#6582 Adding Kerberos authentication
Closed 3 years ago by mohanboddu. Opened 3 years ago by mohanboddu.
mohanboddu/releng krb_auth  into  master

file modified
+2 -7
@@ -26,11 +26,6 @@ 

  PRODUCTION_KOJI = "https://koji.fedoraproject.org/kojihub"

  STAGING_KOJI = "https://koji.stg.fedoraproject.org/kojihub"

  

- # Should probably set these from a koji config file

- SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')

- CLIENTCERT = os.path.expanduser('~/.fedora.cert')

- 

  

  class ReleaseMapper(object):

      BRANCHNAME = 0
@@ -84,8 +79,8 @@ 

      Get a list of all blocked and unblocked packages in a branch.

      """

      url = PRODUCTION_KOJI if not staging else STAGING_KOJI

-     kojisession = koji.ClientSession(url)

-     kojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

+     kojisession = koji.ClientSession(url, {'krb_rdns': False})

+     kojisession.krb_login()

      pkglist = kojisession.listPackages(tagID=tag, inherited=True)

      blocked = []

      unblocked = []
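Review bot: The `{'krb_rdns': False}` option on the new `koji.ClientSession(url, ...)` line is an unexplained literal, and the same dict is repeated in nearly every script this PR touches. As far as I know the option controls whether the hub hostname is canonicalised through DNS before the Kerberos service principal is built, so it affects which service the client requests a ticket for. A comment such as `# krb_rdns=False: build the service principal from the hostname in the hub URL, not from a DNS-canonicalised name` would tell the next maintainer why it must stay. Reading the value from the koji config file, as the removed comment suggested for the certificate paths, would keep the setting in one place. The enclosing function starts and ends outside this hunk.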

file modified
+2 -7
@@ -19,11 +19,6 @@ 

  REMOTEKOJIHUB = 'http://koji.fedoraproject.org/kojihub'

  PACKAGEURL = 'http://kojipkgs.fedoraproject.org/'

  

- # Should probably set these from a koji config file

- SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCERT = os.path.expanduser('~/.fedora.cert')

- 

  workpath = '/tmp/build-recent'

  

  loglevel = logging.DEBUG
@@ -139,9 +134,9 @@ 

  

  # setup the koji session

  logging.info('Setting up koji session')

- localkojisession = koji.ClientSession(LOCALKOJIHUB)

+ localkojisession = koji.ClientSession(LOCALKOJIHUB, {'krb_rdns': False})

  remotekojisession = koji.ClientSession(REMOTEKOJIHUB)

- localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

+ localkojisession.krb_login()

  

  tag = 'f18-rebuild'
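Review bot: `localkojisession.krb_login()` is called with no arguments, so the script authenticates as whichever principal happens to be in the invoking user's ambient credential cache. Two other scripts in this PR already pass `krb_login(principal=args.principal, keytab=args.keytab)`; offering the same arguments here would make the identity explicit and let the script run unattended without depending on a prior manual ticket. The same bare `krb_login()` is added in most of the other hunks in this PR, so the remark applies to them as well.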

  

file modified
+2 -7
@@ -20,11 +20,6 @@ 

  REMOTEKOJIHUB = 'http://koji.fedoraproject.org/kojihub'

  PACKAGEURL = 'http://kojipkgs.fedoraproject.org/'

  

- # Should probably set these from a koji config file

- SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCERT = os.path.expanduser('~/.fedora.cert')

- 

  workpath = '/tmp/build-recent'

  

  loglevel = logging.DEBUG
@@ -130,9 +125,9 @@ 

  

  # setup the koji session

  logging.info('Setting up koji session')

- localkojisession = koji.ClientSession(LOCALKOJIHUB)

+ localkojisession = koji.ClientSession(LOCALKOJIHUB, {'krb_rdns': False})

  remotekojisession = koji.ClientSession(REMOTEKOJIHUB)

- localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

+ localkojisession.krb_login()

  

  tag = 'dist-f16'

  

@@ -39,10 +39,6 @@ 

  else:

      KOJIHUB = 'http://%s.koji.fedoraproject.org/kojihub' % (args.arch)

  

- # Should probably set these from a koji config file

- SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')

- CLIENTCERT = os.path.expanduser('~/.fedora.cert')

  

  def _rpmvercmp((e1, v1, r1), (e2, v2, r2)):

      """find out which build is newer"""
@@ -62,8 +58,8 @@ 

          return -1

  

  

- kojisession = koji.ClientSession(KOJIHUB)

- kojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

+ kojisession = koji.ClientSession(KOJIHUB, {'krb_rdns': False})

+ kojisession.krb_login()

  

  if args.package == []:

      latest_builds = sorted(kojisession.listTagged(args.tag, latest=True),
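Review bot: `kojisession.krb_login()` now runs against `KOJIHUB`, which the context line above sets to `'http://%s.koji.fedoraproject.org/kojihub' % (args.arch)`, a plain-HTTP URL. Whether the koji client upgrades the scheme during Kerberos login is not visible here, so the authentication exchange and the session that follows may travel unencrypted and without server certificate verification. Changing the literal to `https://` removes the doubt; another script in this PR already uses `'https://%s.koji.fedoraproject.org/kojihub' % arch`. The same applies to the `'http://ppc.koji.fedoraproject.org/kojihub'` session in the next file and to `self.options.kojihub = 'http://koji.fedoraproject.org/kojihub'` in the file whose hunk removes the `/etc/pki/pkgsigner` paths. The `else:` branch that assigns `KOJIHUB` begins outside the hunk.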

file modified
+2 -5
@@ -16,13 +16,10 @@ 

  tag = 'f25'

  oldtag = 'f24'

  # Create a koji session

- kojisession = koji.ClientSession('http://ppc.koji.fedoraproject.org/kojihub')

+ kojisession = koji.ClientSession('http://ppc.koji.fedoraproject.org/kojihub', {'krb_rdns': False})

  

  # Log into koji

- clientcert = os.path.expanduser('~/.fedora.cert')

- clientca = os.path.expanduser('~/.fedora-upload-ca.cert')

- serverca = os.path.expanduser('~/.fedora-server-ca.cert')

- kojisession.ssl_login(clientcert, clientca, serverca)

+ kojisession.krb_login()

  

  # Get all builds tagged into the tag w/o inherited builds

  builds = kojisession.listTagged(tag, latest=True)

file modified
+2 -2
@@ -35,7 +35,7 @@ 

  REMOTEKOJIHUB = 'https://koji.fedoraproject.org/kojihub'

  PACKAGEURL = 'http://kojipkgs.fedoraproject.org/'

  

- # Should probably set these from a koji config file

+ # Should only be used for ssl login

  SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

  CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')

  CLIENTCERT = os.path.expanduser('~/.fedora.cert')
@@ -71,7 +71,7 @@ 

  localkojisession = koji.ClientSession(LOCALKOJIHUB, session_opts)

  remotekojisession = koji.ClientSession(REMOTEKOJIHUB)

  if os.path.isfile(CLIENTCERT):

-     localckojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

+     localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

  else:

      if args.keytab and args.principal:

          localkojisession.krb_login(principal=args.principal, keytab=args.keytab)
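Review bot: The login method is still selected by `os.path.isfile(CLIENTCERT)`, so a leftover `~/.fedora.cert` forces the SSL path and the Kerberos branch is never tried, even when `args.keytab` and `args.principal` are supplied. The line being fixed referred to `localckojisession`, which presumably was undefined, so the SSL branch would have failed with a NameError whenever it was taken and has probably not been exercised recently. Consider choosing the method from an explicit argument, or preferring Kerberos when `args.keytab` and `args.principal` are set, and wording the comment as `# Legacy SSL client-cert login; used only when ~/.fedora.cert exists`. The next file in this PR carries the identical hunk, and the `if`/`else` continues past the end of the hunk.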

file modified
+2 -2
@@ -33,7 +33,7 @@ 

  REMOTEKOJIHUB = 'https://koji.fedoraproject.org/kojihub'

  PACKAGEURL = 'http://kojipkgs.fedoraproject.org/'

  

- # Should probably set these from a koji config file

+ # Should only be used for ssl login

  SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

  CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')

  CLIENTCERT = os.path.expanduser('~/.fedora.cert')
@@ -150,7 +150,7 @@ 

  localkojisession = koji.ClientSession(LOCALKOJIHUB, session_opts)

  remotekojisession = koji.ClientSession(REMOTEKOJIHUB)

  if os.path.isfile(CLIENTCERT):

-     localckojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

+     localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

  else:

      if args.keytab and args.principal:

          localkojisession.krb_login(principal=args.principal, keytab=args.keytab)

file modified
+2 -5
@@ -23,14 +23,11 @@ 

  tag = ''

  

  # setup koji sessions: 

- serverca = os.path.expanduser('~/.fedora-server-ca.cert')

- clientca = os.path.expanduser('~/.fedora-upload-ca.cert')

- clientcrt = os.path.expanduser('~/.fedora.cert')

  primarykoji = 'https://koji.fedoraproject.org/kojihub'

  secondarykoji = 'https://ppc.koji.fedoraproject.org/kojihub' 

  primary = koji.ClientSession(primarykoji)

- secondary = koji.ClientSession(secondarykoji)

- secondary.ssl_login(clientcrt, clientca, serverca) 

+ secondary = koji.ClientSession(secondarykoji, {'krb_rdns': False})

+ secondary.krb_login()

  

  # do the thing: 

  

file modified
+2 -5
@@ -45,9 +45,6 @@ 

  rawhide = 'f23'

  

  # koji setup

- auth_cert = os.path.expanduser('~/.fedora.cert')

- auth_ca = os.path.expanduser('~/.fedora-server-ca.cert')

- serverca = os.path.expanduser('~/.fedora-server-ca.cert')

  remote = koji.ClientSession('http://koji.fedoraproject.org/kojihub')

  

  # Configuration options below have been converted to use options. 
@@ -95,8 +92,8 @@ 

  # parse the koji-shadow config file, login to our koji:

  ks_config = ConfigParser.ConfigParser()

  ks_config.read(shadowconfig)

- local = koji.ClientSession(ks_config.get("main", "server"))

- local.ssl_login(auth_cert, auth_ca, serverca)

+ local = koji.ClientSession(ks_config.get("main", "server"), {'krb_rdns': False})

+ local.krb_login()

  

  # set up the queues

  buildqueue = deque()

file modified
+2 -5
@@ -21,13 +21,10 @@ 

  tasks = {} # dict of new build task info

  

  # Create a koji session

- kojisession = koji.ClientSession('https://koji.fedoraproject.org/kojihub')

+ kojisession = koji.ClientSession('https://koji.fedoraproject.org/kojihub', {'krb_rdns': False})

  

  # Log into koji

- clientcert = os.path.expanduser('~/.fedora.cert')

- clientca = os.path.expanduser('~/.fedora-upload-ca.cert')

- serverca = os.path.expanduser('~/.fedora-server-ca.cert')

- kojisession.ssl_login(clientcert, clientca, serverca)

+ kojisession.krb_login()

  

  # Generate a list of builds to iterate over, sorted by package name

  builds = sorted(kojisession.listTagged(holdingtag, latest=True),

file modified
+2 -6
@@ -21,10 +21,6 @@ 

  untag = []

  loglevel = ''

  KOJIHUB = 'https://koji.fedoraproject.org/kojihub'

- # Should probably set these from a koji config file

- SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')

- CLIENTCERT = os.path.expanduser('~/.fedora.cert')

  # Setup a dict of our key names as sigul knows them to the actual key ID

  # that koji would use.  We should get this from sigul somehow.

  
@@ -60,8 +56,8 @@ 

  

  # setup the koji session

  logging.info('Setting up koji session')

- kojisession = koji.ClientSession(KOJIHUB)

- if not kojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA):

+ kojisession = koji.ClientSession(KOJIHUB, {'krb_rdns': False})

+ if not kojisession.krb_login():

      logging.error('Unable to log into koji')

      sys.exit(1)
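Review bot: The `if not kojisession.krb_login():` guard only catches a false return value. If the koji client reports a failed Kerberos login by raising (not visible on this page), the `logging.error('Unable to log into koji')` branch is skipped and the script ends with a traceback instead. Wrapping the call in `try:` with `except Exception as e: logging.error('Unable to log into koji: %s', e); sys.exit(1)` keeps the clean exit and records why login failed. This is the only script in the PR that checks the login result at all, so the other bare `krb_login()` calls would benefit from the same handling.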

  

file modified
+2 -4
@@ -315,6 +315,7 @@ 

          self.options.kojihub = 'http://koji.fedoraproject.org/kojihub'

          self.options.regex = False

          self.options.ignore = []

+         self.options.krb_rdns = False

  

      def create_koji_session(self):

          # used options: debug, debug_xmlrpc, user, password
@@ -742,10 +743,7 @@ 

  

      def cmd_default(self):

          self.tweak_options()

-         clientcert = '/etc/pki/pkgsigner/pkgsigner.pem'

-         clientca = '/etc/pki/pkgsigner/fedora-upload-ca.cert'

-         serverca = '/etc/pki/pkgsigner/fedora-server-ca.cert'

-         self.koji_session.ssl_login(clientcert, clientca, serverca) # NEEDSWORK

+         self.koji_session.krb_login()

          self.print_msg("Getting rpm list from koji")

          if self.options.builds:

              rpms = self.get_build_rpms(self.options.builds)
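Review bot: `self.options.krb_rdns = False` is added in the first hunk, but the comment at the top of `create_koji_session` lists the options it uses as `debug, debug_xmlrpc, user, password`, so it is not evident that the new value ever reaches `koji.ClientSession`. If `create_koji_session` does not forward it, this script alone would log in with the client's default `krb_rdns` behaviour while every other script in the PR disables it explicitly. Please confirm the option is passed through and extend that comment to `# used options: debug, debug_xmlrpc, user, password, krb_rdns`. Both method bodies extend beyond the hunks shown.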

@@ -184,9 +184,6 @@ 

                      arch=arch)

          else:

              self.kojihub = 'https://koji.fedoraproject.org/kojihub'

-         self.serverca = os.path.expanduser('~/.fedora-server-ca.cert')

-         self.clientca = os.path.expanduser('~/.fedora-upload-ca.cert')

-         self.clientcert = os.path.expanduser('~/.fedora.cert')

          self.kojisession = koji.ClientSession(self.kojihub, {'krb_rdns': False})

          self.kojisession.krb_login()

  

@@ -21,11 +21,6 @@ 

  

  arches = ['arm', 'ppc', 's390']

  

- # Should probably set these from a koji config file

- SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

- CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')

- CLIENTCERT = os.path.expanduser('~/.fedora.cert')

- 

  kojisession = koji.ClientSession('https://koji.fedoraproject.org/kojihub')

  

  def getBlocked(kojisession, tag):
@@ -51,8 +46,8 @@ 

  for arch in arches:

      print "== Working on Arch: %s" % arch

      # Create a koji session

-     seckojisession = koji.ClientSession('https://%s.koji.fedoraproject.org/kojihub' % arch )

-     seckojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA)

+     seckojisession = koji.ClientSession('https://%s.koji.fedoraproject.org/kojihub' % arch , {'krb_rdns': False})

+     seckojisession.krb_login()

  

      for tag in tags:

          print "=== Working on tag: %s" % tag

@@ -28,7 +28,7 @@ 

  parser.add_argument("tag", nargs="+", help="tag to sync")

  args = parser.parse_args()

  

- # Should probably set these from a koji config file

+ # Should only be used for ssl login

  SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert')

  CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert')

  CLIENTCERT = os.path.expanduser('~/.fedora.cert')