Bug 953452 - [RFE] apache HBAC and kerberos auth
Status: CLOSED DUPLICATE of bug 1107555
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
Reported: 2013-04-18 08:49 UTC by Lukas Bezdicka
Modified: 2023-09-14 01:43 UTC
Doc Type: Enhancement
Last Closed: 2014-06-11 12:45:07 UTC

Description Lukas Bezdicka 2013-04-18 08:49:37 UTC
Description of problem:
Right now I can do apache auth against pam to get HBAC rules working somehow, but I'll lose SSO, or I can do Kerberos auth with LDAP to get something similar. I'd love to get to a state where I'll use an auth_whatever module that'll provide GSS-API + HBAC rules (with caching against sssd?). It would also be nice if this worked per service, e.g. I can disable access to ssh but enable access to virtualhost1 and virtualhost2, where virtualhost1 users aren't the same as virtualhost2 users.

This might work purely by just using kerberos and adding some authz support to kerberos?

Version-Release number of selected component (if applicable):
ALL

How reproducible:
ALWAYS

Steps to Reproduce:
1. Try to get HBAC + kerberos working.
  
Actual results:
Impossible.

Expected results:
Somewhat possible.

Comment 1 Martin Kosek 2013-04-18 09:04:50 UTC
Jakub, wasn't there an idea to create HBAC enforcing mod_ for apache? I think I recall some relevant discussion.

Comment 2 Jakub Hrozek 2013-04-18 10:24:46 UTC
(In reply to comment #1)
> Jakub, wasn't there an idea to create HBAC enforcing mod_ for apache? I
> think I recall some relevant discussion.

There was a proposal to develop a standalone PAM HBAC module, but I don't remember anything about an Apache module.

Comment 3 Dmitri Pal 2013-04-19 18:43:46 UTC
The problem is that there would be no way to distinguish one application running in Apache from another. We have looked into this several times and every time the biggest problem is to identify one Apache app from another. A separate complication is that the identities logging into the web app running in Apache and the identities logging into the OS are in many cases different identities, in sssd lingo two different domains. And the problem arises in SSSD to determine which domains should be served to which Apache instances and applications. So far there is no good solution to that problem.
Realistically you want Kerberos SSO + Siteminder. HBAC is just a simplified access control engine in comparison to Siteminder.
This is probably a route to go, but this would be a huge undertaking and it is not clear if IPA+SSSD is the right place and vehicle to define, manage and deliver access control rules around URLs, and if not it immediately falls outside of our scope.
I think there should be an open source equivalent of Siteminder but so far I am unaware of it. If there is, it might make sense (or might not) to store its access control rules in IPA, so if you know about such a project please point us to it.

Comment 4 Lukas Bezdicka 2013-04-20 15:30:06 UTC
Well, the idea was to use different principals for virtual servers, for example:
HTTP/a.example.com
HTTP/b.example.com
and define different HBAC(?) rules for these services. This might work with pure apache kerberos auth if the KDC would check whether you have authorization for the service, wouldn't it?

Comment 6 Martin Kosek 2014-02-13 15:59:01 UTC
I have an update on this front. I think this request could be fulfilled with mod_authnz_pam that Jan Pazdziora developed. You can find more information here:

http://www.freeipa.org/page/Web_App_Authentication#Host_and_service_based_access_control

Packages are on their way to Fedora:
https://admin.fedoraproject.org/updates/mod_authnz_pam-0.8.1-1.fc20,mod_intercept_form_submit-0.9.5-1.fc20

Comment 7 Jan Pazdziora (Red Hat) 2014-02-14 01:07:45 UTC
Confirming that the mod_authnz_pam should address all the requirements from comment 0 -- see http://www.adelton.com/apache/mod_authnz_pam/ for documentation.

As for distinguishing applications in Apache (the problem mentioned in comment 3), my proposal is to use a different HBAC service name for each (class of) application and the matching PAM service name. So you can have 'www-controlling' and 'www-controlling-stage', or you can have 'www-controlling.company.a' and 'www-controlling.company.b'. It's just a string, which will however allow you to come up with a virtually unlimited set of rules.

In the Apache configuration,

   Require pam-account www-controlling-stage

will then select the correct service (and thus HBAC rules).

Lukáš, could you please check if the module seems like a fit for your needs? Packages for RHEL 6 and RHEL 7 are in repos at
http://copr-fe.cloud.fedoraproject.org/coprs/adelton/identity_demo/
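
As an added configuration example (not from this bug, and not the mod_authnz_pam project's own files), here is how the per-virtual-host scheme from comments 4 and 7 fits together: each virtual host authenticates the browser with Kerberos via mod_auth_kerb, then authorizes through a PAM service of its own whose name doubles as the FreeIPA HBAC service name. Host names, realm, keytab path, PAM service names and the "team-a"/"team-b" groups are assumptions.

```apache
# /etc/httpd/conf.d/hbac-vhosts.conf (assumed path): one PAM service per virtual host.
# mod_auth_kerb authenticates (SSO via Negotiate); mod_authnz_pam then asks PAM, through
# pam_sss, whether that user may use the named service. SSSD evaluates the FreeIPA HBAC
# rules for that service name, so a.example.com and b.example.com get separate rules.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule authnz_pam_module modules/mod_authnz_pam.so

<VirtualHost *:443>
    ServerName a.example.com
    SSLEngine on                       # certificate directives omitted for brevity
    <Location />
        AuthType Kerberos
        AuthName "Kerberos login (a.example.com)"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off          # ticket or nothing: no password fallback over HTTP
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/http.keytab   # contains HTTP/a.example.com (assumed)
        # Authorization: PAM service "www-a" is also the FreeIPA HBAC service "www-a"
        Require pam-account www-a
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName b.example.com
    SSLEngine on
    <Location />
        AuthType Kerberos
        AuthName "Kerberos login (b.example.com)"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/http.keytab   # also contains HTTP/b.example.com (assumed)
        Require pam-account www-b
    </Location>
</VirtualHost>

# Companion PAM stacks (assumed), /etc/pam.d/www-a and /etc/pam.d/www-b, each containing:
#     account  required  pam_sss.so
# Only the account phase runs, so no password ever reaches PAM; httpd needs the
# SELinux boolean for this:  setsebool -P httpd_mod_auth_pam on
#
# Matching FreeIPA objects, run once as an IPA admin (names assumed):
#     ipa hbacsvc-add www-a
#     ipa hbacrule-add allow_www_a
#     ipa hbacrule-add-service allow_www_a --hbacsvcs=www-a
#     ipa hbacrule-add-host allow_www_a --hosts=web.example.com
#     ipa hbacrule-add-user allow_www_a --groups=team-a
#     ipa hbacrule-disable allow_all       # otherwise allow_all grants everyone everything
#     ipa hbactest --user=alice --host=web.example.com --service=www-a   # verify the rule
```

The same five ipa commands with www-b and team-b define the second rule; because pam_sss caches HBAC rules, a user denied on b.example.com stays denied there even while holding a valid ticket that a.example.com accepts.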

Comment 8 Martin Kosek 2014-06-11 12:45:07 UTC
This request is currently tracked in Bug 1107555 - it contains FreeIPA apache modules as specified above.

Closing this bug as duplicate so that the effort can be tracked in one location.

*** This bug has been marked as a duplicate of bug 1107555 ***

Comment 9 Red Hat Bugzilla 2023-09-14 01:43:29 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
