From 5405fd7927ef68015c25632951a94bcddb60c33d Mon Sep 17 00:00:00 2001
From: Prashanth Pai
Date: Mon, 18 Nov 2013 15:40:47 +0530
Subject: Feature: Support client outside domain

Until now, all clients had to be part of Kerberos domain as authentication was done by mod_auth_kerb module of httpd by using Kerberos Ticket bundled with the request. To suport clients residing outside domain, we introduce a configurable option called "auth_mode". When auth_mode is set to 'passive', a client residing outside domain can authenticate itself by sending username(X-Auth-User) and password(X-Auth-Key) as request headers. This information is gleaned from the request and kinit is run against it. A successful kinit means the username and password exists on the Kerberos server.
Change-Id: I1a165bd56bc3a425b00bcfdbf32150c14b5d9790
Signed-off-by: Prashanth Pai
Reviewed-on: http://review.gluster.org/6296
Reviewed-by: Chetan Risbud
Tested-by: Chetan Risbud
Reviewed-by: Luis Pabon
Tested-by: Luis Pabon
---
 swiftkerbauth/kerbauth_utils.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'swiftkerbauth/kerbauth_utils.py')
diff --git a/swiftkerbauth/kerbauth_utils.py b/swiftkerbauth/kerbauth_utils.py
index 507580e..8490d83 100644
--- a/swiftkerbauth/kerbauth_utils.py
+++ b/swiftkerbauth/kerbauth_utils.py
@@ -16,7 +16,7 @@
 import re
 import random
 import grp
-import subprocess
+from subprocess import Popen, PIPE
 from time import time
 from swiftkerbauth import TOKEN_LIFE, RESELLER_PREFIX
@@ -87,7 +87,7 @@ def get_groups(username):
 # because group names from Active Directory may contain spaces, and
 # we wouldn't be able to split the list of group names into its
 # elements.
- p = subprocess.Popen(['id', '-G', username], stdout=subprocess.PIPE)
+ p = Popen(['id', '-G', username], stdout=PIPE)
 if p.wait() != 0:
 raise RuntimeError("Failure running id -G for %s" % username)
 (p_stdout, p_stderr) = p.communicate()
@@ -104,3 +104,12 @@ def get_groups(username):
 groups = [username] + groups
 groups = ','.join(groups)
 return groups
+
+
+def run_kinit(username, password):
+ """Runs kinit command as a child process and returns the status code."""
+ kinit = Popen(['kinit', username],
+ stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ kinit.stdin.write('%s\n' % password)
+ kinit.wait()
+ return kinit.returncode
-- cgit
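Review bot: In run_kinit, `kinit.wait()` runs while stdout and stderr are both PIPE and never read and stdin is left open, so a kinit that prints enough output (or waits for end of input) can stall the request; `kinit.communicate('%s\n' % password)` writes the password, closes stdin and drains both pipes before the return code is read. Per the commit message the username is taken from the X-Auth-User header, and it reaches kinit as a bare argument, so unless the caller (not part of this patch) validates it, a value starting with `-` would be read as an option; a guard such as `if not username or username.startswith('-'): return 1` ahead of the Popen call closes that. A successful kinit also leaves the user's ticket in the service's default credential cache, so consider giving each call a throwaway cache through `KRB5CCNAME` and removing it afterwards. Separately, a zero exit status from kinit does not by itself show that the answering KDC is genuine; that needs the obtained ticket to be verified against a local keytab.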