Make it easier to set up Apache httpd as a proxied service and a proxied NFS client#40
jflorian wants to merge 2 commits into gssapi:main from
The 80-httpd and 99-network-fs-clients examples might be used together such as an Apache httpd web server that authenticates web clients but is also authenticated itself as an NFS client to access remote content it must serve to web clients. This prevents ticket collisions in the credential caches by making them distinct for these two independent use cases so that they might be used together. Signed-off-by: John Florian <jflorian@doubledog.org>
GSS-Proxy might be used to authenticate web clients to httpd AND also authenticate the apache user running httpd to access networked file systems with Kerberos. Signed-off-by: John Florian <jflorian@doubledog.org>
simo5
left a comment
I am not sure I want to change the config snippets by default.
I think we should describe that an admin may want to change the ccache if he intends to use disjoint principals for the http and nfs service configurations (if the same principal is used and just mapped on the nfs server side, this change would not be necessary)
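As an added illustration of the point above (this is example configuration written for this discussion, not the snippets shipped by the gssproxy project or the ones in this PR): two service stanzas that give httpd and the NFS-client case distinct credential caches, which is only needed when disjoint principals are used. The section names, keytab paths, the `krb5cc_http_`/`krb5cc_nfs_` cache prefixes and the `%U` template are assumptions chosen for the example; uid 48 follows the README line quoted in this PR.

```ini
# Added example, not the project's own snippets; paths and names are assumed.

# Accept Kerberos from web clients on behalf of httpd (running as uid 48).
# Keep this stanza before any allow_any_uid=yes stanza so uid 48 matches here first.
[service/HTTP]
mechs = krb5
euid = 48
cred_store = keytab:/etc/gssproxy/http.keytab
# Cache name distinct from the NFS-client stanza so tickets do not collide.
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_http_%U

# Let local users (the apache user included) initiate as a client to a
# Kerberized NFS server, using a per-user client keytab.
[service/nfs-client]
mechs = krb5
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
cred_store = keytab:/etc/krb5.keytab
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
# Separate cache name for the NFS-client credentials of the same uid.
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_nfs_%U
```

If the same HTTP/fqdn principal is simply mapped to the apache user on the NFS server, as suggested above, the two stanzas can share one cache name and this split is unnecessary.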
| make sure the HTTP stanza preceeds any ```allow_any_uid=yes``` sections.) | ||
| make sure the HTTP stanza precedes any ```allow_any_uid=yes``` sections.) | ||
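Review bot: the second line changes only the spelling (preceeds to precedes), but the sentence still does not say why the order matters; suggest adding the reason in the README (e.g. that an earlier allow_any_uid=yes section would match httpd's uid first) so an admin does not reorder the snippets and silently lose the HTTP stanza.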
| For the second goal, the proxy will require a keytab for the user principal (apache@REALM). Again, the uid used here is 48, but it must match whatever httpd is running as. |
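Review bot: the hardcoded uid 48 in the second sentence can silently disagree with the uid httpd actually runs as; suggest placing a concrete check (for example `id -u apache`) next to the "it must match" warning, and, following the comment in this thread, widening "the user principal (apache@REALM)" to "a principal that maps to the user httpd runs as on the NFS server", with apache@REALM kept as the example.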
So while this is a valid choice, it is not required. It is as well possible to simply map the HTTP/fqdn principal to an "apache" user on the server for example.
So I think we should rephrase this bit something like "a principal that maps to the correct user on the server", then you can make an example using apache@REALM...
I think I follow and see why that would be less involved. Also seems more resilient to the order in which resources become available (booting a micro home data center or even installing rpms that want to conditionally add system users like Once again, thank you for taking the time to educate me.
Per discussion #39.