Bug 1118011 - External authentication via FreeIPA should be configurable with foreman-installer
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1102374
Depends On:
Blocks:
Reported: 2014-07-09 20:38 UTC by Bryan Kearney
Modified: 2019-09-26 14:33 UTC

Fixed In Version: katello-installer-0.0.57-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-11 12:28:39 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 6445 0 None None None 2016-04-22 15:44:47 UTC

Description Bryan Kearney 2014-07-09 20:38:46 UTC
Foreman 1.5 brought almost complete external authentication support. However, configuring the environment (packages, Apache modules, sssd, keytab) is a manual process with many steps:

http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication

The foreman-installer should make it easy to enable external authentication via FreeIPA with a few command-line options.

Comment 1 Bryan Kearney 2014-07-09 20:38:47 UTC
Created from redmine issue http://projects.theforeman.org/issues/6445

Comment 3 Bryan Kearney 2014-07-23 10:04:16 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/6445 has been closed
-------------
Jan Pazdziora
Created https://github.com/theforeman/puppet-foreman/pull/199
-------------
Jan Pazdziora
Applied in changeset commit:puppet-foreman|378d602424da89f4493767949d534b66942db8e2.

Comment 4 Marek Hulan 2014-07-24 15:43:23 UTC
Katello-installer related update in https://github.com/Katello/katello-installer/pull/90

Comment 5 Bryan Kearney 2014-08-01 14:44:56 UTC
*** Bug 1102374 has been marked as a duplicate of this bug. ***

Comment 6 Jan Pazdziora 2014-08-02 19:41:21 UTC
(In reply to Marek Hulan from comment #4)
> The pull request https://github.com/Katello/katello-installer/pull/90 seems to have been merged into Katello upstream.

Comment 11 Kedar Bidarkar 2014-08-18 10:19:16 UTC
Please provide what and how we need to test this here.

Comment 12 Kedar Bidarkar 2014-08-19 15:24:10 UTC
I see this link http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication and the steps.

But I am not sure exactly what steps to follow, when this task is supposed to get executed via katello-installer.

Some detailed steps would be of great help here.

Comment 13 Marek Hulan 2014-08-19 15:51:32 UTC
Explained on IRC; for the record, it's about testing that most of the steps from 5.7 are not required and the installer does them for you. You have to enroll the foreman host into FreeIPA and create the HTTP/$foreman_fqdn principal, then use the --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true options for the installer.

Comment 14 Kedar Bidarkar 2014-08-19 21:26:08 UTC
Tested with Sat6-GA-snap5


Registering Sat6/capsule box to IPA Server.
-----------------------------------

1) Just add a nameserver entry to /etc/resolv.conf as "nameserver xxx.xxx.xxx.xxx" in your sat6 box.  
2) Run "ipa-client-install" on sat6 box/capsule, 
3) Provide the domain info if asked for on prompting and be done registering sat6 box to IPA server.
4) Note:- Provide domain as "katellolabs.org" or whatever you have set your IPA server domain to.


Configuring External Authentication for Sat6 with IPA.
--------------------------------------

1) On the FreeIPA server, we create the service:

ipa service-add HTTP/<the-foreman-hostname>

2) katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true

Observations
-----------------------------------------------------------------------
With the above configuration in place
1) The IPA users are now able to access the Sat6 UI.
2) These users upon first login get created under Users of Sat6, with "authorized type" as "external".
3) Then one could assign roles to the (external) IPA users for sat6, after logging in to sat6's admin account.



Installed Packages

    candlepin-0.9.23-1.el6_5.noarch
    candlepin-common-1.0.1-1.el6_5.noarch
    candlepin-scl-1-5.el6_4.noarch
    candlepin-scl-quartz-2.1.5-5.el6_4.noarch
    candlepin-scl-rhino-1.7R3-1.el6_4.noarch
    candlepin-scl-runtime-1-5.el6_4.noarch
    candlepin-selinux-0.9.23-1.el6_5.noarch
    candlepin-tomcat6-0.9.23-1.el6_5.noarch
    createrepo-0.9.9-21.2.pulp.el6sat.noarch
    elasticsearch-0.90.10-4.el6sat.noarch
    katello-1.5.0-28.el6sat.noarch
    katello-ca-1.0-1.noarch
    katello-certs-tools-1.5.6-1.el6sat.noarch
    katello-installer-0.0.59-1.el6sat.noarch
    m2crypto-0.21.1.pulp-10.el6sat.x86_64
    mod_wsgi-3.4-1.pulp.el6sat.x86_64
    pulp-katello-0.3-3.el6sat.noarch
    pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
    pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
    pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
    pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
    pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
    pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
    pulp-server-2.4.0-0.30.beta.el6sat.noarch
    python-gofer-qpid-1.3.0-1.el6sat.noarch
    python-isodate-0.5.0-1.pulp.el6sat.noarch
    python-kombu-3.0.15-12.pulp.el6sat.noarch
    python-pulp-bindings-2.4.0-0.30.beta.el6sat.noarch
    python-pulp-common-2.4.0-0.30.beta.el6sat.noarch
    python-pulp-puppet-common-2.4.0-0.30.beta.el6sat.noarch
    python-pulp-rpm-common-2.4.0-0.30.beta.el6sat.noarch
    python-qpid-0.22-14.el6sat.noarch
    python-qpid-qmf-0.22-37.el6.x86_64
    qpid-cpp-client-0.22-42.el6.x86_64
    qpid-cpp-server-0.22-42.el6.x86_64
    qpid-cpp-server-linearstore-0.22-42.el6.x86_64
    qpid-java-client-0.22-6.el6.noarch
    qpid-java-common-0.22-6.el6.noarch
    qpid-proton-c-0.7-1.el6.x86_64
    qpid-qmf-0.22-37.el6.x86_64
    qpid-tools-0.22-12.el6.noarch
    ruby193-rubygem-katello-1.5.0-82.el6sat.noarch
    rubygem-hammer_cli_katello-0.0.4-12.el6sat.noarch
    rubygem-smart_proxy_pulp-1.0.0-1.1.el6sat.noarch

Comment 15 Jan Pazdziora 2014-08-20 13:19:32 UTC
(In reply to Kedar Bidarkar from comment #12)
> I see this link
> http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication and
> the steps.
> 
> But I am not sure exactly what steps to follow, when this task is supposed to
> get executed via katello-installer.
> 
> Some detailed steps would be of great help here.

We are working on getting the Foreman 1.6 documentation updated.

Comment 16 Jan Pazdziora 2014-08-20 13:24:41 UTC
(In reply to Kedar Bidarkar from comment #14)
> Tested with Sat6-GA-snap5
> 
> 
> Registering Sat6/capsule box to IPA Server.
> -----------------------------------
> 
> 1) Just add a nameserver entry to /etc/resolv.conf as "nameserver
> xxx.xxx.xxx.xxx" in your sat6 box.  
> 2) Run "ipa-client-install" on sat6 box/capsule, 
> 3) Provide the domain info if asked for on prompting and be done registering
> sat6 box to IPA server.
> 4) Note:- Provide domain as "katellolabs.org" or whatever you have set your
> IPA server domain to.
> 
> 
> Configuring External Authentication for Sat6 with IPA.
> --------------------------------------
> 
> 1) On the FreeIPA server, we create the service:
> 
> ipa service-add HTTP/<the-foreman-hostname>
> 
> 2) katello-installer --foreman-ipa-authentication=true
> --foreman-configure-ipa-repo=true

This is *not* correct -- for Satellite, the thing has to work without the --foreman-configure-ipa-repo parameter. All the packages are (supposed to be) on the Satellite composes and in the Satellite channels and customer is *not* supposed to get any external packages.

> Observations
> -----------------------------------------------------------------------
> With the above configuration in place
> 1) The IPA users are now able to access the Sat6 UI.
> 2) These users upon first login get created under Users of Sat6, with
> "authorized type" as "external".
> 3) Then one could assign roles to the (external) IPA users for sat6, after
> logging in to sat6's admin account.
> 
> Installed Packages

We'd need this retested on RHEL 7 as well.

Also -- what is the above list of packages representing? I don't see things like mod_authnz_pam or mod_auth_kerb listed.

Moving back ON_QA -- please retest without the external repo and on both RHEL 6 and RHEL 7.

Comment 17 Jan Pazdziora 2014-08-20 13:37:57 UTC
Also, could you please test that katello-installer's --foreman-ipa-authentication=true option is correctly documented in Satellite 6.0 GA documentation?

Comment 18 Kedar Bidarkar 2014-08-20 14:18:04 UTC

Thanks @jpazdziora for the info. Will also make sure that it's properly documented in Sat6 GA docs.

Also, we do have a practice of listing a set of standard packages for the bugs and hence the list of Installed packages.

What you are suggesting was taken care of here in the below bug and this is from the set of Sat6 compose Sat6-GA-snap5.
https://bugzilla.redhat.com/show_bug.cgi?id=1084136#c43

The below command now I understand is for the upstream purposes only and should be avoided for sat6.
katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true


NOTE for QE as we also need to test it for RHEL7:

1) katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true

The --foreman-configure-ipa-repo configures an external repo from where the mod_authnz_pam and mod_auth_kerb are installed.
http://copr-be.cloud.fedoraproject.org/results/adelton/identity_demo/epel-6-x86_64/


2) The idea is to test it with the packages packaged along with sat6 composes only, that is mod_authnz_pam, mod_auth_kerb, etc.

3) Also we need to test this with both RHEL6 and RHEL7.

4) We need to test only with "katello-installer --foreman-ipa-authentication=true"

Comment 20 Jan Pazdziora 2014-08-20 15:17:39 UTC
(In reply to Kedar Bidarkar from comment #18)
> 
> Also we do have a practice of listing a set of standard packages for the bugs
> and hence the list of Installed packages.

Ah, OK.

> The below command now I understand is for the upstream purposes only and
> should be avoided for sat6.
> katello-installer --foreman-ipa-authentication=true
> --foreman-configure-ipa-repo=true

Right.

> NOTE for QE as we also need to test it for RHEL7:
> 
> 1) katello-installer --foreman-ipa-authentication=true
> --foreman-configure-ipa-repo=true

Without the --foreman-configure-ipa-repo=true again -- it should not be used on Satellite 6, be it on RHEL 6 or RHEL 7.

> 2) The idea is to test it with the packages packaged along with sat6
> composes only, that is mod_authnz_pam, mod_auth_kerb, etc.
> 
> 3) Also we need to test this with both RHEL6 and RHEL7.
> 
> 4) We need to test only with "katello-installer
> --foreman-ipa-authentication=true"

Right.

Comment 22 Kedar Bidarkar 2014-08-20 17:53:56 UTC
Tested with sat6-GA-snap5 on RHEL7.

[root@xxx yum.repos.d]# ls
prod.repo  redhat.repo
[root@xxx yum.repos.d]# cat prod.repo 
[katello]
name=katello
baseurl=http:/xxx.redhat.com/devel/candidate-trees/Satellite/Satellite-6.0.4-RHEL-7-20140813.2/compose/Satellite/x86_64/os/
enabled=1
gpgcheck=0
[root@xxxx yum.repos.d]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.0 (Maipo)
[root@xxx yum.repos.d]# #katello-installer --foreman-ipa-authentication=true
[root@xxx yum.repos.d]# cd
[root@xxx ~]# katello-installer --foreman-ipa-authentication=true
Installing             Done                                               [100%] [..........................................................................................................]
  Success!
  * Katello is running at https://xxxx.redhat.com
      Initial credentials are admin / changeme
  * Capsule is running at https://xxxx.redhat.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/katello-installer/katello-installer.log

Comment 23 Kedar Bidarkar 2014-08-21 10:11:05 UTC
Tested with Sat6-GA-snap6-20140820.2 Build on RHEL6.5

[root@xxxx ~]# katello-installer --foreman-ipa-authentication=true
Installing             Done                                               [100%] [..........................................................................................................]
  Success!
  * Katello is running at https://xxxxx.redhat.com
      Initial credentials are admin / changeme
  * Capsule is running at https://xxxxx.redhat.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/katello-installer/katello-installer.log
[root@xxxxx ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@xxxxx ~]# cd /etc/yum.repos.d/
[root@xxxxx yum.repos.d]# ls
product.repo  redhat.repo  rhel-source.repo
[root@xxxxx yum.repos.d]# cat product.repo 
[katello]
name=katello
baseurl=http://xxxx.redhat.com/devel/candidate-trees/Satellite/Satellite-6.0.4-RHEL-6-20140820.2/compose/Satellite/x86_64/os/
enabled=1
gpgcheck=0

Comment 24 Kedar Bidarkar 2014-08-21 10:17:01 UTC
For Sat6 on both RHEL6 and RHEL7
-----------------------------------------------------------------------
With the above configuration in place
1) The IPA users are now able to access the Sat6 UI.
2) These users upon first login get created under Users of Sat6, with "authorized type" as "external".
3) Then one could assign roles to such (external) IPA users for sat6, after logging in to sat6's admin account.

With the setups as mentioned in comment 22 and comment 23, we were able to successfully perform the above 3 steps.

So External Authentication via FreeIPA is configurable with katello-installer and also we are able to use only those packages packaged with Satellite6 repos.
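
Added example (not part of the bug report and not katello-installer code): a shell check for the condition discussed in comments 16 to 24, that packages come only from the Satellite compose and not from an external repo such as the one --foreman-configure-ipa-repo configures. The allowed host name, the sample repo files and their section names are constructed for illustration, and only settings written explicitly in the .repo files are evaluated.

```shell
# Added example, not katello-installer code; host and section names are constructed.
# audit_repos DIR ALLOWED_HOST: print one finding per enabled repo section that
# points at a host other than ALLOWED_HOST or explicitly sets gpgcheck=0.
audit_repos() {
  local dir="$1" allowed="$2" f
  for f in "$dir"/*.repo; do
    [ -e "$f" ] || continue
    awk -v allowed="$allowed" -v file="${f##*/}" '
      function report(   host) {
        if (sec == "" || enabled == "0") return    # nothing parsed yet, or repo disabled
        host = url
        sub("^[a-z]+:/+", "", host); sub("[/:].*$", "", host)   # keep the host part only
        if (url != "" && host != allowed) printf "%s:[%s] external-host %s\n", file, sec, host
        # Only an explicit 0 is flagged; an unset value inherits from yum.conf.
        if (gpg == "0") printf "%s:[%s] gpgcheck-disabled\n", file, sec
      }
      /^[ \t]*[#;]/ { next }                       # comment lines
      /^\[/ {                                      # new [section]: report the previous one
        report(); sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        url = ""; gpg = ""; enabled = "1"; next
      }
      {
        key = $0; sub("[ \t]*=.*$", "", key)
        val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "baseurl") url = val
        else if (key == "gpgcheck") gpg = val
        else if (key == "enabled") enabled = val
      }
      END { report() }
    ' "$f"
  done
}

# Constructed sample repo files: one compose repo, one external repo.
make_sample_repos() {
  printf '[katello]\nbaseurl=http://satellite-compose.example.com/os/\nenabled=1\ngpgcheck=0\n' > "$1/prod.repo"
  printf '[constructed-external]\nbaseurl=http://copr-be.cloud.fedoraproject.org/results/\nenabled=1\ngpgcheck=1\n' > "$1/extra.repo"
}

tmp=$(mktemp -d) && make_sample_repos "$tmp" && audit_repos "$tmp" satellite-compose.example.com
rm -rf "$tmp"
```

On a real host the call would be `audit_repos /etc/yum.repos.d <compose-host>`, with the compose host taken from the site's own repo definition.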

Comment 25 Jan Pazdziora 2014-08-25 10:09:07 UTC
(In reply to Jan Pazdziora from comment #15)
> 
> We are working on getting the Foreman 1.6 documentation updated.

https://github.com/theforeman/theforeman.org/pull/253

Comment 26 Petra Kamenickova 2014-09-01 09:48:29 UTC
Foreman 1.6 documentation has been updated:
http://theforeman.org/manuals/1.6/index.html#5.7ExternalAuthentication

Comment 27 Petra Kamenickova 2014-09-01 09:57:20 UTC
(In reply to Petra Kamenickova from comment #26)
> Foreman 1.6 documentation has been updated:
> http://theforeman.org/manuals/1.6/index.html#5.7ExternalAuthentication

Related to: Need documentation for External authentication via IDM using katello-installer https://bugzilla.redhat.com/show_bug.cgi?id=1132527

Comment 28 Bryan Kearney 2014-09-11 12:28:39 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.

