[WFCORE-105] Enabling Kerberos authentication over the HTTP management interface. #214

Merged
merged 6 commits into from Oct 6, 2014

3 participants
darranl (Contributor) commented Oct 1, 2014

No description provided.

wildfly-ci commented Oct 1, 2014

Windows Build 249 is now running using a merge of 87437e7

wildfly-ci commented Oct 1, 2014

Linux Build 506 is now running using a merge of 87437e7

wildfly-ci commented Oct 1, 2014

Windows Build 249 outcome was SUCCESS using a merge of 87437e7
Summary: Tests passed: 2601, ignored: 56 Build time: 0:13:15

wildfly-ci commented Oct 1, 2014

Linux Build 506 outcome was SUCCESS using a merge of 87437e7
Summary: Tests passed: 2601, ignored: 56 Build time: 0:16:20

server/src/main/resources/schema/wildfly-config_3_0.xsd
<xs:documentation>
Reference to an individual keytab.
On receipt of an incomming request the host name will be extracted from the request and the keytab to be used will be selected as follows: -

bstansberry (Contributor) Oct 1, 2014

s/incomming/incoming

2 - Iterate the list of keytabs and compare the host name against the host extracted from the request.
3 - Use the keytab where for-hosts is set to '*'.
If no match is found no keytab will be selected and Kerberos will not be available for communication as that host.
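Review bot: the documented selection order leaves two cases unspecified: whether step 3 (the keytab whose for-hosts is '*') is only reached when step 2 finds no match, and which keytab wins when more than one entry lists the same host name in for-hosts. Suggest stating that an exact for-hosts match takes precedence over '*' and that the first match in list order is used (or that duplicate host names are rejected when the model is validated), since the keytab chosen decides which service principal the server authenticates as for that request.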

bstansberry (Contributor) Oct 1, 2014

"for communication as that host"

"to that host" or "with that host"

darranl (Contributor) Oct 2, 2014

I think 'as' is fine here - when we receive an HTTP request from a client the Host header could be any one of a number of host names - what we are doing here is selecting a keytab so that we can assume the identity of the host the client thinks they are talking to.

If no keytab is selected we cannot use Kerberos as the host the client thinks we are.
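The selection darranl describes, as an added example that is not part of this pull request or of WildFly's code: the host is taken from the request's Host header, an exact for-hosts match wins, a keytab with for-hosts '*' is the fallback, and a null result means Kerberos is not offered as that host. Class, field and keytab file names are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example, not WildFly code: the keytab selection that the XSD documentation and
// darranl's comment describe. Class, field and file names here are assumptions.
public class KeytabSelector {
    static final class Keytab {                 // one keytab: its path and the hosts it serves
        final String path;
        final List<String> forHosts;            // host names, or "*" for any host
        Keytab(String path, String... forHosts) { this.path = path; this.forHosts = Arrays.asList(forHosts); }
    }
    /** The host the client thinks it is talking to: the Host header minus any port, lower-cased. */
    static String hostFromHeader(String hostHeader) {
        if (hostHeader == null || hostHeader.trim().isEmpty()) return null;
        String h = hostHeader.trim();
        if (h.startsWith("[")) {                                   // IPv6 literal such as [::1]:9990
            int end = h.indexOf(']');
            return end > 0 ? h.substring(1, end).toLowerCase(Locale.ROOT) : null;
        }
        int colon = h.indexOf(':');
        return (colon >= 0 ? h.substring(0, colon) : h).toLowerCase(Locale.ROOT);
    }
    // Step 2: first keytab whose for-hosts lists the requested host; step 3: otherwise the
    // keytab whose for-hosts is '*'. Null means no keytab, so Kerberos is not offered as that host.
    static Keytab select(List<Keytab> keytabs, String hostHeader) {
        String host = hostFromHeader(hostHeader);
        if (host == null) return null;
        Keytab wildcard = null;
        for (Keytab k : keytabs) {
            for (String h : k.forHosts) {
                if ("*".equals(h)) {
                    if (wildcard == null) wildcard = k;            // remember the fallback, keep looking
                } else if (h.equalsIgnoreCase(host)) {
                    return k;                                      // an exact match wins
                }
            }
        }
        return wildcard;
    }
    public static void main(String[] args) {
        List<Keytab> keytabs = Arrays.asList(                       // constructed sample configuration
                new Keytab("/etc/krb5/mgmt.keytab", "mgmt.example.com"),
                new Keytab("/etc/krb5/fallback.keytab", "*"));
        for (String hdr : new String[] {"MGMT.example.com:9990", "other.example.com", "[::1]:9990", ""}) {
            Keytab k = select(keytabs, hdr);
            System.out.println("Host '" + hdr + "' -> " + (k == null ? "no keytab" : k.path));
        }
    }
}
```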

...src/main/java/org/jboss/as/domain/management/security/KeytabService.java
@Override
public void start(StartContext context) throws StartException {
String relativeTo = this.relativeTo.getOptionalValue();
String keytabFile = relativeTo == null ? path : relativeTo + "/" + path;
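Review bot: `relativeTo + "/" + path` treats the relative-to value as a literal directory and hard-codes the separator; as bstansberry notes, the value should be resolved through the PathManager rather than by string concatenation. While start() is being reworked, it is also worth checking that the resolved keytab file exists and is readable here, so that a missing or unreadable keytab fails the service start with a clear message instead of surfacing later at the first Kerberos negotiation.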

bstansberry (Contributor) Oct 1, 2014

The PathManager should be used for this sort of thing.

...main/java/org/jboss/as/domain/management/security/KeytabTestHandler.java
.setReplyType(ModelType.STRING).setReplyValueType(ModelType.STRING).build();
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {

bstansberry (Contributor) Oct 1, 2014

Please add...

// Validate this is being called against an actual resource.
// This makes valid the subsequent assumption that the relevant service will be installed.
context.readResource(PathAddress.EMPTY_ADDRESS, false);

Just today I diagnosed a support case issue where the console was calling a datasource subsystem op like this against all servers in a domain, even ones that didn't have the resource. The result was a very hard to diagnose problem because the missing service failure wasn't as understandable as a NoSuchResourceException. So I have this subtlety on my mind. ;)

...main/java/org/jboss/as/domain/management/security/KeytabTestHandler.java
public static final SimpleOperationDefinition DEFINITION = new SimpleOperationDefinitionBuilder(TEST,
ControllerResolver.getResolver("core.management.security-realm.server-identity.kerberos.keytab")).setReadOnly()
.setReplyType(ModelType.STRING).setReplyValueType(ModelType.STRING).build();

bstansberry (Contributor) Oct 1, 2014

You shouldn't need setReplyValueType if the reply type is STRING or some other non-collection.

darranl (Contributor) commented Oct 3, 2014

Rebased and additional changes following review.

wildfly-ci commented Oct 3, 2014

Linux Build 530 is now running using a merge of 38425cb

wildfly-ci commented Oct 3, 2014

Windows Build 271 is now running using a merge of 38425cb

wildfly-ci commented Oct 3, 2014

Linux Build 530 outcome was SUCCESS using a merge of 38425cb
Summary: Tests passed: 2601, ignored: 56 Build time: 0:16:50

wildfly-ci commented Oct 3, 2014

Windows Build 271 outcome was SUCCESS using a merge of 38425cb
Summary: Tests passed: 2601, ignored: 56 Build time: 0:17:20

bstansberry added a commit that referenced this pull request Oct 6, 2014

Merge pull request #214 from darranl/WFCORE-105_Rebased
[WFCORE-105] Enabling Kerberos authentication over the HTTP management interface.

@bstansberry bstansberry merged commit 0dd18dc into wildfly:master Oct 6, 2014

@darranl darranl deleted the darranl:WFCORE-105_Rebased branch Oct 7, 2014

iweiss pushed a commit to iweiss/wildfly-core that referenced this pull request Jun 6, 2016

Merge pull request #214 from bstansberry/JBEAP-4006
WFCORE-1425 embedded slave started with host-slave.xml has incorrect …