theforeman / foreman-ansible-modules

Ansible modules for interacting with the Foreman API and various plugin APIs such as Katello
GNU General Public License v3.0

Kerberos authentication #912

Open ignatenkobrain opened 4 years ago

ignatenkobrain commented 4 years ago
SUMMARY

In our environment we rely on Kerberos everywhere, and creating a special user for this purpose is not really nice because all users would need to get that password and so on. It would be much easier if everybody would use their own Kerberos tickets to get the inventory.

I guess, as a downside, this would make this functionality work only on Linux and only under some specific conditions (depending on user and so on, similar to why negotiate is not supported for the uri module).

If that sounds acceptable, I could try writing a patch that implements this feature.

ISSUE TYPE
evgeni commented 4 years ago

The Foreman API does not support Kerberos auth, so you'd first have to implement that ;)

That said, once the API supports it, I see no reason why we should not have it as an alternative.

ignatenkobrain commented 4 years ago

Hmm, interesting how it works in our environment, because with negotiate I can easily talk to the Foreman API. Need to check how we configure that.

evgeni commented 4 years ago

That would be cool!

Last time I actively tried to get that working was around Foreman 1.14 and back then the config explicitly excluded the /api route from krb auth. Given all the redmine tickets are still open, I assume(d) it still doesn't work.

FWIW, when you work on this, most changes probably need to happen in https://github.com/Apipie/apypie (by using requests_kerberos) and then the modules in here just need to gain a switch.

The inventory is different, as that is not using apypie but requests directly.

mdellweg commented 4 years ago

I'm not sure the original poster requested this feature beyond the inventory plugin, but I think it is also interesting for the modules.

evgeni commented 4 years ago

Right, the original request is about the inventory, which is not apypie, but it would be cool to support Krb everywhere (if possible).

@ignatenkobrain can you tell us how you deploy Foreman with kerberos, so that we can try to replicate your success? :)

ezr-ondrej commented 3 years ago

IMHO it is working, because the Apache module in Foreman is enabled behind a setting to support this. We even enable usage of a cookie in the API, so we can have a browser-like login experience. We are missing negotiate in hammer, but apart from that it should work, so it should already be possible to do here :thinking:
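
An added sketch of the authentication switch discussed in this thread, for a client that uses requests directly as the inventory does. It is not code from foreman-ansible-modules or apypie: the helper name `foreman_session`, its parameters and the host name are hypothetical, and `requests_kerberos` is imported only when Kerberos is selected.

```python
from urllib.parse import urlsplit

import requests


def foreman_session(url, use_kerberos=False, user=None, password=None,
                    ca_bundle=True):
    """Return a requests.Session for the Foreman API at `url`.

    Hypothetical helper: with use_kerberos=True the caller's existing ticket
    (from kinit) is used through Negotiate instead of a shared password.
    """
    if urlsplit(url).scheme != "https":
        # Negotiate tokens and basic credentials must not cross plain HTTP.
        raise ValueError("Foreman URL must use https")
    if ca_bundle is False:
        # Without certificate checks the client may authenticate to an impostor.
        raise ValueError("TLS verification must stay enabled")

    session = requests.Session()
    session.verify = ca_bundle  # True, or a path to the CA bundle
    session.headers["Accept"] = "application/json"

    if use_kerberos:
        if user or password:
            raise ValueError("give either Kerberos or user/password, not both")
        # Imported lazily so password-only installs do not need the package.
        from requests_kerberos import HTTPKerberosAuth, REQUIRED
        # REQUIRED makes the client verify the server's Kerberos reply as well.
        session.auth = HTTPKerberosAuth(mutual_authentication=REQUIRED)
    else:
        if not (user and password):
            raise ValueError("user and password are required without Kerberos")
        session.auth = (user, password)
    return session


if __name__ == "__main__":
    # Constructed host name; needs a valid ticket and a Foreman deployment
    # whose web server accepts Negotiate on the API route.
    base = "https://foreman.example.com"
    s = foreman_session(base, use_kerberos=True)
    print(s.get(base + "/api/v2/hosts", timeout=30).status_code)
```
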