user
    export WITH_MIRRORS=false
    time make_cluster
 }
@@ -96,17 +152,16 @@ function gpadmin_run_tests(){
    export REMOTE_USER
    source ./gpdb_src/gpAux/gpdemo/gpdemo-env.sh
    source /usr/local/greenplum-db-devel/greenplum_path.sh
-    configure_gpdb_ssl
+    configure_gpdb_ssl_kerberos
    time import_remote_key
    time run_remote_test
 }
 function _main() {
-    export -f configure_gpdb_ssl
+    export -f configure_gpdb_ssl_kerberos 
    export -f import_remote_key
    export -f run_remote_test
    export -f gpadmin_run_tests
-    yum install -y jq
    pushd bin_gpdb
        mv *.tar.gz bin_gpdb.tar.gz
    popd
@@ -115,6 +170,9 @@ function _main() {
        tar xzvf *.tar.gz
    popd
+    time install_packages
+    time setup_gpadmin_user
+    time setup_kerberos
    time create_cluster
    su gpadmin -c 'gpadmin_run_tests $(pwd) "${REMOTE_PORT}" "${REMOTE_USER}"'
    cp bin_gpdb_clients_windows/*.msi bin_gpdb_clients_windows_rc/

--- a/concourse/scripts/ic_gpdb_remote_windows.bat
+++ b/concourse/scripts/ic_gpdb_remote_windows.bat
@@ -2,10 +2,18 @@ set PGPORT=%1
 set PGUSER=gpadmin
 set PGHOST=127.0.0.1
+mkdir C:\ProgramData\MIT\Kerberos5\
+move krb5.ini C:\ProgramData\MIT\Kerberos5\
+set KRB5CCNAME=%USERPROFILE%\krb5cache
+set PGGSSLIB=gssapi
 call "C:\Program Files\Greenplum\greenplum-clients\greenplum_clients_path.bat"
+kinit -k -t gpdb-krb5.keytab user1/127.0.0.1
+klist
 set path=%path%;C:\Program Files\curl-win64-mingw\bin
 psql -U gpadmin -p 15432 -h 127.0.0.1 -c "select version();" "dbname=postgres" || goto :error
 psql -U gpadmin -p 15432 -h 127.0.0.1 -c "select version();" "dbname=postgres sslmode=require" || goto :error
+psql -U "user1/127.0.0.1" -p 15432 -h 127.0.0.1 -c "select version();" "dbname=postgres sslmode=require" || goto :error
 start /B pipe_win10.exe
 start /B gpfdist.exe -d \\.\pipe\
 curl -H "X-GP-PROTO: 0" http://127.0.0.1:8080/public_test_0_pipe0 || goto :error

--- a/concourse/scripts/windows_remote_test.ps1
+++ b/concourse/scripts/windows_remote_test.ps1
+$progressPreference = 'silentlyContinue'
 Invoke-WebRequest -Uri https://aka.ms/vs/15/release/VC_redist.x64.exe -OutFile VC_redist.x64.exe
 Start-Process -FilePath "VC_redist.x64.exe" -ArgumentList "/passive" -Wait -Passthru
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

--- a/gpAux/client/install/src/windows/CopyDependencies.bat
+++ b/gpAux/client/install/src/windows/CopyDependencies.bat
 set GPDB_DEPENDENCY_PATH=%1
 set GPDB_INSTALL_PATH=%2
+copy %GPDB_DEPENDENCY_PATH%\bin\kinit.exe %GPDB_INSTALL_PATH%\bin
+copy %GPDB_DEPENDENCY_PATH%\bin\klist.exe %GPDB_INSTALL_PATH%\bin
+copy %GPDB_DEPENDENCY_PATH%\bin\kdestroy.exe %GPDB_INSTALL_PATH%\bin
+copy %GPDB_DEPENDENCY_PATH%\bin\krbcc64.dll %GPDB_INSTALL_PATH%\bin
 copy %GPDB_DEPENDENCY_PATH%\bin\comerr64.dll %GPDB_INSTALL_PATH%\bin
 copy %GPDB_DEPENDENCY_PATH%\bin\gssapi64.dll %GPDB_INSTALL_PATH%\bin
 copy %GPDB_DEPENDENCY_PATH%\bin\k5sprt64.dll %GPDB_INSTALL_PATH%\bin

--- a/gpAux/client/install/src/windows/greenplum-clients.wxs
+++ b/gpAux/client/install/src/windows/greenplum-clients.wxs
@@ -1119,6 +1119,10 @@ If you want to review or change any of your installation settings, click Back. C
                <File Id="dropuser.exe" Name="dropuser.exe" Source="$(var.SRCDIR)\bin\dropuser.exe" />
                <File Id="libapr.dll" Name="libapr-1.dll" Source="$(var.SRCDIR)\bin\libapr-1.dll" />
                <File Id="libpq.dll" Name="libpq.dll" Source="$(var.SRCDIR)\bin\libpq.dll" />
+                <File Id="krbcc64.dll" Name="krbcc64.dll" Source="$(var.SRCDIR)\bin\krbcc64.dll" />
+                <File Id="kinit.exe" Name="kinit.exe" Source="$(var.SRCDIR)\bin\kinit.exe" />
+                <File Id="klist.exe" Name="klist.exe" Source="$(var.SRCDIR)\bin\klist.exe" />
+                <File Id="kdestroy.exe" Name="kdestroy.exe" Source="$(var.SRCDIR)\bin\kdestroy.exe" />
                <File Id="comerr64.dll" Name="comerr64.dll" Source="$(var.SRCDIR)\bin\comerr64.dll" />
                <File Id="gssapi64.dll" Name="gssapi64.dll" Source="$(var.SRCDIR)\bin\gssapi64.dll" />
                <File Id="k5sprt64.dll" Name="k5sprt64.dll" Source="$(var.SRCDIR)\bin\k5sprt64.dll" />

--- a/src/include/pg_config.h.win32
+++ b/src/include/pg_config.h.win32
@@ -647,7 +647,7 @@
 /* Define to the name of the default PostgreSQL service principal in Kerberos.
   (--with-krb-srvnam=NAME) */
-#define PG_KRB_SRVNAM "greenplum"
+#define PG_KRB_SRVNAM "postgres"
 /* A string containing the version number, platform, and C compiler */
 #define PG_VERSION_STR "Uninitialized version string (win32)"