[Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

simo5 freeipa-github-notification at redhat.com
Thu Dec 8 20:46:28 UTC 2016


   URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
 Title: #314: RFC: privilege separation for ipa framework code
Action: edited

 Changed field: body
Original value:
"""
As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189

The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon).
In order to allow trying the code, I made two copr repos with the necessary changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi and password authentication work (via command line and web browser). I have not tested OTP authentication yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached.
- the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.)
  This required two changes in the form-based authentication workflow:
  * The armor cache is obtained via anonymous pkinit, as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted, commits from that PR are included in this PR).
  * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT. This is done in order to obtain a session cookie from mod_auth_gssapi, as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade?
"""