Title: #314: RFC: privilege separation for ipa framework code
Changed field: body
As part of the External Authentication work this PR implements the privilege
separation portion of the design available here:
https://www.freeipa.org/page/V4/External_Authentication and implements tickets:
The update process from an old server has not been implemented yet, so this is
just an RFC request at this stage. Please look at the code and let me know if
you notice any major issue with it so we can correct mistakes early.
This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi
and gssproxy, which are not released/accepted upstream yet (all PRs filed, and
will be available soon).
In order to allow trying the code, I made two copr repos with the necessary
changes available here:
I tested a new install, and both GSSAPI and password authentication work
(via command line and web browser). I have not tested OTP authentication yet.
There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session
handling to mod_auth_gssapi, simplifying the code greatly. As part of this
change we stop using memcached.
- the framework configuration is changed to work as a different user from the
Apache framework and depends on gssproxy in order to be able to access
necessary credentials. (Apache itself is also using gssproxy and does not have
direct access to the HTTP keytab.)
This required two changes in the form-based authentication workflow:
* The armor cache is obtained via anonymous pkinit as we do not have access
anymore to the HTTP keytab. This means this PR depends on #62 (until it is
accepted commits from that PR are in this PR)
* The actual authentication is done via a loopback HTTP request to Apache
after we obtain a TGT. This is done in order to obtain a session cookie from
mod_auth_gssapi, as well as to be able to immediately discard the TGT and just
keep the HTTP ticket instead.
@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service
(memcached) on upgrade?
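The form-based workflow described above (anonymous PKINIT for the armor cache, FAST-armored password kinit, loopback Negotiate request to Apache, then dropping the TGT), as an added Python example that is not code from this PR or from FreeIPA. It shells out to MIT krb5's kinit and to a GSSAPI-enabled curl rather than using the framework's own helpers; the login URL, the cache file names and the fact that both caches are deleted (only the mod_auth_gssapi cookie is retained) are assumptions of this example. The command runner is injectable so the sequence can be exercised without a KDC.

```python
"""Form-based login without access to the HTTP keytab: anonymous PKINIT
armor cache, FAST-armored password kinit, loopback Negotiate request,
then discard the TGT and keep only the mod_auth_gssapi session cookie.

Added illustration, not the PR's or FreeIPA's code.  Assumes MIT krb5
kinit and a curl built with GSSAPI support are on PATH; the login URL
and cache file names below are assumed, not taken from the project.
"""
import os
import subprocess


def run(argv, stdin_text=None, env=None):
    """Run a command and return its stdout; raise on non-zero exit."""
    return subprocess.run(argv, input=stdin_text, env=env, text=True,
                          capture_output=True, check=True).stdout


def parse_set_cookies(header_text):
    """Map cookie name -> value for every Set-Cookie header in a raw
    header dump (attributes such as Path/Secure/HttpOnly are dropped)."""
    cookies = {}
    for line in header_text.splitlines():
        if line.lower().startswith("set-cookie:"):
            pair = line.split(":", 1)[1].strip().split(";", 1)[0]
            name, _, value = pair.partition("=")
            if name.strip():
                cookies[name.strip()] = value.strip()
    return cookies


def form_login(user, password, login_url, workdir, run=run):
    """Return the cookies handed out by mod_auth_gssapi after a form
    login.  `run` is injectable so the sequence can be tested without a
    KDC.  `login_url` is an assumed loopback endpoint on Apache."""
    armor = os.path.join(workdir, "armor_ccache")   # assumed file name
    tgt = os.path.join(workdir, "tgt_ccache")       # assumed file name
    try:
        # 1. Anonymous PKINIT needs only the KDC's certificate, not the
        #    HTTP keytab, so it works from the unprivileged framework user.
        run(["kinit", "-n", "-c", armor])
        # 2. Password kinit armored (FAST) with that cache; kinit reads
        #    the password from stdin when stdin is not a terminal.
        run(["kinit", "-T", armor, "-c", tgt, user],
            stdin_text=password + "\n")
        # 3. Loopback request authenticated with the fresh TGT.  Apache
        #    validates it through gssproxy and mod_auth_gssapi answers
        #    with a Set-Cookie header carrying the session.
        env = dict(os.environ, KRB5CCNAME="FILE:" + tgt)
        headers = run(["curl", "-sS", "--negotiate", "-u", ":",
                       "-D", "-", "-o", "/dev/null", login_url], env=env)
        cookies = parse_set_cookies(headers)
    finally:
        # 4. Discard both credential caches immediately; in this
        #    example the cookie is the only thing kept for the session.
        for path in (armor, tgt):
            if os.path.exists(path):
                os.unlink(path)
    if not cookies:
        raise RuntimeError("loopback login returned no Set-Cookie header")
    return cookies


if __name__ == "__main__":
    import getpass
    import sys
    import tempfile
    # usage: python3 this.py USER https://localhost/ipa/session/login_kerberos
    with tempfile.TemporaryDirectory() as tmp:
        got = form_login(sys.argv[1], getpass.getpass(), sys.argv[2], tmp)
    print(sorted(got))
```

The security-relevant property the sequence preserves is that nothing in the framework process ever needs to read the HTTP keytab: the armor comes from anonymous PKINIT, the TGT is only used for one loopback request, and the caches are unlinked even if that request fails.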