Bug 1636547 - [RFE] Move appliance from apache module mod_auth_kerb to mod_auth_gssapi
Summary: [RFE] Move appliance from apache module mod_auth_kerb to mod_auth_gssapi
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: GA
: 5.10.0
Assignee: Joe Vlcek
QA Contact: Antonin Pagac
Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-05 16:11 UTC by Joe Vlcek
Modified: 2019-02-07 23:03 UTC (History)
7 users (show)

Fixed In Version: 5.10.0.19
Doc Type: Release Note
Doc Text:
This release of Red Hat CloudForms will introduce an alternate Apache module, mod_auth_gssapi, to support Single Sign On (SSO) via external authentication. The current module, mod_auth_kerb, will continue to be supported for the foreseeable future but at some point will likely be deprecated from Cloudforms. As mod_auth_gssapi is the direction forward for Apache kerberos SSO support, it is recommended, but not required to migrate from using mod_auth_kerb to mod_auth_gssapi
Clone Of:
Environment:
Last Closed: 2019-02-07 23:03:44 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0212 None None None 2019-02-07 23:03:49 UTC

Description Joe Vlcek 2018-10-05 16:11:51 UTC
Description of problem:

Apache module mod_auth_gssapi is favored over mod_auth_kerb going forward.
GSSAPI is available now so we can make the transition.

This RFE is to track the work needed to make the transition for the appliance.

mod_auth_kerb is currently supported but will be deprecated at some point in
the future. The favored kerberos Apache module is not mod_auth_gssapi and is
therefore more likely to contain patches and improvements more quickly than
mod_auth_kerb

Expected results:


Additional info:

Comment 3 Joe Vlcek 2018-10-05 16:23:19 UTC
(In reply to Joe Vlcek from comment #0)
> Description of problem:
> 
> Apache module mod_auth_gssapi is favored over mod_auth_kerb going forward.
> GSSAPI is available now so we can make the transition.
> 
> This RFE is to track the work needed to make the transition for the
> appliance.
> 
> mod_auth_kerb is currently supported but will be deprecated at some point in
> the future. The favored kerberos Apache module is not mod_auth_gssapi and is
> therefore more likely to contain patches and improvements more quickly than
> mod_auth_kerb
> 
> Expected results:
> 
> 
> Additional info:

Correction The subject had a typo. "not" should be "now" as shown below

Change: 
The favored kerberos Apache module is "not" mod_auth_gssapi

To:
The favored kerberos Apache module is "now" mod_auth_gssapi

Comment 4 Dave Johnson 2018-10-05 16:45:14 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 5 CFME Bot 2018-10-11 14:01:35 UTC
New commit detected on ManageIQ/manageiq/hammer:

https://github.com/ManageIQ/manageiq/commit/51b26b7a2917fa7707c8efb7e93589b6769b9814
commit 51b26b7a2917fa7707c8efb7e93589b6769b9814
Author:     Gregg Tanzillo <gtanzill@redhat.com>
AuthorDate: Fri Oct  5 16:42:46 2018 -0400
Commit:     Gregg Tanzillo <gtanzill@redhat.com>
CommitDate: Fri Oct  5 16:42:46 2018 -0400

    Merge pull request #18014 from jvlcek/gssapi

    Move from apache module mod_auth_kerb to mod_auth_gssapi

    (cherry picked from commit 90853a61ff9881fb730bdbc71418286b159a0513)

    https://bugzilla.redhat.com/show_bug.cgi?id=1636547

 spec/tools/miqldap_to_sssd/configure_apache_spec.rb | 40 +-
 tools/miqldap_to_sssd/configure_apache.rb | 2 +-
 2 files changed, 27 insertions(+), 15 deletions(-)

Comment 6 CFME Bot 2018-10-11 14:06:35 UTC
New commit detected on ManageIQ/manageiq-appliance/hammer:

https://github.com/ManageIQ/manageiq-appliance/commit/8f6c2dfb04b7a53961da332da8e7a477c34c1f58
commit 8f6c2dfb04b7a53961da332da8e7a477c34c1f58
Author:     Gregg Tanzillo <gtanzill@redhat.com>
AuthorDate: Fri Oct  5 16:34:35 2018 -0400
Commit:     Gregg Tanzillo <gtanzill@redhat.com>
CommitDate: Fri Oct  5 16:34:35 2018 -0400

    Merge pull request #206 from jvlcek/gssapi

    Move from apache module mod_auth_kerb to mod_auth_gssapi

    (cherry picked from commit 16221db14d40bfe730829bb7c054da7b39690548)

    https://bugzilla.redhat.com/show_bug.cgi?id=1636547

 TEMPLATE/etc/httpd/conf.d/manageiq-external-auth.conf.erb | 11 +-
 1 file changed, 4 insertions(+), 7 deletions(-)

Comment 7 CFME Bot 2018-10-11 14:06:57 UTC
New commit detected on ManageIQ/manageiq-appliance-build/hammer:

https://github.com/ManageIQ/manageiq-appliance-build/commit/9fe5cc5a44d08890934058c8aee086c15dbb7d69
commit 9fe5cc5a44d08890934058c8aee086c15dbb7d69
Author:     Gregg Tanzillo <gtanzill@redhat.com>
AuthorDate: Fri Oct  5 16:39:04 2018 -0400
Commit:     Gregg Tanzillo <gtanzill@redhat.com>
CommitDate: Fri Oct  5 16:39:04 2018 -0400

    Merge pull request #282 from jvlcek/gssapi

    Move from apache module mod_auth_kerb to mod_auth_gssapi

    (cherry picked from commit 9ab682c2641fa2384b0d4d4836b23f6a203d4c5f)

    https://bugzilla.redhat.com/show_bug.cgi?id=1636547

 kickstarts/partials/packages/includes.ks.erb | 1 +
 1 file changed, 1 insertion(+)

Comment 8 Antonin Pagac 2019-01-29 17:39:20 UTC
Verified with 5.10.0.32.

Comment 9 errata-xmlrpc 2019-02-07 23:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212


Note You need to log in before you can comment on or make changes to this bug.