Skip to content

mod_auth_gssapi: Add support for GssapiBasicAuth. #2212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 10, 2022
Merged

mod_auth_gssapi: Add support for GssapiBasicAuth. #2212

merged 2 commits into from
May 10, 2022

Conversation

olifre
Copy link
Contributor

@olifre olifre commented Feb 8, 2022

This adds support for the GssapiBasicAuth setting
which allows to fall back to basic auth if NEGOTIATE fails.

@olifre olifre requested a review from a team as a code owner February 8, 2022 13:15
@puppet-community-rangefinder
Copy link

apache::vhost is a type

Breaking changes to this file WILL impact these 129 modules (exact match):
Breaking changes to this file MAY impact these 34 modules (near match):

This module is declared in 172 of 578 indexed public Puppetfiles.

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@olifre
mod_auth_gssapi: Add support for GssapiBasicAuth.
7267ca1 
This adds support for the GssapiBasicAuth setting
which allows to fall back to basic auth if NEGOTIATE fails.
@olifre olifre force-pushed the gssapi-basic-auth branch from 7c6ef5a to 7267ca1 Compare February 8, 2022 13:16
@olifre
Copy link
Contributor Author

olifre commented Feb 8, 2022

I believe the change fits into:
https://puppet.com/community/trivial-patch-exemption-policy/
(link currently broken, but I hope I remember the content correctly). So no CLA signing should be needed (I am anyways lacking the necessary understanding of the legalese to sign it without support).

ekohl
ekohl approved these changes Feb 8, 2022
View reviewed changes
Copy link
Collaborator

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From a technical perspective this looks correct. The test failures look unrelated.

I can't comment on the legal side but I've pinged someone who might.

templates/vhost/_gssapi.epp
Comment on lines 7 to +8
|%>
# mod_auth_gssapi configuration
# mod_auth_gssapi configuration
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering about this and whitespace. It looks correct, but have you manually verified this looks sane?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, it does:

  <Location "/somewhere">
    <RequireAll>
      Require user abc
    </RequireAll>
    AuthType GSSAPI
    AuthName "My ID"
      
    # mod_auth_gssapi configuration
    GssapiBasicAuth On
    GssapiSSLonly Off
    GssapiLocalName On
    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
  </Location>

@binford2k
Copy link
Contributor

binford2k commented Feb 8, 2022
edited
Loading

Hey @olifre! We have actually removed the TPE because it required engineers and contributors to make legal decisions without necessarily having the expertise to do so.

That said, the new CLA is basically the well-known Apache CLA with s/Apache Software Foundation/Puppet/, so it might be easier than you expect to get that approved.

Note; yeah, I know the web page still references the old CLA, I've poked the web team to update it!

@olifre
Copy link
Contributor Author

olifre commented Mar 1, 2022

Hi @binford2k ,

I did raise the CLA issue in various circles here, and people are at least aware of it. In administration, this may take a year or longer, though (if we are lucky).
However, it seems that this PR has been superseded by #2214 (which adds all these options and many more) or #2215 (which adds some options, but notably, the one added here). So I guess this one can be closed in favour of the others?

@github-actions
Copy link

github-actions bot commented May 9, 2022

This PR has been marked as stale because it has been open for a while and has had no recent activity. If this PR is still important to you please drop a comment below and we will add this to our backlog to complete. Otherwise, it will be closed in 7 days.

@github-actions github-actions bot added the stale label May 9, 2022
@olifre
Copy link
Contributor Author

olifre commented May 9, 2022

I have no feedback concerning CLA signing from my organization yet. Adding this (not helpful for the PR) comment to keep stalebot at bay.

@github-actions github-actions bot removed the stale label May 10, 2022
@david22swan
Copy link
Member

@olifre Sorry for the wait on review, anyway this change look's good to me and the failures are unrelated so I feel comfortable to go ahead and merge.

Thank's for putting in the work.

@david22swan david22swan merged commit b5656ef into puppetlabs:main May 10, 2022
This was referenced May 10, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl approved these changes

Assignees
No one assigned
Labels
community feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@olifre @CLAassistant @binford2k @david22swan @ekohl @chelnak