Story #270

As a pulp-admin and pulp-consumer user, I can authenticate to Pulp via Kerberos

Added by contact@andreagiardini.com about 9 years ago. Updated about 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
% Done: 0%
Groomed: Yes
Sprint Candidate: No
Tags: Pulp 2

Description

Deliverables

  • documentation (including release notes)
  • pulp-admin and pulp-consumer can provide krb in a request
  • requests to pulp's API can be authenticated with krb

This does not include configuring apache or creating the users in pulp.

++ This bug was initially created as a clone of Bugzilla Bug #1166565 ++

Description of problem:

I'd like to have the possibility to authenticate via Kerberos from pulp-admin and pulp-consumer.

--- Additional comment from at 11/21/2014 10:33:32 ---

Server configuration for Kerberos (slightly different from Nick Coghlan's):

- /etc/httpd/conf/httpd.conf

WSGIScriptAlias /pulp/krb /srv/pulp/webservices.wsgi

<Location /pulp/krb>
    AuthName "Pulp API: Kerberos Login"
    AuthType Kerberos
    KrbMethodNegotiate on
    Require valid-user
    KrbServiceName Any
    KrbAuthRealm $MYREALM
    KrbVerifyKDC off
    KrbMethodK5Passwd on
    Krb5Keytab $MYKEYTABFILE
    KrbSaveCredentials on
    KrbLocalUserMapping On
</Location>

Make sure that /etc/krb5.conf and keytab files are readable by the apache user.
After that you can point the clients to /pulp/krb.

Discussion keypoints and ideas:

- Kerberos URL

Right now the Pulp API is exposed at /pulp/api/v2 and allows username/password authentication. We need to decide the URL for the krb authentication. I propose /pulp/krb/v2, as in the example above.

- Possibility to have a separate -k option to specify if we want to authenticate through Kerberos or not.

It would be much better to do it automatically, without having to specify a separate option for it. The idea is to wrap the import to test whether it is available; if the import succeeds we should try to authenticate with Kerberos, falling back to username/password if the auth fails.

--- Additional comment from at 11/21/2014 13:49:17 ---

+1 to having it automatically attempt kerberos if a TGT is available. Let's not introduce an option to turn something on when it can be done automagically.

We should avoid introducing a hard dependency with this feature. We need this to work on all the platforms FC19, FC20, FC21, EL6, and EL7. If it's not available in those we can't pick it up as a dependency, because we shouldn't carry security dependencies ourselves.

We probably want the feature to also work with pulp-consumer, not just pulp-admin. pulp-consumer runs on EL5, which has Python 2.4. The code that goes into pulp-consumer needs to be compliant with that older version. pulp-admin can target Python 2.6, since the oldest Python version it will run on is 2.6 on EL6.

In terms of authentication order, I believe kerberos first if the TGT and necessary libraries are available. If kerberos fails to authenticate, the TGT isn't available, or the necessary libraries aren't available then it should "do what it does today" in terms of username/password auth.

I think we need to select a URL as a default and have that option added to admin.conf (for pulp-admin). All we need is a default and a way for the user to change the default. They can set the URL to whatever they want as long as it agrees with their httpd configuration. Does that sound right? In terms of a default, can't we have the normal API served through kerberos? Could we use /pulp/api/v2 so that the Pulp WSGI service runs at the same URL, but with or without kerberos depending on how the user configures it? Does this make sense?

--- Additional comment from at 11/21/2014 14:08:58 ---

The more I think about this, having an option to configure the URL endpoint is probably a separate RFE. I believe pulp-admin expects the API to be available at /pulp/api/v2 and this feature would expect that if kerberos is being used on the server side that it is served from /pulp/api/v2.

The design above has the limitation that username/password and kerberos cannot both be used at the same time. Is that a reasonable limitation?

An example of the httpd config should be added to /etc/httpd/conf.d/pulp.conf so that users can enable server side kerberos by uncommenting the example.

--- Additional comment from at 11/21/2014 14:13:18 ---

I think that we can add the dependency that is needed so long as it is available in all the OSes we want to support (EL 5 - F21 for pulp-consumer, EL 6 - F21 for pulp-admin). I don't think we need to have it as an optional dependency if that is true.

It's also fine with me if the httpd config is one or the other for username/password, but pulp-admin should be able to autodetect what it should do. In fact, if you want to use kerberos on the server-side, it does make sense to disable password auth there.
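The auto-detect and fallback order discussed in the comments above (Kerberos first when a TGT and the library are available, otherwise username/password), as an added example that is not Pulp's code. It assumes the python-kerberos module for building the Negotiate token and reads the server's 401 challenge to learn which schemes httpd accepts (mod_auth_kerb answers with "Negotiate" when KrbMethodNegotiate is on and "Basic" when KrbMethodK5Passwd is on); it is written for Python 3 and ignores the Python 2.4 constraint the thread raises for pulp-consumer.

```python
import base64

try:
    import kerberos  # python-kerberos (optional); assumed API, pairs with mod_auth_kerb
except ImportError:
    kerberos = None

# Constructed sample: the 401 an httpd with KrbMethodNegotiate on and
# KrbMethodK5Passwd on returns for /pulp/api/v2 (two WWW-Authenticate headers).
SAMPLE_401_HEADERS = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", 'Basic realm="Pulp API: Kerberos Login"'),
]


def parse_challenges(headers):
    """Return the lower-cased auth schemes offered in WWW-Authenticate headers."""
    schemes = set()
    for name, value in headers:
        if name.lower() == "www-authenticate" and value.strip():
            schemes.add(value.strip().split(None, 1)[0].lower())
    return schemes


def negotiate_token(service):
    """Initial SPNEGO token for e.g. 'HTTP@pulp.example.com'; None if no TGT/library."""
    if kerberos is None:
        return None
    try:
        _, ctx = kerberos.authGSSClientInit(service)
        kerberos.authGSSClientStep(ctx, "")
        return kerberos.authGSSClientResponse(ctx)  # base64-encoded token
    except kerberos.GSSError:  # typically: no credential cache or expired TGT
        return None


def choose_authorization(headers, host, username, password, token_fn=negotiate_token):
    """Pick the Authorization value to retry with after a 401.

    Kerberos first, but only when the server offers Negotiate and a token can be
    built from a TGT; otherwise username/password. None if neither is possible.
    """
    schemes = parse_challenges(headers)
    if "negotiate" in schemes:
        token = token_fn("HTTP@" + host)
        if token:
            return ("Negotiate", "Negotiate " + token)
    if "basic" in schemes and username is not None and password is not None:
        creds = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        return ("Basic", "Basic " + creds)
    return None
```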

Actions #1

Updated by bmbouter about 9 years ago

  • Status changed from NEW to ASSIGNED

This was already at ASSIGNED state in Bugzilla. There was an error in the migration into Redmine. This change sets the correct state.

Actions #2

Updated by rbarlow about 9 years ago

  • Subject changed from [RFE] Support Kerberos authentication in Pulp clients (consumer/admin) to As a pulp-admin and pulp-consumer user, I can authenticate to Pulp via Kerberos
  • Status changed from ASSIGNED to POST
  • Tags Sprint Candidate added

Actions #3

Updated by mhrivnak about 9 years ago

  • Description updated (diff)
  • Tags Groomed added

Actions #4

Updated by rbarlow about 9 years ago

  • Status changed from POST to ASSIGNED
  • Assignee changed from contact@andreagiardini.com to rbarlow
  • Platform Release set to master

Actions #5

Updated by bmbouter almost 9 years ago

  • Groomed set to Yes
  • Tags deleted (Groomed)

Actions #6

Updated by bmbouter almost 9 years ago

  • Sprint Candidate set to Yes
  • Tags deleted (Sprint Candidate)

Actions #7

Updated by rbarlow almost 9 years ago

  • Sprint/Milestone set to 16

Actions #8

Updated by rbarlow over 8 years ago

  • Status changed from ASSIGNED to NEW
  • Assignee deleted (rbarlow)

Actions #9

Updated by mhrivnak over 8 years ago

  • Sprint/Milestone deleted (16)
  • Platform Release deleted (master)

Actions #10

Updated by mhrivnak almost 8 years ago

  • Sprint Candidate changed from Yes to No

Actions #11

Updated by bmbouter about 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX

Actions #12

Updated by bmbouter about 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #13

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added