This summer I am working in an environment where we have a well-established Linux + Kerberos + Active Directory infrastructure. We would prefer to re-use that infrastructure rather than maintain a separate private key infrastructure for puppet. So, I am investigating enabling Kerberos authentication for node <-> master authentication. So far it looks like the work breaks up into several pieces:
1 MASTER
  1.a Configure Apache2 for Kerberos HTTP authentication
  1.b Retrieve the principal from the web request.
  1.c Enhance Puppet::Network::AuthStore::Declaration to support Active Directory host principals (e.g. [email protected]).
2 AGENT
  2.a Acquire/build a Kerberos / GSSAPI capable HTTP client library
  2.b Integrate it into the puppet agent lifecycle

I'm new to puppet and related technologies so would appreciate any high level guidance/suggestions/etc. that the community might have to offer.

mjz

---

Further details and questions (in no particular order)

* POC master progress - So far I have a very small set of non-production quality edits to the puppet master code that allows GET production/node/[email protected] to work as expected when using "curl --negotiate -u:" as a client. See: https://github.com/mzeren-vmw/puppet/commit/draft_kerberos_baby_steps. I am just starting to create proper patches for pull requests.

* POC agent progress - I have not yet found a GSSAPI capable http client library, but I have found and successfully tested https://github.com/cbeer/net-ssh-kerberos which depends on git://github.com/zenchild/gssapi.git (MIT) which in turn depends on ffi (LGPLv3). When I get to the client side work I may leverage gssapi to extend Net::HTTP?

* How would Kerberos integrate with MCollective? - I don't really understand the relationship between mcollective and puppet yet. How might Kerberos auth affect mcollective based features or future enhancements?

* Is pulling REMOTE_USER from the environment acceptable? Or do we need a way to get the mod_auth_kerb user into a request header as we do for X-Client-DN and X-Client-Verify? So far mod_rewrite hasn't been cooperating here...

* Apache mod_auth_kerb only? I am focused on using Apache2's mod_auth_kerb. I don't anticipate getting this to work for webrick, and haven't yet investigated nginx. Would a single webserver solution be acceptable?

* There's a related bug here: https://projects.puppetlabs.com/issues/3958 discussion: https://groups.google.com/forum/#!msg/puppet-dev/ECIvFzj4dKo/ivOqTQEKVeoJ

* Are there any plans to support ruby 2.0? Net::HTTP apparently has basic auth support in 2.0, which might lead to cleaner Kerberos support (but I really haven't looked at this in detail yet.)
