Python CSC Electronic Office
Max Erenberg d78d31eec0 add Kerberos delegation (#5)
This PR adds unconstrained Kerberos delegation to the API.

The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials.

Reviewed-on: #5
Co-authored-by: Max Erenberg <merenber@localhost>
Co-committed-by: Max Erenberg <merenber@localhost>
2021-08-18 15:39:14 -04:00

README.md

pyceo

work in progress

Development

First, make sure that you have installed the syscom dev environment. This will set up all of the services needed for ceo to work. You should clone this repo in one of the dev environment containers.

Next, install and activate a virtualenv:

sudo apt install libkrb5-dev libsasl2-dev python3-dev
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txt
pip install -r dev-requirements.txt

C bindings

Due to the lack of a decent Python library for Kerberos we ended up writing our own C bindings using cffi. Make sure you compile the bindings:

cd ceo_common/krb5
python krb5_build.py

This should create a file named '_krb5.cpython-37m-x86_64-linux-gnu.so' (the exact name depends on your Python version and platform). This will be imported by other modules in ceo.

Running the application

ceod is essentially a distributed application, with instances on different hosts offering different services. For example, the ceod instance on mail offers a service to subscribe people to mailing lists, and the ceod instance on phosphoric-acid offers a service to create new members. Therefore, you will need to run ceod on multiple hosts. Currently, those are phosphoric-acid, mail and caffeine (in the dev environment, caffeine is replaced by coffee).

To run ceod on a single host:

export FLASK_APP=ceod.api
export FLASK_ENV=development
flask run -h 0.0.0.0 -p 9987

Sometimes changes you make in the source code don't show up while Flask is running. Stop the flask app (Ctrl-C), run clear_cache.sh, then restart the app.

Interacting with the application

The client part of ceo hasn't been written yet, so we'll use curl to interact with ceod for now.

ceod uses SPNEGO for authentication, and TLS for confidentiality and integrity. In development mode, TLS can be disabled.

First, make sure that your version of curl has been compiled with SPNEGO support:

curl -V

You should see 'SPNEGO' in the 'Features' section.

The API also uses unconstrained Kerberos delegation when interacting with the LDAP database. This means that the client obtains a forwarded TGT, then sends that to ceod, which then uses it to interact with LDAP on the client's behalf. Because the delegation is unconstrained, ceod holds a full TGT for the client and can authenticate as that user to any Kerberos service until the ticket expires, not only to LDAP. There is a script called gen_cred.py which can generate this ticket for you.

Here's an example of making a request to an endpoint which writes to LDAP:

# Get a Kerberos TGT first
kinit
# Obtain a forwarded TGT
./gen_cred.py phosphoric-acid
# Make the request
curl --negotiate -u : --service-name ceod \
    -H "X-KRB5-CRED: $(cat cred)" \
    -d '{"uid":"test_1","cn":"Test One","program":"Math","terms":["s2021"]}' \
    -X POST http://phosphoric-acid:9987/api/members
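The server side of the exchange described above, as an added example that is not ceod's own code: it strictly decodes the 'X-KRB5-CRED' header, gives the forwarded credential a private per-request credentials cache, runs the LDAP action against that cache, and always destroys the cache afterwards. The size cap and the `file_store` stand-in (which writes raw bytes instead of calling the project's cffi krb5 bindings) are assumptions.

```python
import base64
import os
import shutil
import tempfile
from typing import Callable, Tuple

CRED_HEADER = "X-KRB5-CRED"          # header name used by ceod
MAX_CRED_BYTES = 64 * 1024           # assumed cap; a forwarded TGT is a few KB


class CredentialError(ValueError):
    """Raised when the delegated credential header is missing or malformed."""


def decode_forwarded_cred(headers: dict) -> bytes:
    """Strictly decode the base64 credential sent by the client; reject
    anything missing, oversized or outside the base64 alphabet."""
    raw = headers.get(CRED_HEADER)
    if raw is None:
        raise CredentialError("missing " + CRED_HEADER)
    if len(raw) > 2 * MAX_CRED_BYTES:
        raise CredentialError("credential header too large")
    try:
        cred = base64.b64decode(raw, validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise CredentialError("credential is not valid base64") from e
    if not cred or len(cred) > MAX_CRED_BYTES:
        raise CredentialError("credential has an unexpected size")
    return cred


def file_store(ccache_name: str, cred: bytes) -> None:
    """Stand-in (hypothetical) for the project's krb5 store call: writes the
    bytes to the cache path. A real ccache must be written through libkrb5."""
    with open(ccache_name[len("FILE:"):], "wb") as f:
        f.write(cred)


def handle_request(headers: dict, action: Callable[[str], object],
                   store: Callable[[str, bytes], None] = file_store) -> Tuple[int, object]:
    """Decode the credential, store it in a fresh per-request ccache, run
    `action` (e.g. the LDAP write) with that cache name, then remove the cache."""
    try:
        cred = decode_forwarded_cred(headers)
    except CredentialError as e:
        return 400, str(e)
    cache_dir = tempfile.mkdtemp(prefix="ceod-krb5-")  # created with mode 0700
    ccache_name = "FILE:" + os.path.join(cache_dir, "ccache")
    try:
        store(ccache_name, cred)
        return 200, action(ccache_name)
    finally:
        shutil.rmtree(cache_dir, ignore_errors=True)  # never leave a forwarded TGT on disk
```

The `action` callable would set KRB5CCNAME to the cache name it receives before opening the GSSAPI connection to LDAP.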