Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

copr: mod_auth_gssapi support for kerberos auth in Copr

Browse source
This commit is contained in:
Silvie Chlupova 2021-07-01 10:05:43 +02:00 committed by praiskup
parent 688ff267e4
commit ffee619673
4 changed files with 29 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
inventory/group_vars/copr_front_aws
View file

@ -30,3 +30,5 @@ copr_pagure_events:
copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b" copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b"
copr_fe_homedir: /usr/share/copr/coprs_frontend copr_fe_homedir: /usr/share/copr/coprs_frontend
copr_kerberos_auth_enabled: false

2
inventory/group_vars/copr_front_dev_aws
View file

@ -33,3 +33,5 @@ copr_pagure_events:
copr_messaging_queue: "c8e11df7-e863-4ca4-99b9-d37c6663c7f7" copr_messaging_queue: "c8e11df7-e863-4ca4-99b9-d37c6663c7f7"
copr_fe_homedir: /usr/share/copr/coprs_frontend copr_fe_homedir: /usr/share/copr/coprs_frontend
copr_kerberos_auth_enabled: true

15
roles/copr/frontend/templates/copr.conf
View file

@ -54,6 +54,16 @@ WTF_CSRF_ENABLED = True
# send emails when user's perms change in project? # send emails when user's perms change in project?
SEND_EMAILS = True SEND_EMAILS = True
{% if copr_kerberos_auth_enabled %}
KRB5_LOGIN = {
'FEDORAPROJECT': {
'URI': "fedoraproject",
'log_text': "krb5-login",
'email_domain': "fedoraproject.org",
}
}
{% endif %}
PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}" PUBLIC_COPR_HOSTNAME = "{{ copr_frontend_public_hostname }}"
# When running the website through apache, # When running the website through apache,
@ -142,3 +152,8 @@ PAGURE_EVENTS = {
# Increase build timeout to 48h # Increase build timeout to 48h
# Requested by lantw44 for chromium # Requested by lantw44 for chromium
MAX_BUILD_TIMEOUT = 172800 MAX_BUILD_TIMEOUT = 172800
{% if copr_kerberos_auth_enabled %}
API_GSSAPI_AUTH = True
{% else %}
API_GSSAPI_AUTH = False
{% endif %}

10
roles/copr/frontend/templates/httpd/coprs.conf
View file

@ -105,6 +105,16 @@ WSGIApplicationGroup %{GLOBAL}
Require all granted Require all granted
</Directory> </Directory>
{% if copr_kerberos_auth_enabled %}
<LocationMatch /(krb5_login/fedoraproject|api_3/(build/(delete|create|cancel)|module|package/(add|edit|reset|build|delete)|project/permissions|project-chroot/edit|project/(add|edit|fork|delete)|webhook|auth-check))/*>
AuthType GSSAPI
AuthName "Fedoraproject GSSAPI/krb5 Credentials"
GssapiBasicAuthMech krb5
GssapiCredStore keytab:/etc/httpd/conf.d/copr-frontend-http-api.keytab
Require valid-user
</LocationMatch>
{% endif %}
RewriteEngine on RewriteEngine on
RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301] RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301] RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]