#4995 GSSAPI auth for git push/pull over HTTP(S)
Opened 7 months ago by ngompa. Modified 7 months ago

The user authentication experience for packagers is pretty close to being fully unified. Today, we're split between SSH and GSSAPI for packager workflow from the CLI. It'd be great to get this fully consolidated to GSSAPI, allowing session single-sign-on to work basically everywhere and eliminating the overhead required to make tools work properly across the board.

Perhaps @simo may have some ideas here of how we could do that.

(This was mentioned in the Nest with Fedora talk on Pagure this year, but it seems to not be captured here as an RFE, so here it is!)

You can easily use mod_auth_gssapi on the server side and requests_gssapi in client tools, and you'll have full GSSAPI support across all footprints.

@simo if we wanted to do this in a webserver agnostic way (e.g. supporting it in OpenShift-ish environments or when nginx is used as the web server), how would we support this in Pagure itself?

You can do it with python-gssapi. The tricky part with something like OpenShift is naming, as you need the name the client sees to be the name of the principal you use, but that's regardless of how the server is implemented.

Of course, if you do implement it yourself then you'll need to make sure all pages are properly authenticated, as you can't use things like <location /> statements in Apache config to do it for you. But it is doable. You also want to have a single login page and then use cookies for performance (that is all implemented in mod_auth_gssapi already, which is why I suggested that in preference).
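Added example (editorial, not part of the comment above and not Pagure or mod_auth_gssapi code): a minimal WSGI wrapper sketching the two points raised there, namely that every request is authenticated in the application itself and that a signed session cookie avoids a GSSAPI exchange per request. The class name, the `gss_session` cookie and the `accept_token` hook are assumptions; the hook stands in for the python-gssapi acceptor step, and the mutual-authentication reply token and multi-leg contexts are left out.

```python
import base64, hashlib, hmac, time

class NegotiateMiddleware:
    """WSGI wrapper: every request needs a valid session cookie or a Negotiate token."""
    def __init__(self, app, accept_token, secret, ttl=300):
        # accept_token(bytes) -> principal name (str) or None. Hypothetical hook:
        # with python-gssapi it would drive an acceptor-side security context.
        self.app, self.accept_token = app, accept_token
        self.secret, self.ttl = secret, ttl

    def _sign(self, value):
        return hmac.new(self.secret, value.encode(), hashlib.sha256).hexdigest()

    def make_cookie(self, principal, now=None):
        value = "%s|%d" % (principal, (now or time.time()) + self.ttl)
        return "%s|%s" % (value, self._sign(value))

    def check_cookie(self, cookie, now=None):
        value, _, mac = cookie.rpartition("|")
        if not value or not hmac.compare_digest(mac.encode(), self._sign(value).encode()):
            return None  # missing or forged signature
        principal, _, expiry = value.rpartition("|")
        if not expiry.isdigit() or int(expiry) < (now or time.time()):
            return None  # expired session
        return principal

    def __call__(self, environ, start_response):
        principal, headers = None, []
        for part in environ.get("HTTP_COOKIE", "").split(";"):
            name, _, val = part.strip().partition("=")
            if name == "gss_session":
                principal = self.check_cookie(val)
        auth = environ.get("HTTP_AUTHORIZATION", "")
        if principal is None and auth.startswith("Negotiate "):
            try:
                token = base64.b64decode(auth[len("Negotiate "):], validate=True)
                principal = self.accept_token(token)
            except ValueError:  # malformed base64
                principal = None
            if principal:
                headers.append(("Set-Cookie", "gss_session=%s; HttpOnly; Secure"
                                % self.make_cookie(principal)))
        if principal is None:  # no path is served without authentication
            start_response("401 Unauthorized", [("WWW-Authenticate", "Negotiate")])
            return [b"authentication required\n"]
        environ["REMOTE_USER"] = principal
        return self.app(environ, lambda s, h, e=None: start_response(s, h + headers, e))
```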

We do need to do some stuff at the pagure git auth level to accept gssapi (and that may require python-gssapi), but that may wind up living in pagure-dist-git.

Depending on the difficulty of supporting gssapi auth across the board, we may want to shortcut for dist-git to use Apache and slightly extend pagure-dist-git (since it has a custom git auth plugin anyway).

We could then later double back to add it properly across the board natively...

@pingou what do you think?

Metadata Update from @ngompa:
- Issue tagged with: pkgs.fp

7 months ago

Let me know if you need any help, I can consult and review code for it.


We will definitely take you up on that offer :)
