Changes between Initial Version and Version 1 of Ticket #3185


Timestamp: Oct 13, 2009, 1:38:42 PM
Author: warmerdam
Comment:

Ivan,

Would you be interested in reworking the session setup to allow OS authentication?

  • Ticket #3185

    • Property Cc Mateusz Łoskot ilucena added
    • Property Keywords OCI Oracle added
    • Property Component changed from default to OGR_SF
  • Ticket #3185 – Description

    initial v1  
    11The summary pretty much says it all. Below is an IRC discussion about this subject.  Sorry for adding an extra lines. Without them this ticket would be all garbled up:
    22
     3{{{
    34<cgs_bob> Hello all.  Is there a way to use ogr with an Oracle database that uses OS validation?
    4 
    55<mloskot> cgs_bob:  I would expect it's something transparent, not required to implement by proxy-client as OGR OCI driver is
    6 
    76<mloskot> cgs_bob:  [http://www.oracle-base.com/articles/misc/OsAuthentication.php]
    8 
    97<sigq> Title: ORACLE-BASE - OS Authentication (at www.oracle-base.com)
    10 
    118<cgs_bob> mloskot: I'm afraid I do not understand :)  are you saying that I would not need to supply a login and password?  in all of the ogr examples I've seen, you need to supply the login and password.
    12 
    139<mloskot> cgs_bob:  now, what I'm saying is chances are you can supply all necessary credentials in connection string and OGR OCI driver will forward it to oracle correctly
    14 
    1510<mloskot> AFAIK, OGR never interfers in things like authentication, but it just transparently passes this responsibility to another tier
    16 
    1711<cgs_bob> mloskot: gotcha.  I'll take a look at the link above and experiment more.  thanks for the info
    18 
    1912<mloskot> cgs_bob:  actually, it's very easy to check what OGR OCI does:
    20 
    2113<mloskot> [http://trac.osgeo.org/gdal/browser/trunk/gdal/ogr/ogrsf_frmts/oci/ogrocidatasource.cpp#L169]
    22 
    2314<sigq> Title: /trunk/gdal/ogr/ogrsf_frmts/oci/ogrocidatasource.cpp - GDAL - Trac (at trac.osgeo.org)
    24 
    2515<mloskot> connection string -> tokenize to retrieve user/pass, etc. -> pass to OCI library
    26 
    2716<mloskot> [http://trac.osgeo.org/gdal/browser/trunk/gdal/ogr/ogrsf_frmts/oci/ogrocisession.cpp#L107]
    28 
    2917<sigq> Title: /trunk/gdal/ogr/ogrsf_frmts/oci/ogrocisession.cpp - GDAL - Trac (at trac.osgeo.org)
    30 
    3118<mloskot> and this
    32 
    3319<mloskot> [http://trac.osgeo.org/gdal/browser/trunk/gdal/ogr/ogrsf_frmts/oci/ogrocisession.cpp#L137]
    34 
    3520<sigq> Title: /trunk/gdal/ogr/ogrsf_frmts/oci/ogrocisession.cpp - GDAL - Trac (at trac.osgeo.org)
    36 
    3721<cgs_bob> so how does OS validation fits into that scheme?  I thought there is no password.  in any case, I'll take a look at these links...thanks
    38 
    3922<FrankW> cgs_bob:  I don't know how os validation works either, but OGR does nothing special with regard to it.
    40 
    4123<mloskot> cgs_bob:  learn about Oracle and its API and having what OGR does, you will know
    42 
    4324<FrankW> And then consider adding some wisdom at: [http://trac.osgeo.org/gdal/wiki/Oracle]
    44 
    4525<sigq> Title: Oracle - GDAL - Trac (at trac.osgeo.org)
    46 
    4726<cgs_bob> mloskot and FrankW, thanks for the help.  I see I have lots of studying to do :) if I get any ifo worthy of the wiki I'll add it.
    48 
    4927<mloskot> OK, I think I found it
    50 
    5128<mloskot> The external authentication in Oracle can be achieved by call of OCISessionBegin function (from OCI) with proper flag OCI_CRED_EXT
    52 
    5329<mloskot> [http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96584/oci15r13.htm]
    54 
    5530<sigq> Title: OCI Relational Functions, 13 of 38 (at download.oracle.com)
    56 
    5731<mloskot> As I see, unfortunately, OGR OCI does not use this mode to establish connection/session
    58 
    5932<FrankW> So we would need to do something special in the driver?
    60 
    6133<FrankW> cgs_bob:  if you are really keen on doing this, file a ticket, and we might be able to incorporate it for testing in trunk.
    62 
    6334<mloskot> after 5 minutes research, yes
    64 
    6535<mloskot> we would need to use different API calls, different more advanced session construction
    66 
    6736<mloskot> but as I said, deeper investigation is needed.
    68 
    6937<FrankW> Perhaps I can talk Ivan into it!
    70 
    7138<mloskot> What I'm sure about is the flag OCI_CRED_EXT, it is used for so called OS Authentication even in PHP
    72 
    7339<FrankW> He is keen on all things oracle.
    74 
    7540<cgs_bob> FrankW: it is very important for use to use OS authentication, so I'll file a ticket
    76 
    7741<mloskot> We use OCILogon
    78 
    7942<mloskot> [http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96584/oci15re9.htm]
    80 
    8143<FrankW> cgs_bob:  a mandate from the IT police?
    82 
    8344<sigq> Title: OCI Relational Functions, 9 of 38 (at download.oracle.com)
    84 
    8545<mloskot> "to create a simple logon session."
    86 
    8746<mloskot> what would confirm what my suppositions
    88 
    8947<FrankW> Please include mloskot's notes and links in the ticket.
    90 
    9148<FrankW> mloskot:  I'm assuming you don't have a deep desire to work on the oracle driver?
    92 
    9349<mloskot> FrankW: it's not that I don't have desire, but I'm very short with time now
    94 
    9550<mloskot> not earlier than in 5-6 days
    96 
    9751<mloskot> but I will participate in the ticket and jump in if I can
    98 
    9952<cgs_bob> FrankW: yup.  and if we can't get ogr to work with OS authentication, they will have another reason to reject foss4g
    100 
    10153<FrankW> Oh, when you put it like that you motivate me!
    102 
    10354* mloskot has no idea who those they are, so can't get very motivated ;-)
    104 
    10555<cgs_bob> FrankW: we have done a lot of good stuff with foss4g, so our project is still alive
    106 
    10756<mloskot> What I've just learned, OCILogon is a simple single-user-session per connection mode, OCISessionBegin provides more advanced features
    108 
    10957<mloskot> [http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96584/oci02bas.htm]
    110 
    11158<sigq> Title: OCI Programming Basics (at download.oracle.com)
    112 
    11359<mloskot> Given that, I'm quite sure OGR OCI does not use API required to support Oracle OS Authentication
    114 
    11560--> chaitanyach has joined this channel (n=chaitany@117.204.64.167).
    116 
    11761<FrankW> I wonder if I could get oracle running on my new linux server.
    118 
    11962<mloskot> As I see, it should be sufficient to dig ogrocisession.cpp only and replace OCILogon with OCIServerAttach + some OCIHandleAlloc calls + OCISessionBegin as shown in this section
    120 
    12163<mloskot> OCIHandleAlloc
    122 
    12364<mloskot> [http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96584/oci02bas.htm#423550]
    124 
    12565<sigq> Title: OCI Programming Basics (at download.oracle.com)
     66}}}
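
Review bot: The opening sentence of the description (line 1, "Sorry for adding an extra lines. Without them this ticket would be all garbled up") is stale after this change, because the blank separator lines are removed and the log is now wrapped in {{{ }}}; drop that sentence so the description matches its formatting. The pasted log also keeps the channel join notice at new line 60, which carries a third party's host address, and the sigq title-bot lines; trimming both would leave only the technical discussion of OCILogon versus OCISessionBegin with OCI_CRED_EXT.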