-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | MANIFEST.in | 1 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | cobbler.spec | 1 | ||||
-rw-r--r-- | cobbler/cobblerd.py | 35 | ||||
-rw-r--r-- | cobbler/modules/authn_kerberos.py | 81 | ||||
-rw-r--r-- | cobbler/modules/authn_ldap.py | 7 | ||||
-rw-r--r-- | cobbler/modules/authn_passthru.py | 49 | ||||
-rw-r--r-- | cobbler/utils.py | 2 | ||||
-rw-r--r-- | scripts/cobbler_auth_help | 55 | ||||
-rwxr-xr-x | scripts/index.py | 25 | ||||
-rw-r--r-- | setup.py | 2 |
12 files changed, 111 insertions, 150 deletions
@@ -19,6 +19,7 @@ Cobbler CHANGELOG - import can now take an --arch (and is recommended usage) - now possible to override snippets on a profile/system specific basis - provide a different default sample kickstart for imports of F8 and later +- support for kerberos authentication - ??? - 0.8.3 - Make createrepo get run for local cobbler reposync invocations as needed diff --git a/MANIFEST.in b/MANIFEST.in index 4c8ed20d..c553c03d 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -24,7 +24,6 @@ include scripts/findks.cgi include scripts/nopxe.cgi include scripts/gateway.py include scripts/post_install_trigger.cgi -include scripts/cobbler_auth_help include snippets/* recursive-include po *.pot recursive-include po *.po @@ -38,6 +38,7 @@ install: clean manpage devinstall: cp /var/lib/cobbler/settings /tmp/cobbler_settings cp /etc/cobbler/modules.conf /tmp/cobbler_modules.conf + cp /etc/httpd/conf.d/cobbler.conf /tmp/cobbler_http.conf cp /etc/cobbler/users.conf /tmp/cobbler_users.conf -cp /etc/cobbler/users.digest /tmp/cobbler_users.digest make install @@ -45,6 +46,7 @@ devinstall: cp /tmp/cobbler_modules.conf /etc/cobbler/modules.conf cp /tmp/cobbler_users.conf /etc/cobbler/users.conf -cp /tmp/cobbler_users.digest /etc/cobbler/users.digest + cp /tmp/cobbler_http.conf /etc/httpd/conf.d/cobbler.conf find /var/lib/cobbler/triggers | xargs chmod +x chown -R apache /var/www/cobbler chown -R apache /var/www/cgi-bin/cobbler diff --git a/cobbler.spec b/cobbler.spec index 2b6c88df..9b775cdb 100644 --- a/cobbler.spec +++ b/cobbler.spec @@ -120,7 +120,6 @@ test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT %dir /tftpboot/images %{_bindir}/cobbler %{_bindir}/cobblerd -%{_bindir}/cobbler_auth_help %dir /etc/cobbler %config(noreplace) /etc/cobbler/*.ks %config(noreplace) /etc/cobbler/*.template diff --git a/cobbler/cobblerd.py b/cobbler/cobblerd.py index 8859e034..065e99e2 100644 --- a/cobbler/cobblerd.py +++ b/cobbler/cobblerd.py 
@@ -18,6 +18,7 @@ import SimpleXMLRPCServer import glob from utils import _ import xmlrpclib +import binascii from server import xmlrpclib2 import api as cobbler_api @@ -40,6 +41,8 @@ def core(logger=None): pid = os.fork() + regen_ss_file() + if pid == 0: # part one: XMLRPC -- which may be just read-only or both read-only and read-write do_xmlrpc_tasks(bootapi, settings, xmlrpc_port, xmlrpc_port2, logger) @@ -47,6 +50,21 @@ def core(logger=None): # part two: syslog, or syslog+avahi if avahi is installed do_other_tasks(bootapi, settings, syslog_port, logger) +def regen_ss_file(): + # this is only used for Kerberos auth at the moment. + # it identifies XMLRPC requests from Apache that have already + # been cleared by Kerberos. + + fd = open("/dev/urandom") + data = fd.read(512) + fd.close() + fd = open("/var/lib/cobbler/web.ss","w+") + fd.write(binascii.hexlify(data)) + fd.close() + os.system("chmod 700 /var/lib/cobbler/web.ss") + os.system("chown apache /var/lib/cobbler/web.ss") + return 1 + def do_xmlrpc_tasks(bootapi, settings, xmlrpc_port, xmlrpc_port2, logger): if str(settings.xmlrpc_rw_enabled) != "0": pid2 = os.fork() @@ -195,11 +213,14 @@ if __name__ == "__main__": #main() - bootapi = cobbler_api.BootAPI() - settings = bootapi.settings() - syslog_port = settings.syslog_port - xmlrpc_port = settings.xmlrpc_port - xmlrpc_port2 = settings.xmlrpc_rw_port - logger = bootapi.logger_remote - do_xmlrpc_unix(bootapi, settings, logger) + #bootapi = cobbler_api.BootAPI() + #settings = bootapi.settings() + #syslog_port = settings.syslog_port + #xmlrpc_port = settings.xmlrpc_port + #xmlrpc_port2 = settings.xmlrpc_rw_port + #logger = bootapi.logger_remote + #do_xmlrpc_unix(bootapi, settings, logger) + + regen_ss_file() + diff --git a/cobbler/modules/authn_kerberos.py b/cobbler/modules/authn_kerberos.py deleted file mode 100644 index 46c01ada..00000000 --- a/cobbler/modules/authn_kerberos.py +++ /dev/null 
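Review bot: The new `regen_ss_file()` call in core() sits between `pid = os.fork()` and `if pid == 0:`, so both the parent and the child process regenerate /var/lib/cobbler/web.ss, each with its own random secret; whichever process writes last wins, and an index.py request arriving in between can read a secret that the other process then overwrites. Move the call above the fork, `regen_ss_file()` followed by `pid = os.fork()`, so the secret is generated exactly once per daemon start. core() continues outside the hunk.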
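Review bot: In `regen_ss_file`, `open("/var/lib/cobbler/web.ss","w+")` creates the shared secret under the process umask and only afterwards shells out to `chmod 700`, so on first creation the hexlified secret is briefly readable by any local user, and both os.system calls are unchecked. Create the file with owner-only mode from the start via os.open and set ownership with os.chown (this needs `import pwd` next to the new `import binascii`); 0600 is sufficient for a regular file, and an explicit chmod also corrects a pre-existing file left with looser permissions. The comment could also say that the file is read by index.py running as apache, which is why it is chowned to apache.
```python
def regen_ss_file():
    # this is only used for Kerberos auth at the moment.
    # it identifies XMLRPC requests from Apache that have already
    # been cleared by Kerberos.  index.py reads this file as apache,
    # so it is owned by apache and readable by nobody else.
    fd = open("/dev/urandom")
    data = fd.read(512)
    fd.close()
    path = "/var/lib/cobbler/web.ss"
    # create with owner-only permissions so the secret is never exposed
    # under the default umask; the chmod below also fixes up a
    # pre-existing file that was created with looser permissions
    ss = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
    try:
        os.write(ss, binascii.hexlify(data))
    finally:
        os.close(ss)
    os.chmod(path, 0600)
    os.chown(path, pwd.getpwnam("apache").pw_uid, -1)
    return 1
```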
@@ -1,81 +0,0 @@ -""" -Authentication module that uses kerberos. - -Copyright 2007, Red Hat, Inc -Michael DeHaan <mdehaan@redhat.com> - -This software may be freely redistributed under the terms of the GNU -general public license. - -You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -""" - -# NOTE: this is not using 'straight up' kerberos in that we -# relay passwords through cobblerd for authentication, that may -# be done later. It does of course check against kerberos, -# however. - -# ALSO NOTE: we're calling out to a Perl program to make -# this work. You must install Authen::Simple::Kerberos -# from CPAN and the Kerberos libraries for this to work. -# See the Cobbler Wiki for more info. - -# ALSO ALSO NOTE: set kerberos_realm in /var/lib/cobbler/settings -# to something appropriate or this will never work. CASING -# MATTERS. example.com != EXAMPLE.COM. - -import distutils.sysconfig -import ConfigParser -import sys -import os -from utils import _ -import md5 -import traceback -# since sub_process isn't available on older OS's -try: - import sub_process as subprocess -except: - import subprocess - -plib = distutils.sysconfig.get_python_lib() -mod_path="%s/cobbler" % plib -sys.path.insert(0, mod_path) - -import cexceptions -import utils - -def register(): - """ - The mandatory cobbler module registration hook. 
- """ - return "authn" - -def authenticate(api_handle,username,password): - """ - Validate a username/password combo, returning True/False - Uses cobbler_auth_helper - """ - - realm = api_handle.settings().kerberos_realm - api_handle.logger.debug("authenticating %s against %s" % (username,realm)) - - rc = subprocess.call([ - "/usr/bin/cobbler_auth_help", - "--method=kerberos", - "--username=%s" % username, - "--password=%s" % password, - "--realm=%s" % realm - ]) - print rc - if rc == 42: - api_handle.logger.debug("authenticated ok") - # authentication ok (FIXME: log) - return True - else: - api_handle.logger.debug("authentication failed") - # authentication failed - return False - - diff --git a/cobbler/modules/authn_ldap.py b/cobbler/modules/authn_ldap.py index eef4b2a2..ff317508 100644 --- a/cobbler/modules/authn_ldap.py +++ b/cobbler/modules/authn_ldap.py @@ -17,7 +17,10 @@ import os from utils import _ import md5 import traceback -import ldap + +# we'll import this just a bit later +# to keep it from being a requirement +# import ldap plib = distutils.sysconfig.get_python_lib() mod_path="%s/cobbler" % plib @@ -38,6 +41,8 @@ def authenticate(api_handle,username,password): """ Validate an ldap bind, returning True/False """ + + import ldap server = api_handle.settings().ldap_server basedn = api_handle.settings().ldap_base_dn diff --git a/cobbler/modules/authn_passthru.py b/cobbler/modules/authn_passthru.py new file mode 100644 index 00000000..ebbe79a4 --- /dev/null +++ b/cobbler/modules/authn_passthru.py 
@@ -0,0 +1,49 @@ +""" +Authentication module that defers to Apache and trusts +what Apache trusts. + +Copyright 2008, Red Hat, Inc +Michael DeHaan <mdehaan@redhat.com> + +This software may be freely redistributed under the terms of the GNU +general public license. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +""" + +import distutils.sysconfig +import sys +import os +from utils import _ +import traceback + +plib = distutils.sysconfig.get_python_lib() +mod_path="%s/cobbler" % plib +sys.path.insert(0, mod_path) + +import cexceptions +import utils + +def register(): + """ + The mandatory cobbler module registration hook. + """ + return "authn" + +def authenticate(api_handle,username,password): + """ + Validate a username/password combo, returning True/False + Uses cobbler_auth_helper + """ + + fd = open("/var/lib/cobbler/web.ss") + data = fd.read() + if password == data: + rc = 1 + else: + rc = 0 + fd.close() + return data + diff --git a/cobbler/utils.py b/cobbler/utils.py index 8cc75bb4..8a090250 100644 --- a/cobbler/utils.py +++ b/cobbler/utils.py @@ -564,7 +564,7 @@ def linkfile(src, dst): except (IOError, OSError): pass - return utils.copyfile(src, dst) + return copyfile(src, dst) def copyfile(src,dst): try: diff --git a/scripts/cobbler_auth_help b/scripts/cobbler_auth_help deleted file mode 100644 index c43cd5b2..00000000 --- a/scripts/cobbler_auth_help +++ /dev/null 
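Review bot: `authenticate` in authn_passthru.py returns `data`, the contents of web.ss, rather than the result of the comparison; `rc` is computed and then discarded. Because the secret is a non-empty string, a caller that tests the return value for truth, as the True/False contract in the docstring suggests, would accept every password, turning the passthru module into an unconditional login. Replace the if/else, the `rc` assignments and `return data` with `return password == data`, and close the file in a `finally` so a failed read does not leak the handle. The docstring is copied from the kerberos module ("Uses cobbler_auth_helper"); it should instead state that the module trusts `username` exactly as Apache asserted it and only checks that the caller holds the shared secret from /var/lib/cobbler/web.ss, so it must only be enabled when Apache enforces authentication in front of cobbler.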
@@ -1,55 +0,0 @@ -#!/usr/bin/perl - -# Kerberos helper for logins -# -# Copyright 2007, Red Hat, Inc -# Michael DeHaan <mdehaan@redhat.com> -# -# This software may be freely redistributed under the terms of the GNU -# general public license. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - -# Usage: -# cobbler_auth_helper kerberos username pass -# (may do other auth types later) -# Returns: -# 0 on ok, non-0 on failure -# API info: -# http://search.cpan.org/~chansen/Authen-Simple-Kerberos-0.1/ - -use warnings; -use strict; - -use Authen::Simple::Kerberos; -use Getopt::Long; - -my $method; -my $username; -my $realm; -my $password; -my $verbose=1; - -my $result = GetOptions( - "method=s" => \$method, - "username=s" => \$username, - "realm=s" => \$realm, - "password=s" => \$password, -); - -my $kerberos = Authen::Simple::Kerberos->new( - realm => $realm -); - -print "authenticating: $username against (realm=$realm) (pass=$password)\n" if $verbose; - -if ( $kerberos->authenticate( $username, $password ) ) { - print "ok\n" if $verbose; - exit(42); -} - -print "denied\n" if $verbose; -exit(1); - diff --git a/scripts/index.py b/scripts/index.py index d32a3a67..281e36ea 100755 --- a/scripts/index.py +++ b/scripts/index.py @@ -18,6 +18,7 @@ from mod_python import util import xmlrpclib import cgi +import os from cobbler.webui import CobblerWeb XMLRPC_SERVER = "http://127.0.0.1:25152" # was http://127.0.0.1/cobbler_api_rw" 
@@ -70,7 +71,28 @@ def handler(req): my_user = __get_user(req) my_uri = req.uri sess = __get_session(req) - token = sess['cobbler_token'] + + if not sess.has_key('cobbler_token'): + # using Kerberos instead of Python Auth handler? + # We need to get our own token for use with authn_passthru + # which should also be configured in /etc/cobbler/modules.conf + # if another auth mode is configured in modules.conf this will + # most certaintly fail. + try: + if not os.path.exists("/var/lib/cobbler/web.ss"): + apache.log_error("cannot load /var/lib/cobbler/web.ss") + return apache.HTTP_UNAUTHORIZED + fd = open("/var/lib/cobbler/web.ss") + data = fd.read() + my_pw = data + fd.close() + token = xmlrpc_server.login(my_user,my_pw) + except Exception, e: + apache.log_error(str(e)) + return apache.HTTP_UNAUTHORIZED + sess['cobbler_token'] = token + else: + token = sess['cobbler_token'] # needed? req.add_common_vars() @@ -118,7 +140,6 @@ def authenhandler(req): my_user = req.user my_uri = req.uri - apache.log_error("authenhandler called: %s" % my_user) try: token = xmlrpc_server.login(my_user,my_pw) except Exception, e: @@ -60,7 +60,7 @@ if __name__ == "__main__": "cobbler/server", "cobbler/webui", ], - scripts = ["scripts/cobbler", "scripts/cobblerd", "scripts/cobbler_auth_help"], + scripts = ["scripts/cobbler", "scripts/cobblerd"], data_files = [ (modpython, ['scripts/index.py']), # cgi files |
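Review bot: The new fallback in `handler` logs in with the web.ss secret for whatever `__get_user(req)` returned, without checking that a user was set at all; since authn_passthru accepts any username that presents the secret, a request reaching this path with an empty or missing user would obtain a token for that empty identity. Add `if not my_user: return apache.HTTP_UNAUTHORIZED` before the `os.path.exists` check so the passthru login only runs for a request Apache has already authenticated. `__get_user` is defined outside the hunk, so what it returns for an unauthenticated request cannot be confirmed here. The `fd` opened inside the try block is also not closed when `fd.read()` raises; a `finally` around the read would fix that.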