Bug 799129 - [RFE] Add Kerberos authentication for Cumin
Summary: [RFE] Add Kerberos authentication for Cumin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: cumin
Version: Development
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: 2.3
Assignee: Chad Roberts
QA Contact: Stanislav Graf
URL:
Whiteboard:
Duplicates: 486202
Depends On:
Blocks: 850563 486202 861485 916732
Reported: 2012-03-01 20:27 UTC by Trevor McKay
Modified: 2018-12-01 19:05 UTC (History)

Fixed In Version: cumin-0.1.5562-1
Doc Type: Enhancement
Doc Text:
Feature: Kerberos authentication in cumin
Reason: Some customers may want to use their kerberos auth server to handle cumin authentication.
Result (if any): By adding "kerb" to the "auth" config in cumin.conf and by setting kerberos_realm to the value required by their kerberos setup (krb5.conf), cumin will use the python-kerberos library to authenticate users. By default, all kerberos-authenticated users will be treated as non-admins in cumin. In order to get a kerberos-authenticated admin user, you would need to add an "external" user to the cumin database and then add the admin role assignment via the cumin-admin utility.
Clone Of:
Environment:
Last Closed: 2013-03-06 18:41:57 UTC
Target Upstream Version:
Embargoed:


Attachments
Remove need for kerberos_server in configuration. (3.49 KB, patch) - 2012-12-03 18:06 UTC, Chad Roberts


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 861485 0 medium CLOSED Add documentation to MCIG for kerberos authentication in cumin 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 879562 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Product Errata RHSA-2013:0564 0 normal SHIPPED_LIVE Low: Red Hat Enterprise MRG Grid 2.3 security update 2013-03-06 23:37:09 UTC

Internal Links: 861485 879562

Description Trevor McKay 2012-03-01 20:27:53 UTC
Description of problem:

Support Kerberos authentication for Cumin login.

LDAP authentication is a similar issue, Bug 737979

Comment 2 Luigi Toscano 2012-08-01 10:30:41 UTC
Will this be implemented natively (using auth?) or using an external script (through auth: script=...) ?

Comment 4 Trevor McKay 2012-08-21 13:30:16 UTC
Not certain, I haven't looked at what this will take.  But, I would heavily lean toward "native" -- much better to have less indirection, and have something easier to debug, tie into Cumin logging, etc etc.

The script mechanism really exists for user extension or customization, to cover edge cases, and to give us a (temporary) catch-all for "we didn't think of that".  All mechanisms that we intend to be first class, and for which Python has supporting modules, should be native.  That is my intention.

Comment 6 Chad Roberts 2012-09-28 18:57:00 UTC
This is available in revision 5486 on trunk.

Comment 10 Trevor McKay 2012-10-04 14:42:27 UTC
*** Bug 486202 has been marked as a duplicate of this bug. ***

Comment 13 Trevor McKay 2012-11-20 16:04:07 UTC
Adding an rpm dependency to the el6 spec file on python-kerberos.  Marking this BZ rhel6 only since python-kerberos is not carried on el5.

Comment 18 Chad Roberts 2012-12-03 18:06:31 UTC
Created attachment 656854: Remove need for kerberos_server in configuration.

Comment 19 Stanislav Graf 2012-12-06 14:43:04 UTC
Tested on cumin-0.1.5564-1.el6

Set up kerberos server according to
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html

Set up kerberos in cumin.conf:
auth: kerb
kerberos_realm: EXAMPLE.COM

Set up kerberos in /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = hostname
  admin_server = hostname
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

In web.log:
DEBUG Authenticator: authenticating external user
DEBUG Authenticator: authenticate, try <cumin.kerbauth.CuminAuthenticatorKerberos object at 0xa2dba6c>
DEBUG Authenticating for user cuminkrb against CuminAuthenticatorKerberos
DEBUG Authenticator: authentication succeeded for external user

Log for wrong password:
DEBUG Auth failed ('Decrypt integrity check failed', -1765328353)
DEBUG Authenticator: authentication failed for external user

Log for wrong realm:
DEBUG Auth failed ('Cannot find KDC for requested realm', -1765328230)
DEBUG Authenticator: authentication failed for external user

Log for wrong kdc:
DEBUG Auth failed ('Cannot contact any KDC for requested realm', -1765328228)
DEBUG Authenticator: authentication failed for external user

Log for inaccessible /etc/krb5.conf:
DEBUG Auth failed ('Cannot initialize Kerberos5 context', 13)
DEBUG Authenticator: authentication failed for external user

Comment 20 Stanislav Graf 2012-12-07 15:14:30 UTC
Local user/auth is always first:
- add user with the same name as kerberos user
# cumin-admin add-user cuminkrb
- try to login with password belonging to local user
- in web.log:
DEBUG Authenticator: authentication succeeded for user
# cumin-admin remove-user cuminkrb

Role enforcement:
- set in cumin.conf:
authorize: True
- restart cumin
# service cumin restart
- login as kerberos user and check that administrator tab is not available
- in web.log:
DEBUG Authenticator: authentication succeeded for external user
DEBUG Denying  cumin.main.MainPage authorization for ['user'] 
DEBUG Not authorized, redirecting to usergrid.html
DEBUG Allowing usergrid authorization for ['user'] 
- add administrator right to the kerberos user
# cumin-admin external-user cuminkrb
# cumin-admin add-assignment cuminkrb admin
- login as kerberos user and administrator tab is available again
- in web.log:
DEBUG Authenticator: authentication succeeded for external user
DEBUG Allowing ['messaging', 'grid'] authorization for ['user', 'admin'] 
DEBUG Allowing grid authorization for ['user', 'admin']
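
Added example (not code from cumin or from this bug report): a small Python parser over a constructed web.log excerpt modelled on the lines quoted in comments 19 and 20, separating Kerberos wrong-password failures from KDC/realm/krb5.conf errors and counting logins that the local cumin database answered before Kerberos was consulted. The regexes, the grouping of error codes and the sample lines are assumptions built only from the log output shown above.

```python
import re
from collections import Counter

# Constructed web.log excerpt modelled on the lines quoted in comments 19 and 20
# of this bug (not captured from a real deployment).
SAMPLE_WEB_LOG = """\
DEBUG Authenticator: authenticating external user
DEBUG Authenticator: authentication succeeded for external user
DEBUG Auth failed ('Decrypt integrity check failed', -1765328353)
DEBUG Authenticator: authentication failed for external user
DEBUG Auth failed ('Decrypt integrity check failed', -1765328353)
DEBUG Authenticator: authentication failed for external user
DEBUG Auth failed ('Cannot find KDC for requested realm', -1765328230)
DEBUG Authenticator: authentication failed for external user
DEBUG Auth failed ('Cannot contact any KDC for requested realm', -1765328228)
DEBUG Authenticator: authentication failed for external user
DEBUG Auth failed ('Cannot initialize Kerberos5 context', 13)
DEBUG Authenticator: authentication failed for external user
DEBUG Authenticator: authentication succeeded for user
"""

# Codes quoted in comment 19: the first is a wrong password; the rest mean the
# realm/KDC/krb5.conf setup is broken, which cumin still reports as a failed login.
CREDENTIAL_CODES = {-1765328353}              # 'Decrypt integrity check failed'
INFRA_CODES = {-1765328230, -1765328228, 13}   # no KDC, KDC unreachable, no krb5.conf

AUTH_FAILED = re.compile(r"Auth failed \('(?P<msg>[^']*)', (?P<code>-?\d+)\)")
AUTH_RESULT = re.compile(r"Authenticator: authentication (?P<result>succeeded|failed) "
                         r"for (?P<kind>external user|user)$")

def summarize_auth(log_text):
    """Count login outcomes; 'user' without 'external' = local cumin db answered first."""
    counts = Counter()
    pending_code = None  # code from the most recent 'Auth failed' line
    for line in log_text.splitlines():
        failed = AUTH_FAILED.search(line)
        if failed:
            pending_code = int(failed.group("code"))
            continue
        m = AUTH_RESULT.search(line)
        if m is None:
            continue
        if m.group("result") == "succeeded":
            counts["local_success" if m.group("kind") == "user" else "kerberos_success"] += 1
        elif pending_code in CREDENTIAL_CODES:
            counts["kerberos_bad_password"] += 1
        elif pending_code in INFRA_CODES:
            counts["kerberos_infra_error"] += 1
        else:
            counts["kerberos_other_failure"] += 1
        pending_code = None
    return dict(counts)
```

A run of kerberos_bad_password entries is the credential-guessing signal worth alerting on; kerberos_infra_error entries mean the realm or KDC settings are wrong and every Kerberos login is being refused, while local_success for an account that was meant to be external shows the local-first precedence from comment 20 shadowing the Kerberos principal.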

Comment 21 Stanislav Graf 2012-12-07 15:31:05 UTC
Feature doesn't work on RHEL5 (comment 13)

Tested on RHEL6 i386/x86_64 with cumin-0.1.5564-1.el6

One issue separated into Bug 879562

--> VERIFIED

Comment 23 errata-xmlrpc 2013-03-06 18:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0564.html

