author | Prashanth Pai <ppai@redhat.com> | 2013-11-18 15:40:47 +0530 |
---|---|---|
committer | Luis Pabon <lpabon@redhat.com> | 2013-11-25 18:40:41 -0800 |
commit | 5405fd7927ef68015c25632951a94bcddb60c33d (patch) | |
tree | eb2b6a372df52970d299aff8de62e2e44353ebed /swiftkerbauth/kerbauth_utils.py | |
parent | 991989bc04178442b2a6b766a67f7a26e60c08f0 (diff) |
Feature: Support client outside domain
Until now, all clients had to be part of Kerberos domain as authentication
was done by mod_auth_kerb module of httpd by using Kerberos Ticket bundled
with the request.
To support clients residing outside the domain, we introduce a configurable option
called "auth_mode". When auth_mode is set to 'passive', a client residing
outside the domain can authenticate itself by sending a username (X-Auth-User) and
password (X-Auth-Key) as request headers. This information is gleaned from the
request and kinit is run against it. A successful kinit means the username
and password exist on the Kerberos server.
Change-Id: I1a165bd56bc3a425b00bcfdbf32150c14b5d9790
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6296
Reviewed-by: Chetan Risbud <crisbud@redhat.com>
Tested-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Diffstat (limited to 'swiftkerbauth/kerbauth_utils.py')
-rw-r--r-- | swiftkerbauth/kerbauth_utils.py | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/swiftkerbauth/kerbauth_utils.py b/swiftkerbauth/kerbauth_utils.py
index 507580e..8490d83 100644
--- a/swiftkerbauth/kerbauth_utils.py
+++ b/swiftkerbauth/kerbauth_utils.py
@@ -16,7 +16,7 @@
 import re
 import random
 import grp
-import subprocess
+from subprocess import Popen, PIPE
 from time import time
 from swiftkerbauth import TOKEN_LIFE, RESELLER_PREFIX
@@ -87,7 +87,7 @@ def get_groups(username):
 # because group names from Active Directory may contain spaces, and
 # we wouldn't be able to split the list of group names into its
 # elements.
- p = subprocess.Popen(['id', '-G', username], stdout=subprocess.PIPE)
+ p = Popen(['id', '-G', username], stdout=PIPE)
 if p.wait() != 0:
 raise RuntimeError("Failure running id -G for %s" % username)
 (p_stdout, p_stderr) = p.communicate()
@@ -104,3 +104,12 @@ def get_groups(username):
 groups = [username] + groups
 groups = ','.join(groups)
 return groups
+
+
+def run_kinit(username, password):
+ """Runs kinit command as a child process and returns the status code."""
+ kinit = Popen(['kinit', username],
+ stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ kinit.stdin.write('%s\n' % password)
+ kinit.wait()
+ return kinit.returncode |
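Review bot: In the new `run_kinit` (third hunk), `username` is passed to `kinit` as an argument with no validation, and per the commit message it comes straight from the X-Auth-User request header, so a value beginning with `-` would be parsed as a kinit option rather than a principal. Such values should be rejected before the process is spawned, ideally with the allowed characters and realm restricted as well. The function also calls `wait()` while stdout and stderr are pipes that are never read and stdin is never closed, which the subprocess documentation warns can deadlock; `communicate()` writes the password, closes stdin and drains both pipes. A successful kinit also stores the user's TGT in the service account's default credential cache, so a per-call cache selected through `KRB5CCNAME` and destroyed afterwards would keep client tickets from lingering or overwriting each other. The `get_groups` context in the second hunk has the same `wait()`-before-`communicate()` ordering, which this commit leaves unchanged.

```python
def run_kinit(username, password):
    """Runs kinit command as a child process and returns the status code."""
    # Reject values kinit would parse as an option instead of a principal;
    # a non-zero status is reported the same way as a failed kinit.
    if not username or username.startswith('-'):
        return 1
    kinit = Popen(['kinit', username],
                  stdin=PIPE, stdout=PIPE, stderr=PIPE)
    # communicate() sends the password, closes stdin and drains both
    # output pipes, so the child cannot block on a full pipe.
    kinit.communicate('%s\n' % password)
    return kinit.returncode
```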