Bug 799129 - [RFE] Add Kerberos authentication for Cumin
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: cumin
Version: Development
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: low
Target Milestone: 2.3
Assigned To: Chad Roberts
QA Contact: Stanislav Graf
Keywords: FutureFeature
Duplicates: 486202
Blocks: 850563 486202 861485 916732

Reported: 2012-03-01 15:27 EST by Trevor McKay
Modified: 2013-03-06 13:41 EST
CC List: 9 users

Fixed In Version: cumin-0.1.5562-1
Doc Type: Enhancement
Doc Text:
Feature: Kerberos authentication in cumin
Reason: Some customers may want to use their Kerberos auth server to handle cumin authentication.
Result (if any): By adding "kerb" to the "auth" config in cumin.conf and by setting kerberos_realm to the value required by their Kerberos setup (krb5.conf), cumin will use the python-kerberos library to authenticate users. By default, all Kerberos-authenticated users will be treated as non-admins in cumin. In order to get a Kerberos-authenticated admin user, you would need to add an "external" user to the cumin database and then add the admin role assignment via the cumin-admin utility.
Last Closed: 2013-03-06 13:41:57 EST


Attachments
Remove need for kerberos_server in configuration. (3.49 KB, patch) 2012-12-03 13:06 EST, Chad Roberts
Description Trevor McKay 2012-03-01 15:27:53 EST
Description of problem:

Support Kerberos authentication for Cumin login.

LDAP authentication is a similar issue, Bug 737979
Comment 2 Luigi Toscano 2012-08-01 06:30:41 EDT
Will this be implemented natively (using auth?) or using an external script (through auth: script=...) ?
Comment 4 Trevor McKay 2012-08-21 09:30:16 EDT
Not certain, I haven't looked at what this will take.  But, I would heavily lean toward "native" -- much better to have less indirection, and have something easier to debug, tie into Cumin logging, etc etc.

The script mechanism really exists for user extension or customization, to cover edge cases, and to give us a (temporary) catch-all for "we didn't think of that".  All mechanisms that we intend to be first class, and for which Python has supporting modules, should be native.  That is my intention.
Comment 6 Chad Roberts 2012-09-28 14:57:00 EDT
This is available in revision 5486 on trunk.
Comment 10 Trevor McKay 2012-10-04 10:42:27 EDT
*** Bug 486202 has been marked as a duplicate of this bug. ***
Comment 13 Trevor McKay 2012-11-20 11:04:07 EST
Adding an rpm dependency to the el6 spec file on python-kerberos.  Marking this BZ rhel6 only since python-kerberos is not carried on el5.
Comment 18 Chad Roberts 2012-12-03 13:06:31 EST
Created attachment 656854
Remove need for kerberos_server in configuration.
Comment 19 Stanislav Graf 2012-12-06 09:43:04 EST
Tested on cumin-0.1.5564-1.el6

Set up Kerberos server according to
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html

Set up Kerberos in cumin.conf:
auth: kerb
kerberos_realm: EXAMPLE.COM

Set up Kerberos in /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = hostname
  admin_server = hostname
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

In web.log:
DEBUG Authenticator: authenticating external user
DEBUG Authenticator: authenticate, try <cumin.kerbauth.CuminAuthenticatorKerberos object at 0xa2dba6c>
DEBUG Authenticating for user cuminkrb against CuminAuthenticatorKerberos
DEBUG Authenticator: authentication succeeded for external user

Log for wrong password:
DEBUG Auth failed ('Decrypt integrity check failed', -1765328353)
DEBUG Authenticator: authentication failed for external user

Log for wrong realm:
DEBUG Auth failed ('Cannot find KDC for requested realm', -1765328230)
DEBUG Authenticator: authentication failed for external user

Log for wrong kdc:
DEBUG Auth failed ('Cannot contact any KDC for requested realm', -1765328228)
DEBUG Authenticator: authentication failed for external user

Log for inaccessible /etc/krb5.conf:
DEBUG Auth failed ('Cannot initialize Kerberos5 context', 13)
DEBUG Authenticator: authentication failed for external user
Comment 20 Stanislav Graf 2012-12-07 10:14:30 EST
Local user/auth is always first:
- add user with the same name as kerberos user
# cumin-admin add-user cuminkrb
- try to login with password belonging to local user
- in web.log:
DEBUG Authenticator: authentication succeeded for user
# cumin-admin remove-user cuminkrb

Role enforcement:
- set in cumin.conf:
authorize: True
- restart cumin
# service cumin restart
- login as kerberos user and check that administrator tab is not available
- in web.log:
DEBUG Authenticator: authentication succeeded for external user
DEBUG Denying  cumin.main.MainPage authorization for ['user'] 
DEBUG Not authorized, redirecting to usergrid.html
DEBUG Allowing usergrid authorization for ['user'] 
- add administrator right to the kerberos user
# cumin-admin external-user cuminkrb
# cumin-admin add-assignment cuminkrb admin
- login as kerberos user and administrator tab is available again
- in web.log:
DEBUG Authenticator: authentication succeeded for external user
DEBUG Allowing ['messaging', 'grid'] authorization for ['user', 'admin'] 
DEBUG Allowing grid authorization for ['user', 'admin']
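The two test reports above (comments 19 and 20) describe a fixed order of checks: the local cumin user table is consulted first, Kerberos is tried only as an external authenticator, and a Kerberos user is a plain "user" until an admin assignment is added with cumin-admin. The following is an added example, written for this page and not cumin's own code, that models that chain in Python. The in-memory user table, the constructed KDC stand-in used by demo(), and the assumption that an existing local account shadows an external identity of the same name are this example's choices; the KerberosPasswordChecker class shows the python-kerberos call the page names, with an empty service string assumed.

```python
"""Added example (not cumin's code): local-first authentication with a
Kerberos fallback and an explicit admin role model, modelled on comments
19 and 20 of this bug. User table, checker stand-in and sample data are
constructed for illustration."""
import hashlib
import hmac
import logging
import os

log = logging.getLogger("cumin.auth.example")


def hash_password(password, salt=None, rounds=100000):
    """Salted PBKDF2 for the local table (constructed stand-in; the page
    does not describe cumin's real storage scheme)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class KerberosPasswordChecker:
    """External checker on python-kerberos, the library the page says cumin
    uses. `service` is an assumption (empty string). A password-only check
    trusts whatever KDC answers; newer python-kerberos accepts verify=True
    to validate the reply against a local keytab, which resists a rogue KDC."""

    def __init__(self, realm, service=""):
        self.realm = realm  # kerberos_realm from cumin.conf
        self.service = service

    def __call__(self, username, password):
        import kerberos  # lazy import: the rest of the example runs without it
        try:
            kerberos.checkPassword(username, password, self.service, self.realm)
            return True
        except kerberos.BasicAuthError as exc:
            log.debug("Auth failed %s", exc)  # same shape as comment 19's log lines
            return False


class Authenticator:
    def __init__(self, external_checkers=()):
        self.local_users = {}        # username -> (salt, digest)
        self.external_users = set()  # created with `cumin-admin external-user`
        self.assignments = {}        # username -> roles from `add-assignment`
        self.external_checkers = list(external_checkers)

    def add_user(self, username, password):
        self.local_users[username] = hash_password(password)

    def remove_user(self, username):
        self.local_users.pop(username, None)

    def external_user(self, username):
        self.external_users.add(username)

    def add_assignment(self, username, role):
        if username not in self.local_users and username not in self.external_users:
            raise KeyError("unknown user %s" % username)
        self.assignments.setdefault(username, set()).add(role)

    def authenticate(self, username, password):
        """Returns 'local', 'external' or None. Local user/auth is always first
        (comment 20); a local account shadows the external checkers entirely,
        which is this example's assumption, not something the page states."""
        if username in self.local_users:
            salt, expected = self.local_users[username]
            _, actual = hash_password(password, salt)
            ok = hmac.compare_digest(expected, actual)
            log.debug("Authenticator: authentication %s for user", "succeeded" if ok else "failed")
            return "local" if ok else None
        for checker in self.external_checkers:
            log.debug("Authenticator: authenticate, try %r", checker)
            if checker(username, password):
                log.debug("Authenticator: authentication succeeded for external user")
                return "external"
        log.debug("Authenticator: authentication failed for external user")
        return None

    def roles(self, username):
        """Everyone authenticated is a 'user'; 'admin' only via assignment, so
        Kerberos users are non-admins by default (doc text)."""
        return ["user"] + sorted(self.assignments.get(username, ()))


def authorized(page, required, granted):
    """Page-level check as logged in comment 20: allow if the user holds any
    role the page requires."""
    ok = bool(set(required) & set(granted))
    log.debug("%s %s authorization for %s", "Allowing" if ok else "Denying", page, granted)
    return ok


def constructed_kdc_checker(accounts):
    """Offline stand-in for KerberosPasswordChecker over a constructed table."""
    return lambda username, password: accounts.get(username) == password


def demo():
    auth = Authenticator([constructed_kdc_checker({"cuminkrb": "krb-secret"})])
    r = {}
    auth.add_user("cuminkrb", "local-secret")
    r["local_first"] = auth.authenticate("cuminkrb", "local-secret")
    r["local_shadows_krb"] = auth.authenticate("cuminkrb", "krb-secret")
    auth.remove_user("cuminkrb")
    r["kerberos"] = auth.authenticate("cuminkrb", "krb-secret")
    r["wrong_password"] = auth.authenticate("cuminkrb", "bad")
    r["roles_default"] = auth.roles("cuminkrb")
    r["admin_tab_before"] = authorized("cumin.main.MainPage", ["admin"], auth.roles("cuminkrb"))
    auth.external_user("cuminkrb")
    auth.add_assignment("cuminkrb", "admin")
    r["roles_admin"] = auth.roles("cuminkrb")
    r["admin_tab_after"] = authorized("cumin.main.MainPage", ["admin"], auth.roles("cuminkrb"))
    return r
```

Running `logging.basicConfig(level=logging.DEBUG); demo()` reproduces the sequence of the verification in comment 20: the same username authenticates locally while a local account exists, falls back to the Kerberos-style checker once that account is removed, is denied the admin page with roles ['user'], and is allowed it only after the external-user entry and admin assignment exist.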
Comment 21 Stanislav Graf 2012-12-07 10:31:05 EST
Feature doesn't work on RHEL5 (comment 13)

Tested on RHEL6 i386/x86_64 with cumin-0.1.5564-1.el6

One issue separated into Bug 879562

--> VERIFIED
Comment 23 errata-xmlrpc 2013-03-06 13:41:57 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0564.html
