diff --git a/src/api/app/controllers/application_controller.rb b/src/api/app/controllers/application_controller.rb
index 5fc1854b287..e7c2eb0633f 100644
--- a/src/api/app/controllers/application_controller.rb
+++ b/src/api/app/controllers/application_controller.rb
@@ -306,7 +306,7 @@ def gather_exception_defaults(opt)
 if @status == 401
 unless response.headers["WWW-Authenticate"]
- if CONFIG['kerberos_service_principal']
+ if CONFIG['kerberos_mode']
 response.headers["WWW-Authenticate"] = 'Negotiate'
 else
 response.headers["WWW-Authenticate"] = 'basic realm="API login"'
diff --git a/src/api/app/controllers/webui/webui_controller.rb b/src/api/app/controllers/webui/webui_controller.rb
index 896463ddf23..ee5a3ceb302 100644
--- a/src/api/app/controllers/webui/webui_controller.rb
+++ b/src/api/app/controllers/webui/webui_controller.rb
@@ -104,7 +104,7 @@ def valid_xml_id(rawid)
 protected
 def require_login
- if CONFIG['kerberos_service_principal']
+ if CONFIG['kerberos_mode']
 kerberos_auth
 else
 if User.current.nil? || User.current.is_nobody?
@@ -165,7 +165,7 @@ def authenticator
 end
 def kerberos_auth
- return true unless CONFIG['kerberos_service_principal'] && (User.current.nil? || User.current.is_nobody?)
+ return true unless CONFIG['kerberos_mode'] && (User.current.nil? || User.current.is_nobody?)
 authorization = authenticator.authorization_infos || []
 if authorization[0].to_s != "Negotiate"
diff --git a/src/api/app/helpers/webui/webui_helper.rb b/src/api/app/helpers/webui/webui_helper.rb
index 51ed1b6b5a0..a3203d985c6 100644
--- a/src/api/app/helpers/webui/webui_helper.rb
+++ b/src/api/app/helpers/webui/webui_helper.rb
@@ -379,7 +379,7 @@ def possibly_empty_ul(html_opts, &block)
 end
 def can_register
- return false if CONFIG['kerberos_service_principal']
+ return false if CONFIG['kerberos_mode']
 return true if User.current.try(:is_admin?)
 begin
diff --git a/src/api/config/options.yml.example b/src/api/config/options.yml.example
index 213e6f493ed..4861121d11b 100644
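Review bot: Gating on `CONFIG['kerberos_mode']` instead of `CONFIG['kerberos_service_principal']` at the changed line silently turns Kerberos off for any deployment whose options.yml still sets only the principal, which is exactly the upgrade path the renamed section in options.yml.example creates: the 401 challenge drops from `Negotiate` to `basic realm="API login"` and clients that used to negotiate get prompted for passwords instead. The same rename is made in webui_controller.rb (`require_login`, `kerberos_auth`), webui_helper.rb (`can_register`) and authenticator.rb (`extract_auth_user`), so the gap is consistent across the API and the web UI. I would add a boot-time check, or at least a logged deprecation warning, for the case where `kerberos_service_principal` is set but `kerberos_mode` is absent, and a comment here such as `# kerberos_mode gates the Negotiate challenge; a configured principal alone no longer enables it`. `gather_exception_defaults` begins outside the hunk.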
--- a/src/api/config/options.yml.example
+++ b/src/api/config/options.yml.example
@@ -34,11 +34,6 @@ frontend_protocol: https
 #external_frontend_port: 443
 #external_frontend_protocol: https
-# Kerberos authentication
-#kerberos_keytab: "/etc/krb5.keytab"
-#kerberos_service_principal: "HTTP/hostname.example.com@EXAMPLE.COM"
-#kerberos_realm: "EXAMPLE.COM"
-
 extended_backend_log: false
 # proxy_auth_mode can be :off, :on or :simulate
@@ -50,6 +45,16 @@ proxy_auth_mode: :off
 proxy_auth_test_user: coolguy
 proxy_auth_test_email: coolguy@example.com
+### Kerberos configuration
+
+ # can be true or false
+kerberos_mode: false
+
+#kerberos_keytab: "/etc/krb5.keytab"
+#kerberos_service_principal: "HTTP/hostname.example.com@EXAMPLE.COM"
+#kerberos_realm: "EXAMPLE.COM"
+
+
 #schema_location
 #version
diff --git a/src/api/lib/authenticator.rb b/src/api/lib/authenticator.rb
index 7c176acd901..1c4a0b66086 100644
--- a/src/api/lib/authenticator.rb
+++ b/src/api/lib/authenticator.rb
@@ -104,6 +104,10 @@ def authorization_infos
 def initialize_krb_session
 principal = CONFIG['kerberos_service_principal']
+ if principal.blank?
+ raise AuthenticationRequiredError, 'Kerberos configuration is broken. Principal is empty.'
+ end
+
 unless CONFIG['kerberos_realm']
 CONFIG['kerberos_realm'] = principal.rpartition("@")[2]
 end
@@ -202,13 +206,12 @@ def extract_proxy_user
 def extract_auth_user
 authorization = authorization_infos
- # privacy! logger.debug( "AUTH: #{authorization.inspect}" ) if authorization
 # logger.debug( "AUTH2: #{authorization}" ) if authorization
 if authorization[0] == "Basic"
 extract_basic_user authorization
- elsif authorization[0] == "Negotiate" && CONFIG['kerberos_service_principal']
+ elsif authorization[0] == "Negotiate" && CONFIG['kerberos_mode']
 extract_krb_user authorization
 else
 Rails.logger.debug "Unsupported authentication string '#{authorization[0]}' received."
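Review bot: The new `# can be true or false` comment on `kerberos_mode` does not tell the operator that the commented-out `kerberos_service_principal` (and keytab) below must also be filled in once the flag is true; authenticator.rb in this same commit raises on an empty principal, so the example would be clearer as `# when true, kerberos_service_principal and kerberos_keytab below must be set`. The flag is read by Ruby truthiness in the controllers, so a quoted value such as `"false"` would enable Kerberos; the comment could also say to keep the value an unquoted YAML boolean. The two trailing added blank lines before `#schema_location` look unintentional.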
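Review bot: Raising `AuthenticationRequiredError` for an empty principal in `initialize_krb_session` reports a server-side misconfiguration as a client authentication failure; if that class is what drives the 401 path in application_controller.rb, every request would be re-challenged with `Negotiate` and the client would keep retrying instead of the operator seeing a configuration error. A dedicated configuration error, or validating at boot that `kerberos_mode` implies a non-blank `kerberos_service_principal`, would fail loudly once and before any request is served. As a style point the new guard reads better in modifier form, `raise AuthenticationRequiredError, 'Kerberos configuration is broken. Principal is empty.' if principal.blank?`. `initialize_krb_session` continues past the end of the hunk.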