diff --git a/builder/kojid b/builder/kojid
index b0a1a7bc..788e8b12 100755
--- a/builder/kojid
+++ b/builder/kojid
@@ -2776,6 +2776,7 @@ def get_options():
 'host_principal_format': 'compile/%s@EXAMPLE.COM',
 'keytab': '/etc/kojid/kojid.keytab',
 'ccache': '/var/tmp/kojid.ccache',
+ 'krbservice': 'host',
 'server': None,
 'user': None,
 'password': None,
@@ -2851,7 +2852,7 @@ if __name__ == "__main__":
 #build session options
 session_opts = {}
- for k in ('user','password','debug_xmlrpc', 'debug',
+ for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug',
 'retry_interval', 'max_retries', 'offline_retry', 'offline_retry_interval'):
 v = getattr(options, k, None)
 if v is not None:
diff --git a/builder/kojid.conf b/builder/kojid.conf
index d329e861..dd4a837e 100644
--- a/builder/kojid.conf
+++ b/builder/kojid.conf
@@ -51,6 +51,18 @@ smtphost=example.com
 ; The From address used when sending email notifications
 from_addr=Koji Build System
+;configuration for Kerberos authentication
+
+;the format of the principal used by the build hosts
+;%s will be replaced by the FQDN of the host
+;host_principal_format = compile/%s@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojid/kojid.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 ;client certificate
diff --git a/cli/koji b/cli/koji
index 27e8acc0..754143a2 100755
--- a/cli/koji
+++ b/cli/koji
@@ -159,6 +159,7 @@ def get_options():
 'offline_retry' : None,
 'offline_retry_interval' : None,
 'poll_interval': 5,
+ 'krbservice': 'host',
 'cert': '~/.koji/client.crt',
 'ca': '~/.koji/clientca.crt',
 'serverca': '~/.koji/serverca.crt',
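Review bot: The `'krbservice': 'host'` default added to kojid's defaults dict at `@@ -2776` is the only change shown to get_options, whereas the kojira hunk in the same commit also adds `'krbservice'` to its `str_opts` whitelist before values are copied from the config file; if kojid's config-reading code (outside this hunk) likewise copies only listed option names, the `;krbservice = host` setting documented in kojid.conf would be silently ignored and the principal always built with `host`. The same question applies to kojivmd at `@@ -121` and the CLI at `@@ -159`, whose hunks show only the defaults entry. get_options continues outside the hunk, so this is worth confirming against the loop that reads the config section, and adding the name there if it is a whitelist.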
@@ -5620,7 +5621,7 @@ if __name__ == "__main__":
 options, command, args = get_options()
 session_opts = {}
- for k in ('user', 'password', 'debug_xmlrpc', 'debug', 'max_retries',
+ for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug', 'max_retries',
 'retry_interval', 'offline_retry', 'offline_retry_interval', 'anon_retry'):
 value = getattr(options,k)
diff --git a/cli/koji.conf b/cli/koji.conf
index 3fb27ea0..01ac7ee1 100644
--- a/cli/koji.conf
+++ b/cli/koji.conf
@@ -14,6 +14,11 @@
 ;path to the koji top directory
 ;topdir = /mnt/koji
+;configuration for Kerberos authentication
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 ;client certificate
diff --git a/koji/__init__.py b/koji/__init__.py
index 2a0375db..97a29749 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -1600,7 +1600,7 @@ class ClientSession(object):
 # We're trying to log ourself in. Connect using existing credentials.
 cprinc = ccache.principal()
- sprinc = krbV.Principal(name=self._serverPrincipal(), context=ctx)
+ sprinc = krbV.Principal(name=self._serverPrincipal(cprinc), context=ctx)
 ac = krbV.AuthContext(context=ctx)
 ac.flags = krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE|krbV.KRB5_AUTH_CONTEXT_DO_TIME
@@ -1637,22 +1637,17 @@ class ClientSession(object):
 return True
- def _serverPrincipal(self):
+ def _serverPrincipal(self, cprinc):
 """Get the Kerberos principal of the server we're connecting
- to, based on baseurl. Assume the last two components of the
- server name are the Kerberos realm."""
+ to, based on baseurl."""
 servername = urlparse.urlparse(self.baseurl)[1]
 portspec = servername.find(':')
 if portspec != -1:
 servername = servername[:portspec]
+ realm = cprinc.realm
+ service = self.opts.get('krbservice', 'host')
- parts = servername.split('.')
- if len(parts) < 2:
- domain = servername.upper()
- else:
- domain = '.'.join(parts[-2:]).upper()
-
- return 'host/%s@%s' % (servername, domain)
+ return '%s/%s@%s' % (service, servername, realm)
 def ssl_login(self, cert, ca, serverca, proxyuser=None):
 if not self.baseurl.startswith('https:'):
diff --git a/util/koji-shadow b/util/koji-shadow
index 95ce1bd4..a5f4e6b3 100755
--- a/util/koji-shadow
+++ b/util/koji-shadow
@@ -77,6 +77,7 @@ def get_options():
 help=_("use alternate configuration file"))
 parser.add_option("--keytab", help=_("specify a Kerberos keytab to use"))
 parser.add_option("--principal", help=_("specify a Kerberos principal to use"))
+ parser.add_option("--krbservice", help=_("the service name of the principal being used by the hub"))
 parser.add_option("--runas", metavar="USER", help=_("run as the specified user (requires special privileges)"))
 parser.add_option("--user", help=_("specify user"))
@@ -1256,7 +1257,7 @@ if __name__ == "__main__":
 options, args = get_options()
 session_opts = {}
- for k in ('user', 'password', 'debug_xmlrpc', 'debug'):
+ for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug'):
 session_opts[k] = getattr(options,k)
 session = koji.ClientSession(options.server, session_opts)
 if not options.noauth:
diff --git a/util/koji-shadow.conf b/util/koji-shadow.conf
index dc1a3fd1..37318b71 100644
--- a/util/koji-shadow.conf
+++ b/util/koji-shadow.conf
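Review bot: `service = self.opts.get('krbservice', 'host')` only falls back when the key is absent, yet the koji-shadow hunk further down (`@@ -1256`) stores `getattr(options,k)` into session_opts unconditionally, so a koji-shadow run whose config lacks krbservice hands in `None` and the principal becomes `None/<server>@<realm>`; `service = self.opts.get('krbservice') or 'host'` closes that for every caller (kojid and kojivmd already skip None values before building their opts). Taking the realm from the client credential (`realm = cprinc.realm`) removes the old last-two-labels guess, but it also means a hub in a different realm from the client can no longer be addressed, and the shortened docstring no longer states any assumption about the realm. Suggest the docstring continue after "based on baseurl.": `The realm is that of the client principal cprinc (hub and client must share a realm); the service part comes from the 'krbservice' option, default 'host'.` Because the service string is interpolated as-is, a misconfigured value containing `/` or `@` would silently address a different principal instead of failing, so rejecting those characters here keeps a bad config visible. ssl_login, whose first lines close the hunk, continues outside it.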
@@ -3,5 +3,5 @@
 [main]
 server=http://localhost/kojihub/
+krbservice=host
 remote=http://koji.fedoraproject.org/kojihub
-
diff --git a/util/kojira b/util/kojira
index 0d1b451c..5fb20a4a 100755
--- a/util/kojira
+++ b/util/kojira
@@ -507,6 +507,7 @@ def get_options():
 'principal': None,
 'keytab': None,
 'ccache': '/var/tmp/kojira.ccache',
+ 'krbservice': 'host',
 'retry_interval': 60,
 'max_retries': 120,
 'offline_retry': True,
@@ -523,7 +524,7 @@ def get_options():
 if config.has_section(section):
 int_opts = ('prune_batch_size', 'deleted_repo_lifetime', 'max_repo_tasks', 'delete_batch_size', 'retry_interval', 'max_retries', 'offline_retry_interval')
- str_opts = ('topdir', 'server', 'user', 'password', 'logfile', 'principal', 'keytab',
+ str_opts = ('topdir', 'server', 'user', 'password', 'logfile', 'principal', 'keytab', 'krbservice',
 'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags')
 bool_opts = ('with_src','verbose','debug','ignore_stray_repos', 'offline_retry')
 for name in config.options(section):
@@ -580,7 +581,7 @@ if __name__ == "__main__":
 else:
 logger.setLevel(logging.WARNING)
 session_opts = {}
- for k in ('user', 'password', 'debug_xmlrpc', 'debug',
+ for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug',
 'retry_interval', 'max_retries', 'offline_retry', 'offline_retry_interval'):
 session_opts[k] = getattr(options,k)
 session = koji.ClientSession(options.server,session_opts)
diff --git a/util/kojira.conf b/util/kojira.conf
index 1763bb15..a79dc823 100644
--- a/util/kojira.conf
+++ b/util/kojira.conf
@@ -21,6 +21,17 @@ logfile=/var/log/kojira.log
 ; Include srpms in repos? (not needed for normal operation)
 with_src=no
+;configuration for Kerberos authentication
+
+;the kerberos principal to use
+;principal = kojira@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojira/kojira.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 ;client certificate
diff --git a/vm/kojivmd b/vm/kojivmd
index 1659246d..d8409758 100755
--- a/vm/kojivmd
+++ b/vm/kojivmd
@@ -121,6 +121,7 @@ def get_options():
 'host_principal_format': 'compile/%s@EXAMPLE.COM',
 'keytab': '/etc/kojivmd/kojivmd.keytab',
 'ccache': '/var/tmp/kojivmd.ccache',
+ 'krbservice': 'host',
 'server': None,
 'user': None,
 'password': None,
@@ -1001,7 +1002,7 @@ if __name__ == "__main__":
 #build session options
 session_opts = {}
- for k in ('user','password','debug_xmlrpc', 'debug',
+ for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug',
 'retry_interval', 'max_retries', 'offline_retry', 'offline_retry_interval'):
 v = getattr(options, k, None)
 if v is not None:
diff --git a/vm/kojivmd.conf b/vm/kojivmd.conf
index 9121df83..82c61f26 100644
--- a/vm/kojivmd.conf
+++ b/vm/kojivmd.conf
@@ -33,6 +33,18 @@ smtphost=example.com
 ; The From address used when sending email notifications
 from_addr=Koji Build System
+;configuration for Kerberos authentication
+
+;the format of the principal used by the build hosts
+;%s will be replaced by the FQDN of the host
+;host_principal_format = compile/%s@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojivmd/kojivmd.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 ;client certificate
diff --git a/www/conf/kojiweb.conf b/www/conf/kojiweb.conf
index 64573f26..503cdc94 100644
--- a/www/conf/kojiweb.conf
+++ b/www/conf/kojiweb.conf
@@ -17,6 +17,7 @@ Alias /koji "/usr/share/koji-web/scripts/"
 PythonOption WebPrincipal koji/web@EXAMPLE.COM
 PythonOption WebKeytab /etc/httpd.keytab
 PythonOption WebCCache /var/tmp/kojiweb.ccache
+ PythonOption KrbService host
 PythonOption WebCert /etc/kojiweb/kojiweb.crt
 PythonOption ClientCA /etc/kojiweb/clientca.crt
 PythonOption KojiHubCA /etc/kojiweb/kojihubca.crt
diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py
index a213d3b5..9261adb6 100644
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@@ -103,9 +103,10 @@ def _assertLogin(req):
 assert False
 def _getServer(req):
- serverURL = req.get_options().get('KojiHubURL', 'http://localhost/kojihub')
- session = koji.ClientSession(serverURL)
-
+ opts = req.get_options()
+ session = koji.ClientSession(opts.get('KojiHubURL', 'http://localhost/kojihub'),
+ opts={'krbservice': opts.get('KrbService', 'host')})
+
 req.currentLogin = _getUserCookie(req)
 if req.currentLogin:
 req.currentUser = session.getUser(req.currentLogin)
@@ -114,7 +115,7 @@ def _getServer(req):
 _setUserCookie(req, req.currentLogin)
 else:
 req.currentUser = None
-
+
 req._session = session
 return session
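Review bot: In `_getServer`, `opts` now names the mod_python request options while `opts=` is also the keyword of the ClientSession call, so `opts={'krbservice': opts.get('KrbService', 'host')}` reads as though the session were being handed the web options. Renaming the local keeps the two layers apart: `web_opts = req.get_options()`, `session = koji.ClientSession(web_opts.get('KojiHubURL', 'http://localhost/kojihub'),`, `opts={'krbservice': web_opts.get('KrbService', 'host')})`. Since krbservice is the only session option forwarded, every other ClientSession setting stays at its built-in default; a one-line comment saying that is intended would stop a later reader from adding keys to the wrong dict.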