Bug 999639 - HTTPClient gem auto-loads GSSAPI gem; errors out if no Kerberos ticket
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: oc
Version: 2.x
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
: ---
Assignee: Jordan Liggitt
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-21 18:36 UTC by Lynn Root
Modified: 2015-05-15 02:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-19 16:46:10 UTC
Target Upstream Version:
Embargoed:



Description Lynn Root 2013-08-21 18:36:28 UTC
Description of problem:

When running `rhc setup` after installation, if the `gssapi` gem is installed on the user's machine, HTTPClient gem automatically requires `gssapi`. Before initiating the first request to the Broker, the gssapi gem will search for a Kerberos ticket locally on the user's machine.  If no ticket is found, then RHC will error out with a GSSAPI Error.

If a user has gssapi installed for another program/project/process/etc., RHC should not assume, at least before the first authenticated request, that it should use Negotiate and therefore try to find the ticket cache.

This should pretty much only happen if the server only accepts Negotiate authentication.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. `gem install gssapi`
2. `gem install rhc`
3. `kdestroy` # make sure you don't have any ticket available
4. `rhc setup`

Actual results:

GSSAPI error is returned.

Expected results:

Prompt for user/password during the setup process.

Additional info:

This is because HTTPClient will always try to `require gssapi` (or `require win32/sspi` for Windows).

This is also all on the client side, meaning this does not ever ping the Broker for available auth methods.

I am working on the ability to ping the server for available authentication, as well as behavior when gssapi is purposefully installed for the use of Negotiate authentication.

Comment 1 Jessica Forrester 2013-09-10 18:16:07 UTC
I tried this on Fedora 18 with these versions of the gems and couldn't reproduce it:

gssapi (1.1.2)
rhc (1.13.6)
httpclient (2.3.4.1)

It prompts me for the username/password.

What OS and gem versions were you using when you created the error?

Comment 2 Jordan Liggitt 2013-09-11 19:47:05 UTC
If the server supports negotiate and basic, httpclient will attempt to use gssapi if available.

To recreate, we have to enable Negotiate auth for the broker.

We need to catch the following types of errors encountered when initializing gssapi and fall back to basic:
- Kerberos doesn't know about the server (gssapi just happens to be installed)
- Kerberos doesn't have any tickets for that server
- Kerberos only has expired tickets for that server
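
The fallback described in comment 2, sketched as an added example (not code from rhc, httpclient or the pull request). `FakeGssError`, `GSS_INIT`, `choose_auth` and the `broker` realm are constructed stand-ins so the logic runs without the gssapi gem or a KDC:

```ruby
# Constructed stand-in for the error the gssapi gem raises when it cannot
# build a security context; it is not the gem's own class.
class FakeGssError < StandardError; end

# Hypothetical initializers, one per failure mode listed in comment 2,
# plus "gem not installed" and the success case.
GSS_INIT = {
  unknown_server: -> { raise FakeGssError, 'Server not found in Kerberos database' },
  no_ticket:      -> { raise FakeGssError, 'No credentials cache found' },
  expired_ticket: -> { raise FakeGssError, 'Ticket expired' },
  gem_missing:    -> { raise LoadError, 'cannot load such file -- gssapi' },
  valid_ticket:   -> { 'constructed-token' }
}.freeze

# Reduce the WWW-Authenticate values of a 401 to lowercase scheme names.
def offered_schemes(www_authenticate_values)
  www_authenticate_values
    .map { |v| v.strip.split(/\s+/, 2).first.to_s.downcase }
    .reject(&:empty?).uniq
end

# Pick the scheme for the retry. Negotiate is used only when the server
# offers it AND the security context initializes; a GSSAPI failure falls
# back to Basic (if offered) instead of aborting the command.
def choose_auth(www_authenticate_values, gss_init)
  offered = offered_schemes(www_authenticate_values)
  if offered.include?('negotiate')
    begin
      return { scheme: :negotiate, token: gss_init.call }
    rescue FakeGssError, LoadError => e
      fallback_reason = e.message
    end
  end
  return { scheme: :basic, reason: fallback_reason } if offered.include?('basic')
  { scheme: :none, reason: fallback_reason || 'no supported scheme offered' }
end

# Constructed 401 challenge sets.
BOTH           = ['Negotiate', 'Basic realm="broker"'].freeze
BASIC_ONLY     = ['Basic realm="broker"'].freeze
NEGOTIATE_ONLY = ['Negotiate'].freeze

if __FILE__ == $PROGRAM_NAME
  GSS_INIT.each { |name, init| puts "#{name}: #{choose_auth(BOTH, init)}" }
end
```

When the server offers only Negotiate, the failure is still surfaced (`:none` with the GSSAPI reason) rather than prompting for a password the server would not accept.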

Comment 3 Jordan Liggitt 2013-09-11 19:47:27 UTC
Will merge in https://github.com/openshift/rhc/pull/463

Comment 4 weiwei jiang 2013-09-13 10:07:19 UTC
Tested on Windows 7 via rhc-1.13.6 & rhc-1.12.4, cannot reproduce this issue.
Tried on Windows 7 via rhc-1.14.6-build_from_devenv_3776, cannot reproduce this issue.

And then tried this issue on Fedora (rhc-1.13.6 & rhc-1.14.6-build_from_devenv_3776), still cannot reproduce this issue.

So I have to verify this bug, thx.

Comment 5 weiwei jiang 2013-09-13 10:32:01 UTC
Also tried on Fedora 18 & Windows 7 via latest rhc (rhc-1.15.0-build_from_devenv_3781), still cannot reproduce.

Comment 6 Jordan Liggitt 2013-09-13 13:16:20 UTC
To reproduce:
1. Enable Negotiate authentication and basic authentication for the broker
2. Install the gssapi gem on the rhc client machine

