On 08.12.2016 22:47, Simo Sorce wrote:
On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: edited Changed field: body Original value: """ As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189 The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early. This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon). In order to allow trying the code, I made two copr repos with the necessary changes available here: - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/ - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/ I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet. There are 2 fundamental changes in this code: - the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached. - the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.) This required two changes in the form-based authentication workflow: * The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted commits from that PR are in this PR) * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT, this is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead. @jcholast @pvoborni Please provide comments on the framework changes. @rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade ? """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/CodeThere seem to be a bug in the mailing list posting script when someone edits a PR description, I see the original text here but not the new text! Simo.
It is expected, Changed field: body Original value: I just haven't had time to implement sending a new values (because of format, of github messages it is not so simple) I may try to finish github notification RFEs today Martin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
