#346 Add krb_principal option for waiverdb-cli
Merged 4 years ago by lholecek. Opened 4 years ago by lholecek.
lholecek/waiverdb krb_dns_canonicalize_hostname  into  master

@@ -2,6 +2,8 @@ 

  # Specify OIDC or Kerberos for authentication

  auth_method=OIDC

  api_url=https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0

+ # Try overriding Kerberos principal if authentication fails

+ #krb_principal=HTTP/waiverdb.example.com@EXAMPLE.COM


  oidc_id_provider=https://id.fedoraproject.org/openidc/

  oidc_client_id=waiverdb-authorizer

  oidc_client_secret=notsecret
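Review bot: the new `# Try overriding Kerberos principal if authentication fails` comment is too vague to act on and sits in a sample that has `auth_method=OIDC`, while the option is only read in the Kerberos branch (`elif auth_method == 'Kerberos': resp = _krb_auth(url, config, ...)`). Say both things in the comment, e.g. `# Kerberos only: set this when the principal in the server's keytab differs from the DNS-canonicalised api_url host`, and make the example principal match the `api_url` host just above rather than an unrelated example.com name, so a user can see what they are expected to change.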

file modified
+32 -18
@@ -34,6 +34,37 @@ 

          return subject

  

  

+ def _krb_auth(url, config, request_arguments):

+     # Try to import this now so the user gets immediate feedback if

+     # it isn't installed

+     try:

+         import gssapi  # noqa: F401

+         import requests_gssapi  # noqa: F401

+     except ImportError:

+         raise click.ClickException(

+             'python-requests-gssapi needs to be installed')

+ 

+     auth_kwargs = {}

+     krb_principal = config.get('waiverdb', 'krb_principal', fallback=None)

+     if krb_principal:

+         auth_kwargs['target_name'] = gssapi.Name(

+             krb_principal, gssapi.NameType.kerberos_principal)

+     auth = requests_gssapi.HTTPSPNEGOAuth(

+         mutual_authentication=requests_gssapi.OPTIONAL, **auth_kwargs)

+ 

+     resp = requests.request(

+         'POST', url, auth=auth, **request_arguments)

+     if resp.status_code == 401:

+         msg = resp.json().get(

+             'message', ('WaiverDB authentication using GSSAPI failed. Make sure you have a '

+                         'valid Kerberos ticket or that you correctly configured your Kerberos '

+                         'configuration file. Please check the doc for troubleshooting '

+                         'information.'))

+         raise click.ClickException(msg)

+ 

+     return resp

+ 

+ 

  def validate_config(config):

      """

      Validates the configuration needed for WaiverDB
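Review bot: `resp.json().get(...)` on the 401 path raises if the body is not JSON (an HTML error page from a reverse proxy, or an empty body), so a wrong `krb_principal` ends in a traceback instead of the intended `ClickException`; guard it, e.g. `try: msg = resp.json().get('message', default_msg)` / `except ValueError: msg = default_msg`. With the override in place a mistyped principal is now the most likely cause of that 401, so include the configured `krb_principal` (or "none configured") in the message instead of pointing only at the ticket cache and krb5.conf. Minor: `import gssapi  # noqa: F401` is no longer an unused import once `gssapi.Name(...)` is called below, so drop the noqa.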
@@ -274,24 +305,7 @@ 

              **common_request_arguments)

          check_response(resp, result_ids)

      elif auth_method == 'Kerberos':

-         # Try to import this now so the user gets immediate feedback if

-         # it isn't installed

-         try:

-             import requests_gssapi  # noqa: F401

-         except ImportError:

-             raise click.ClickException(

-                 'python-requests-gssapi needs to be installed')

-         auth = requests_gssapi.HTTPKerberosAuth(

-             mutual_authentication=requests_gssapi.OPTIONAL)

-         resp = requests.request(

-             'POST', url, auth=auth, **common_request_arguments)

-         if resp.status_code == 401:

-             msg = resp.json().get(

-                 'message', ('WaiverDB authentication using GSSAPI failed. Make sure you have a '

-                             'valid Kerberos ticket or that you correctly configured your Kerberos '

-                             'configuration file. Please check the doc for troubleshooting '

-                             'information.'))

-             raise click.ClickException(msg)

+         resp = _krb_auth(url, config, common_request_arguments)

          check_response(resp, result_ids)

      elif auth_method == 'dummy':

          resp = requests.request(
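Review bot: `_krb_auth(url, config, common_request_arguments)` passes `config`, but nothing in this hunk shows `config` being in scope in this function (the only visible use is `validate_config(config)`), so confirm the caller has it before merging. The switch from `HTTPKerberosAuth` to `HTTPSPNEGOAuth` is also not mentioned in the commit message, which only describes the new option; add a sentence there so the change is visible to anyone bisecting a Kerberos regression later.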

By default Kerberos tries to use the FQDN of the server. E.g. if client.conf
contains:

[waiverdb]
auth_method=Kerberos
api_url=https://waiverdb.example.com/api/v1.0

and the FQDN of "waiverdb.example.com" is "web-waiverdb.app.os.example.com",
the Kerberos principal will be
"HTTP/web-waiverdb.app.os.example.com@EXAMPLE.COM", which may not match
the principal in the server's keytab.

This can be changed by using a different configuration file with the
dns_canonicalize_hostname=false setting and setting the path to the file
using the KRB5_CONFIG environment variable.

The new option krb_principal allows overriding the Kerberos principal
in the waiverdb-cli configuration file instead. E.g.:

[waiverdb]
auth_method=Kerberos
api_url=https://waiverdb.example.com/api/v1.0
krb_principal=HTTP/waiverdb.example.com@EXAMPLE.COM

Signed-off-by: Lukas Holecek <hluk@email.cz>


rebased onto beea54df9238d5c824cc671de35505624c64948c

4 years ago

Hmm, I need to get rid of the REDHAT.COM.

Done. :)

There is probably a better way to do all this automatically - i.e. if krb authentication fails, retry with a krb principal constructed from the original host name (constructed the same way as if we had dns_canonicalize_hostname=false in krb5.conf).
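The principal construction described in the commit message, plus the automatic retry floated in the comment just above, as an added example; this is my illustration, not waiverdb-cli code. It assumes the realm EXAMPLE.COM, a constructed alias map standing in for DNS, and a constructed keytab set standing in for a real GSSAPI acceptor; `principal_candidates`, `authenticate` and the other helpers are hypothetical names, not functions in the project.

```python
"""Which Kerberos service principal will the client ask the KDC for?

Added example, not waiverdb code. Models the commit message (DNS
canonicalisation yields a principal the server's keytab lacks, fixed by a
krb_principal override) and the retry idea from the PR discussion. DNS, the
realm and the keytab are constructed stand-ins; nothing here talks to a KDC.
"""
import configparser
from urllib.parse import urlsplit

# Constructed stand-in for DNS: the alias chain from the commit message.
FAKE_DNS_ALIASES = {
    "waiverdb.example.com": "web-waiverdb.app.os.example.com",
}

# Constructed stand-in for the server keytab: it only holds the alias name.
SERVER_KEYTAB = {"HTTP/waiverdb.example.com@EXAMPLE.COM"}

# Assumed realm; a real client gets it from krb5.conf / the ticket cache.
REALM = "EXAMPLE.COM"


def canonical_hostname(host, aliases=FAKE_DNS_ALIASES):
    """Follow aliases to the canonical name, as dns_canonicalize_hostname=true does."""
    seen = set()
    while host in aliases and host not in seen:
        seen.add(host)
        host = aliases[host]
    return host


def service_principal(api_url, realm=REALM, dns_canonicalize_hostname=True,
                      aliases=FAKE_DNS_ALIASES):
    """HTTP/<host>@<REALM> for the host in api_url, canonicalised or not."""
    host = urlsplit(api_url).hostname.lower()
    if dns_canonicalize_hostname:
        host = canonical_hostname(host, aliases)
    return f"HTTP/{host}@{realm}"


def principal_candidates(config, realm=REALM, aliases=FAKE_DNS_ALIASES):
    """Ordered principals to try, mirroring the PR's config.get(..., fallback=None).

    An explicit krb_principal is used verbatim and nothing else is tried.
    Without it, the canonicalised name comes first and the plain api_url
    host second (the automatic retry suggested in the PR discussion).
    """
    api_url = config.get("waiverdb", "api_url")
    override = config.get("waiverdb", "krb_principal", fallback=None)
    if override:
        return [override]
    canonical = service_principal(api_url, realm, True, aliases)
    plain = service_principal(api_url, realm, False, aliases)
    return [canonical] if canonical == plain else [canonical, plain]


def authenticate(candidates, server_accepts):
    """Return the first principal the server accepts, or None (the 401 case)."""
    for principal in candidates:
        if server_accepts(principal):
            return principal
    return None


def keytab_accepts(principal, keytab=SERVER_KEYTAB):
    """A GSSAPI acceptor can only decrypt tickets for principals in its keytab."""
    return principal in keytab


def load_config(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


# Constructed client.conf variants from the commit message.
CONF_DEFAULT = """\
[waiverdb]
auth_method=Kerberos
api_url=https://waiverdb.example.com/api/v1.0
"""

CONF_OVERRIDE = CONF_DEFAULT + "krb_principal=HTTP/waiverdb.example.com@EXAMPLE.COM\n"


if __name__ == "__main__":
    for name, text in (("default", CONF_DEFAULT), ("override", CONF_OVERRIDE)):
        cands = principal_candidates(load_config(text))
        print(name, cands, "->", authenticate(cands, keytab_accepts))
```

With the default config the client first asks for HTTP/web-waiverdb.app.os.example.com@EXAMPLE.COM, which the constructed keytab cannot decrypt; only the retry with the plain host (or the explicit override) succeeds. MIT krb5 1.18 and later can do the same retry inside the library with `dns_canonicalize_hostname = fallback` in krb5.conf, which tries the un-canonicalised name first and canonicalises only if the KDC does not know it.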

should we change also our internal conf once this is merged with this parameter?


I don't know if we have any. But we should update internal documentation for the kerberos setup for waiverdb-cli.


We already have that: https://mojo.redhat.com/docs/DOC-1166445

I'll update the documentation after this is merged. I can mention the new option and that the kerberos setup won't be needed after waiverdb-cli version 1.1.2.

rebased onto 5ca2b79

4 years ago

Pull-Request has been merged by lholecek

4 years ago