[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Simo Sorce simo at redhat.com
Fri Feb 28 14:29:51 UTC 2014


On Fri, 2014-02-28 at 09:03 -0500, Rob Crittenden wrote:
> Petr Viktorin wrote:
> > On 02/28/2014 12:41 PM, Martin Kosek wrote:
> >> On 02/28/2014 10:47 AM, Petr Viktorin wrote:
> >>> On 02/27/2014 10:18 PM, Rob Crittenden wrote:
> >>>> Rob Crittenden wrote:
> >>> [...]
> >>>>> Ok, so try to summarize this long-running thread, I'll rename the
> >>>>> subpackage to freeipa-server-foreman-smartproxy to make it clearer what
> >>>>> it is/does. Right now it requires manual configuration so having the
> >>>>> package installed should have no negative impacts (other than
> >>>>> potentially pulling in additional dependencies).
> >>>>>
> >>>>> I'll leave it in smartproxy for now, it's just cleaner and better
> >>>>> integrates with ipatests IMHO.
> >>>>>
> >>>>> Foreman supports SSL client auth which is great, but cherrypy does not
> >>>>> yet. There is a pull request to add this:
> >>>>> https://bitbucket.org/cherrypy/cherrypy/pull-request/15/added-support-for-client-certificate/activity
> >>>>>
> >>>>> Foreman otherwise supports no other authentication method, so we're
> >>>>> blocked with this. The certs for this would initially come out of
> >>>>> Foreman/puppet.
> >>>>>
> >>>>> I'll submit a new patch with an updated spec but I think otherwise I've
> >>>>> addressed the issues Petr has raised. This thread has taken a lot of
> >>>>> turns so it is very possible I missed something though :-)
> >>>>
> >>>> Updated patch based on feedback from Foreman team. I added a new URI,
> >>>> /features, which Foreman uses to determine what capabilities a proxy
> >>>> has.
> >>>>
> >>>> rob
> >>>
> >>> My review is blocked because 389-ds doesn't install on Rawhide due to
> >>> https://fedorahosted.org/389/ticket/47700
> >>>
> >>> Noriko, do you know of a Rawhide build that includes your fix?
> >>
> >> Guys, if this patch still makes our master branch incompatible with F20,
> >> then it is a NACK from me. All developers run on F20, our CI runs on F20
> >> and I do not think we can afford losing that and forcing everyone to
> >> permanently switch to rawhide - it is too unstable.
> >>
> >> IMO the Requires and BuildRequires must be set so that RPMs are buildable
> >> and installable on F20. The only acceptable exception is when only
> >> freeipa-server-foreman-smartproxy cannot be installed on F20, but otherwise
> >> everything else needs to work.
> >>
> >> Thanks,
> >> Martin
> >>
> >
> > Okay, it's not a BuildRequires; IPA doesn't build because of a lint
> > failure: ipalib/util.py - Module 'kerberos' has no
> > 'authGSSClientInquireCred' member
> >
> > I guess the new get_current_principal needs to be kept out of ipalib
> > until we move to f21. Until then we can have a lint exception; after
> > then we need to remove it, and add BuildRequires so lint passes.
> >
> 
> The other option is to locally rebuild python-kerberos from rawhide in 
> F-20. Simo was a bit reluctant to put it into F-20 with the patch I 
> added for authenticate_gss_client_inquire_cred(). We can also work on 
> convincing him it is low risk.

Or you can simply provide a copr repo with the new build for f20 for the
time being?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
