On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
> URL: https://github.com/freeipa/freeipa/pull/314
> Author: simo5
> Title: #314: RFC: privilege separation for ipa framework code
> Action: edited
>
> Changed field: body
> Original value:
> """
> As part of the External Authentication work this PR implements the privilege
> separation portion of the design available here:
> https://www.freeipa.org/page/V4/External_Authentication and implements
> tickets: https://fedorahosted.org/freeipa/ticket/5959 and
> https://fedorahosted.org/freeipa/ticket/4189
>
> The update process from an old server has not been implemented yet, so this
> is just an RFC request at this stage. Please look at the code and let me know
> if you notice any major issue with it so we can correct mistakes early.
>
> This PR depends on improvements and fixes to two dependencies:
> mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet
> (all PRs filed, and will be available soon).
> In order to allow trying the code, I made two copr repos with the necessary
> changes available here:
> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
>
> I tested a new install and both gssapi as well as password authentication
> work (via command line and web browser). I have not tested OTP authentication
> yet.
>
> There are 2 fundamental changes in this code:
> - the session handling code has been dropped in favor of deferring session
> handling to mod_auth_gssapi, simplifying the code greatly. As part of this
> change we stop using memcached.
> - the framework configuration is changed to work as a different user from the
> Apache framework and depends on gssproxy in order to be able to access
> necessary credentials. (Apache itself is also using gssproxy and does not
> have direct access to the HTTP keytab.)
>
> This required two changes in the form-based authentication workflow:
> * The armor cache is obtained via anonymous pkinit as we do not have access
> anymore to the HTTP keytab. This means this PR depends on #62 (until it is
> accepted commits from that PR are in this PR)
> * The actual authentication is done via a loopback HTTP request to apache
> after we obtain a TGT, this is done in order to obtain a session cookie from
> mod_auth_gssapi as well as to be able to immediately discard the TGT and just
> keep the HTTP ticket instead.
>
> @jcholast @pvoborni Please provide comments on the framework changes.
> @rcritten @abbra do you have ideas on how to deal with dropping a service
> (memcached) on upgrade ?
> """
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
There seems to be a bug in the mailing list posting script when someone edits a PR description, I see the original text here but not the new text!

Simo.

--
Simo Sorce * Red Hat, Inc * New York
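To make the privilege split in the quoted PR description concrete, here is a gssproxy configuration sketch. It is an added illustration for this page, not a file from the FreeIPA pull request or from the gssproxy project, and the service names, the keytab path and the user names (apache for httpd, ipaapi for the framework) are assumptions chosen for the example. The shape it shows is the one the PR describes: the HTTP keytab is owned by root and read only by gssproxy, httpd gets an acceptor-only service for mod_auth_gssapi, and the framework, running as a separate unprivileged user, gets an initiator service so it can obtain credentials without ever opening the keytab itself.

```ini
# Added example, not code from the FreeIPA PR or from gssproxy.
# Two gssproxy services, each bound to the effective UID of one local
# process, so neither httpd nor the framework reads the HTTP keytab.
# Assumed names: service sections, keytab path, users "apache" and "ipaapi".

# Acceptor side: used by mod_auth_gssapi inside httpd to accept Negotiate
# tokens. Matched on the calling process running as euid "apache".
# The keytab itself stays root-owned and readable only by gssproxy.
[service/ipa-httpd]
  mechs = krb5
  euid = apache
  cred_usage = accept
  cred_store = keytab:/var/lib/ipa/gssproxy/http.keytab

# Initiator side: used by the IPA framework, which now runs under its own
# user ("ipaapi" is an assumption) instead of inside the Apache worker.
# client_keytab lets it acquire credentials as the HTTP service principal
# on demand; it still never sees the key material directly.
[service/ipa-api]
  mechs = krb5
  euid = ipaapi
  cred_usage = initiate
  cred_store = keytab:/var/lib/ipa/gssproxy/http.keytab
  cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab
```

For either process to be routed through gssproxy rather than the native krb5 mechanism, the gssproxy interposer plugin has to be active for it; in practice that means the process environment carries GSS_USE_PROXY=yes (for httpd, via its systemd unit environment). A quick check that the separation actually holds is to confirm, as the apache and framework users, that the keytab file is not readable (for example `ls -l /var/lib/ipa/gssproxy/http.keytab` showing root-only permissions) while `klist -k` against it succeeds only as root.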
