From c8f5fa271c12fb2a8972e51f9ef21aa229b45525 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Thu, 24 Nov 2016 19:53:51 +0000
Subject: [PATCH] Switch epylog to krb5

Signed-off-by: Patrick Uiterwijk
---
 playbooks/groups/logserver.yml | 6 ++++++
 roles/epylog/files/epylog-web.conf | 13 ++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/playbooks/groups/logserver.yml b/playbooks/groups/logserver.yml
index f728361170..fa9588bc58 100644
--- a/playbooks/groups/logserver.yml
+++ b/playbooks/groups/logserver.yml
@@ -23,6 +23,12 @@
 - epylog
 - openvpn/client
 - awstats
+ - role: keytab/service owner_user: apache owner_group: apache service: HTTP host: "admin.fedoraproject.org" when: env == "production"
 tasks:
 - include: "{{ tasks }}/yumrepos.yml"
diff --git a/roles/epylog/files/epylog-web.conf b/roles/epylog/files/epylog-web.conf
index dc7fe5a0ac..826d4be322 100644
--- a/roles/epylog/files/epylog-web.conf
+++ b/roles/epylog/files/epylog-web.conf
@@ -6,10 +6,13 @@ LoadModule authn_file_module modules/mod_authn_file.so
 Options FollowSymLinks Indexes
- AuthType Basic
- AuthName "Fedora Log Server"
- AuthBasicProvider file
- AuthUserFile /srv/web/epylog/.htpasswd
- Require valid-user
+ AuthName "Epylog GSSAPI Login"
+ GssapiCredStore keytab:/etc/krb5.HTTP_admin.fedoraproject.org.keytab
+ AuthType GSSAPI
+ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+ GssapiSSLonly Off
+ GssapiLocalName on
+ # This should coincide with sysadmin-logs until we have group info
+ Require user codeblock kevin puiterwijk ralph smooge nb cydrobolt
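Review bot: The keytab/service role call is gated with `when: env == "production"`, while the epylog-web.conf in the second file of this patch switches to `GssapiCredStore keytab:/etc/krb5.HTTP_admin.fedoraproject.org.keytab` unconditionally, so on a non-production logserver httpd will likely point at a keytab nothing provisions and the web UI's authentication fails for everyone. Either drop the condition or template the config so that staging gets its own HTTP/ principal and keytab (or keeps the old file-based auth). A short comment next to the role call would also help, e.g. `# Principal is HTTP/admin.fedoraproject.org, not this host: epylog is reached through the admin proxy`; the keytab path hard-coded in the conf presumably matches what keytab/service writes, but that cannot be confirmed from this hunk. The enclosing `roles:` list starts outside the hunk.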
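Review bot: The hunk drops the `AuthUserFile /srv/web/epylog/.htpasswd` directive, but nothing in this patch removes that file, so the old password hashes stay on disk on the log server; add a task such as `file: path=/srv/web/epylog/.htpasswd state=absent` once the GSSAPI login is confirmed working. `GssapiSSLonly Off` lets mod_auth_gssapi negotiate over plain HTTP as well, so confidentiality of the Kerberos exchange now rests entirely on the fronting proxy only ever reaching this vhost over TLS, and I would make the existing comment say so explicitly: `# The proxy on admin.fedoraproject.org MUST only reach this vhost over TLS; this directive disables mod_auth_gssapi's own check.` `LoadModule authn_file_module` is still loaded although no remaining directive uses it, and no `LoadModule auth_gssapi_module` appears in the hunk, presumably it comes from a conf.modules.d drop-in, but that is worth confirming. `GssapiLocalName on` combined with `Require user ...` also depends on the auth_to_local mapping in krb5.conf resolving each principal to these short names; verify that a principal from another realm cannot map onto one of them.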