Question on Authentication for a koji server

Nathan Blackham kemotaha at gmail.com
Tue Mar 16 04:07:15 UTC 2010


On Mon, 2010-03-15 at 16:30 -0400, Mike McLean wrote:
> On 03/15/2010 01:02 PM, Nathan Blackham wrote:
> > I am trying to use kerberos all around, but I am looking at fall back
> > methods.  Also looking at automation of bringing up new build nodes.  It
> > seems easier to have the automation with certificates, but that is just
> > after an initial look.
> 
> I was about to write that on the koji side it's all equal work, though 
> depending on your situation creating a host ssl key might be easier than 
> creating a krb host principal (if for example, you aren't a kerberos admin).
> 
> However, I realized that setting the krb_principal for the host entry in 
> the db might be a slight hassle. While the addHost call supports 
> specifying it, the cli command doesn't handle that optional arg. (I 
> think I'll fix that now).
> 
> Even so, the code still sets a default krb_principal for the host based 
> on the HostPrincipalFormat hub config option and its hostname. If you 
> stick to a standard naming scheme this should allow automation. Plus if 
> you really need to, you could call addHost via the call subcommand to 
> specify that third arg.
> 
> That being said -- are you bringing so many hosts online that human 
> intervention is really a barrier? I'm curious why you need this.

No, it is not the number of hosts.  Initially it won't be that many.  I
am just of the mindset that if it takes longer than a few minutes, and
it is something that can be easily scripted/automated, why not spend the
extra time to make sure that you don't have to do it again.

Nathan