Conversation
https://github.com/AndreaGiardini/pulp/blob/master/client_lib/pulp/client/launcher.py#L71 These lines create a problem with the Kerberos authentication (no password needed for kerb)...
@AndreaGiardini I think these should have additional checks to ensure that kerberos is not being used. https://github.com/AndreaGiardini/pulp/blob/master/client_lib/pulp/client/launcher.py#L71
@AndreaGiardini I think release notes in master.rst should be written introducing this feature.
@AndreaGiardini It looks like python-krbV is on EL5, EL6, and FC19+, but not on EL7. Given that, I think the subprocess call to klist is good enough for now since we shouldn't pick up python-krbV yet. One thing that you could do would be to ask the maintainer (mikeb) if he would be willing to add python-krbV 1.0.90-1 to EPEL7. Would you want to do that?
Note: PIC module needs to be able to send kerberos requests well
@AndreaGiardini After looking into it python-kerberos should be available on all distros EL5, EL6, EL7, and FC19+. I see it listed on EL5 and FC19+ at this page. I also manually checked an EL6 box and an EL7 box and they both could receive python-kerberos from rhel-os. Given that it is available everywhere I think it should be included in the spec file as a dependency that gets installed along with python-pulp-bindings. You can do that in this area of the spec file.
@AndreaGiardini Add it to PIC if you like, but I don't think it's a requirement. Generally, I think PIC should go away, and a generic tool like drest should be used instead, but that is a whole other issue altogether.
@AndreaGiardini I read through this and it looks right overall. It's going to need some hand testing, and I'm not able to get to that today, but I wanted to let you know that it looks like you did the right thing. I know that it needs release notes in master.rst and the auth docs in general need to be updated to explain that Pulp now supports kerberos in bindings, pulp-admin, and pulp-consumer. I think it's probably smart to wait on writing the tests until we can verify correctness with hand testing. I hope to get to it soon, maybe tomorrow.
Any update? |
Hi @AndreaGiardini! I apologize for the delay. I am planning to check this out, but it may be a few more weeks before I have time to do a thorough analysis. Since this is an authentication change, it warrants more scrutiny than usual. Don't worry, we haven't forgotten it, and we are also very excited and happy that you have taken this work on!
Can one of the admins verify this patch? |
@AndreaGiardini would you mind rebasing this PR down to one commit? I'm deploying a Kerberos domain right now and I'm testing this code. Sorry it took so long, but I'm hoping to get this done soon!
ok test |
There does appear to be a small problem - if the user has no credential cache, and they also do not have an SSL certificate, pulp-admin has a traceback:
I'll keep testing, and I'll make more notes as I go. Thanks again for this PR, this is great stuff!
It does appear that pulp-admin is now able to use kerberos:
""" | ||
Verify if the user has a valid Kerberos ticket. | ||
|
||
:rtype: boolean |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also add a :return: True if the user has a valid ticket
here.
    username = options.username
    password = options.password

    logger.info("BASIC selected")

This might also be better to log at the debug level.
It does appear that password auth does work when the server is configured to use it, so that is good. Here are my thoughts so far:
Thanks so much, and let me know if you have any questions or if you want to discuss anything further. I'm happy to help you get this into Pulp!
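The review points above (the klist-based ticket check and its docstring, the BASIC-auth branch that should not run when Kerberos is usable, debug-level logging, and the traceback when neither a credential cache nor a client certificate exists) can be put together in one small selection routine. This is an added illustration, not the PR's launcher.py code; the function names, the "KERBEROS"/"BASIC"/"CERT" labels and the injectable `run`/`exists` callables are assumptions made here so the logic can be exercised without a real Kerberos setup.

```python
import logging
import os
import subprocess

logger = logging.getLogger(__name__)


def has_kerberos_ticket(run=subprocess.run):
    """
    Verify if the user has a valid Kerberos ticket.

    ``klist -s`` prints nothing and exits 0 only when the credential
    cache holds a non-expired ticket, so the exit status is the answer.

    :param run: callable that executes the command (injectable for tests)
    :return: True if the user has a valid ticket, False otherwise
    :rtype: boolean
    """
    try:
        completed = run(["klist", "-s"], stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL)
    except OSError:
        # klist not installed or not executable: treat as "no ticket".
        logger.debug("klist not runnable; assuming no Kerberos ticket")
        return False
    return completed.returncode == 0


def select_auth(options, cert_path, run=subprocess.run, exists=os.path.exists):
    """
    Decide how the CLI authenticates. Kerberos wins when a ticket exists,
    so the username/password branch is never entered in that case; with
    no ticket, no credentials and no client certificate we fail with a
    clear message instead of a traceback. (Labels are assumed here.)

    :return: one of "KERBEROS", "BASIC", "CERT"
    :rtype: str
    """
    if has_kerberos_ticket(run):
        logger.debug("KERBEROS selected")
        return "KERBEROS"
    if getattr(options, "username", None) and getattr(options, "password", None):
        logger.debug("BASIC selected")
        return "BASIC"
    if cert_path and exists(cert_path):
        logger.debug("CERT selected")
        return "CERT"
    raise RuntimeError("no Kerberos ticket, credentials or client certificate "
                       "available; run kinit or log in with a username first")
```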
ok to test |
Hello @AndreaGiardini! Apologies again for so much delay on this PR. I hope that didn't dissuade you from continuing on it. Do you think you will find some time to look at my comments soon? I'm very excited about this feature, and I appreciate the time you've invested in it so far!
Didn't have time yet, I'm quite busy at the moment! Will have a look as soon as I can!
Can one of the admins verify this patch? |
Sorry guys... I just don't have time anymore to keep working on this.
I was turned onto this incomplete patch by @rbarlow via IRC as we also had the need for Kerberos (AD) based SSO logins. I asked the lead admin here at work to take a look because my Python is extremely weak and his input was that this path is something of a dead end. Any future efforts on implementing Kerberos auth into pulp-admin should be done using mod_auth_gssapi.so and not mod_auth_kerb.so and/or Python modules that make direct Kerberos API calls as opposed to using GSSAPI. For now at least in our infra with Pulp 2.8, we've been able to show that AD Kerberos integration works provided you relax the current input validation on pulp-admin to allow '@' in usernames, using both mod_auth_kerb.so OR mod_auth_gssapi.so. The remaining problem is that since pulp-admin in its current state isn't GSSAPI-aware it cannot be used in lieu of the session certificate, but merely to obtain the session certificate. So it's certainly an improvement but it's not the promised land that this pull originally set out to be. Hopefully at some point in the future someone with more Python chops will come by and take up the task of making pulp-admin GSSAPI compatible.
This is a work in progress pull request to implement kerberos authentication via pulp CLI.