Just wanted to follow up this one.


On Wed, Aug 5, 2015 at 4:14 PM, Christos Triantafyllidis <christos.triantafyllidis@gmail.com> wrote:

The following patch is adding support for PAM authentication for the
koji-hub and BasicAuth for the koji-web.

This is useful for our internal use case as it allows us to login without
the overhead of setting up either a CA or a kerberos realm for our users.

The configuration is backwards compatible and hopefully similar to the
other authntication methods.

To active PAM support on hub you define the option:
PAMService = koji
in hub.conf. The value will be the name of the PAM service. Note the call
to the PAM module is done via unpriviledged call thus the use of pam_unix
won't be possible.

Note that activating this option will have as result that username/password
combinations from the DB will no longer be checked (similarly to when
activating kerberos or SSL client auth).

The BasicAuth for koji-web requires 2 changes:
a) To enable WSGIPassAuthorization for /koji/login in httpd configuration.
That passes the authorization variable from the apache to the application.
b) Set the "BasicAuthRealm" option to the Basic Authentication Realm that
will be presented to the user to login.

Finally python-pam package has been added to the hub's dependencies.


Christos Triantafyllidis (1):
  - Added PAM support for hub     - Added BasicAuth support for web

 hub/hub.conf                  |  4 +++-
 hub/kojixmlrpc.py             |  2 ++
 koji.spec                     |  1 +
 koji/auth.py                  | 33 +++++++++++++++++++++++++--------
 koji/server.py                |  2 ++
 www/conf/kojiweb.conf         |  5 +++++
 www/conf/web.conf             |  3 +++
 www/kojiweb/index.py          | 18 +++++++++++++++++-
 www/kojiweb/wsgi_publisher.py |  9 +++++++--
 9 files changed, 65 insertions(+), 12 deletions(-)