[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Rob Crittenden rcritten at redhat.com
Fri Feb 28 14:03:39 UTC 2014


Petr Viktorin wrote:
> On 02/28/2014 12:41 PM, Martin Kosek wrote:
>> On 02/28/2014 10:47 AM, Petr Viktorin wrote:
>>> On 02/27/2014 10:18 PM, Rob Crittenden wrote:
>>>> Rob Crittenden wrote:
>>> [...]
>>>>> Ok, so to try to summarize this long-running thread, I'll rename the
>>>>> subpackage to freeipa-server-foreman-smartproxy to make it clearer
>>>>> what it is/does. Right now it requires manual configuration so having
>>>>> the package installed should have no negative impacts (other than
>>>>> potentially pulling in additional dependencies).
>>>>>
>>>>> I'll leave it in smartproxy for now, it's just cleaner and better
>>>>> integrates with ipatests IMHO.
>>>>>
>>>>> Foreman supports SSL client auth which is great, but cherrypy does not
>>>>> yet. There is a pull request to add this,
>>>>> https://bitbucket.org/cherrypy/cherrypy/pull-request/15/added-support-for-client-certificate/activity .
>>>>> Foreman otherwise supports no other authentication method, so we're
>>>>> blocked with this. The certs for this would initially come out of
>>>>> Foreman/puppet.
>>>>>
>>>>> I'll submit a new patch with an updated spec but I think otherwise I've
>>>>> addressed the issues Petr has raised. This thread has taken a lot of
>>>>> turns so it is very possible I missed something though :-)
>>>>
>>>> Updated patch based on feedback from Foreman team. I added a new URI,
>>>> /features, which Foreman uses to determine what capabilities a proxy
>>>> has.
>>>>
>>>> rob
>>>
>>> My review is blocked because 389-ds doesn't install on Rawhide due to
>>> https://fedorahosted.org/389/ticket/47700
>>>
>>> Noriko, do you know of a Rawhide build that includes your fix?
>>
>> Guys, if this patch still makes our master branch incompatible with F20,
>> then it is a NACK from me. All developers run on F20, our CI runs on F20
>> and I do not think we can afford losing that and forcing everyone to
>> permanently switch to rawhide - it is too unstable.
>>
>> IMO the Requires and BuildRequires must be set so that RPMs are buildable
>> and installable on F20. The only acceptable exception is when only
>> freeipa-server-foreman-smartproxy cannot be installed on F20, but
>> otherwise everything else needs to work.
>>
>> Thanks,
>> Martin
>>
>
> Okay, it's not a BuildRequires; IPA doesn't build because of a lint
> failure: ipalib/util.py - Module 'kerberos' has no
> 'authGSSClientInquireCred' member
>
> I guess the new get_current_principal needs to be kept out of ipalib
> until we move to f21. Until then we can have a lint exception; after
> then we need to remove it, and add BuildRequires so lint passes.
>

The other option is to locally rebuild python-kerberos from rawhide in 
F-20. Simo was a bit reluctant to put it into F-20 with the patch I 
added for authenticate_gss_client_inquire_cred(). We can also work on 
convincing him it is low risk.

rob



