swiftkrbauth.git, branch master Fix unit tests failing in RHEL 2014-01-21T18:07:52+00:00 Prashanth Pai ppai@redhat.com 2014-01-20T07:26:28+00:00 1fe843ba94bc73ebcc022a1038d19e8f374d9ea7 RHEL 6.4 has Python 2.6 which do not contain certain assert statements present in python 2.7 Change-Id: Ib3c46e5613c0f8270d280d58b5842ffb0a3ab3e2 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6732 Reviewed-by: Chetan Risbud <crisbud@redhat.com> Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com> 
RHEL 6.4 has Python 2.6 which do not contain certain assert
statements present in python 2.7

Change-Id: Ib3c46e5613c0f8270d280d58b5842ffb0a3ab3e2
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6732
Reviewed-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Handle case in passive mode where Kerberos password has expired 2014-01-17T09:28:11+00:00 Prashanth Pai ppai@redhat.com 2014-01-15T10:01:07+00:00 d5fe1795d40db8c61c0c84d29a8131600e0986bb In RHEL IdM or Windows AD server, the administrator can expire user passwords after certain period of time. On password expiry, running kinit will present a prompt to enter the new passwod. This used to result in kinit subprocess waiting indefinitely for user input and request never reaching completion. This fix will kill kinit child process if it is taking too long to finish. Change-Id: I129a420663c67debe3345448a172b54abc8179bc Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6713 Tested-by: Chetan Risbud <crisbud@redhat.com> Reviewed-by: Chetan Risbud <crisbud@redhat.com> 
In RHEL IdM or Windows AD server, the administrator can expire user passwords
after certain period of time. On password expiry, running kinit will present
a prompt to enter the new passwod. This used to result in kinit subprocess
waiting indefinitely for user input and request never reaching completion.

This fix will kill kinit child process if it is taking too long to finish.

Change-Id: I129a420663c67debe3345448a172b54abc8179bc
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6713
Tested-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-by: Chetan Risbud <crisbud@redhat.com>
Return X-Storage-Url in passive mode 2014-01-10T15:45:51+00:00 Prashanth Pai ppai@redhat.com 2013-12-26T08:54:19+00:00 f952c756ad024e100953a43b1f297f82b5c8f3e2 When auth_mode is set to 'passive', client can authenticate itself using account, user and key. This enables swiftkerbauth to return X-Storage-Url response header to client. X-Storage-Url contains account name provided in the request. This required a change in X-Storage-User header format from X-Storage-User: user to X-Storage-User: account:user This makes swiftkerbauth(passive mode) handle_get_token APIs to be more consistent with that of swauth and tempauth. Change-Id: Ic1d1520bb8afbc80cca443d92d659436f2f7cd0e Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6595 Reviewed-by: Chetan Risbud <crisbud@redhat.com> Tested-by: Chetan Risbud <crisbud@redhat.com> 
When auth_mode is set to 'passive', client can authenticate itself
using account, user and key. This enables swiftkerbauth to return
X-Storage-Url response header to client. X-Storage-Url contains
account name provided in the request.

This required a change in X-Storage-User header format from

X-Storage-User: user
            to
X-Storage-User: account:user

This makes swiftkerbauth(passive mode) handle_get_token APIs to be
more consistent with that of swauth and tempauth.

Change-Id: Ic1d1520bb8afbc80cca443d92d659436f2f7cd0e
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6595
Reviewed-by: Chetan Risbud <crisbud@redhat.com>
Tested-by: Chetan Risbud <crisbud@redhat.com>
Additional Parameters to create keytab file 2013-12-04T21:09:44+00:00 Chetan Risbud crisbud@redhat.com 2013-11-27T11:44:35+00:00 2f9e3120bbd7ef6b7459fccb5b740b6542b13c57 Minor changes to explicitly set keyversion number as 0 and encryption method while creating keytab file on Windows AD server. This has been noticed on different windows 2008 server that they set different kvno by default. So just making sure it to be 0 as expected by mod_auth_kerb. Bug: N/A Change-Id: Ic114e4964745abfe97fbfcd575b5205bd6aaf171 Signed-off-by: Chetan Risbud <crisbud@redhat.com> Reviewed-on: http://review.gluster.org/6370 Reviewed-by: Prashanth Pai <ppai@redhat.com> Tested-by: Prashanth Pai <ppai@redhat.com> Reviewed-by: Luis Pabon <lpabon@redhat.com> 
Minor changes to explicitly set keyversion number as 0 and
encryption method while creating keytab file on Windows AD server.
This has been noticed on different windows 2008 server that they set
different kvno by default. So just making sure it to be 0 as expected by
mod_auth_kerb.

