Switch epylog to krb5

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

playbooks/groups/logserver.yml

@@ -23,6 +23,12 @@
   - epylog
   - openvpn/client
   - awstats
+  - role: keytab/service
+    owner_user: apache
+    owner_group: apache
+    service: HTTP
+    host: "admin.fedoraproject.org"
+    when: env == "production"
 
   tasks:
   - include: "{{ tasks }}/yumrepos.yml"

roles/epylog/files/epylog-web.conf

@@ -6,10 +6,13 @@ LoadModule authn_file_module modules/mod_authn_file.so
 
 <Directory /srv/web/epylog>
     Options FollowSymLinks Indexes
-    AuthType Basic
+    AuthName "Epylog GSSAPI Login"
-    AuthName "Fedora Log Server"
+    GssapiCredStore keytab:/etc/krb5.HTTP_admin.fedoraproject.org.keytab
-    AuthBasicProvider file
+    AuthType GSSAPI
-    AuthUserFile /srv/web/epylog/.htpasswd
+    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
-    Require valid-user
+    GssapiSSLonly Off
+    GssapiLocalName on
+    # This should coincide with sysadmin-logs until we have group info
+    Require user codeblock kevin puiterwijk ralph smooge nb cydrobolt
 </Directory>