Bug 799129
| Field | Value |
|---|---|
| Summary | [RFE] Add Kerberos authentication for Cumin |
| Product | Red Hat Enterprise MRG |
| Reporter | Trevor McKay <tmckay> |
| Component | cumin |
| Assignee | Chad Roberts <croberts> |
| Status | CLOSED ERRATA |
| QA Contact | Stanislav Graf <sgraf> |
| Severity | low |
| Priority | high |
| Version | Development |
| CC | chetan, croberts, esammons, iboverma, ltoscano, matt, rrati, sgraf, tao |
| Target Milestone | 2.3 |
| Keywords | FutureFeature |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | cumin-0.1.5562-1 |
| Doc Type | Enhancement |
| Last Closed | 2013-03-06 18:41:57 UTC |
| Bug Blocks | 850563, 486202, 861485, 916732 |

Doc Text:

Feature: Kerberos authentication in cumin

Reason: Some customers may want to use their kerberos auth server to handle cumin authentication.

Result (if any): By adding "kerb" to the "auth" config in cumin.conf and by setting kerberos_realm to the value required by their kerberos setup (krb5.conf), cumin will use the python-kerberos library to authenticate users. By default, all kerberos-authenticated users will be treated as non-admins in cumin. In order to get a kerberos-authenticated admin user, you would need to add an "external" user to the cumin database and then add the admin role assignment via the cumin-admin utility.
Description
Trevor McKay
2012-03-01 20:27:53 UTC
Will this be implemented natively (using auth?) or using an external script (through auth: script=...)? Not certain, I haven't looked at what this will take. But, I would heavily lean toward "native" -- much better to have less indirection, and have something easier to debug, tie into Cumin logging, etc etc. The script mechanism really exists for user extension or customization, to cover edge cases, and to give us a (temporary) catch-all for "we didn't think of that". All mechanisms that we intend to be first class, and for which Python has supporting modules, should be native.

That is my intention.

This is available in revision 5486 on trunk.

*** Bug 486202 has been marked as a duplicate of this bug. ***

Adding an rpm dependency to the el6 spec file on python-kerberos. Marking this BZ rhel6 only since python-kerberos is not carried on el5.

Created attachment 656854 [details]
Remove need for kerberos_server in configuration.
Tested on cumin-0.1.5564-1.el6

Set up kerberos server according to https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html

Set up kerberos in cumin.conf:

```
auth: kerb
kerberos_realm: EXAMPLE.COM
```

Set up kerberos in /etc/krb5.conf:

```
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
  kdc = hostname
  admin_server = hostname
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
```

In web.log:

```
DEBUG Authenticator: authenticating external user
DEBUG Authenticator: authenticate, try <cumin.kerbauth.CuminAuthenticatorKerberos object at 0xa2dba6c>
DEBUG Authenticating for user cuminkrb against CuminAuthenticatorKerberos
DEBUG Authenticator: authentication succeeded for external user
```

Log for wrong password:

```
DEBUG Auth failed ('Decrypt integrity check failed', -1765328353)
DEBUG Authenticator: authentication failed for external user
```

Log for wrong realm:

```
DEBUG Auth failed ('Cannot find KDC for requested realm', -1765328230)
DEBUG Authenticator: authentication failed for external user
```

Log for wrong kdc:

```
DEBUG Auth failed ('Cannot contact any KDC for requested realm', -1765328228)
DEBUG Authenticator: authentication failed for external user
```

Log for inaccessible /etc/krb5.conf:

```
DEBUG Auth failed ('Cannot initialize Kerberos5 context', 13)
DEBUG Authenticator: authentication failed for external user
```

Local user/auth is always first:

- add user with the same name as kerberos user: `# cumin-admin add-user cuminkrb`
- try to login with password belonging to local user
- in web.log: `DEBUG Authenticator: authentication succeeded for user`
- `# cumin-admin remove-user cuminkrb`

Role enforcement:

- set in cumin.conf: `authorize: True`
- restart cumin: `# service cumin restart`
- login as kerberos user and check that administrator tab is not available
- in web.log:

```
DEBUG Authenticator: authentication succeeded for external user
DEBUG Denying cumin.main.MainPage authorization for ['user']
DEBUG Not authorized, redirecting to usergrid.html
DEBUG Allowing usergrid authorization for ['user']
```

- add administrator right to the kerberos user: `# cumin-admin external-user cuminkrb` and `# cumin-admin add-assignment cuminkrb admin`
- login as kerberos user and administrator tab is available again
- in web.log:

```
DEBUG Authenticator: authentication succeeded for external user
DEBUG Allowing ['messaging', 'grid'] authorization for ['user', 'admin']
DEBUG Allowing grid authorization for ['user', 'admin']
```

Feature doesn't work on RHEL5 (comment 13)
Tested on RHEL6 i386/x86_64 with cumin-0.1.5564-1.el6
One issue separated into Bug 879562
--> VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0564.html
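A worked model of the authentication chain the verification above exercises: the local cumin database is consulted first, kerberos is tried only when "kerb" is in `auth`, and a kerberos user stays a plain `user` until it is registered with `cumin-admin external-user` and given an assignment. This is an added example, not cumin's kerbauth code; `fake_check_password`, its principal table and the service name `"cumin"` are constructed stand-ins for the python-kerberos check so it runs without a KDC, and the error tuples are the ones shown in web.log above.

```python
# Added example (not cumin's own code): model of the auth chain described in this bug.
# Assumption: the kerberos check has the shape of python-kerberos' checkPassword(user,
# password, service, realm); the stub below replaces it so this runs without a KDC.
from typing import Callable, Dict, Optional, Set


class KerbError(Exception):
    """Stand-in for the (message, code) errors seen in web.log."""


# Constructed KDC stub: principals known to the fake realm EXAMPLE.COM.
_FAKE_KDC = {"cuminkrb": "krb-secret"}


def fake_check_password(user: str, password: str, service: str, realm: str) -> bool:
    if realm != "EXAMPLE.COM":
        raise KerbError("Cannot find KDC for requested realm", -1765328230)
    if _FAKE_KDC.get(user) != password:
        raise KerbError("Decrypt integrity check failed", -1765328353)
    return True


class Authenticator:
    def __init__(self, conf: Dict, local_users: Dict[str, str], external_users: Set[str],
                 assignments: Dict[str, Set[str]], checker: Callable = fake_check_password):
        self.conf, self.local, self.external = conf, local_users, external_users
        self.assignments, self.checker = assignments, checker

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Return 'user' (local), 'external' (kerberos) or None; local DB always first."""
        if user in self.local:  # a local account shadows the kerberos principal (assumption)
            return "user" if self.local[user] == password else None
        if "kerb" not in self.conf.get("auth", ""):
            return None
        try:
            self.checker(user, password, "cumin", self.conf["kerberos_realm"])
        except KerbError as e:
            print("DEBUG Auth failed %r" % (e.args,))  # mirrors the web.log lines
            return None
        return "external"

    def roles(self, user: str, kind: str) -> Set[str]:
        """External users are plain 'user' unless registered via cumin-admin external-user."""
        roles = {"user"}
        if kind == "user" or user in self.external:
            roles |= self.assignments.get(user, set())
        return roles

    def allow(self, roles: Set[str], page_roles: Set[str]) -> bool:
        """With authorize: True a page is allowed only if the user holds one of its roles."""
        return not self.conf.get("authorize") or bool(roles & page_roles)
```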