foreman-ansible-modules
Kerberos authentication
SUMMARY
In our environment we rely on Kerberos everywhere, and creating a special user for this purpose is not really nice because all users would need to get that password and so on. It would be much easier if everybody could use their own Kerberos tickets to get the inventory.
I guess a downside is that this would make this functionality work only on Linux and only under some specific conditions (depending on the user and so on, similar to why negotiate is not supported for the uri module).
If that sounds acceptable, I could try writing a patch that implements this feature.
ISSUE TYPE
- Feature Idea
The Foreman API does not support Kerberos auth, so you'd first have to implement that ;)
That said, once the API supports it, I see no reason why we should not have it as an alternative.
Hmm, interesting how it works in our environment, because with negotiate I can easily talk to the Foreman API. Need to check how we configure that.
That would be cool!
Last time I actively tried to get that working was around Foreman 1.14, and back then the config explicitly excluded the /api route from krb auth. Given all the redmine tickets are still open, I assume(d) it still doesn't work.
FWIW, when you work on this, most changes probably need to happen in https://github.com/Apipie/apypie (by using requests_kerberos) and then the modules in here just need to gain a switch.
The inventory is different, as that is not using apypie but requests directly.
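As an added example (not code from this issue, from foreman-ansible-modules, or from apypie), here is how an inventory script could present the caller's own ticket with requests_kerberos, as suggested above, and tell apart "the /api route does not offer Negotiate at all" from "Negotiate was offered but the ticket was refused". The Foreman base URL and the /api/v2/hosts endpoint are assumptions; `requests` and `requests_kerberos` must be installed and a ticket present for `fetch_hosts` to succeed.

```python
import re
from typing import List, Optional

# Hypothetical Foreman base URL used only as a default; override in practice.
DEFAULT_BASE_URL = "https://foreman.example.com"

# Scheme tokens at the start of the header or after a comma, e.g.
# 'Negotiate, Basic realm="Foreman"'; 'realm=...' and 'charset=...' are skipped.
_SCHEME_RE = re.compile(r"(?:^|,\s*)([A-Za-z][A-Za-z0-9_-]*)(?=\s|,|$)")


def auth_schemes(www_authenticate: Optional[str]) -> List[str]:
    """List the auth schemes a WWW-Authenticate header offers, lower-cased."""
    return [m.lower() for m in _SCHEME_RE.findall(www_authenticate or "")]


def classify_auth_response(status: int, www_authenticate: Optional[str]) -> str:
    """Explain a Foreman API reply after a Negotiate attempt.

    "ok"           - request succeeded
    "no-negotiate" - 401 and Negotiate was never offered on this route
                     (the '/api excluded from krb auth' situation)
    "krb-rejected" - 401, Negotiate was offered but the ticket was refused
    "other"        - any other status (403, 5xx, ...)
    """
    if 200 <= status < 300:
        return "ok"
    if status != 401:
        return "other"
    offered = "negotiate" in auth_schemes(www_authenticate)
    return "krb-rejected" if offered else "no-negotiate"


def kerberos_session():
    """Build a requests session that uses the caller's own Kerberos ticket."""
    import requests  # imported lazily so this module loads without it
    from requests_kerberos import HTTPKerberosAuth, REQUIRED

    session = requests.Session()
    # REQUIRED: also verify the server's reply (mutual auth), not only ours.
    session.auth = HTTPKerberosAuth(mutual_authentication=REQUIRED)
    session.headers["Accept"] = "application/json"
    return session


def fetch_hosts(base_url: str = DEFAULT_BASE_URL, verify=True) -> list:
    """Return the 'results' list of /api/v2/hosts, or raise with a clear verdict."""
    resp = kerberos_session().get(f"{base_url}/api/v2/hosts", verify=verify)
    verdict = classify_auth_response(resp.status_code, resp.headers.get("WWW-Authenticate"))
    if verdict != "ok":
        raise RuntimeError(f"Foreman API auth failed: {verdict} (HTTP {resp.status_code})")
    return resp.json()["results"]
```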
I'm not sure the original poster requested this feature beyond the inventory plugin, but I think it is also interesting for the modules.
Right, the original request is about the inventory, which is not apypie, but it would be cool to support Krb everywhere (if possible).
@ignatenkobrain can you tell us how you deploy Foreman with kerberos, so that we can try to replicate your success? :)
IMHO it is working, because the Apache module in Foreman is enabled behind a setting to support this. We even enable usage of cookies in the API, so we can have a browser-like login experience. We are missing negotiate in hammer, but apart from that it should work, so it should already be possible to do here :thinking: