Question on Authentication for a koji server
Nathan Blackham
kemotaha at gmail.com
Tue Mar 16 04:07:15 UTC 2010
On Mon, 2010-03-15 at 16:30 -0400, Mike McLean wrote:
> On 03/15/2010 01:02 PM, Nathan Blackham wrote:
> > I am trying to use kerberos all around, but I am looking at fall back
> > methods. Also looking at automation of bringing up new build nodes. It
> > seems easier to have the automation with certificates, but that is just
> > after an initial look.
>
> I was about to write that on the koji side it's all equal work, though
> depending on your situation creating a host ssl key might be easier than
> creating a krb host principal (if for example, you aren't a kerberos admin).
>
> However, I realized that setting the krb_principal for the host entry in
> the db might be a slight hassle. While the addHost call supports
> specifying it, the cli command doesn't handle that optional arg. (I
> think I'll fix that now).
>
> Even so, the code still sets a default krb_principal for the host based
> on the HostPrincipalFormat hub config option and its hostname. If you
> stick to a standard naming scheme this should allow automation. Plus if
> you really need to, you could call addHost via the call subcommand to
> specify that third arg.
>
> That being said -- are you bringing so many hosts online that human
> intervention is really a barrier? I'm curious why you need this.
No, it is not the number of hosts. Initially it won't be that many. I
am just of the mindset that if it takes longer than a few minutes, and
it is something that can be easily scripted/automated, why not spend the
extra time to make sure that you don't have to do it again?
Nathan