URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: edited

Changed field: body
Original value:
As part of the External Authentication work this PR implements the privilege 
separation portion of the design available here: 
https://www.freeipa.org/page/V4/External_Authentication and implements tickets: 
https://fedorahosted.org/freeipa/ticket/5959 and 

The update process from an old server has not been implemented yet, so this is 
just an RFC request at this stage. Please look at the code and let me know if 
you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi 
and gssproxy, which are not released/accepted upstream yet (all PRs filed, and 
will be available soon).
In order to allow trying the code, I made two copr repos with the necessary 
changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi as well as password authentication work 
(via command line and web browser). I have not tested OTP authentication yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session 
handling to mod_auth_gssapi, simplifying the code greatly. As part of this 
change we stop using memcached.
- the framework configuration is changed to work as a different user from the 
Apache framework and depends on gssproxy in order to be able to access 
necessary credentials. (Apache itself is also using gssproxy and does not have 
direct access to the HTTP keytab.)
  This required two changes in the form-based authentication workflow:
  * The armor cache is obtained via anonymous pkinit as we no longer have access 
to the HTTP keytab. This means this PR depends on #62 (until it is accepted, 
commits from that PR are in this PR).
  * The actual authentication is done via a loopback HTTP request to apache 
after we obtain a TGT. This is done in order to obtain a session cookie from 
mod_auth_gssapi, as well as to be able to immediately discard the TGT and just 
keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service 
(memcached) on upgrade?

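To make the privilege split described above concrete, here is an added gssproxy configuration fragment. It is not code from this PR or from the FreeIPA project; it only illustrates the arrangement the description relies on: Apache and the framework run as two different unprivileged users, neither can open the HTTP keytab directly, and gssproxy (running as root) hands each of them only the credentials its service section allows. The section names `ipa-httpd` and `ipa-api`, the user name `ipaapi`, the file path and the keytab location are assumptions chosen for the example; the option names (`mechs`, `cred_store`, `cred_usage`, `euid`) are standard gssproxy options.

```ini
# Assumed location: /etc/gssproxy/80-ipa.conf
# The keytab itself should be root-owned and mode 0600, so that neither
# the apache nor the ipaapi user can read it without going through gssproxy.

# Service for Apache (mod_auth_gssapi). gssproxy matches the calling process
# by effective uid and lets it only *accept* HTTP tickets on the keytab's
# behalf; the keytab bytes never enter the Apache process.
[service/ipa-httpd]
mechs = krb5
cred_store = keytab:/path/to/http.keytab   # placeholder path, not from the PR
cred_usage = accept
euid = apache

# Service for the IPA framework, which now runs as its own user (assumed name
# ipaapi) rather than as the Apache user. It only receives the initiating
# credentials it needs, again without direct keytab access.
[service/ipa-api]
mechs = krb5
cred_store = keytab:/path/to/http.keytab   # same placeholder path
cred_usage = initiate
euid = ipaapi
```

For either process to actually route GSSAPI calls through the proxy, its environment has to carry `GSS_USE_PROXY=yes` (the libgssapi interposer reads this variable); a quick way to verify the separation after deployment is to check that `ls -l` on the keytab shows root ownership with no group or world read bits, and that the framework process's uid differs from Apache's in `ps -o user,cmd`.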
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code