I am working on setting up my own koji server. I have a kerberos realm all setup and want to use kerberos for the front-end interaction. Is it possible to use SSL cert authentication on the backend (hub to kojira, hub to kojid) if I have kerberos setup for the frontend?
Thanks,
Nathan
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
03-15-2010, 02:26 PM
Mike McLean
Question on Authentication for a koji server
On 03/12/2010 05:18 PM, Nathan Blackham wrote:
> I am working on setting up my own koji server. I have a kerberos realm all
> setup and want to use kerberos for the front-end interaction. Is it
> possible to use SSL cert authentication on the backend (hub to kojira, hub
> to kojid) if I have kerberos setup for the frontend?
Sure, you can mix authentication methods for xml-rpc (though I doubt you
can get both to work for users logging into the web ui). I recommend
getting one to work before adding the next though.
That being said, why not use kerberos all around?
03-15-2010, 04:02 PM
Nathan Blackham
Question on Authentication for a koji server
I am trying to use kerberos all around, but I am looking at fall back
methods. Also looking at automation of bringing up new build nodes. It
seems easier to have the automation with certificates, but that is just
after an initial look.
Nathan
On Mon, 2010-03-15 at 11:26 -0400, Mike McLean wrote:
> On 03/12/2010 05:18 PM, Nathan Blackham wrote:
> > I am working on setting up my own koji server. I have a kerberos realm all
> > setup and want to use kerberos for the front-end interaction. Is it
> > possible to use SSL cert authentication on the backend (hub to kojira, hub
> > to kojid) if I have kerberos setup for the frontend?
>
> Sure, you can mix authentication methods for xml-rpc (though I doubt you
> can get both to work for users logging into the web ui). I recommend
> getting one to work before adding the next though.
>
> That being said, why not use kerberos all around?
03-15-2010, 07:30 PM
Mike McLean
Question on Authentication for a koji server
On 03/15/2010 01:02 PM, Nathan Blackham wrote:
> I am trying to use kerberos all around, but I am looking at fall back
> methods. Also looking at automation of bringing up new build nodes. It
> seems easier to have the automation with certificates, but that is just
> after an initial look.
I was about to write that on the koji side it's all equal work, though
depending on your situation creating a host ssl key might be easier than
creating a krb host principal (if for example, you aren't a kerberos admin).
However, I realized that setting the krb_principal for the host entry in
the db might be a slight hassle. While the addHost call supports
specifying it, the cli command doesn't handle that optional arg. (I
think I'll fix that now).
Even so, the code still sets a default krb_principal for the host based
on the HostPrincipalFormat hub config option and its hostname. If you
stick to a standard naming scheme this should allow automation. Plus if
you really need to, you could call addHost via the call subcommand to
specify that third arg.
That being said -- are you bringing so many hosts online that human
intervention is really a barrier? I'm curious why you need this.
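Added illustration of the default-principal behaviour described in the message above (not part of the original thread and not Koji's own code): it reads `HostPrincipalFormat` from a hub config, derives each host's default principal, and separates hosts that match the default from those that would need the principal passed explicitly as the third `addHost` argument. The config text, realm, hostnames and inventory are constructed samples, and a `%s`-style template in a `[hub]` section is assumed.

```python
import configparser

# Constructed sample hub config; the realm and format are placeholders.
SAMPLE_HUB_CONF = """\
[hub]
HostPrincipalFormat = compile/%s@EXAMPLE.COM
"""

# Constructed inventory: hostname -> principal actually provisioned in its keytab.
SAMPLE_INVENTORY = {
    "builder01.example.com": "compile/builder01.example.com@EXAMPLE.COM",
    "builder02.example.com": "compile/builder02.example.com@EXAMPLE.COM",
    "arm-build.example.com": "host/arm-build.example.com@EXAMPLE.COM",
}


def load_principal_format(conf_text):
    """Return the HostPrincipalFormat template from hub config text."""
    # interpolation=None: configparser's default interpolation rejects a literal %s.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    fmt = parser.get("hub", "HostPrincipalFormat")
    # Require exactly one %s and no other % directive, so formatting cannot fail.
    if fmt.count("%s") != 1 or "%" in fmt.replace("%s", ""):
        raise ValueError("HostPrincipalFormat must contain exactly one %s")
    return fmt


def default_principal(fmt, hostname):
    """Principal a host gets by default: the template filled with its hostname."""
    return fmt % hostname


def plan_hosts(fmt, inventory):
    """Split hosts into those covered by the default and those needing an explicit principal."""
    automatic, explicit = [], {}
    for host, actual in sorted(inventory.items()):
        if default_principal(fmt, host) == actual:
            automatic.append(host)
        else:
            explicit[host] = actual  # pass this as the third addHost argument
    return automatic, explicit


if __name__ == "__main__":
    fmt = load_principal_format(SAMPLE_HUB_CONF)
    automatic, explicit = plan_hosts(fmt, SAMPLE_INVENTORY)
    print("default principal is sufficient:", automatic)
    print("explicit krb_principal required:", explicit)
```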
03-16-2010, 03:07 AM
Nathan Blackham
Question on Authentication for a koji server
On Mon, 2010-03-15 at 16:30 -0400, Mike McLean wrote:
> On 03/15/2010 01:02 PM, Nathan Blackham wrote:
> > I am trying to use kerberos all around, but I am looking at fall back
> > methods. Also looking at automation of bringing up new build nodes. It
> > seems easier to have the automation with certificates, but that is just
> > after an initial look.
>
> I was about to write that on the koji side it's all equal work, though
> depending on your situation creating a host ssl key might be easier than
> creating a krb host principal (if for example, you aren't a kerberos admin).
>
> However, I realized that setting the krb_principal for the host entry in
> the db might be a slight hassle. While the addHost call supports
> specifying it, the cli command doesn't handle that optional arg. (I
> think I'll fix that now).
>
> Even so, the code still sets a default krb_principal for the host based
> on the HostPrincipalFormat hub config option and its hostname. If you
> stick to a standard naming scheme this should allow automation. Plus if
> you really need to, you could call addHost via the call subcommand to
> specify that third arg.
>
> That being said -- are you bringing so many hosts online that human
> intervention is really a barrier? I'm curious why you need this.
No it is not the number of hosts. Initially it won't be that many. I
just am of the mindset that if it takes longer than a few minutes, and
it is something that can be easily scripted/automated, why not spend the
extra time to make sure that you don't have to do it again.
Nathan