Koji special permissions for --runas

Mike Bonnet mikeb at redhat.com
Wed Apr 21 13:18:19 UTC 2010


On 04/21/2010 04:09 AM, Greg Trahair wrote:
> Hi Mike,
> 
> Thanks for the response.  This indeed worked like a charm, although, it
> didn't seem to work in hub.conf, but in the python options.
> 
> I plan to try again today to get it working in hub.conf, but here's what
> I had (obviously the .. are values on my system):
> 
> hub.conf (didn't work):
> ProxyDNs = /C=.../ST=.../O=.../OU=.../CN=.../emailAddress=... at ... |
> /C=.../ST=.../O=.../OU=.../CN=.../emailAddress=...
> 
> pythonOptions (worked):
> PythonOption ProxyDNs
> "/C=.../ST=.../O=.../OU=.../CN=.../emailAddress=...|/C=.../ST=.../O=.../
> OU=.../CN=.../emailAddress=..."
> 
> Can you give me an example of a working hub.conf with multiple builders?

You shouldn't need to add builders to ProxyDNs, you should be creating a
different certificate for each builder with a different CN, which will
be used as the unique username.  ProxyDNs is really only designed to
allow the web UI to perform actions as other users.

Is there a reason you need to add builders to ProxyDNs?

> Regards,
> Greg
> 
> 
> -----Original Message-----
> From: buildsys-bounces at lists.fedoraproject.org
> [mailto:buildsys-bounces at lists.fedoraproject.org] On Behalf Of Mike
> Bonnet
> Sent: Tuesday, April 20, 2010 5:33 PM
> To: Discussion of Fedora build system
> Subject: Re: Koji special permissions for --runas
> 
> On 04/20/2010 09:24 AM, Greg Trahair wrote:
>> Hi,
>>
>> I'm trying to use the --runas parameter and get the following error:
>>
>> AuthError: /C=blah/ST=blah/O=blah/OU=blah/CN=<user>/emailAddress=blah is
>> not authorized to login other users
>>
>> The user that I'm trying to submit the build from is kojiadmin (with
>> admin permissions).
>>
>> The reason that I'd like this, is that I want to use a post-commit
>> trigger to submit a build using the kojiadmin user, but still submitting
>> the build as the user that committed the change to SVN.
>>
>> In auth.py:364 I see some mention of a proxyuser, but I don't know how
>> to use it.
>>
>> Can anyone help?
> 
> If you're using SSL auth, you need to put the full DN of the client
> certificate you're logging in with (the DN is printed in the AuthError)
> into the ProxyDN= config entry in hub.conf.  This establishes that the
> client using that DN is authorized to log in as another user.
> --
> buildsys mailing list
> buildsys at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
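
An added example, not part of the original thread and not Koji's own code: a small audit that splits a ProxyDNs value on "|" (the separator shown in the thread) and flags any entry whose CN is a builder, since such a certificate would be authorized to log in as other users. The function names, the builder list and the sample DNs are constructed for illustration.

```python
# Added example: audit a ProxyDNs value for builder certificates.
# Assumes the "|"-separated, slash-delimited DN format quoted in this thread.
# Attribute values that themselves contain "/" are not handled.

def parse_dn(dn):
    """Split '/C=US/O=Example/CN=name' into (attribute, value) pairs."""
    pairs = []
    for part in dn.strip().split("/"):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip(), value.strip()))
    return pairs

def common_name(dn):
    """Return the last CN in the DN, or None if there is none."""
    cns = [v for a, v in parse_dn(dn) if a.upper() == "CN"]
    return cns[-1] if cns else None

def audit_proxy_dns(proxy_dns, builder_names):
    """Return (entries, findings) for a ProxyDNs string."""
    entries = [e.strip() for e in proxy_dns.split("|") if e.strip()]
    builders = {b.lower() for b in builder_names}
    findings = []
    for dn in entries:
        cn = common_name(dn)
        if cn is None:
            findings.append((dn, "no CN component"))
        elif cn.lower() in builders:
            findings.append((dn, "builder certificate can log in as other users"))
    return entries, findings

# Constructed sample values, not taken from any real deployment.
SAMPLE_PROXY_DNS = (
    "/C=US/ST=NC/O=Example/OU=kojiweb/CN=koji.example.com/emailAddress=admin@example.com"
    " | /C=US/ST=NC/O=Example/OU=kojibuilder/CN=builder1.example.com/emailAddress=admin@example.com"
)
SAMPLE_BUILDERS = ["builder1.example.com", "builder2.example.com"]

if __name__ == "__main__":
    entries, findings = audit_proxy_dns(SAMPLE_PROXY_DNS, SAMPLE_BUILDERS)
    print("%d ProxyDNs entries" % len(entries))
    for dn, reason in findings:
        print("REVIEW: %s (%s)" % (reason, dn))
```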
