PR#2141: kojiweb: update for mod_auth_gssapi configuration - koji

koji

#2141 kojiweb: update for mod_auth_gssapi configuration

Merged 2 years ago by tkopecek. Opened 2 years ago by ktdreyer.

ktdreyer/koji kojiweb-gssapi into master

kojiweb: update for mod_auth_gssapi configuration

Ken Dreyer • 2 years ago

50879c1

www/conf/kojiweb.conf

file modified

+3 -7

		`@@ -24,15 +24,11 @@`

		`# uncomment this to enable authentication via Kerberos`
		`# <Location /koji/login>`
		`- # AuthType Kerberos`
		`+ # AuthType GSSAPI`
		`# AuthName "Koji Web UI"`
		`- # KrbMethodNegotiate on`
		`- # KrbMethodK5Passwd off`
		`- # KrbServiceName HTTP`
		`- # KrbAuthRealm EXAMPLE.COM`
		`- # Krb5Keytab /etc/httpd.keytab`
		`- # KrbSaveCredentials off`
		`+ # GssapiCredStore keytab:/etc/koji.keytab`
		`# Require valid-user`
		`+ # GssapiLocalName Off`
		`# ErrorDocument 401 /koji-static/errors/unauthorized.html`
		`# </Location>`

ktdreyer commented 2 years ago

Delete the mod_auth_kerb configuration settings from the sample kojiweb.conf file. Add the mod_auth_gssapi settings instead.

ktdreyer commented 2 years ago

I tested a config almost identical to this with mod_auth_gssapi-1.5.1-5.el7 and it works.

ignatenkobrain commented on line 16 of www/conf/kojiweb.conf 2 years ago

Would be nice to have consistency in option values. In ssllogin, there is Off (note uppper case O). Also would be nice to have here GssapiSSLonly Off also for consistency reasons.

ignatenkobrain commented 2 years ago

However, I have tested this on my installation and it works just fine.

tkopecek commented 2 years ago

Issue #2144

rebased onto 79e1de40612f9a341913d4eb32065c69d9c8bda0

2 years ago

ktdreyer commented 2 years ago

Thanks for the review and testing @ignatenkobrain!

I've changed "off" to "Off" for consistency with the rest of the configuration in the tree.

Regarding GssapiSSLonly, I did not realize that we actually recommended turn that off on the hub. That is dangerous. We should actually set Require ssl for all login URLs (/koji/login and /kojihub/ssllogin). I can file a separate PR for that.

ktdreyer commented 2 years ago

https://pagure.io/koji/pull-request/2162 removes GssapiSSLonly Off from the Koij hub Apache configuration.

I investigated at Require ssl and it gets complicated because we have to wrap it in a <RequireAll> section. We can use the older SSLRequireSSL setting for simplicity. Let's add that in a separate PR, though.

rebased onto b906c760ed6db5dafa15cd678c036eb1ce79fe0a

2 years ago

rebased onto b9c513274dea2b380dd7c360bea701dd401dc701

2 years ago

tkopecek commented 2 years ago

:thumbsup: