[Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

Martin Basti mbasti at redhat.com
Fri Dec 9 07:31:30 UTC 2016



On 08.12.2016 22:47, Simo Sorce wrote:
> On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
>>     URL: https://github.com/freeipa/freeipa/pull/314
>> Author: simo5
>>   Title: #314: RFC: privilege separation for ipa framework code
>> Action: edited
>>
>>   Changed field: body
>> Original value:
>> """
>> As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189
>>
>> The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early.
>>
>> This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon).
>> In order to allow trying the code, I made two copr repos with the necessary changes available here:
>> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
>> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
>>
>> I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet.
>>
>> There are 2 fundamental changes in this code:
>> - the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached.
>> - the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.)
>>    This required two changes in the form-based authentication workflow:
>>    * The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted, commits from that PR are in this PR)
>>    * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT. This is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead.
>>
>> @jcholast @pvoborni Please provide comments on the framework changes.
>> @rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade?
>> """
>>
>> -- 
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> There seems to be a bug in the mailing list posting script when someone
> edits a PR description, I see the original text here but not the new
> text!
>
> Simo.
>
It is expected,

  Changed field: body
Original value:

I just haven't had time to implement sending the new values (because of the format of GitHub messages it is not so simple). I may try to finish the GitHub notification RFEs today.

Martin
