03-12-2010, 09:18 PM
Nathan Blackham

Question on Authentication for a koji server

I am working on setting up my own koji server. I have a kerberos realm all setup and want to use kerberos for the front-end interaction. Is it possible to use SSL cert authentication on the backend (hub to kojira, hub to kojid) if I have kerberos setup for the frontend?

Thanks,
Nathan
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
03-15-2010, 02:26 PM
Mike McLean

Question on Authentication for a koji server

On 03/12/2010 05:18 PM, Nathan Blackham wrote:
> I am working on setting up my own koji server. I have a kerberos realm all
> setup and want to use kerberos for the front-end interaction. Is it
> possible to use SSL cert authentication on the backend (hub to kojira, hub
> to kojid) if I have kerberos setup for the frontend?

Sure, you can mix authentication methods for xml-rpc (though I doubt you
can get both to work for users logging into the web ui). I recommend
getting one to work before adding the next though.

That being said, why not use kerberos all around?
 
03-15-2010, 04:02 PM
Nathan Blackham

Question on Authentication for a koji server

I am trying to use kerberos all around, but I am looking at fall back
methods. Also looking at automation of bringing up new build nodes. It
seems easier to have the automation with certificates, but that is just
after an initial look.

Nathan

On Mon, 2010-03-15 at 11:26 -0400, Mike McLean wrote:
> On 03/12/2010 05:18 PM, Nathan Blackham wrote:
> > I am working on setting up my own koji server. I have a kerberos realm all
> > setup and want to use kerberos for the front-end interaction. Is it
> > possible to use SSL cert authentication on the backend (hub to kojira, hub
> > to kojid) if I have kerberos setup for the frontend?
>
> Sure, you can mix authentication methods for xml-rpc (though I doubt you
> can get both to work for users logging into the web ui). I recommend
> getting one to work before adding the next though.
>
> That being said, why not use kerberos all around?
 
03-15-2010, 07:30 PM
Mike McLean

Question on Authentication for a koji server

On 03/15/2010 01:02 PM, Nathan Blackham wrote:
> I am trying to use kerberos all around, but I am looking at fall back
> methods. Also looking at automation of bringing up new build nodes. It
> seems easier to have the automation with certificates, but that is just
> after an initial look.

I was about to write that on the koji side it's all equal work, though
depending on your situation creating a host ssl key might be easier than
creating a krb host principal (if for example, you aren't a kerberos admin).

However, I realized that setting the krb_principal for the host entry in
the db might be a slight hassle. While the addHost call supports
specifying it, the cli command doesn't handle that optional arg. (I
think I'll fix that now).

Even so, the code still sets a default krb_principal for the host based
on the HostPrincipalFormat hub config option and its hostname. If you
stick to a standard naming scheme this should allow automation. Plus if
you really need to, you could call addHost via the call subcommand to
specify that third arg.

That being said -- are you bringing so many hosts online that human
intervention is really a barrier? I'm curious why you need this.
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
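
The naming-scheme automation discussed in the post above, as an added sketch that is not part of the thread or of koji's own code. It assumes HostPrincipalFormat is a `%s` template filled with the hostname; the format value, hostnames and inventory are constructed samples, and the argument quoting for `koji call` is an assumption to check against the installed version.

```python
import re
import shlex

# Assumption: the hub's HostPrincipalFormat is a %s template (sample value).
HOST_PRINCIPAL_FORMAT = "compile/%s@EXAMPLE.COM"

# Strict FQDN check so a hostname cannot smuggle "/" or "@" into the
# principal and change its components or realm.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def default_principal(hostname, fmt=HOST_PRINCIPAL_FORMAT):
    """Principal the hub would assign by default for this hostname."""
    if len(hostname) > 253 or not _FQDN_RE.fullmatch(hostname):
        raise ValueError(f"refusing unsafe hostname: {hostname!r}")
    return fmt % hostname


def registration_argv(hostname, arches, keytab_principal=None):
    """Return the koji command (argv list) that registers one builder."""
    expected = default_principal(hostname)
    if keytab_principal in (None, expected):
        # The hub default matches the keytab: the plain CLI command suffices.
        return ["koji", "add-host", hostname, *arches]
    # Non-standard principal: pass it as addHost's third argument through
    # the call subcommand (list-literal parsing is an assumption).
    return ["koji", "call", "addHost", hostname,
            repr(list(arches)), keytab_principal]


# Constructed inventory: (hostname, arches, principal found in the keytab)
BUILDERS = [
    ("builder01.example.com", ["x86_64", "i386"],
     "compile/builder01.example.com@EXAMPLE.COM"),
    ("builder02.example.com", ["x86_64"],
     "host/builder02.example.com@EXAMPLE.COM"),
]


def plan(builders=BUILDERS):
    """Build the registration command for every builder in the inventory."""
    return [registration_argv(h, a, p) for h, a, p in builders]


if __name__ == "__main__":
    for argv in plan():
        print(shlex.join(argv))
```
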
 
03-16-2010, 03:07 AM
Nathan Blackham

Question on Authentication for a koji server

On Mon, 2010-03-15 at 16:30 -0400, Mike McLean wrote:
> On 03/15/2010 01:02 PM, Nathan Blackham wrote:
> > I am trying to use kerberos all around, but I am looking at fall back
> > methods. Also looking at automation of bringing up new build nodes. It
> > seems easier to have the automation with certificates, but that is just
> > after an initial look.
>
> I was about to write that on the koji side it's all equal work, though
> depending on your situation creating a host ssl key might be easier than
> creating a krb host principal (if for example, you aren't a kerberos admin).
>
> However, I realized that setting the krb_principal for the host entry in
> the db might be a slight hassle. While the addHost call supports
> specifying it, the cli command doesn't handle that optional arg. (I
> think I'll fix that now).
>
> Even so, the code still sets a default krb_principal for the host based
> on the HostPrincipalFormat hub config option and its hostname. If you
> stick to a standard naming scheme this should allow automation. Plus if
> you really need to, you could call addHost via the call subcommand to
> specify that third arg.
>
> That being said -- are you bringing so many hosts online that human
> intervention is really a barrier? I'm curious why you need this.

No, it is not the number of hosts. Initially it won't be that many. I
am just of the mindset that if it takes longer than a few minutes, and
it is something that can be easily scripted/automated, why not spend the
extra time to make sure that you don't have to do it again.

Nathan
 
