backwards compatibility for ProxyDNs change

2019-05-15 01:46:36 +08:00 · 2019-05-15 01:46:36 +08:00 · 7b60e0e7eb
commit 7b60e0e7eb
parent 0c4d57d958
3 changed files with 13 additions and 0 deletions
--- a/hub/hub.conf
+++ b/hub/hub.conf
@ -25,6 +25,8 @@ KojiDir = /mnt/koji
 ## Allowed Kerberos Realms separated by ','.
 ## Default value "*" indicates any Realm is allowed
 # AllowedKrbRealms = *
+## TODO: this option should be removed in future release
+# DisableGSSAPIProxyDNFallback = False

 ## end Kerberos auth configuration

--- a/hub/kojixmlrpc.py
+++ b/hub/kojixmlrpc.py
@ -422,6 +422,8 @@ def load_config(environ):
        ['ProxyPrincipals', 'string', ''],
        ['HostPrincipalFormat', 'string', None],
        ['AllowedKrbRealms', 'string', '*'],
+        # TODO: this option should be removed in future release
+        ['DisableGSSAPIProxyDNFallback', 'boolean', False],

        ['DNUsernameComponent', 'string', 'CN'],
        ['ProxyDNs', 'string', ''],
--- a/koji/auth.py
+++ b/koji/auth.py
@ -423,6 +423,15 @@ class Session(object):
                delimiter = '|'
                proxy_opt = 'ProxyDNs'
            proxy_dns = [dn.strip() for dn in context.opts.get(proxy_opt, '').split(delimiter)]
+
+            # backwards compatible for GSSAPI.
+            # in old way, proxy user whitelist is ProxyDNs.
+            # TODO: this should be removed in future release
+            if authtype == koji.AUTHTYPE_GSSAPI and not context.opts.get(
+                    'DisableGSSAPIProxyDNFallback', False):
+                proxy_dns += [dn.strip() for dn in
+                              context.opts.get('ProxyDNs', '').split('|')]
+
            if client_dn in proxy_dns:
                # the user authorized to login other users
                username = proxyuser