[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy
Rob Crittenden
rcritten at redhat.com
Fri Feb 28 14:35:13 UTC 2014
Simo Sorce wrote:
> On Fri, 2014-02-28 at 09:03 -0500, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 02/28/2014 12:41 PM, Martin Kosek wrote:
>>>> On 02/28/2014 10:47 AM, Petr Viktorin wrote:
>>>>> On 02/27/2014 10:18 PM, Rob Crittenden wrote:
>>>>>> Rob Crittenden wrote:
>>>>> [...]
>>>>>>> Ok, so try to summarize this long-running thread, I'll rename the
>>>>>>> subpackage to freeipa-server-foreman-smartproxy to make it clearer
>>>>>>> what
>>>>>>> it is/does. Right now it requires manual configuration so having the
>>>>>>> package installed should have no negative impacts (other than
>>>>>>> potentially pulling in additional dependencies).
>>>>>>>
>>>>>>> I'll leave it in smartproxy for now, it's just cleaner and better
>>>>>>> integrates with ipatests IMHO.
>>>>>>>
>>>>>>> Foreman supports SSL client auth which is great, by cherrypy does not
>>>>>>> yet. There is a pull request to add this,
>>>>>>> https://bitbucket.org/cherrypy/cherrypy/pull-request/15/added-support-for-client-certificate/activity
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> . Foreman otherwise supports no other authentication method, so we're
>>>>>>> blocked with this. The certs for this would initially come out of
>>>>>>> Foreman/puppet.
>>>>>>>
>>>>>>> I'll submit a new patch with an updated spec but I think otherwise
>>>>>>> I've
>>>>>>> addressed the isuses Petr has raised. This thread has taken a lot of
>>>>>>> turns so it is very possible I missed something though :-)
>>>>>>
>>>>>> Updated patch based on feedback from Foreman team. I added a new URI,
>>>>>> /features, which Foreman uses to determine what capabilities a proxy
>>>>>> has.
>>>>>>
>>>>>> rob
>>>>>
>>>>> My review is blocked because 389-ds doesn't install on Rawhide due to
>>>>> https://fedorahosted.org/389/ticket/47700
>>>>>
>>>>> Noriko, do you know of a Rawhide build that includes your fix?
>>>>
>>>> Guys, if this patch still makes our master branch incompatible with
>>>> F20, then
>>>> it is a NACK from me. All developers run on F20, our CI runs on F20
>>>> and I do
>>>> not think we can afford loosing that and forcing everyone to
>>>> permanently switch
>>>> to rawhide - it is too unstable.
>>>>
>>>> IMO the Requires and BuildRequires most be set so that RPMs are
>>>> buildable and
>>>> installable on F20. The only acceptable exception is when only
>>>> freeipa-server-foreman-smartprox cannot be installed on F20, but
>>>> otherwise
>>>> everything else need to work.
>>>>
>>>> Thanks,
>>>> Martin
>>>>
>>>
>>> Okay, it's not a BuildRequires; IPA doesn't build because of a lint
>>> failure: ipalib/util.py - Module 'kerberos' has no
>>> 'authGSSClientInquireCred' member
>>>
>>> I guess the new get_current_principal needs to be kept out of ipalib
>>> until we move to f21. Until then we can have a lint exception; after
>>> then we need to remove it, and add BuildRequires so lint passes.
>>>
>>
>> The other option is to locally rebuild python-kerberos from rawhide in
>> F-20. Simo was a bit reluctant to put it into F-20 with the patch I
>> added for authenticate_gss_client_inquire_cred(). We can also work on
>> convincing him it is low risk.
>
> Or you can simply provide a copr repo with the new build for f20 for the
> time being ?
That doesn't deal with Martin's requirement that master build in F-20,
and I presume by that no asterisks allowed (though we have made
exceptions in the past).
For a package this small, fetching from copr and rpmbuild are similar
amounts of effort, IMHO.
rob
More information about the Freeipa-devel
mailing list