[MERGE] GSSAPI Authentication support for HTTP
Vincent Ladeuil
v.ladeuil+lp at free.fr
Tue Feb 17 14:31:58 GMT 2009
>>>>> "Jelmer" == Jelmer Vernooij <jelmer at samba.org> writes:
Jelmer> pre-canned responses won't work, since the Apache
Jelmer> server won't be able to validate the tickets unless
Jelmer> you have a proper Keytab and KDC running for it. The
Jelmer> client won't be able to obtain tickets to send to the
Jelmer> server without a connection to a KDC.
<shudder>
Jelmer> Setting up the server environment is nontrivial:
Why do you think I'm asking to capture as much knowledge as
possible *now*? :-)
Jelmer> * The Apache server with mod_auth_kerb will need to
Jelmer> have a keytab file that it can use to obtain
Jelmer> credentials from the KDC.
Jelmer> * A KDC needs to be set up (/etc/krb5.conf and a
Jelmer> kdc-specific conf file) with reverse DNS set up
Jelmer> properly or some custom host -> realm mapping in
Jelmer> /etc/krb5.conf
Jelmer> * An account has to be set up for the apache server
Jelmer> in the KDC, named something like HTTP@<hostname>
Jelmer> * An account has to be created for the user
Jelmer> * whatever test we run has to have access to the
Jelmer> krb5.conf file in the test environment, and has to
Jelmer> run "kinit" to obtain the initial Kerberos
Jelmer> credentials
Since you have already done the hard work, you should be able to
define a *working* (even if only under *your* setup so far) local
test server. Even if it works only on your host, that's a start
(I plan to implement all needed infrastructure on my test server
but it may be a while before *that* reaches the top of my list
:-/).
I don't care for a reusable server yet (you can even put your
host in the .conf file), I care about a working apache conf
(since that's all local-test-server can handle so far).
Note that local-test-server can handle more files than just the
apache2.conf, so feel free to add 'users', 'keytab' (or whatever)
files with edited content as long as it works for you (i.e. I
don't care if it's incomplete at that point, since the kerberos
part will not be there, but at least that will make a known
working starting point).
Even the 'kinit' may be required to be run *before* starting the
test server if that makes it simpler for you.
Use any tricks you want as long as you document them as you did
just above.
Jelmer> I'll hopefully have a look at providing a fix for this in the next
Jelmer> couple of days.
Great.
Jelmer> === modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
Jelmer> --- bzrlib/transport/http/_urllib2_wrappers.py 2009-02-09 18:25:43 +0000
Jelmer> +++ bzrlib/transport/http/_urllib2_wrappers.py 2009-02-17 11:05:48 +0000
Jelmer> @@ -66,6 +66,13 @@
Jelmer> ui,
Jelmer> )
Jelmer> +try:
Jelmer> + import kerberos
Jelmer> +except ImportError:
Jelmer> + have_kerberos = False
Jelmer> +else:
Jelmer> + have_kerberos = True
Jelmer> +
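Review bot: the `try: import kerberos` block is placed after the bzrlib import group (the `ui,` / `)` context lines); move it above the bzrlib imports so system modules come first, and consider binding `kerberos = None` in the `except ImportError` branch alongside `have_kerberos = False`, so later code has a single name to test and a clear failure mode if the flag check is ever bypassed.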
system packages *before* bzr packages please.
Jelmer> + if ret < 1:
Jelmer> + trace.warning('Unable to create GSSAPI context for %(host)s: %d',
Jelmer> + auth, ret)
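Review bot: the warning format mixes the mapping style `%(host)s` with the positional style `%d` while `auth, ret` are passed as positional arguments, so this branch raises `TypeError: format requires a mapping` instead of logging; pick one style, e.g. `'Unable to create GSSAPI context for %(host)s: %(ret)d'` with `{'host': auth['host'], 'ret': ret}` (or `%s: %d` with `(auth['host'], ret)`), and cover the `ret < 1` path with a test so the error branch is actually executed.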
I think you're asking a bit too much to '%' above :)
You can't mix %(attr)s and %d syntax in the same format (sorry
for not noticing that at the first review).
Untested code is broken code :-/
Anyway, as far as bzr core is concerned, that's now a:
BB:tweak
but you really should implement a local test server (merging such
a patch against lp:~vila/bzr/local-test-server, even if it needs
tweaks for setups without installed kerberos will reach the top of
my TODO list *very* quickly).
Vincent
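The two review points above (gating on an optional `kerberos` module, and the mixed `%(host)s`/`%d` format string) as a small added example; this is not bzr's code, it assumes `auth` is a mapping holding `'host'`, and only the no-kerberos path is exercised offline.

```python
import logging

# Optional dependency, guarded as the patch does; the fallback path
# must then degrade cleanly rather than fail on an unbound name.
try:
    import kerberos
except ImportError:
    kerberos = None
have_kerberos = kerberos is not None

log = logging.getLogger('negotiate-example')


def gssapi_context_warning(auth, ret):
    """Build the patch's warning text with a single, consistent style.

    `auth` is assumed (not stated on the page) to be a mapping with 'host'.
    Every placeholder uses the mapping form, so one dict is the only argument.
    """
    return ('Unable to create GSSAPI context for %(host)s: %(ret)d'
            % {'host': auth['host'], 'ret': ret})


def mixed_style_format_error(auth, ret):
    """Reproduce the reviewed bug: %(host)s and %d in one format string,
    fed a tuple. Returns the TypeError message, or None if it formatted."""
    try:
        'Unable to create GSSAPI context for %(host)s: %d' % (auth, ret)
    except TypeError as exc:
        return str(exc)
    return None


def negotiate_header(auth, service='HTTP'):
    """Return the 'Authorization: Negotiate <token>' value for auth['host'],
    or None when GSSAPI is unavailable or the context cannot be created."""
    if not have_kerberos:
        log.warning('python-kerberos not installed; no Negotiate for %(host)s',
                    {'host': auth['host']})
        return None
    # python-kerberos API: authGSSClientInit returns (result, context).
    ret, ctx = kerberos.authGSSClientInit('%s@%s' % (service, auth['host']))
    if ret < 1:
        log.warning(gssapi_context_warning(auth, ret))
        return None
    try:
        kerberos.authGSSClientStep(ctx, '')      # first leg: empty challenge
        token = kerberos.authGSSClientResponse(ctx)
    finally:
        kerberos.authGSSClientClean(ctx)
    return 'Negotiate %s' % token
```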