koji

Clone

#198 Implement realm checks for Kerberos authentication
Closed 4 years ago by tkopecek. Opened 7 years ago by puiterwijk.
puiterwijk/koji check-krb-realm  into  master

file modified
+4 
@@ -21,6 +21,10 @@ 
 

  # ProxyPrincipals = koji/kojiweb@EXAMPLE.COM
 

  ## format string for host principals (%s = hostname)
 

  # HostPrincipalFormat = compile/%s@EXAMPLE.COM
 

+ ## Whether to allow anonymous tickets (principal WELLKNOWN/ANONYMOUS or realm WELLKNOWN:ANONYMOUS)
 

+ # AllowAnonymousKrb = False
 

+ ## Which realms to allow access (this is ignored if explicitly set on a user)
 

+ # AllowedKrbRealms = EXAMPLE.COM|MYDOMAIN.COM
 

  

  ## end Kerberos auth configuration

file modified
+13 -4 
@@ -638,10 +638,19 @@ 
 

          """Create a new user, based on the Kerberos principal.  Their
 

          username will be everything before the "@" in the principal.
 

          Return the ID of the newly created user."""
 

-         atidx = krb_principal.find('@')
 

-         if atidx == -1:
 

-             raise koji.AuthError, 'invalid Kerberos principal: %s' % krb_principal
 

-         user_name = krb_principal[:atidx]
 

+         principal = krb_principal.rsplit('@', 1)
 

+         if len(principal) != 2 or len(principal[1]) < 1:
 

+             # We didn't have a realm
 

+             raise koji.AuthError, 'Unparseable principal'
mikem commented 7 years ago

koji.AuthError('Unparseable principal')

 
+         user_name, realm = principal
 

+         if user_name == 'WELLKNOWN/ANONYMOUS' and not context.opts.get('AllowAnonymousKrb', False):
 

+             raise koji.AuthError, 'Anonymous tickets not allowed'
 

+         if realm == 'WELLKNOWN:ANONYMOUS' and not context.opts.get('AllowAnonymousKrb', False):
 

+             raise koji.AuthError, 'Anonymous realm not allowed'
 

+         allowed_realms = context.opts.get('AllowedKrbRealms', None)
 

+         if allowed_realms is not None:
 

+             if not realm in allowed_realms.split('|'):
 

+                 raise koji.AuthError, 'Realm %s is not allowed' %s % realm
 

  

          # check if user already exists
 

          c = context.cnx.cursor()

With this patch, we allow disabling accepting anonymous tickets at Koji, and
for admins to specify which realms are allowed to contact the system in the
case of a trust relationship.
These checks are ignored if a user is explicitly created with the particular
principal, since the checks only happen in the createUserFromKerberos call.

Signed-off-by: Patrick Uiterwijk puiterwijk@redhat.com

rebased
7 years ago

rebased
7 years ago

rebased
7 years ago

@puiterwijk Is this still needed with gssapi merged into koji?

Rebases to current HEAD just fine

Is there a use case for allowing user =WELLKNOWN/ANONYMOUS? It looks like this would allow anyone to use anon auth and create or log in as that singular user in Koji.

Do we need the allowed_realms enforcement? Seems like that would be something that happens at the httpd layer.

koji.AuthError('Unparseable principal')

Please use raise Exception('msg') rather than raise Exception, 'msg'

Is there a use case for allowing user =WELLKNOWN/ANONYMOUS? It looks like this would allow anyone to use anon auth and create or log in as that singular user in Koji.

This would be allowed indeed if the current realm allows anonymous connections.
I just didn't want to break anything if people do happen to use it for some crazy reason.

Do we need the allowed_realms enforcement? Seems like that would be something that happens at the httpd layer.

The httpd layer may also accept trusted realms, for example from partners, that you do not want to allow access to the koji installation.

@puiterwijk Is this still needed with gssapi merged into koji?

Not for people that switch to gssapi.
However, not everyone might want to do so.

This PR is over two years old and would only benefit users that haven't switched to gssapi. I haven't heard of anyone asking for this and suggest that we drop it. @mikem would you be ok with that?

I think it's risky to keep the non-gssapi code around, because it is security sensitive and it will get no attention with Python 2 going EOL. I think we should drop all the non-gssapi Kerberos paths.

FYI, we did a similar check in PR #1648 for both gssapi and non-gssapi auth

@julian8628 - so can we drop this one as #1648 obsoletes it?

@tkopecek, I think we can drop this unless the anonymous kerb is used in some instances.

Ok, let's drop this. I've also created #1906 for dropping krb code.

Pull-Request has been closed by tkopecek
4 years ago
Metadata
None
No Tags
Changes Summary 2
+4 -0
file changed
hub/hub.conf
+13 -4
file changed
koji/auth.py
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.