Hello - Does Django have any support for the web application itself being
able to connect to MySQL using Kerberos Authentication / GSSAPI rather than
a hard coded database user name and password?
I have searched around the web for a while and am still trying to find a
way to get a Django web app itself to authenticate to a MySQL DB equipped
with GSSAPI plugin via Kerberos. The Django app runs off Apache started in
this way:
k5start -u user/server@domain -f /etc/krb5.keytab -- /usr/sbin/httpd
-DFOREGROUND
The user/server user exists on the DB with adequate permissions. Moreover,
on the command line this works and connects up fine:
k5start -u user/server@domain -f /etc/krb5.keytab -- mysql -u user/server
However, I've tried getting the web app to connect to the DB (the app
itself, not worrying about the user authentication yet) about a million
different ways. I verified the user running the web app is apache even when
run started up the k5start way. Nonetheless any requests are met with this
error:
(1105, 'Client GSSAPI error (major 851968, minor 0) : gss_init_sec_context -
Unspecified GSS failure. Minor code may provide more information. ')
The settings.py configuration for the database is as follows:
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'my_database',
'USER': 'user/server@domain',
#'PASSWORD' : '',
'HOST': 'localhost', # Or an IP Address that your DB is hosted on
'PORT': '3306',
}
}
Server Specs:
Django version: 2.2.8
Python version: 3.6.8
OS version: RHEL 7.8 (Maipo)
MySQL version: 10.1.45-MariaDB MariaDB Server
I am thinking perhaps Django is just not designed to work this way? I did
trace some of the code in the packages Django uses to connect to MySQL and
it appears to be something along the lines of mysql_connect / the MySQL
Connector C libraries or whatnot. And from what I saw a lot of the
parameters the code uses following the MySQL website documentation but
there was one parameter 'auth_plugin' or something like that, which did not
seem to be implemented. Yet at the same time it would seem like getting
Django to connect to the DB via kerberos would be a common problem? Again,
this is a separate problem I'm trying to solve besides authenticating users
to the website, rather I'm hoping to allow the app itself to authenticate
to the database with kerb ticket, and had been hoping starting up apache in
a kerberized way might let that happen.
Any suggestions from people more Kerberos knowledgeable than I?
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/7b12fcab-37e1-4bc9-b6e5-0c73a4437540%40googlegroups.com.
