Ian Main
2009-Jan-29 13:36 UTC
[Ovirt-devel] [PATCH node] Set up libvirt-qpid to use kerberos/gssapi authentication.
This patch makes libvirt-qpid connect to qpidd using gssapi/kerberos authentication and encryption. A principal for qpidd is added to the libvirt keytab and kinit is used in cron to keep the ticket from expiring. Signed-off-by: Ian Main <imain at redhat.com> --- Makefile.am | 1 + kinit/ovirt-kinit | 10 ++++++++++ ovirt-node.spec.in | 3 +++ scripts/ovirt | 3 ++- 4 files changed, 16 insertions(+), 1 deletions(-) create mode 100644 kinit/ovirt-kinit diff --git a/Makefile.am b/Makefile.am index 0cdf430..733fef1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -46,6 +46,7 @@ EXTRA_DIST = \ scripts/ovirt-post \ scripts/ovirt-process-config \ scripts/ovirt-uninstall-node-stateful \ + kinit/ovirt-kinit \ logrotate/ovirt-logrotate \ logrotate/ovirt-logrotate.conf diff --git a/kinit/ovirt-kinit b/kinit/ovirt-kinit new file mode 100644 index 0000000..143b356 --- /dev/null +++ b/kinit/ovirt-kinit @@ -0,0 +1,10 @@ +#!/bin/sh + +/usr/kerberos/bin/kinit -k -t /etc/libvirt/krb5.tab qpidd/`hostname`@PRIV.OVIRT.ORG + +EXITVALUE=$? +if [ $EXITVALUE != 0 ]; then + /usr/bin/logger -t kinit "ALERT kinit failed abnormally with [$EXITVALUE]" +fi +exit $EXITVALUE + diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in index da5e5a1..287a29f 100644 --- a/ovirt-node.spec.in +++ b/ovirt-node.spec.in @@ -162,6 +162,8 @@ cd - %{__install} -p -m0644 scripts/collectd %{buildroot}%{_sysconfdir}/chkconfig.d %{__install} -p -m0644 scripts/collectd.conf.in %{buildroot}%{_sysconfdir} +%{__install} -p -m0755 kinit/ovirt-kinit %{buildroot}%{_sysconfdir}/cron.hourly + %{__install} -p -m0755 logrotate/ovirt-logrotate %{buildroot}%{_sysconfdir}/cron.hourly %{__install} -p -m0644 logrotate/ovirt-logrotate.conf %{buildroot}%{_sysconfdir}/logrotate.d 
@@ -278,6 +280,7 @@ fi %{_initrddir}/ovirt-firstboot %{_initrddir}/ovirt %{_initrddir}/ovirt-post +%config %{_sysconfdir}/cron.hourly/ovirt-kinit %config %{_sysconfdir}/logrotate.d/ovirt-logrotate.conf %config %{_sysconfdir}/cron.hourly/ovirt-logrotate %{_sysconfdir}/ovirt-config-setup.d diff --git a/scripts/ovirt b/scripts/ovirt index 8694db9..83fe2d7 100755 --- a/scripts/ovirt +++ b/scripts/ovirt @@ -63,7 +63,8 @@ start() { if [ -n "$SRV_HOST" -a -n "$SRV_PORT" ]; then libvirt_qpid_conf=/etc/sysconfig/libvirt-qpid if [ -f $libvirt_qpid_conf ]; then - echo "LIBVIRT_QPID_ARGS=\"--broker $SRV_HOST --port $SRV_PORT\"" >> $libvirt_qpid_conf + echo "LIBVIRT_QPID_ARGS=\"--broker $SRV_HOST --port $SRV_PORT --gssapi\"" >> $libvirt_qpid_conf + echo "/usr/kerberos/bin/kinit -k -t /etc/libvirt/krb5.tab qpidd/`hostname`@PRIV.OVIRT.ORG" >> $libvirt_qpid_conf fi else log "skipping libvirt-qpid configuration, could not find $libvirt_qpid_conf" -- 1.6.0.4
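Review bot: The realm is hard-coded as PRIV.OVIRT.ORG in kinit/ovirt-kinit and again in the line scripts/ovirt appends to /etc/sysconfig/libvirt-qpid, and the host part comes from `hostname` on the node, whereas the server side (scripts/ovirt-add-host and host-browser.rb in the companion patch) builds the qpidd principal from the KDC's default realm and the hostname it was given. A node whose `hostname` output differs from the name the server used, or a deployment in any other realm, will fail every hourly kinit. Suggest taking the principal from the keytab (`klist -k -t /etc/libvirt/krb5.tab`) or from the node's config, and defining it in one place shared by the cron script and the init script.

Review bot: In the scripts/ovirt hunk, `start()` appends to /etc/sysconfig/libvirt-qpid with `>>` on every start, so the LIBVIRT_QPID_ARGS line and the new kinit line both accumulate across restarts; a sysconfig file is also normally sourced, so the kinit command will execute whenever the file is sourced and its exit status is ignored, with no check that a ticket was actually obtained before libvirt-qpid starts. Suggest writing the file with `>` (or replacing the line in place) and running kinit from the init script itself with its exit status checked.

Review bot: The cron.hourly ovirt-kinit runs as root and fills root's default credential cache; libvirt-qpid only benefits if it runs as the same user with the same KRB5CCNAME, and the patch neither states nor enforces that. Set KRB5CCNAME explicitly in both ovirt-kinit and the init script so the daemon and the renewer agree on one cache, and log the principal in the "kinit failed" message so the failure is diagnosable from syslog.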
This patch adds krb5-workstation package to the node, but then we remove all but kinit and klist (for debugging purposes). This is to support libvirt-qpid needing a kerberos ticket. Signed-off-by: Ian Main <imain at redhat.com> --- common-blacklist.ks | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/common-blacklist.ks b/common-blacklist.ks index a507911..a295805 100644 --- a/common-blacklist.ks +++ b/common-blacklist.ks @@ -14,7 +14,7 @@ RPMS="$RPMS kpartx mkinitrd isomd5sum dmraid checkpolicy" # Remove additional RPMs forcefully RPMS="$RPMS gamin pm-utils kbd usermode vbetool ConsoleKit hdparm \ - efibootmgr krb5-workstation linux-atm-libs fedora-release-notes \ + efibootmgr linux-atm-libs fedora-release-notes \ slang psmisc gdbm cryptsetup-luks pciutils mtools syslinux \ wireless-tools radeontool libicu gnupg2 \ fedora-logos" @@ -85,7 +85,7 @@ blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \ /usr/share/firstboot /usr/share/lua /usr/share/kde4 /usr/share/pixmaps \ /usr/share/hwdata/videodrivers /usr/share/icons /usr/share/fedora-release \ /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \ - /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \ + /usr/share/tc /usr/share/emacs /usr/share/info \ /usr/src /usr/etc /usr/games /usr/include /usr/local \ /usr/sbin/{dell*,sasldblistusers2,build-locale-archive,glibc_post_upgrade.*}" blacklist_lib="/usr/lib{,64}/gconv \ @@ -131,6 +131,8 @@ drop /usr/lib64/libboost* keep /usr/lib64/libboost_program_options.so* keep /usr/lib64/libboost_filesystem.so* keep /usr/lib64/libboost_thread-mt.so* - +drop /usr/kerberos +keep /usr/kerberos/bin/kinit +keep /usr/kerberos/bin/klist %end -- 1.6.0.4
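Review bot: `drop /usr/kerberos` followed by keeps for only kinit and klist removes kdestroy as well, so there is no way on the node to discard a credential cache (for example after the keytab is rotated) short of deleting the cache file by hand; if klist is worth keeping for debugging, keep /usr/kerberos/bin/kdestroy next to it. The removal of the blank line before `%end` in the same hunk is an unrelated whitespace change.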
This adds configuration files for qpidd to allow it to use gssapi for authentication of clients. Note that we still allow 'plain' authentication as well. This is only temporary and is required because there is currently no way to allow localhost connects to be anonymous. Once ruby has gssapi support we can remove the plain authentication. Signed-off-by: Ian Main <imain at redhat.com> --- Makefile.am | 1 + appliances/ovirt/files/qpidd.conf | 8 ++++- appliances/ovirt/files/sasl2_qpidd.conf | 47 +++++++++++++++++++++++++++++++ appliances/ovirt/ovirt.pp.in | 5 +++ ovirt-recipe.spec.in | 1 + 5 files changed, 61 insertions(+), 1 deletions(-) create mode 100644 appliances/ovirt/files/sasl2_qpidd.conf diff --git a/Makefile.am b/Makefile.am index 16d3867..8e1451b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -28,6 +28,7 @@ EXTRA_DIST = \ appliances/ovirt/files/cobbler-import \ appliances/ovirt/files/collectd.conf \ appliances/ovirt/files/qpidd.conf \ + appliances/ovirt/files/sasl2_qpidd.conf \ appliances/ovirt/files/ovirt-cfgdb \ appliances/ovirt/files/ovirt.repo \ appliances/ovirt/files/ovirt-dnsmasq.conf \ diff --git a/appliances/ovirt/files/qpidd.conf b/appliances/ovirt/files/qpidd.conf index a7e34bb..bf80918 100644 --- a/appliances/ovirt/files/qpidd.conf +++ b/appliances/ovirt/files/qpidd.conf @@ -1,5 +1,11 @@ # Configuration file for qpidd. Entries are of the form: # name = value # Using default settings: "qpidd --help" or "man qpidd" for more details. -auth=no + + +# This is where we want to be, but we can't actually do that yet because +# we have unencrypted db-omatic and taskomatic running over localhost. +# This will change shortly once we have gssapi support for ruby. +# +#require-encryption diff --git a/appliances/ovirt/files/sasl2_qpidd.conf b/appliances/ovirt/files/sasl2_qpidd.conf new file mode 100644 index 0000000..c61131f --- /dev/null +++ b/appliances/ovirt/files/sasl2_qpidd.conf 
@@ -0,0 +1,47 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# +# This configuation allows for either SASL PLAIN or ANONYMOUS +# authentication. The PLAIN authentication is done on a +# username+password, which is stored in the sasldb_path +# file. Usernames and passwords can be added to the file using the +# command: +# +# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER> +# +# The REALM is important and should be the same as the --auth-realm +# option to the broker. This lets the broker properly find the user in +# the sasldb file. +# +# Existing user accounts may be listed with: +# +# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb +# +# NOTE: The sasldb file must be readable by the user running the qpidd +# daemon, and should be readable only by that user. +# +pwcheck_method: auxprop +auxprop_plugin: sasldb +sasldb_path: /var/lib/qpidd/qpidd.sasldb + +# For now we allow plain auth too because the local daemons do not yet +# support kerberos. +mech_list: gssapi plain +keytab: /usr/share/ovirt-server/ovirt.keytab + diff --git a/appliances/ovirt/ovirt.pp.in b/appliances/ovirt/ovirt.pp.in index f409ee3..c61f2b2 100644 --- a/appliances/ovirt/ovirt.pp.in +++ b/appliances/ovirt/ovirt.pp.in 
@@ -88,6 +88,11 @@ file {"/etc/qpidd.conf": notify => Service["qpidd"] } +file {"/etc/sasl2/qpidd.conf": + source => "puppet:///ovirt/sasl2_qpidd.conf", + notify => Service["qpidd"] +} + file {"/var/www/html/ovirt-cfgdb": source => "puppet:///ovirt/ovirt-cfgdb" } diff --git a/ovirt-recipe.spec.in b/ovirt-recipe.spec.in index ea51c3a..e8aa596 100644 --- a/ovirt-recipe.spec.in +++ b/ovirt-recipe.spec.in @@ -38,6 +38,7 @@ Requires: syslinux Requires: lokkit Requires: curl Requires: qpidd +Requires: cyrus-sasl-plain Requires: rubygem-qpid Requires: qpidc Requires: qmf -- 1.6.0.4
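Review bot: In sasl2_qpidd.conf the header still says the file "allows for either SASL PLAIN or ANONYMOUS authentication", but `mech_list` is `gssapi plain`; update the header so it describes the mechanisms actually enabled. The bigger point, which the commit message concedes but the file does not: with `auth=no` removed from qpidd.conf and `require-encryption` left commented out, PLAIN is offered on the TCP listener to every host, so the password the local daemons use crosses the network in the clear and is accepted from any host, not just localhost. Record that as a TODO next to `mech_list` so it is not lost when the ruby gssapi support arrives. Also, `keytab: /usr/share/ovirt-server/ovirt.keytab` puts a long-term key under /usr/share, which is conventionally world-readable data; move it to a location such as /etc, mode 0600 and owned by the user qpidd runs as, rather than widening the mode so the broker can read it.

Review bot: ovirt-recipe.spec.in adds `Requires: cyrus-sasl-plain` but `mech_list` also names gssapi, and on Fedora the GSSAPI SASL mechanism ships in cyrus-sasl-gssapi; without `Requires: cyrus-sasl-gssapi` the broker has no GSSAPI mechanism to offer and only PLAIN works. Separately, nothing in ovirt.pp.in creates /var/lib/qpidd/qpidd.sasldb or the account the companion patch logs in with; add a saslpasswd2 step (with the same realm the broker is started with, as the file's own comment notes) or document the manual one, and give the sasldb and the keytab `file` resources with restrictive owner and mode alongside the new /etc/sasl2/qpidd.conf resource.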
Ian Main
2009-Jan-29 13:38 UTC
[Ovirt-devel] [PATCH] Set up kerberos authentication for qpidd
This patch generates a kerberos principal for qpidd and adds it to the ovirt principal. It also changes the localhost qmf apps to use plain sasl auth as there's no way to configure qpidd to accept anonymous connections over localhost. Once gssapi is supported by ruby (any day now) we can change those over to using gssapi as well. Signed-off-by: Ian Main <imain at redhat.com> --- scripts/ovirt-add-host | 10 +++++++--- src/db-omatic/db_omatic.rb | 2 +- src/host-browser/host-browser.rb | 3 +++ src/qmf-libvirt-example.rb | 2 +- src/task-omatic/taskomatic.rb | 2 +- 5 files changed, 13 insertions(+), 6 deletions(-) diff --git a/scripts/ovirt-add-host b/scripts/ovirt-add-host index 700e2ac..c6b7cd2 100755 --- a/scripts/ovirt-add-host +++ b/scripts/ovirt-add-host @@ -23,6 +23,8 @@ default_realm = krbV.Context().default_realm ipaddr = get_ip(sys.argv[1]) libvirt_princ = 'libvirt/' + sys.argv[1] + '@' + default_realm +qpidd_princ = 'qpidd/' + sys.argv[1] + '@' + default_realm + if len(sys.argv) > 2: outname = sys.argv[2] else: @@ -33,6 +35,8 @@ else: kadmin_local('addprinc -randkey +requires_preauth ' + libvirt_princ) kadmin_local('ktadd -k ' + outname + ' ' + libvirt_princ) -if len(sys.argv) <= 2: - # make sure it is readable by apache - os.chmod(outname, 0644) +kadmin_local('addprinc -randkey ' + qpidd_princ) +kadmin_local('ktadd -k ' + outname + ' ' + qpidd_princ) + +# make sure it is readable by apache and qpidd. +os.chmod(outname, 0644) diff --git a/src/db-omatic/db_omatic.rb b/src/db-omatic/db_omatic.rb index 4afffb1..2ba9456 100755 --- a/src/db-omatic/db_omatic.rb +++ b/src/db-omatic/db_omatic.rb @@ -326,7 +326,7 @@ def main() dbsync = DbOmatic.new() s = Qpid::Qmf::Session.new(:console => dbsync, :rcv_events => false) - b = s.add_broker("amqp://localhost:5672") + b = s.add_broker("amqp://guest:guest at localhost:5672") dbsync.db_init_cleanup() diff --git a/src/host-browser/host-browser.rb b/src/host-browser/host-browser.rb index 852d6bf..579f241 100755 
--- a/src/host-browser/host-browser.rb +++ b/src/host-browser/host-browser.rb @@ -328,6 +328,7 @@ class HostBrowser krb5 = krb5_arg || Krb5.new default_realm = krb5.get_default_realm + qpidd_princ = 'qpidd/' + hostname + '@' + default_realm libvirt_princ = 'libvirt/' + hostname + '@' + default_realm outfile = ipaddress + '-libvirt.tab' @keytab_filename = @keytab_dir + outfile @@ -338,6 +339,8 @@ class HostBrowser puts "Writing keytab file: #{@keytab_filename}" unless defined?(TESTING) kadmin_local('addprinc -randkey ' + libvirt_princ) kadmin_local('ktadd -k ' + @keytab_filename + ' ' + libvirt_princ) + kadmin_local('addprinc -randkey ' + qpidd_princ) + kadmin_local('ktadd -k ' + @keytab_filename + ' ' + qpidd_princ) File.chmod(0644, at keytab_filename) end diff --git a/src/qmf-libvirt-example.rb b/src/qmf-libvirt-example.rb index 5bfe44d..8fac3c9 100644 --- a/src/qmf-libvirt-example.rb +++ b/src/qmf-libvirt-example.rb @@ -4,7 +4,7 @@ require "rubygems" require "qpid" s = Qpid::Qmf::Session.new() -b = s.add_broker("amqp://localhost:5672") +b = s.add_broker("amqp://guest:guest at localhost:5672") while true: nodes = s.objects(:class => "node") diff --git a/src/task-omatic/taskomatic.rb b/src/task-omatic/taskomatic.rb index bcb9bd3..0570246 100755 --- a/src/task-omatic/taskomatic.rb +++ b/src/task-omatic/taskomatic.rb @@ -47,7 +47,7 @@ class TaskOmatic @session = Qpid::Qmf::Session.new() # FIXME: Should come from some kind of config or DNS SRV or what have you. - @broker = @session.add_broker("amqp://localhost:5672") + @broker = @session.add_broker("amqp://guest:guest at localhost:5672") do_daemon = true -- 1.6.0.4
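Review bot: In scripts/ovirt-add-host the qpidd principal is created with `addprinc -randkey` but without the `+requires_preauth` that the libvirt principal immediately above gets; unless there is a reason for the asymmetry, add it to both. The `os.chmod(outname, 0644)` is now unconditional, so a keytab holding both service keys is world-readable wherever the script writes it; prefer 0640 with a group containing apache and qpidd, or write separate keytabs per service. The `File.chmod(0644, ...)` in host-browser.rb has the same problem.

Review bot: db_omatic.rb, taskomatic.rb and qmf-libvirt-example.rb each hard-code `guest:guest` in the broker URL, and since the broker accepts PLAIN on TCP from any host (see the qpidd patch in this thread), those credentials amount to a network-wide anonymous login. Read them from one config file readable only by the daemon user, so that removing PLAIN once gssapi is available is a one-place change instead of three edits.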
This set of patches adds support for gssapi/kerberos to qpidd. You'll note that it's still not secure, as we allow 'plain' auth with a guest account for daemons that connect over localhost (taskomatic, dbomatic etc.), and unfortunately there's no way to constrain that to localhost connections at this time.

The qpid team is putting out a new set of rpms in the next day or two which will add gssapi support to ruby, at which point we can move those connections to gssapi as well and remove the plain auth with guest access.

Ian
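The weaknesses the cover note admits to (PLAIN offered without encryption, the broker reachable from any host, a world-readable keytab) are all visible in two small config files plus a file mode, so they can be linted. The script below is an added example, not code from the oVirt project or from Ian's patches: it parses the `name=value` form of qpidd.conf and the `key: value` form of /etc/sasl2/qpidd.conf, checks the keytab's mode, and reports findings. The two "thread" config strings are the ones posted in the patches above (license header omitted); the "hardened" strings and the function names (`lint_broker_auth`, `parse_kv`, `make_keytab`) are assumptions for the example, and the keytab files it creates are empty stand-ins, not real keytabs.

```python
"""Lint a qpidd broker's authentication setup for the gaps this thread discusses.
Added example, not code from the oVirt project."""
import os
import stat
import tempfile

# Taken from the qpidd.conf and sasl2_qpidd.conf hunks posted in this thread
# (the Apache license header of the SASL file is omitted; it is all comments).
THREAD_QPIDD_CONF = """\
# Configuration file for qpidd. Entries are of the form:
# name = value
# This is where we want to be, but we can't actually do that yet because
# we have unencrypted db-omatic and taskomatic running over localhost.
#
#require-encryption
"""

THREAD_SASL_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
# For now we allow plain auth too because the local daemons do not yet
# support kerberos.
mech_list: gssapi plain
keytab: /usr/share/ovirt-server/ovirt.keytab
"""

# Where the thread says it wants to end up (assumed target, not from a patch).
HARDENED_QPIDD_CONF = """\
auth=yes
require-encryption
"""

HARDENED_SASL_CONF = """\
mech_list: gssapi
keytab: /etc/qpidd/qpidd.keytab
"""


def parse_kv(text, sep):
    """Parse a simple 'name<sep>value' config. '#' starts a comment. A line with
    no separator is treated as a boolean flag set to 'yes', which is how
    qpidd.conf spells options such as require-encryption."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if sep in line:
            key, value = line.split(sep, 1)
            out[key.strip().lower()] = value.strip().lower()
        else:
            out[line.lower()] = "yes"
    return out


def keytab_exposed(path):
    """True if the group or others can read the keytab (long-term keys leak)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def make_keytab(mode):
    """Create an empty stand-in keytab with the given mode (constructed fixture,
    not a real keytab) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".tab")
    os.close(fd)
    os.chmod(path, mode)
    return path


def lint_broker_auth(qpidd_conf, sasl_conf, keytab_path=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    q = parse_kv(qpidd_conf, "=")
    s = parse_kv(sasl_conf, ":")
    findings = []
    if q.get("auth", "yes") == "no":
        findings.append("auth=no: the broker accepts unauthenticated connections from any host")
    mechs = set(s.get("mech_list", "").split())
    if "anonymous" in mechs:
        findings.append("ANONYMOUS in mech_list: any host can connect without credentials")
    if "plain" in mechs and q.get("require-encryption", "no") != "yes":
        findings.append("PLAIN in mech_list without require-encryption: passwords cross the network in cleartext")
    if keytab_path is not None and keytab_exposed(keytab_path):
        findings.append("keytab %s is group- or world-readable: service keys leak to local users" % keytab_path)
    return findings


if __name__ == "__main__":
    for label, q, s, mode in (("thread", THREAD_QPIDD_CONF, THREAD_SASL_CONF, 0o644),
                              ("hardened", HARDENED_QPIDD_CONF, HARDENED_SASL_CONF, 0o600)):
        path = make_keytab(mode)
        try:
            print(label, lint_broker_auth(q, s, path) or ["clean"])
        finally:
            os.unlink(path)
```

Run it against the thread's configuration and it flags exactly the two things the cover note apologises for; run it against the hardened pair with a 0600 keytab and it is clean. The `anonymous` check is there because the SASL file's own header still talks about ANONYMOUS, so the lint catches that mechanism if someone re-enables it.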
On Thu, Jan 29, 2009 at 08:45:08AM -0800, Ian Main wrote:
> 
> This set of patches adds support gssapi/kerberos to qpidd. You'll
> note that it's still not secure as we allow 'plain' auth with a
> guest account for daemons that connect over localhost (taskomatic,
> dbomatic etc.) and unfortunately there's no way to constrain that
> to localhost connections at this time.

Doesn't QPidd have UNIX domain socket support? We shouldn't really use TCP over 'localhost' for local connections, since it is just unnecessarily increasing latency & overheads. Unless you really do need/want to authenticate local connections with GSSAPI too, there'd be no particular need to run GSSAPI over the UNIX domain socket, just rely on the filesystem permissioning on the socket to restrict access.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On Thu, 29 Jan 2009 08:45:08 -0800
Ian Main <imain at redhat.com> wrote:
> 
> This set of patches adds support gssapi/kerberos to qpidd. You'll note that it's still not secure as we allow 'plain' auth with a guest account for daemons that connect over localhost (taskomatic, dbomatic etc.) and unfortunately there's no way to constrain that to localhost connections at this time.
> 
> The qpid team is putting out a new set of rpms in the next day or two which will add gssapi support to ruby at which point we can move those connections to gssapi as well and remove the plain auth with guest access.

I've pushed these patches. I figured we all know the need to go in anyway so if someone has problems using this let me know and we'll get them resolved asap.

Ian