Bug: N/A

Change-Id: Ic114e4964745abfe97fbfcd575b5205bd6aaf171
Signed-off-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-on: http://review.gluster.org/6370
Reviewed-by: Prashanth Pai <ppai@redhat.com>
Tested-by: Prashanth Pai <ppai@redhat.com>
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Feature: Support client outside domain 2013-11-26T02:40:41+00:00 Prashanth Pai ppai@redhat.com 2013-11-18T10:10:47+00:00 5405fd7927ef68015c25632951a94bcddb60c33d Until now, all clients had to be part of Kerberos domain as authentication was done by mod_auth_kerb module of httpd by using Kerberos Ticket bundled with the request. To suport clients residing outside domain, we introduce a configurable option called "auth_mode". When auth_mode is set to 'passive', a client residing outside domain can authenticate itself by sending username(X-Auth-User) and password(X-Auth-Key) as request headers. This information is gleaned from the request and kinit is run against it. A successful kinit means the username and password exists on the Kerberos server. Change-Id: I1a165bd56bc3a425b00bcfdbf32150c14b5d9790 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6296 Reviewed-by: Chetan Risbud <crisbud@redhat.com> Tested-by: Chetan Risbud <crisbud@redhat.com> Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com> 
Until now, all clients had to be part of Kerberos domain as authentication
was done by mod_auth_kerb module of httpd by using Kerberos Ticket bundled
with the request.

To suport clients residing outside domain, we introduce a configurable option
called "auth_mode". When auth_mode is set to 'passive', a client residing
outside domain can authenticate itself by sending username(X-Auth-User) and
password(X-Auth-Key) as request headers. This information is gleaned from the
request and kinit is run against it. A successful kinit means the username
and password exists on the Kerberos server.

Change-Id: I1a165bd56bc3a425b00bcfdbf32150c14b5d9790
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6296
Reviewed-by: Chetan Risbud <crisbud@redhat.com>
Tested-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Modularize swift-auth CGI script, add unit tests 2013-11-18T00:34:11+00:00 Prashanth Pai ppai@redhat.com 2013-11-06T12:00:28+00:00 991989bc04178442b2a6b766a67f7a26e60c08f0 - Moved most of swift-auth CGI script to kerbauth_utils.py - Added unit tests for kerbauth_utils.py - Made MEMCACHE_SERVERS, DEBUG_HEADERS, TOKEN_LIFE as configurable parameters Change-Id: I2e9e9823e8aa99dc2cf41327c55428350c8768dc Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6248 Tested-by: Chetan Risbud <crisbud@redhat.com> Reviewed-by: Chetan Risbud <crisbud@redhat.com> Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com> 
- Moved most of swift-auth CGI script to kerbauth_utils.py
- Added unit tests for kerbauth_utils.py
- Made MEMCACHE_SERVERS, DEBUG_HEADERS, TOKEN_LIFE as
  configurable parameters

Change-Id: I2e9e9823e8aa99dc2cf41327c55428350c8768dc
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6248
Tested-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Update to OpenStack Swift Havana 2013-11-06T15:09:29+00:00 Luis Pabon lpabon@redhat.com 2013-11-05T22:01:26+00:00 f64a3354185f32928e2568d9ece4a52fa4746c05 To update to Havana, we needed to change the return status of the unit tests to code 303 which means See Other Change-Id: I068fddae6e3f0f9d77c2eebd54fba1f91dfeb025 Signed-off-by: Luis Pabon <lpabon@redhat.com> Reviewed-on: http://review.gluster.org/6227 Reviewed-by: Prashanth Pai <ppai@redhat.com> Tested-by: Prashanth Pai <ppai@redhat.com> 
To update to Havana, we needed to change the
return status of the unit tests to code 303
which means See Other

Change-Id: I068fddae6e3f0f9d77c2eebd54fba1f91dfeb025
Signed-off-by: Luis Pabon <lpabon@redhat.com>
Reviewed-on: http://review.gluster.org/6227
Reviewed-by: Prashanth Pai <ppai@redhat.com>
Tested-by: Prashanth Pai <ppai@redhat.com>
Add Windows AD documentation 2013-10-17T20:01:12+00:00 Prashanth Pai ppai@redhat.com 2013-10-04T12:20:32+00:00 41261e3828f5102ae8d203a5b576b0001bdcc075 Added documentation to setup swiftkerbauth environment with Windows Active Directory Server and Linux client Change-Id: I18333428c633b23fd15afc8965266d546f0bb03b Original-author: Chetan Risbud <crisbud@redhat.com> Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6041 Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com> 
Added documentation to setup swiftkerbauth environment
with Windows Active Directory Server and Linux client

Change-Id: I18333428c633b23fd15afc8965266d546f0bb03b
Original-author: Chetan Risbud <crisbud@redhat.com>
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6041
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Add documentation 2013-10-16T22:49:12+00:00 Prashanth Pai ppai@redhat.com 2013-09-24T06:17:50+00:00 373032fc97d27c79895e6114670760aa717f9f61 The following guides were added: * Setting up a RHEL 6.x IdM server with a Fedora 18 client * Setting up and configuring swiftkerbauth * Architecture of Swiftkerbauth Change-Id: I50665e584ff9513b5a20d1eda546c73c93f14638 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6040 Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com> 
The following guides were added:
* Setting up a RHEL 6.x IdM server with a Fedora 18 client
* Setting up and configuring swiftkerbauth
* Architecture of Swiftkerbauth

Change-Id: I50665e584ff9513b5a20d1eda546c73c93f14638
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6040
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Add unit tests 2013-10-15T03:20:24+00:00 Prashanth Pai ppai@redhat.com 2013-10-10T10:17:31+00:00 9812a4a9e4a30a208d77d3b10828a1c174dccd77 Change-Id: I7bbf74b66c26d0a964fa769bf9c46dd73bd03d73 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6067 Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com> 
Change-Id: I7bbf74b66c26d0a964fa769bf9c46dd73bd03d73
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6067
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>