[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Rob Crittenden rcritten at redhat.com
Fri Feb 28 14:56:57 UTC 2014


Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2014-02-28 at 09:03 -0500, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 02/28/2014 12:41 PM, Martin Kosek wrote:
>>>>> On 02/28/2014 10:47 AM, Petr Viktorin wrote:
>>>>>> On 02/27/2014 10:18 PM, Rob Crittenden wrote:
>>>>>>> Rob Crittenden wrote:
>>>>>> [...]
>>>>>>>> Ok, so to try to summarize this long-running thread, I'll rename the
>>>>>>>> subpackage to freeipa-server-foreman-smartproxy to make it clearer
>>>>>>>> what
>>>>>>>> it is/does. Right now it requires manual configuration so having
>>>>>>>> the
>>>>>>>> package installed should have no negative impacts (other than
>>>>>>>> potentially pulling in additional dependencies).
>>>>>>>>
>>>>>>>> I'll leave it in smartproxy for now, it's just cleaner and better
>>>>>>>> integrates with ipatests IMHO.
>>>>>>>>
>>>>>>>> Foreman supports SSL client auth which is great, but cherrypy
>>>>>>>> does not
>>>>>>>> yet. There is a pull request to add this,
>>>>>>>> https://bitbucket.org/cherrypy/cherrypy/pull-request/15/added-support-for-client-certificate/activity
>>>>>>>> . Foreman otherwise supports no other authentication method, so
>>>>>>>> we're
>>>>>>>> blocked with this. The certs for this would initially come out of
>>>>>>>> Foreman/puppet.
>>>>>>>>
>>>>>>>> I'll submit a new patch with an updated spec but I think otherwise
>>>>>>>> I've
>>>>>>>> addressed the issues Petr has raised. This thread has taken a
>>>>>>>> lot of
>>>>>>>> turns so it is very possible I missed something though :-)
>>>>>>>
>>>>>>> Updated patch based on feedback from Foreman team. I added a new
>>>>>>> URI,
>>>>>>> /features, which Foreman uses to determine what capabilities a proxy
>>>>>>> has.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> My review is blocked because 389-ds doesn't install on Rawhide due to
>>>>>> https://fedorahosted.org/389/ticket/47700
>>>>>>
>>>>>> Noriko, do you know of a Rawhide build that includes your fix?
>>>>>
>>>>> Guys, if this patch still makes our master branch incompatible with
>>>>> F20, then
>>>>> it is a NACK from me. All developers run on F20, our CI runs on F20
>>>>> and I do
>>>>> not think we can afford losing that and forcing everyone to
>>>>> permanently switch
>>>>> to rawhide - it is too unstable.
>>>>>
>>>>> IMO the Requires and BuildRequires must be set so that RPMs are
>>>>> buildable and
>>>>> installable on F20. The only acceptable exception is when only
>>>>> freeipa-server-foreman-smartproxy cannot be installed on F20, but
>>>>> otherwise
>>>>> everything else needs to work.
>>>>>
>>>>> Thanks,
>>>>> Martin
>>>>>
>>>>
>>>> Okay, it's not a BuildRequires; IPA doesn't build because of a lint
>>>> failure: ipalib/util.py - Module 'kerberos' has no
>>>> 'authGSSClientInquireCred' member
>>>>
>>>> I guess the new get_current_principal needs to be kept out of ipalib
>>>> until we move to f21. Until then we can have a lint exception; after
>>>> then we need to remove it, and add BuildRequires so lint passes.
>>>>
>>>
>>> The other option is to locally rebuild python-kerberos from rawhide in
>>> F-20. Simo was a bit reluctant to put it into F-20 with the patch I
>>> added for authenticate_gss_client_inquire_cred(). We can also work on
>>> convincing him it is low risk.
>>
>> Or you can simply provide a copr repo with the new build for f20 for the
>> time being ?
>
> That doesn't deal with Martin's requirement that master build in F-20,
> and I presume by that no asterisks allowed (though we have made
> exceptions in the past).
>
> For a package this small, fetching from copr and rpmbuild are similar
> amounts of effort, IMHO.

Rather than fight, 
http://copr.fedoraproject.org/coprs/rcritten/python-kerberos/

rob



