Bug 1650583 - [RFE] Move Openshift build from module mod_auth_kerb to mod_auth_gssapi
Summary: [RFE] Move Openshift build from module mod_auth_kerb to mod_auth_gssapi
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: cfme-openshift-httpd
Version: 5.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: GA
: 5.10.0
Assignee: Joe Vlcek
QA Contact: Ievgen Zapolskyi
Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-16 14:42 UTC by Joe Vlcek
Modified: 2019-02-07 22:45 UTC (History)
9 users (show)

Fixed In Version: 5.10.0.25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-07 22:45:46 UTC
Category: ---
Cloudforms Team: Container Management
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0213 0 None None None 2019-02-07 22:45:50 UTC

Description Joe Vlcek 2018-11-16 14:42:09 UTC
Description of problem:

Apache module mod_auth_gssapi is favored over mod_auth_kerb going forward.
GSSAPI is available now so we can make the transition.

This RFE is to track the work needed to make the transition for the Openshift/podified build.

mod_auth_kerb is currently supported but will be deprecated at some point in
the future. The favored kerberos Apache module is not mod_auth_gssapi and is
therefore more likely to contain patches and improvements more quickly than
mod_auth_kerb

Comment 2 Dave Johnson 2018-11-16 14:46:05 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 5 CFME Bot 2018-11-16 16:51:40 UTC
New commit detected on ManageIQ/manageiq-pods/master:

https://github.com/ManageIQ/manageiq-pods/commit/ec00ca1d830edac8791d1d6b83b7c409b56bdf9e
commit ec00ca1d830edac8791d1d6b83b7c409b56bdf9e
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Nov 16 10:41:42 2018 -0500
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Fri Nov 16 10:41:42 2018 -0500

    https://www.pivotaltracker.com/n/projects/1610127/stories/160297262

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1650583

 templates/miq-template-ext-db.yaml | 26 +-
 templates/miq-template.yaml | 26 +-
 2 files changed, 20 insertions(+), 32 deletions(-)

Comment 6 Satoe Imaishi 2018-11-16 21:36:18 UTC
https://github.com/ManageIQ/container-httpd/pull/38

Comment 8 CFME Bot 2018-11-16 21:41:34 UTC
New commit detected on ManageIQ/manageiq-pods/hammer:

https://github.com/ManageIQ/manageiq-pods/commit/b85250e9a1ff1f370dc4b2761640bdcc5043c700
commit b85250e9a1ff1f370dc4b2761640bdcc5043c700
Author:     Nick Carboni <ncarboni@redhat.com>
AuthorDate: Fri Nov 16 11:47:19 2018 -0500
Commit:     Nick Carboni <ncarboni@redhat.com>
CommitDate: Fri Nov 16 11:47:19 2018 -0500

    Merge pull request #314 from jvlcek/mod_auth_gssapi_master

    Move from apache module mod_auth_kerb to mod_auth_gssap

    (cherry picked from commit 16fa6d6f84174ae8743ea666e190076bb49a2538)

    https://bugzilla.redhat.com/show_bug.cgi?id=1650583

 templates/miq-template-ext-db.yaml | 26 +-
 templates/miq-template.yaml | 26 +-
 2 files changed, 20 insertions(+), 32 deletions(-)

Comment 10 Ievgen Zapolskyi 2018-12-03 10:43:56 UTC
Hello Joe,

is it enough to just check that IPA auth isn't broken after this change ?
Could you advice necessary use cases otherwise ?

Comment 11 Joe Vlcek 2018-12-03 14:28:59 UTC
(In reply to Ievgen Zapolskyi from comment #10)
> Hello Joe,
> 
> is it enough to just check that IPA auth isn't broken after this change ?
> Could you advice necessary use cases otherwise ?

Ievgen,

You need to test Single Sign On. You can use IPA but you must enable SSO on the
appliance Authentication page.

- There are 3 moving parts when doing SSO:
-- 1 the server, e.g. IPA Server, AD Server
-- 2 the client, e.g. MiQ Configured as an IPA Client or AD client
-- 3 The host running the browser, e.g. your laptop

Set up a /etc/krb5.conf on your laptop.

Get a kerberos ticket by running kinit on your laptop.

Note: SSO is DNS centric so do not user IP Addresses, You must configure
a hostname for your Cloudforms appliance and the IPA server.

Also make sure the time on all three machines is synced.

You will also need to exit chrome and restart it with --auth-server-whitelist and --auth-negotitate-delegate-whitelist. I'll PM you the command I use.

Comment 13 Ievgen Zapolskyi 2018-12-17 16:48:58 UTC
Many Thanks Joe for extended reply.
It works as expected.


Verified in 5.10.0.29

Comment 15 errata-xmlrpc 2019-02-07 22:45:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0213


Note You need to log in before you can comment on or make changes to this bug.