#346 Add krb_principal option for waiverdb-cli
Merged a year ago by lholecek. Opened a year ago by lholecek.
lholecek/waiverdb krb_dns_canonicalize_hostname  into  master

@@ -2,6 +2,8 @@ 

  # Specify OIDC or Kerberos for authentication

  auth_method=OIDC

  api_url=https://waiverdb-web-waiverdb.app.os.fedoraproject.org/api/v1.0

+ # Try overriding Kerberos principal if authentication fails

+ #krb_principal=HTTP/waiverdb.example.com@EXAMPLE.COM

should we change also our internal conf once this is merged with this parameter?

  oidc_id_provider=https://id.fedoraproject.org/openidc/

  oidc_client_id=waiverdb-authorizer

  oidc_client_secret=notsecret

file modified
+32 -18
@@ -34,6 +34,37 @@ 

          return subject

  

  

+ def _krb_auth(url, config, request_arguments):

+     # Try to import this now so the user gets immediate feedback if

+     # it isn't installed

+     try:

+         import gssapi  # noqa: F401

+         import requests_gssapi  # noqa: F401

+     except ImportError:

+         raise click.ClickException(

+             'python-requests-gssapi needs to be installed')

+ 

+     auth_kwargs = {}

+     krb_principal = config.get('waiverdb', 'krb_principal', fallback=None)

+     if krb_principal:

+         auth_kwargs['target_name'] = gssapi.Name(

+             krb_principal, gssapi.NameType.kerberos_principal)

+     auth = requests_gssapi.HTTPSPNEGOAuth(

+         mutual_authentication=requests_gssapi.OPTIONAL, **auth_kwargs)

+ 

+     resp = requests.request(

+         'POST', url, auth=auth, **request_arguments)

+     if resp.status_code == 401:

+         msg = resp.json().get(

+             'message', ('WaiverDB authentication using GSSAPI failed. Make sure you have a '

+                         'valid Kerberos ticket or that you correctly configured your Kerberos '

+                         'configuration file. Please check the doc for troubleshooting '

+                         'information.'))

+         raise click.ClickException(msg)

+ 

+     return resp

+ 

+ 

  def validate_config(config):

      """

      Validates the configuration needed for WaiverDB
@@ -274,24 +305,7 @@ 

              **common_request_arguments)

          check_response(resp, result_ids)

      elif auth_method == 'Kerberos':

-         # Try to import this now so the user gets immediate feedback if

-         # it isn't installed

-         try:

-             import requests_gssapi  # noqa: F401

-         except ImportError:

-             raise click.ClickException(

-                 'python-requests-gssapi needs to be installed')

-         auth = requests_gssapi.HTTPKerberosAuth(

-             mutual_authentication=requests_gssapi.OPTIONAL)

-         resp = requests.request(

-             'POST', url, auth=auth, **common_request_arguments)

-         if resp.status_code == 401:

-             msg = resp.json().get(

-                 'message', ('WaiverDB authentication using GSSAPI failed. Make sure you have a '

-                             'valid Kerberos ticket or that you correctly configured your Kerberos '

-                             'configuration file. Please check the doc for troubleshooting '

-                             'information.'))

-             raise click.ClickException(msg)

+         resp = _krb_auth(url, config, common_request_arguments)

          check_response(resp, result_ids)

      elif auth_method == 'dummy':

          resp = requests.request(

By default Kerberos tries to use FQDN of the server. E.g. if client.conf
contains:

[waiverdb]
auth_method=Kerberos
api_url=https://waiverdb.example.com/api/v1.0

And FQDN of "waiverdb.example.com" is "web-waiverdb.app.os.example.com"
the Kerberos principal will be
"HTTP/web-waiverdb.app.os.example.com@EXAMPLE.COM" which may not match
the principal in server's keytab.

This can be changed by using different configuration file with
dns_canonicalize_hostname=false setting and setting path to the file
using KRB5_CONFIG environment variable.

The new option krb_principal allows to override the Kerberos principal
in waiverdb-cli configuration file instead. E.g:

[waiverdb]
auth_method=Kerberos
api_url=https://waiverdb.example.com/api/v1.0
krb_principal=HTTP/waiverdb.example.com@EXAMPLE.COM

Signed-off-by: Lukas Holecek hluk@email.cz

Hmm, I need to get rid of the REDHAT.COM.

rebased onto beea54d

a year ago

Hmm, I need to get rid of the REDHAT.COM.

Done. :)

There is probably a better way to do all this automatically - i.e. if krb authentication fails, retry with krb principal constructed from the original host name (constructed the same way as if we had dns_canonicalize_hostname=false in krb5.conf).

should we change also our internal conf once this is merged with this parameter?

should we change also our internal conf once this is merged with this parameter?

I don't know if we have any. But we should update internal documentation for the kerberos setup for waiverdb-cli.

should we change also our internal conf once this is merged with this parameter?

I don't know if we have any. But we should update internal documentation for the kerberos setup for waiverdb-cli.

We already have that: https://mojo.redhat.com/docs/DOC-1166445

I'll update the documentation after this is merged. I can mention the new option and that the kerberos setup won't be needed after waiverdb-cli version 1.1.2.

rebased onto 5ca2b79

a year ago

Pull-Request has been merged by lholecek

a year ago