[jbosstools-issues] [JBoss JIRA] (JBDS-3188) Support of krb5-principal keys in openshift-java-client (eclipse)
Jason DeTiberus (JIRA)
issues at jboss.org
Fri Jan 16 11:05:49 EST 2015
[ https://issues.jboss.org/browse/JBDS-3188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13033214#comment-13033214 ]
Jason DeTiberus commented on JBDS-3188:
---------------------------------------
Adding the same comments I did on the bugzilla bug for this.
Hoping to clarify the situation a bit here. There are 2 different places that Kerberos auth can (and should) work from the perspective of the openshift-java-client.
1) Broker REST API
- Already supported on the Broker side.
- If configured properly (i.e. the default Kerberos config that ships with the remote-user plugin), the broker httpd will allow any requests through that have a Bearer token or are passed in from the local Console connection. Any unauthenticated requests would then fall back to Kerberos auth using mod_auth_kerb.
- Both user/password and passed kerberos tickets are accepted in the default configuration, but we should prefer to forward a ticket for auth.
- The Kerberos ticket is only needed if a valid Bearer token is absent, and the client should use any valid Bearer tokens in preference to kerberos auth.
2) SSH Authentication to the gear
- Already supported on the Node side, given proper configuration (
- This requires that the kerberos principal be added for the user using the REST API call for adding a public key: https://access.redhat.com/documentation/en-US/OpenShift/2.0/html/REST_API_Guide/sect-API_Guide-SSH_Keys-SSH_Key_Management.html#sect-API_Guide-SSH_Keys-SSH_Key_Management-Add_SSH_Key
- The result of the API call is that the user principal is added to the k5login file within the gear.
- The ssh client implementation would need to support forwarding the kerberos ticket for authentication (http://sachithdhanushka.blogspot.com/2014/02/kerberos-java-client-configuration.html seems to indicate that it is possible, but it is Linux focused, not sure how it would translate to Windows or Mac).
Some other client notes:
- Should prefer existing tickets to creating tickets
- Should prefer tickets to user/pass auth
- Should prefer Bearer token to kerberos ticket (in the case of the Broker API)
- Should prefer forwarding kerberos ticket to SSH Public Key auth (in the case of SSH to gear)
> Support of krb5-principal keys in openshift-java-client (eclipse)
> ------------------------------------------------------------------
>
> Key: JBDS-3188
> URL: https://issues.jboss.org/browse/JBDS-3188
> Project: Developer Studio (JBoss Developer Studio)
> Issue Type: Feature Request
> Components: openshift
> Affects Versions: 8.0.x
> Reporter: Christos Triantafyllidis
> Assignee: Max Rydahl Andersen
>
> The openshift-java-client which is used by the eclipse plugin doesn't support these krb5-principal keys.
> This request is to be able to clone/pull/push updates to openshift application repositories when krb5 credentials are already available and the openshift broker supports krb5 authentication.
> https://github.com/openshift/openshift-java-client/blob/master/src/main/java/com/openshift/client/SSHKeyType.java
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
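
The Broker REST API preference order from the comment above (Bearer token, then an existing Kerberos ticket, then user/password), as an added example that is not code from openshift-java-client or from the commenter. The class and method names, the preemptive "Negotiate" header, the HTTP@host service name and the host broker.example.com are assumptions; it needs Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class BrokerAuthHeader {
    // Hypothetical helper: choose the Authorization header value in the comment's order.
    static String authorization(String bearer, String brokerHost, String user, String pass) {
        if (bearer != null && !bearer.isEmpty()) return "Bearer " + bearer;
        try {
            return "Negotiate " + spnegoToken(brokerHost);
        } catch (Exception noUsableTicket) {
            // No ticket cache or no service ticket: fall through to user/password.
        }
        if (user == null || pass == null) throw new IllegalStateException("no usable credential");
        String basic = user + ":" + pass;
        return "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8));
    }

    // Uses only tickets already in the cache (never prompts, never creates a new TGT).
    static String spnegoToken(String host) throws Exception {
        Configuration ticketCacheOnly = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Map.of("useTicketCache", "true", "doNotPrompt", "true")) };
            }
        };
        LoginContext lc = new LoginContext("broker", null, null, ticketCacheOnly);
        lc.login(); // throws LoginException when the cache holds no valid ticket
        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSName spn = m.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = m.createContext(spn, new Oid("1.3.6.1.5.5.2"), null, GSSContext.DEFAULT_LIFETIME);
            try { return ctx.initSecContext(new byte[0], 0, 0); } finally { ctx.dispose(); }
        });
        return Base64.getEncoder().encodeToString(token);
    }

    public static void main(String[] args) {
        // Constructed token value; the Bearer path needs no KDC, so this runs offline.
        System.out.println(authorization("constructed-token", "broker.example.com", null, null));
    }
}
```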