koji

Clone

#408 Support proxyuser=username in krbLogin
Merged 6 years ago by mikem. Opened 6 years ago by puiterwijk.
puiterwijk/koji krb-proxyuser  into  master

file modified
+23 -12 
@@ -328,10 +328,14 @@ 
 

              login_principal = cprinc.name
 

          user_id = self.getUserIdFromKerberos(login_principal)
 

          if not user_id:
 

-             if context.opts.get('LoginCreatesUser'):
 

-                 user_id = self.createUserFromKerberos(login_principal)
 

-             else:
 

-                 raise koji.AuthError('Unknown Kerberos principal: %s' % login_principal)
 

+             user_id = self.getUserId(login_principal)
 

+             if not user_id:
 

+                 # Only do autocreate if we also couldn't find by username AND the proxyuser
 

+                 # looks like a krb5 principal
 

+                 if context.opts.get('LoginCreatesUser') and '@' in login_principal:
 

+                     user_id = self.createUserFromKerberos(login_principal)
 

+                 else:
 

+                     raise koji.AuthError('Unknown Kerberos principal: %s' % login_principal)
 

  

          self.checkLoginAllowed(user_id)
 

  
@@ -397,14 +401,8 @@ 
 

              else:
 

                  raise koji.AuthError('%s is not authorized to login other users' % client_dn)
 

  

-         cursor = context.cnx.cursor()
 

-         query = """SELECT id FROM users
 

-         WHERE name = %(username)s"""
 

-         cursor.execute(query, locals())
 

-         result = cursor.fetchone()
 

-         if result:
 

-             user_id = result[0]
 

-         else:
 

+         user_id = self.getUserId(username)
 

+         if not user_id:
 

              if context.opts.get('LoginCreatesUser'):
 

                  user_id = self.createUser(username)
 

              else:
 
@@ -575,6 +573,19 @@ 
 

          #for compatibility
 

          return self.host_id
 

  

+     def getUserId(self, username):
 

+         """Return the user ID associated with a particular username. If no user
 

+         with the given username if found, return None."""
 

+         c = context.cnx.cursor()
 

+         q = """SELECT id FROM users WHERE name = %(username)s"""
 

+         c.execute(q, locals())
 

+         r = c.fetchone()
 

+         c.close()
 

+         if r:
 

+             return r[0]
 

+         else:
 

+             return None
 

+ 

      def getUserIdFromKerberos(self, krb_principal):
 

          """Return the user ID associated with a particular Kerberos principal.
 

          If no user with the given princpal if found, return None."""

Currently, krb would expect a krb principal where ssl expects a username.
This makes krb use the username, but also accept the krb_principal for
backwards compatibility.

Reopen of #236.

Signed-off-by: Patrick Uiterwijk puiterwijk@redhat.com

One piece of information that had not been taken into account in the original PR, which also involves clients using krbv-based login is that to provide the proxyuser, you must know the users kerberos principal.
While for users the principal is reproducible from their username as $username@$REALM, this is NOT the case if you want to proxyuser as a service account.
Those have a format of $servicename/$hostname@$REALM.

So koji clients like sigul that don't use krb auth themselves but that want to use proxyuser would then need to have a mapping between username and krb-principal.
One of which is already maintained: in the koji users table.

All original objections still apply. We can't take this as-is. I recognize the the issue needs to be fixed, but not with this patch

@mikem can you then propose a path forward, this must be fixed

Is there a pagure issue associated with this?

rebased
6 years ago

I have filled issue #410 for this

rebased
6 years ago

Thanks, Mike. Sometimes when a change comes in straight as a PR I find it challenging to see what the underlying issue is. Plus, it's easier to plan/prioritize Issues vs PRs. Now if only we could explicitly link PRs and Issues. :)

:thumbsup:

Works for me. I'll let this sit overnight to give others a chance to look.
Unless there is a problem, I'll merge tomorrow

Works for me.

Commit ee624d6 fixes this pull-request

Pull-Request has been merged by mikem@redhat.com
6 years ago
Changes Summary 1
+23 -12
file changed
koji/auth.py
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.