#184 Fix service name used for krb.
Closed 2 years ago by ralph. Opened 2 years ago by ralph.
ralph/waiverdb service-name  into  master

file modified
+4 -4
@@ -16,7 +16,7 @@ 

      else:

          hostname = gethostname()

  

-     service_name = gssapi.Name("HTTP@%s" % hostname,

+     service_name = gssapi.Name("HTTP/%s" % hostname,

                                 gssapi.NameType.hostbased_service)

  

      try:
@@ -41,9 +41,9 @@ 

          user = str(sc.initiator_name)

          return user, token

      except gssapi.exceptions.GSSError as e:

-         current_app.logger.error(

-             'Unable to authenticate: failed to %s: %s' %

-             (stage, e.gen_message()))

+         current_app.logger.exception(

+             'Unable to authenticate (%s): failed to %s: %s' %

+             (hostname, stage, e.gen_message()))

          raise Forbidden("Authentication failed")

  

  
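Review bot: The added `service_name` line pairs the `HTTP/%s` spelling with `gssapi.NameType.hostbased_service`, but that name type is defined for the `service@host` form (GSS_C_NT_HOSTBASED_SERVICE), so the new string is presumably taken as a service label with no host part rather than as `HTTP` on `hostname`. If the intent is a Kerberos principal string, the type should match the spelling, `service_name = gssapi.Name("HTTP/%s" % hostname, gssapi.NameType.kerberos_principal)`; if the intent is the host-based form, the removed `HTTP@%s` already matched the type and the name string is likely not what needs changing. A short comment next to the line stating which form the acceptor credential is expected in, `# host-based form is service@host; Kerberos principal form is service/host@REALM`, would keep the two from being mixed again. The enclosing function and the `if` branch that also assigns `hostname` start before this hunk.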

no initial comment

FWIW, it doesn't seem to work quite yet. See the traceback in the tls-and-kerberos PR on our openshift templates.

Okay so it seems like GSSAPI names are not the same as Kerberos names. Who knew.

https://pythonhosted.org/gssapi/basic-tutorial.html#names-and-credentials

The docs are a bit obtuse about how exactly you can construct just a normal Kerberos principal name. This is what I found:

>>> gssapi.Name('HTTP', gssapi.NameType.hostbased_service).canonicalize(gssapi.MechType.kerberos)
Name(b'HTTP/galangal.usersys.redhat.com@REDHAT.COM', <OID 1.2.840.113554.1.2.2.1>)
>>> gssapi.Name('HTTP@waiverdb.asdf', gssapi.NameType.hostbased_service).canonicalize(gssapi.MechType.kerberos)
Name(b'HTTP/waiverdb.asdf@', <OID 1.2.840.113554.1.2.2.1>)
>>> gssapi.Name('HTTP/waiverdb.asdf').canonicalize(gssapi.MechType.kerberos)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.6/site-packages/gssapi/names.py", line 231, in canonicalize
    return type(self)(rname.canonicalize_name(self, mech))
  File "gssapi/raw/names.pyx", line 286, in gssapi.raw.names.canonicalize_name
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639136): Configuration file does not specify default realm
>>> gssapi.Name('HTTP/waiverdb.asdf@REDHAT.COM').canonicalize(gssapi.MechType.kerberos)
Name(b'HTTP/waiverdb.asdf@REDHAT.COM', <OID 1.2.840.113554.1.2.2.1>)

So, still not sure what the right thing here is...

FYI, @rharwood is having a look. :)

Pull-Request has been closed by ralph

2 years ago