The oVirt 1.0 development team requires GSSAPI support by the end of December '08.
For oVirt, GSSAPI support needs to be added to the C++ and Ruby clients as well as to qpidd.
Created attachment 326785 [details] Initial patch for qpidd and qpid c++ client
Created attachment 327139 [details] SASL authentication and encryption for qpidd and c++ client

Includes support for a security layer over RDMA. There are new min/max ssf (security strength factor) options for the client to control the strength of the negotiated security layer.
Support for the ruby client is tracked by dependent BZ476716.
*** Bug 445747 has been marked as a duplicate of this bug. ***
*** Bug 453528 has been marked as a duplicate of this bug. ***
Committed as r732093.

Note that to use GSSAPI you need to install the cyrus-sasl-gssapi package (and make sure your configured mech-list, if any, does not exclude gssapi). Then you need to have a KDC configured for use with the qpidd service.

Below are some notes on what I did to set up a simple test environment (on mrg15). I am not very knowledgeable about Kerberos admin so this shouldn't be read as best practice, but may be useful to QE etc. Most of what I found out came from: http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/

Broadly, the steps are: install the packages, edit the config file, create an admin account, start the services, add the user principal(s), add a service principal for qpidd, create a keytab for the service principal, ensure that your qpidd instance can read the keytab, kinit the client shell and then specify --mechanism GSSAPI to any of the tests (you also probably need to specify the --broker to match the hostname your service principal is configured with).

In a bit more detail:

The package you need for a KDC is krb5-server (you also need krb5-libs but that is included by default I think in most cases).

Then you edit the /etc/krb5.conf file (e.g. see the one I used on mrg15) and add an entry to /var/kerberos/krb5kdc/kadm5.acl to grant administrative access. I simply added the following line:

  */admin@QPID_TEST *

which I believe grants all rights to any account that ends with '/admin'. You then create that admin user, e.g.:

  /usr/kerberos/sbin/kadmin.local -q "addprinc admin/admin"

Then you start the services krb5kdc and kadmin.

Then you create (a) user account(s) using the kadmin.local tool. This starts an interactive 'shell' and the command to do so is: addprinc <username>.

You also need a principal for the qpidd service. I used:

  addprinc -randkey qpidd/mrg15.lab.bos.redhat.com

for that. Then you export a keytab entry for that principal with the ktadd command, e.g.:

  ktadd qpidd/mrg15.lab.bos.redhat.com

This is /etc/krb5.keytab by default and the qpidd server must be able to access it (I ran my qpidd as root for this).
Verified on RHEL5.i386, qpidd-0.4.744917-1.el5, qpidc-perftest-0.4.744917-1.el5. Will verify on x86_64 soon; so far the full script follows:

------------------------------------------------------------------
# make sure you have everything installed -
# yum install krb5-server krb5-workstation qpidd qpidc-perftest

FQDN="dhcp-0-137.brq.redhat.com"
USERNAME="testuser"
REALM="EXAMPLE.COM"

# client-side Kerberos configuration: realm, KDC, domain mapping, logging
cat > /etc/krb5.conf <<EOF
[libdefaults]
 default_realm = $REALM

[realms]
 $REALM = {
  kdc = $FQDN
  admin_server = $FQDN
 }

[domain_realm]
 .redhat.com = $REALM

[logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log
EOF

# KDC configuration
cat > /var/kerberos/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 $REALM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
EOF

# grant all rights to any */admin principal
cat > /var/kerberos/krb5kdc/kadm5.acl <<EOF
*/admin@$REALM *
EOF

# create the realm database (prompts for the master password), then the admin principal
kdb5_util create -s
kadmin.local -q 'addprinc admin/admin'

/etc/init.d/krb5kdc start
/etc/init.d/kadmin start

# service principal for qpidd with a keytab entry (goes to /etc/krb5.keytab), and a test user
kinit admin/admin
kadmin -q "addprinc -randkey qpidd/$FQDN"
kadmin -q "ktadd qpidd/$FQDN"
kadmin -q "addprinc $USERNAME"

# get a ticket as the test user, start the broker with auth on, run a GSSAPI client against it
kinit $USERNAME
qpidd --auth yes --realm $REALM &
perftest -b $FQDN --mechanism GSSAPI --username $USERNAME --tx 1
------------------------------------------------------------------

and the clean-up:

-----------------------------------------
pkill qpidd
/etc/init.d/krb5kdc stop
/etc/init.d/kadmin stop
rm -rfv /etc/krb5*
rm -rfv /var/kerberos/krb5kdc/{.k*,*}
-----------------------------------------
Verified on both i386 and x86_64, on both RHEL4.7 and RHEL5.3. The package cyrus-sasl-gssapi is also vital and I did not mention it earlier.

RHEL4: qpidd-0.4.744917-1.el4, qpidc-perftest-0.4.744917-1.el4
RHEL5: qpidd-0.4.744917-1.el5, qpidc-perftest-0.4.744917-1.el5
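The setup notes and verification script above run qpidd as root so it can read the shared /etc/krb5.keytab, and the kdc.conf offers single-DES and RC4 enctypes. The following is an added example (not from the bug, the reporter, or the qpid project) of the tightened variant a practitioner would want: an AES-only kdc.conf, a check that a config still lists weak enctypes, a SASL config for the qpidd application that offers only GSSAPI, a keytab permission check, and provisioning of a dedicated keytab for an unprivileged broker. Assumptions not stated in the bug: a local "qpidd" account exists, MIT krb5's KRB5_KTNAME variable is used to point the broker at /etc/qpidd.keytab, the installed cyrus-sasl gssapi plugin honours the "keytab" option, and the realm/host names are placeholders.

```shell
#!/bin/sh
# Hardened companion to the verification script (added example, not the bug's own code).
# Assumed, not from the bug: qpidd runs as the local "qpidd" user, reads its own keytab
# via KRB5_KTNAME, and is limited to GSSAPI by /etc/sasl2/qpidd.conf.

REALM="${REALM:-EXAMPLE.COM}"              # placeholder realm
FQDN="${FQDN:-broker.example.com}"         # placeholder broker host
QPIDD_USER="${QPIDD_USER:-qpidd}"          # assumed unprivileged account
QPIDD_KEYTAB="${QPIDD_KEYTAB:-/etc/qpidd.keytab}"

# kdc.conf for realm $1 offering only AES enctypes.  The des*/arcfour/v4/afs3 entries
# from the test script are dropped: single DES is brute-forceable and the v4 entries are
# irrelevant to a SASL/GSSAPI broker.
gen_kdc_conf() {
    cat <<EOF
[kdcdefaults]
 kdc_tcp_ports = 88

[realms]
 $1 = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
 }
EOF
}

# 0 if the supported_enctypes line(s) in file $1 list no DES/3DES/RC4 enctypes, 1 otherwise.
enctypes_are_strong() {
    ! grep -i 'supported_enctypes' "$1" | grep -Eiq 'des|arcfour'
}

# SASL config for the "qpidd" application name.  Offering only GSSAPI stops a client from
# negotiating PLAIN or ANONYMOUS.  The keytab line is an assumption about the cyrus-sasl
# gssapi plugin; KRB5_KTNAME in start_qpidd covers the case where it is ignored.
gen_sasl_conf() {
    cat <<EOF
mech_list: GSSAPI
keytab: $1
EOF
}

# 0 if keytab $1 is owned by user $2 and readable only by that owner (mode 400 or 600),
# 1 otherwise.  Anyone who can read the keytab can impersonate the qpidd service.
keytab_is_private() {
    perms=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" = "$2" ] || return 1
    case "$perms" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the service principal and export it to a dedicated keytab instead of the shared
# /etc/krb5.keytab, then lock the file down.  Needs a running KDC and an admin ticket.
provision_qpidd_keytab() {
    kadmin -q "addprinc -randkey qpidd/$FQDN"
    kadmin -q "ktadd -k $QPIDD_KEYTAB qpidd/$FQDN"
    chown "$QPIDD_USER" "$QPIDD_KEYTAB"
    chmod 0600 "$QPIDD_KEYTAB"
    keytab_is_private "$QPIDD_KEYTAB" "$QPIDD_USER"
    klist -k "$QPIDD_KEYTAB"      # confirm the qpidd/$FQDN entry landed
}

# Start the broker as the unprivileged user with MIT krb5 pointed at its own keytab.
start_qpidd() {
    su -s /bin/sh "$QPIDD_USER" -c \
        "KRB5_KTNAME='$QPIDD_KEYTAB' exec qpidd --auth yes --realm '$REALM'"
}
```

Typical use on the KDC/broker host: `gen_kdc_conf "$REALM" > /var/kerberos/krb5kdc/kdc.conf` and `gen_sasl_conf "$QPIDD_KEYTAB" > /etc/sasl2/qpidd.conf` before `kdb5_util create -s`, then `provision_qpidd_keytab` once the admin ticket is held, and `start_qpidd` in place of the root `qpidd --auth yes` line; the perftest invocation from the verification script is unchanged.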
Created attachment 339507 [details] Automated test

Something like this will be added to RHTS soon. Tested on both RHELs (4 and 5).