[Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals

Fraser Tweedale ftweedal at redhat.com
Thu Apr 14 06:33:00 UTC 2016 

On Wed, Apr 13, 2016 at 11:15:50AM +1000, Fraser Tweedale wrote:
> On Tue, Apr 12, 2016 at 09:31:30AM -0400, Simo Sorce wrote:
> > On Sat, 2016-04-09 at 10:11 +1000, Fraser Tweedale wrote:
> > > On Fri, Apr 08, 2016 at 10:47:19AM -0400, Simo Sorce wrote:
> > > > On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote:
> > > > > -        name = gssapi.Name('host@%s' % (self.client,),
> > > > > 
> > > > > -                           gssapi.NameType.hostbased_service)
> > > > 
> > > > If you remove this then on a serve that has nfs keys in the keytab you
> > > > may end up acquiring the wrong credentials.
> > > > You need to pass down what credentials you want to use to initialize the
> > > > cred store, we canot rely on ordering in the system keytab case.
> > > > 
> > > > Simo.
> > > > 
> > > Thanks Simo; updated patch attached.
> > 
> > Except the ACI the rest looks good to me.
> > For ACI please add a separate patch that follows the naming scheme for
> > subCA keys.
> > 
> The ACI here targets the Custodia server public keys, so the client
> can search and read them.  It should just read:
> 
> add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")
>     (targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")
>     (version 3.0; acl "Anyone can search Custodia public keys";
>         allow(read, search, compare) userdn = "ldap:///all";)
> 
> I don't mind putting the ACI in a separate patch, but it is
> necessary to restrict read access on the public keys to only the
> dogtag-ipa-custodia service principals.
> 
Updated patches attached.  ACI was split into new patch and
simplified (removed ($dn) macro).

Cheers,
Fraser
-------------- next part --------------
From 1f1193b3a4e786c63bde4fa0abe3640c16481633 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 8 Apr 2016 15:21:19 +1000
Subject: [PATCH] Allow CustodiaClient to be used by arbitrary principals

Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to allow specifying the keytab and Custodia
keyfile to use.  Avoid hard-coding the service name to find in the
keytab.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipapython/secrets/client.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 5b671988ddc66eedd9ae1cd4ddec0e1308bc5a93..a15057ae67c377a782db3642d14384e0bf11b5a2 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -41,16 +41,19 @@ class CustodiaClient(object):
 
         return iSecStore(config)
 
-    def __init__(self, client, server, realm, ldap_uri=None, auth_type=None):
-        self.client = client
-        self.creds = None
+    def __init__(self, client, server, realm, ldap_uri=None, auth_type=None,
+            client_servicename='host', keyfile=None, keytab=None):
+        self.client_service = '%s@%s' % (client_servicename, client)
+        self.keytab = keytab or paths.KRB5_KEYTAB
+        self.creds = self.init_creds()
 
         self.service_name = gssapi.Name('HTTP@%s' % (server,),
                                         gssapi.NameType.hostbased_service)
         self.server = server
 
-        keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
-        self.ikk = IPAKEMKeys({'server_keys': keyfile})
+        if keyfile is None:
+            keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
+        self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})
 
         self.kemcli = KEMClient(self._server_keys(server, realm),
                                 self._client_keys())
@@ -61,9 +64,9 @@ class CustodiaClient(object):
         requests.packages.urllib3.disable_warnings()
 
     def init_creds(self):
-        name = gssapi.Name('host@%s' % (self.client,),
+        name = gssapi.Name(self.client_service,
                            gssapi.NameType.hostbased_service)
-        store = {'client_keytab': paths.KRB5_KEYTAB,
+        store = {'client_keytab': self.keytab,
                  'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
         return gssapi.Credentials(name=name, store=store, usage='initiate')
 
-- 
2.5.5

-------------- next part --------------
From 234e6334dafb27224b89fed86968df3016b27474 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 13 Apr 2016 14:51:16 +1000
Subject: [PATCH] Allow all principals to read Custodia keys

Add an ACI to allow all authenticated principals to read and search
for Custodia server public keys.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 install/updates/20-aci.update | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 4802ae0458e8b870bf3127764ebabac1a48f7cf2..f4d20cba3b2449042c841477f64beff416c71862 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -136,3 +136,6 @@ add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5R
 dn: cn=ipa,cn=etc,$SUFFIX
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+
+# Anyone can search Custodia public keys
+add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Anyone can search Custodia public keys"; allow(read, search, compare) userdn = "ldap:///all";)
-- 
2.5.5

More information about the Freeipa-devel mailing list