Use Anonymous user to obtain FAST armor ccache

The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-12-02 06:48:35 -05:00
parent b109f5d850
commit b6741d81e1
12 changed files with 91 additions and 27 deletions
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -43,6 +43,7 @@ import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
 from ipalib import errors
+from ipalib.constants import ANON_USER
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@@ -167,6 +168,7 @@ class HTTPInstance(service.Service):
        self.step("adding URL rewriting rules", self.__add_include)
        self.step("configuring httpd", self.__configure_http)
        self.step("setting up httpd keytab", self._request_service_keytab)
+        self.step("retrieving anonymous keytab", self.request_anon_keytab)
        self.step("setting up ssl", self.__setup_ssl)
        if self.ca_is_configured:
            self.step("configure certmonger for renewals",
@@ -333,6 +335,17 @@ class HTTPInstance(service.Service):
            os.chown(nss_path, 0, pent.pw_gid)
            tasks.restore_context(nss_path)

+    def request_anon_keytab(self):
+        parent = os.path.dirname(paths.ANON_KEYTAB)
+        if not os.path.exists(parent):
+            os.makedirs(parent, 0o755)
+        self.run_getkeytab(self.api.env.ldap_uri, paths.ANON_KEYTAB, ANON_USER)
+
+        pent = pwd.getpwnam(self.service_user)
+        os.chmod(parent, 0o700)
+        os.chown(parent, pent.pw_uid, pent.pw_gid)
+        os.chown(paths.ANON_KEYTAB, pent.pw_uid, pent.pw_gid)
+
    def __setup_ssl(self):
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        if self.pkcs12_info:
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -33,6 +33,7 @@ from ipaserver.install import installutils
 from ipapython import ipautil
 from ipapython import kernel_keyring
 from ipalib import api
+from ipalib.constants import ANON_USER
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
@@ -381,13 +382,13 @@ class KrbInstance(service.Service):
        shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)

    def get_anonymous_principal_name(self):
-        princ = "WELLKNOWN/ANONYMOUS"
-        return "%s@%s" % (princ, self.realm)
+        return "%s@%s" % (ANON_USER, self.realm)

    def add_anonymous_principal(self):
        # Create the special anonymous principal
        princ_realm = self.get_anonymous_principal_name()
        installutils.kadmin_addprinc(princ_realm)
+        self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)

    def __convert_to_gssapi_replication(self):
        repl = replication.ReplicationManager(self.realm,
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1757,6 +1757,7 @@ def upgrade_configuration():
            krb.stop()
        krb.start()
    enable_anonymous_principal(krb)
+    http.request_anon_keytab()

    if not ds_running:
        ds.stop(ds_serverid)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -539,7 +539,7 @@ class Service(object):
        except errors.DuplicateEntry:
            pass

-    def _run_getkeytab(self):
+    def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
        """
        backup and remove old service keytab (if present) and fetch a new one
        using ipa-getkeytab. This assumes that the service principal is already
@@ -549,16 +549,15 @@ class Service(object):
            * self.dm_password is not none, then DM credentials are used to
              fetch keytab
        """
-        self.fstore.backup_file(self.keytab)
+        self.fstore.backup_file(keytab)
        try:
-            os.unlink(self.keytab)
+            os.unlink(keytab)
        except OSError:
            pass

-        ldap_uri = self.api.env.ldap_uri
        args = [paths.IPA_GETKEYTAB,
-                '-k', self.keytab,
-                '-p', self.principal,
+                '-k', keytab,
+                '-p', principal,
                '-H', ldap_uri]
        nolog = tuple()

@@ -570,6 +569,9 @@ class Service(object):
                 '-w', self.dm_password])
            nolog += (self.dm_password,)

+        if retrieve:
+            args.extend(['-r'])
+
        ipautil.run(args, nolog=nolog)

    def _request_service_keytab(self):
@@ -580,7 +582,7 @@ class Service(object):
                "name, keytab, and username")

        self._add_service_principal()
-        self._run_getkeytab()
+        self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)

        pent = pwd.getpwnam(self.service_user)
        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)