On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
>    URL: https://github.com/freeipa/freeipa/pull/314
> Author: simo5
>  Title: #314: RFC: privilege separation for ipa framework code
> Action: edited
> 
>  Changed field: body
> Original value:
> """
> As part of the External Authentication work this PR implements the privilege 
> separation portion of the design available here: 
> https://www.freeipa.org/page/V4/External_Authentication and implements 
> tickets: https://fedorahosted.org/freeipa/ticket/5959 and 
> https://fedorahosted.org/freeipa/ticket/4189
> 
> The update process from an old server has not been implemented yet, so this 
> is just an RFC request at this stage. Please look at the code and let me know 
> if you notice any major issue with it so we can correct mistakes early.
> 
> This PR depends on improvements and fixes to two dependencies: 
> mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet 
> (all PRs filed, and will be available soon).
> In order to allow trying the code, I made two copr repos with the necessary 
> changes available here:
> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
> 
> I tested a new install and both gssapi as well as password authentication 
> work (via command line and web browser). I have not tested OTP authentication 
> yet.
> 
> There are 2 fundamental changes in this code:
> - the session handling code has been dropped in favor of deferring session 
> handling to mod_auth_gssapi, simplifying the code greatly. As part of this 
> change we stop using memcached.
> - the framework configuration is changed to work as a different user from the 
> Apache framework and depends on gssproxy in order to be able to access 
> necessary credentials. (Apache itself is also using gssproxy and does not 
> have direct access to the HTTP keytab.)
>   This required two changes in the form-based authentication workflow:
>   * The armor cache is obtained via anonymous pkinit as we do not have access 
> anymore to the HTTP keytab. This means this PR depends on #62 (until it is 
> accepted commits from that PR are in this PR)
>   * The actual authentication is done via a loopback HTTP request to apache 
> after we obtain a TGT, this is done in order to obtain a session cookie from 
> mod_auth_gssapi as well as to be able to immediately discard the TGT and just 
> keep the HTTP ticket instead.
> 
> @jcholast @pvoborni Please provide comments on the framework changes.
> @rcritten @abbra do you have ideas on how to deal with dropping a service 
> (memcached) on upgrade?
> """
> 
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

There seems to be a bug in the mailing list posting script when someone
edits a PR description: I see the original text here but not the new
text!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
