Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make it easier to set up Apache httpd as a proxied service and a proxied NFS client #40

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Make it easier to set up Apache httpd as a proxied service and a proxied NFS client #40

wants to merge 2 commits into from

Conversation

jflorian
Copy link

Per discussion#39.

John Florian added 2 commits January 21, 2022 14:34
examples don't play well together
f5a0cbe 
The 80-httpd and 99-network-fs-clients examples might be used together
such as an Apache httpd web server that authenticates web clients but is
also authenticated itself as an NFS client to access remote content it
must serve to web clients.

This prevents ticket collisions in the credential caches by making them
distinct for these two independent use cases so that they might be used
together.

Signed-off-by: John Florian <jflorian@doubledog.org>
Cover two independent goals in Apache doc
8c1da97 
GSS-Proxy might be used to authenticate web clients to httpd AND also
authenticate the apache user running httpd to access networked file
systems with Kerberos.

Signed-off-by: John Florian <jflorian@doubledog.org>
simo5
simo5 requested changes Jan 21, 2022
View reviewed changes
Copy link
Contributor

@simo5 simo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure I want to change the config snippets by default.
I think we should describe that an admin may want to change the ccache if he intends to use disjoint principals for the http and nfs service configurations (if the same principal is used and just mapped on the nfs server side, this change would not be necessary)

docs/Apache.md
make sure the HTTP stanza preceeds any ```allow_any_uid=yes``` sections.)
make sure the HTTP stanza precedes any ```allow_any_uid=yes``` sections.)

For the second goal, the proxy will require a keytab for the user principal (apache@REALM). Again, the uid used here is 48, but it must match whatever httpd is running as.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So while this is a valid choice, it is not required. It is as well possible to simply map the HTTP/fqdn principal to an "apache" user on the server for example.
So I think we should rephrase this bit something like "a principal that maps to the correct user on the server", then you can make an example using apache@REALM...

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"NFS Server"

@jflorian
Copy link
Author

jflorian commented Feb 1, 2022

I think I follow and see why that would be less involved. Also seems more resilient to the order in which resources become available (booting a micro home data center or even installing rpms that want to conditionally add system users like apache). It would also be nice to not clutter IPA with extra principals for system users if they're really not needed. Let me try to rework my setup to make sure I truly comprehend it all. That will make it much easier for me to rework this.

Once again, thank you for taking the time to educate me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simo5 simo5 simo5 requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jflorian @simo5