[MERGE] GSSAPI Authentication support for HTTP

Vincent Ladeuil v.ladeuil+lp at free.fr
Tue Feb 17 14:31:58 GMT 2009


>>>>> "Jelmer" == Jelmer Vernooij <jelmer at samba.org> writes:

    Jelmer> pre-canned responses won't work, since the Apache
    Jelmer> server won't be able to validate the tickets unless
    Jelmer> you have a proper Keytab and KDC running for it. The
    Jelmer> client won't be able to obtain tickets to send to the
    Jelmer> server without a connection to a KDC.

<shudder>

    Jelmer> Setting up the server environment is nontrivial:

Why do you think I'm asking to capture as much knowledge as
possible *now*? :-)

    Jelmer>  * The Apache server with mod_auth_kerb will need to
    Jelmer>    have a keytab file that it can use to obtain
    Jelmer>    credentials from the KDC.

    Jelmer>  * A KDC needs to be set up (/etc/krb5.conf and a
    Jelmer>    kdc-specific conf file) with reverse DNS set up
    Jelmer>    properly or some custom host -> realm mapping in
    Jelmer>    /etc/krb5.conf

    Jelmer>  * An account has to be set up for the apache server
    Jelmer>    in the KDC, named something like HTTP@<hostname>

    Jelmer>  * An account has to be created for the user

    Jelmer>  * whatever test we run has to have access to the
    Jelmer>    krb5.conf file in the test environment, and has to
    Jelmer>    run "kinit" to obtain the initial Kerberos
    Jelmer>    credentials

Since you have already done the hard work, you should be able to
define a *working* (even if only under *your* setup so far) local
test server. Even if it works only on your host, that's a start
(I plan to implement all needed infrastructure on my test server
but it may be a while before *that* reaches the top of my list
:-/).

I don't care for a reusable server yet (you can even put your
host in the .conf file), I care about a working apache conf
(since that's all local-test-server can handle so far).

Note that local-test-server can handle more files than just the
apache2.conf, so feel free to add 'users', 'keytab' (or whatever)
files with edited content as long as it works for you (i.e. I
don't care if it's incomplete at that point, since the kerberos
part will not be there, but at least that will make a known
working starting point).

Even the 'kinit' may be required to be run *before* starting the
test server if that makes it simpler for you.

Use any tricks you want as long as you document them as you did
just above.

    Jelmer> I'll hopefully have a look at providing a fix for this in the next
    Jelmer> couple of days.

Great.

    Jelmer> === modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
    Jelmer> --- bzrlib/transport/http/_urllib2_wrappers.py	2009-02-09 18:25:43 +0000
    Jelmer> +++ bzrlib/transport/http/_urllib2_wrappers.py	2009-02-17 11:05:48 +0000
    Jelmer> @@ -66,6 +66,13 @@
    Jelmer>      ui,
    Jelmer>      )
 
    Jelmer> +try:
    Jelmer> +    import kerberos
    Jelmer> +except ImportError:
    Jelmer> +    have_kerberos = False
    Jelmer> +else:
    Jelmer> +    have_kerberos = True
    Jelmer> +
 
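Review bot: the new `try: import kerberos` block at the top of the hunk sits below the bzrlib imports (`ui,` / `)`), so the third-party import is ordered after project imports; move the whole try/except/else block up with the other system and third-party imports, and add a one-line comment on `have_kerberos` stating that GSSAPI support is skipped when the module is absent, since a bare `ImportError` guard otherwise reads as incidental.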
system packages *before* bzr packages please.

    Jelmer> +        if ret < 1:
    Jelmer> +            trace.warning('Unable to create GSSAPI context for %(host)s: %d',
    Jelmer> +                auth, ret)
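Review bot: the format string in the `trace.warning` call mixes a named placeholder (`%(host)s`) with a positional one (`%d`), which Python cannot satisfy from a single argument set and rejects with `TypeError: format requires a mapping`; use one style throughout, e.g. `'Unable to create GSSAPI context for %(host)s: %(ret)d', {'host': auth['host'], 'ret': ret}` or `'... for %s: %d', auth['host'], ret`. Because the message is only formatted when the warning is emitted, the error will not show up until the failure path is actually exercised, so a test that forces `ret < 1` is needed to cover it.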

I think you're asking a bit too much to '%' above :)

You can't mix %(attr)s and %d syntax in the same format (sorry
for not noticing that at the first review).

Untested code is broken code :-/

Anyway, as far as bzr core is concerned, that's now a:

BB:tweak

but you really should implement a local test server (merging such
a patch against lp:~vila/bzr/local-test-server, even if it needs
tweaks for setups without installed kerberos will reach the top of
my TODO list *very* quickly).

     Vincent
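Added illustration of the format-string problem discussed above (not code from the patch or from bzr): the message is rendered the way the logging module renders a record, so the mixed-style format fails exactly as it would when the warning is emitted, while the two consistent forms render cleanly. `auth` is assumed to be a dict with a `'host'` key, as the original `%(host)s` placeholder implies.

```python
import logging

# Format used in the quoted patch: named and positional placeholders mixed.
BROKEN_FMT = 'Unable to create GSSAPI context for %(host)s: %d'
# Corrected forms: all named with one mapping, or all positional with a tuple.
FIXED_NAMED_FMT = 'Unable to create GSSAPI context for %(host)s: %(ret)d'
FIXED_POSITIONAL_FMT = 'Unable to create GSSAPI context for %s: %d'


def render_log_message(fmt, *args):
    """Render fmt/args the way logging does at emit time.

    Build a LogRecord and ask it for its message; logging applies the
    '%' operator lazily here, which is why a bad format only fails when
    the warning path actually runs.  Return the rendered text, or the
    TypeError text when format and arguments disagree.
    """
    record = logging.LogRecord('bzr', logging.WARNING, __file__, 0,
                               fmt, args, None)
    try:
        return record.getMessage()
    except TypeError as e:
        return 'TypeError: %s' % e


def gssapi_context_warnings(auth, ret):
    """Render the broken and both corrected forms for the same inputs.

    Returns a dict keyed 'broken', 'named', 'positional'.
    """
    return {
        # Same argument shape as the original trace.warning(..., auth, ret).
        'broken': render_log_message(BROKEN_FMT, auth, ret),
        # One mapping argument satisfies every %(name) placeholder.
        'named': render_log_message(FIXED_NAMED_FMT,
                                    {'host': auth['host'], 'ret': ret}),
        # A plain tuple satisfies every positional placeholder.
        'positional': render_log_message(FIXED_POSITIONAL_FMT,
                                         auth['host'], ret),
    }


if __name__ == '__main__':
    # Constructed sample input: a fake auth dict and a failing GSSAPI return code.
    for name, text in gssapi_context_warnings({'host': 'bzr.example.test'}, 0).items():
        print('%-10s %s' % (name, text))
```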


