PR#63: Fix kerberos configuration checking issues - odcs

odcs

#63 Fix kerberos configuration checking issues

Closed 6 years ago by jkaluza. Opened 6 years ago by qwan.

qwan/odcs fix-kerberos-config-checking into master

Enable kerberos for authentication by default

Qixiang Wan • 6 years ago

ae0ff7e

Fix kerberos configuration checking issues

Qixiang Wan • 6 years ago

716ffa2

server/conf/config.py

file modified

+1 -1

		`@@ -58,7 +58,7 @@`
		`# noauth: no authentication is enabled. Useful for development particularly.`
		`# kerberos: Kerberos authentication is enabled.`
		`# openidc: OpenIDC authentication is enabled.`
		`- AUTH_BACKEND = ''`
		`+ # AUTH_BACKEND = ''`

		`# Used for Kerberos authentication and to query user's groups.`
		`# Format: ldap://hostname[:port]`

server/odcs/server/auth.py

file modified

+21 -8

		`@@ -38,6 +38,21 @@`
		`from odcs.server.models import commit_on_success`


		`+ def _validate_kerberos_config():`
		`+ errors = []`
		`+ if not conf.auth_ldap_server:`
		`+ errors.append("kerberos authentication enabled with no LDAP server configured, "`
		`+ "check AUTH_LDAP_SERVER in your config.")`
		`+`
		`+ if not conf.auth_ldap_group_base:`
		`+ errors.append("kerberos authentication enabled with no LDAP group base configured, "`
		`+ "check AUTH_LDAP_GROUP_BASE in your config.")`
		`+ if errors:`
		`+ for error in errors:`
		`+ log.exception(error)`
		`+ raise ValueError("Invalid configuration for kerberos authentication.")`
		`+`
		`+`
		`@commit_on_success`
		`def load_krb_user_from_request(request):`
		`"""Load Kerberos user from current request`
		`@@ -68,14 +83,8 @@`


		`def query_ldap_groups(uid):`
		`- ldap_server = conf.auth_ldap_server`
		`- assert ldap_server, 'LDAP server must be configured in advance.'`
		`-`
		`- group_base = conf.auth_ldap_group_base`
		`- assert group_base, 'Group base must be configured in advance.'`
		`-`
		`- client = ldap.initialize(ldap_server)`
		`- groups = client.search_s(group_base,`
		`+ client = ldap.initialize(conf.auth_ldap_server)`
		`+ groups = client.search_s(conf.auth_ldap_group_base,`
		`ldap.SCOPE_ONELEVEL,`
		`attrlist=['cn', 'gidNumber'],`
		`filterstr='memberUid={0}'.format(uid))`
		`@@ -146,12 +155,16 @@`
		`if backend == 'noauth':`
		`# Do not enable any authentication backend working with frontend`
		`# authentication module in Apache.`
		`+ log.info("Authentication is disabled.")`
		`return`
		`if backend == 'kerberos':`
		`+ log.info("Kerberos authentication is enabled.")`
		`+ _validate_kerberos_config()`
		`global load_krb_user_from_request`
		`load_krb_user_from_request = login_manager.request_loader(`
		`load_krb_user_from_request)`
		`elif backend == 'openidc':`
		`+ log.info("openIDC authentication is enabled.")`
		`global load_openidc_user`
		`load_openidc_user = login_manager.request_loader(load_openidc_user)`
		`else:`

server/odcs/server/config.py

file modified

+1 -1

		`@@ -172,7 +172,7 @@`
		`'desc': "Admin groups and users."},`
		`'auth_backend': {`
		`'type': str,`
		`- 'default': 'noauth',`
		`+ 'default': 'kerberos',`
		`'desc': "Select which authentication backend is enabled and work "`
		`"with frond-end authentication together."},`
		`'auth_openidc_userinfo_uri': {`

qwan commented 6 years ago

Remove assert statements.
Check kerberos authentication while starting service, rather than
checking that when the first request comes.
Enable kerberos authentication by default, 'noauth' is required to be specified explicitly.
FIXES: #61#59

rebased onto 716ffa2

6 years ago

cqi commented 6 years ago

LGTM

jkaluza commented 6 years ago

I did not check this PR before starting fixing the same issue as @qwan in this PR... I'm sorry for that, will try better next time... As we agreed in https://pagure.io/odcs/pull-request/70, I will close this PR without merging and we will merge PR#70 instead.