Bug 799129

Summary: [RFE] Add Kerberos authentication for Cumin
Product: Red Hat Enterprise MRG Reporter: Trevor McKay <tmckay>
Component: cumin    Assignee: Chad Roberts <croberts>
Status: CLOSED ERRATA QA Contact: Stanislav Graf <sgraf>
Severity: low Docs Contact:
Priority: high    
Version: Development    CC: chetan, croberts, esammons, iboverma, ltoscano, matt, rrati, sgraf, tao
Target Milestone: 2.3    Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cumin-0.1.5562-1 Doc Type: Enhancement
Doc Text:
Feature: Kerberos authentication in cumin
Reason: Some customers may want to use their kerberos auth server to handle cumin authentication.
Result (if any): By adding "kerb" to the "auth" config in cumin.conf and by setting kerberos_realm to the value required by their kerberos setup (krb5.conf), cumin will use the python-kerberos library to authenticate users. By default, all kerberos-authenticated users will be treated as non-admins in cumin. In order to get a kerberos-authenticated admin user, you would need to add an "external" user to the cumin database and then add the admin role assignment via the cumin-admin utility.
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-06 18:41:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 850563, 486202, 861485, 916732    
Attachments: Remove need for kerberos_server in configuration. (Flags: none)

Description Trevor McKay 2012-03-01 20:27:53 UTC
Description of problem:

Support Kerberos authentication for Cumin login.

LDAP authentication is a similar issue, Bug 737979

Comment 2 Luigi Toscano 2012-08-01 10:30:41 UTC
Will this be implemented natively (using auth?) or using an external script (through auth: script=...) ?

Comment 4 Trevor McKay 2012-08-21 13:30:16 UTC
Not certain, I haven't looked at what this will take.  But, I would heavily lean toward "native" -- much better to have less indirection, and have something easier to debug, tie into Cumin logging, etc etc.

The script mechanism really exists for user extension or customization, to cover edge cases, and to give us a (temporary) catch-all for "we didn't think of that".  All mechanisms that we intend to be first class, and for which Python has supporting modules, should be native.  That is my intention.

Comment 6 Chad Roberts 2012-09-28 18:57:00 UTC
This is available in revision 5486 on trunk.

Comment 10 Trevor McKay 2012-10-04 14:42:27 UTC
*** Bug 486202 has been marked as a duplicate of this bug. ***

Comment 13 Trevor McKay 2012-11-20 16:04:07 UTC
Adding a rpm dependency to the el6 spec file on python-kerberos.  Marking this BZ rhel6 only since python-kerberos is not carried on el5.

Comment 18 Chad Roberts 2012-12-03 18:06:31 UTC
Created attachment 656854 [details]
Remove need for kerberos_server in configuration.

Comment 19 Stanislav Graf 2012-12-06 14:43:04 UTC
Tested on cumin-0.1.5564-1.el6

Setup kerberos server according to
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html

Setup kerberos in cumin.conf:
auth: kerb
kerberos_realm: EXAMPLE.COM

Setup kerberos in /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = hostname
  admin_server = hostname
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

In web.log:
DEBUG Authenticator: authenticating external user
DEBUG Authenticator: authenticate, try <cumin.kerbauth.CuminAuthenticatorKerberos object at 0xa2dba6c>
DEBUG Authenticating for user cuminkrb against CuminAuthenticatorKerberos
DEBUG Authenticator: authentication succeeded for external user

Log for wrong password:
DEBUG Auth failed ('Decrypt integrity check failed', -1765328353)
DEBUG Authenticator: authentication failed for external user

Log for wrong realm:
DEBUG Auth failed ('Cannot find KDC for requested realm', -1765328230)
DEBUG Authenticator: authentication failed for external user

Log for wrong kdc:
DEBUG Auth failed ('Cannot contact any KDC for requested realm', -1765328228)
DEBUG Authenticator: authentication failed for external user

Log for inaccessible /etc/krb5.conf:
DEBUG Auth failed ('Cannot initialize Kerberos5 context', 13)
DEBUG Authenticator: authentication failed for external user

Comment 20 Stanislav Graf 2012-12-07 15:14:30 UTC
Local user/auth is always first:
- add user with the same name as kerberos user
# cumin-admin add-user cuminkrb
- try to login with password belonging to local user
- in web.log:
DEBUG Authenticator: authentication succeeded for user
# cumin-admin remove-user cuminkrb

Role enforcement:
- set in cumin.conf:
authorize: True
- restart cumin
# service cumin restart
- login as kerberos user and check that administrator tab is not available
- in web.log:
DEBUG Authenticator: authentication succeeded for external user
DEBUG Denying  cumin.main.MainPage authorization for ['user'] 
DEBUG Not authorized, redirecting to usergrid.html
DEBUG Allowing usergrid authorization for ['user'] 
- add administrator right to the kerberos user
# cumin-admin external-user cuminkrb
# cumin-admin add-assignment cuminkrb admin
- login as kerberos user and administrator tab is available again
- in web.log:
DEBUG Authenticator: authentication succeeded for external user
DEBUG Allowing ['messaging', 'grid'] authorization for ['user', 'admin'] 
DEBUG Allowing grid authorization for ['user', 'admin']
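As an added illustration (not cumin's own code) of the behaviour described in the Doc Text and verified in comments 19 and 20: local cumin users are tried first, unknown logins fall through to Kerberos via python-kerberos, Kerberos failures surface as (message, krb5 error code) tuples, and an external user only gains the admin role through an explicit assignment. The `stub_check_password` function and its principal table are constructed for the example so it runs without a KDC; it mimics the real `kerberos.checkPassword(user, pswd, service, default_realm)` signature, and the service name "cumin" is an assumption.

```python
import logging


class KerberosError(Exception):
    """Stand-in for kerberos.BasicAuthError: args are (message, krb5 error code)."""


try:
    import kerberos  # python-kerberos; its checkPassword raises BasicAuthError
    AUTH_ERRORS = (KerberosError, kerberos.BasicAuthError)
except ImportError:  # lets the example run where the library is not installed
    AUTH_ERRORS = (KerberosError,)

log = logging.getLogger("Authenticator")


def stub_check_password(user, password, service, realm):
    """Offline stand-in for kerberos.checkPassword, with a constructed principal table."""
    principals = {("cuminkrb", "EXAMPLE.COM"): "s3cret"}  # constructed test data
    if realm != "EXAMPLE.COM":
        raise KerberosError("Cannot find KDC for requested realm", -1765328230)
    if principals.get((user, realm)) != password:
        raise KerberosError("Decrypt integrity check failed", -1765328353)
    return True


class Authenticator:
    """Local cumin users are checked first; unknown or failing logins fall through to Kerberos."""

    def __init__(self, realm, local_users, assignments, check=stub_check_password):
        self.realm = realm              # kerberos_realm from cumin.conf
        self.local_users = local_users  # name -> password, as created by cumin-admin add-user
        self.assignments = assignments  # name -> roles, as created by cumin-admin add-assignment
        self.check = check              # pass kerberos.checkPassword to use a real KDC

    def authenticate(self, user, password):
        """Return (succeeded, external); 'external' means the Kerberos path decided."""
        if user in self.local_users and self.local_users[user] == password:
            log.debug("authentication succeeded for user")
            return True, False
        try:
            self.check(user, password, "cumin", self.realm)  # service name is an assumption
        except AUTH_ERRORS as exc:
            log.debug("Auth failed %s", exc.args)
            log.debug("authentication failed for external user")
            return False, True
        log.debug("authentication succeeded for external user")
        return True, True

    def roles(self, user):
        """Every authenticated user gets 'user'; admin only via an explicit assignment."""
        return {"user"} | set(self.assignments.get(user, ()))
```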

Comment 21 Stanislav Graf 2012-12-07 15:31:05 UTC
Feature doesn't work on RHEL5 (comment 13)

Tested on RHEL6 i386/x86_64 with cumin-0.1.5564-1.el6

One issue separated into Bug 879562

--> VERIFIED

Comment 23 errata-xmlrpc 2013-03-06 18:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0564.html