#53 make the keytab file configurable
Closed 3 years ago by mjia. Opened 3 years ago by mjia.
mjia/waiverdb upstream into master

file modified
+1
@@ -34,6 +34,7 @@ 

      AUTH_METHOD = 'OIDC'  # Specify OIDC or Kerberos for authentication

      # Change it if the Kerberos service is not running on which the waiverdb is run.

      KERBEROS_HTTP_HOST = None

+     KERBEROS_AUTH_KEYTAB = '/etc/httpd.keytab'

      ZEROMQ_PUBLISH = True

  

  

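Review bot: the default `'/etc/httpd.keytab'` on the added line is assigned straight into KRB5_KTNAME by the second hunk, but as a later comment in this thread notes, that variable has to carry the `FILE:` prefix, so either store `'FILE:/etc/httpd.keytab'` here or prepend the prefix where the variable is set. The neighbouring settings each carry an explanatory comment; give KERBEROS_AUTH_KEYTAB one too, stating that it is only consulted when AUTH_METHOD is `'Kerberos'`.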
file modified
+3
@@ -10,6 +10,9 @@ 

  # GNU General Public License for more details.

  #

  

+ import os

  from waiverdb.app import create_app, init_db

  app = create_app()

  init_db(app)

+ if app.config['AUTH_METHOD'] == 'Kerberos':

+     os.environ['KRB5_KTNAME'] = app.config['KERBEROS_AUTH_KEYTAB']
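Review bot: the assignment on the last added line unconditionally overwrites a KRB5_KTNAME that is already present in the environment (the OpenShift deployment discussed below passes one in), so use `os.environ.setdefault('KRB5_KTNAME', ...)` or guard it with `if 'KRB5_KTNAME' not in os.environ:` so that an explicit deployment value wins over the config default. The value also needs the `FILE:` prefix mentioned later in the thread, e.g. `'FILE:' + app.config['KERBEROS_AUTH_KEYTAB']`.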

This will overwrite anything that is being passed in for KRB5_KTNAME, which is what I am doing in OpenShift...

Why can't you just set KRB5_KTNAME explicitly? Which environment is this for? Why is it needed?

mjia commented 3 years ago

I just can't find a clean way to set this environment variable in my ansible playbook. I can modify the code to only set this variable when it does not exist.

This will allow us to use the default keytab file when deploying with
Gunicorn if the environment variable KRB5_KTNAME is not set.

The right place to set this would be in the systemd unit that is invoking gunicorn.

You can also make the systemd unit source its environment from another file, like /etc/sysconfig/waiverdb or so, and then configure that other file from Ansible.

Btw the KRB5_KTNAME variable has to have FILE: prefixed to it.
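The systemd approach suggested above, as an added example that is not part of the pull request or waiverdb's own deployment files. It assumes the service unit is called waiverdb.service and that the keytab lives at /etc/httpd.keytab; ROOT lets the files be written under a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example (hypothetical deployment helper), not code from the PR.
# write_keytab_env ROOT KEYTAB: write the environment file the unit sources
# and a drop-in that makes the unit read it. KRB5_KTNAME must carry the
# FILE: prefix, as noted in the thread.
write_keytab_env() {
    root="$1"; keytab="$2"
    mkdir -p "$root/etc/sysconfig" "$root/etc/systemd/system/waiverdb.service.d"
    printf 'KRB5_KTNAME=FILE:%s\n' "$keytab" > "$root/etc/sysconfig/waiverdb"
    # Drop-in overriding the packaged unit; the leading "-" makes a missing
    # environment file non-fatal so the service still starts without it.
    cat > "$root/etc/systemd/system/waiverdb.service.d/keytab.conf" <<'EOF'
[Service]
EnvironmentFile=-/etc/sysconfig/waiverdb
EOF
}

# check_keytab_env ENVFILE: preflight run from Ansible or by hand. Succeeds
# only if the KRB5_KTNAME line has the FILE: prefix and the keytab it names
# is readable by the current user; prints the bare keytab path on success.
check_keytab_env() {
    envfile="$1"
    value=$(sed -n 's/^KRB5_KTNAME=//p' "$envfile")
    case "$value" in
        FILE:*) path="${value#FILE:}" ;;
        *) echo "KRB5_KTNAME lacks the FILE: prefix: '$value'" >&2; return 1 ;;
    esac
    [ -r "$path" ] || { echo "keytab not readable: $path" >&2; return 2; }
    echo "$path"
}
```

Run the check as the user the service runs as, since a keytab readable by root but not by that user fails in exactly the same way at service start.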

I kind of hate that we configure the Kerberos library through that env var, instead of just passing it the keytab we want to use directly... maybe that would be worth fixing in that library?

Yeah, it might be worth pointing it to python-gssapi which is intended to replace python-kerberos.

We should send a PR to flask-kerberos which makes it usable with other authentication methods (and also ports it to use python-gssapi???) so that we can go back to it, instead of carrying our own copy of all that logic.

Oops, I actually meant to write that comment on the (related) discussion in #55... will copy-paste it over there. :-)

Close this one as I'll create a new PR to set this in the systemd unit.

Pull-Request has been closed by mjia

3 years ago