[rt-users] database authentication (as in RT_SiteConfig.pm) using a kerberos principal

Ruslan Zakirov ruz at bestpractical.com
Wed Jun 27 17:04:49 EDT 2012


Hi,

Looks like you have to configure DatabaseHost, DatabaseUser and
DatabasePassword properly and KRB5CCNAME environment variable. As I
recall we cleanup ENV somewhere. Try putting it directly in
ConnectToDatabase function in RT.pm.

On Mon, Jun 25, 2012 at 9:33 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
> On Mon, Jun 25, 2012 at 4:32 PM, Kevin Falcone <falcone at bestpractical.com>
> wrote:
>>
>> On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:
>> >    Using postgresql (or oracle possibly) it is possible to use
>> > kerberos/gssapi to log in the
>> >    database.
>> >
>> >    If I create a kerberos service principal
>> > rt/myserver.domain.tld/MYREALM.TLD I can login the
>> >    postgresql database with a keytab for this principal.
>> >
>> >    How can I tell the request tracker application it has to use this
>> > keytab instead of setting a
>> >    username/password in clear text in a config file? This would be a
>> > huge security improvement
>> >    IMO.
>> >
>> >    With other apps I can use the KRB5CCNAME variable to specify where
>> > the ticket cache file is
>> >    and use that.
>>
>> If DBD::Pg or DBD::Oracle can do it, then RT should be able to
>> leverage that.  You'll need to review the driver documentation for how
>> the configuration needs to be set up.
>>
>
> DBI with the postgres driver can do it (I suppose that is DBD::Pg, correct
> me if I am wrong).
>
> I have created a service principal rt/webserver01.ipa.asenjo.nx and added a
> postgresql login role in the postgresql server with the same name, no
> passwords.
>
> After that I retrieved the keytab for the service principal and saved it in
> a file rt.keytab.
>
> Then I wrote this snippet:
>
> use strict;
> use warnings;
>
> use Authen::Krb5::Easy qw( kinit kdestroy kerror );
>
> my $keytab = '/home/admin/rt.keytab';
> my $ccache = '/tmp/rt.ccache';
> my $principal = 'rt/webserver01.ipa.asenjo.nx';
>
> print $principal, "\n";
>
> $ENV{KRB5CCNAME} = $ccache;
>
> kinit( $keytab, $principal ) || die kerror();
>
> use DBI;
>
> my $dbhost = "postgres.ipa.asenjo.nx";
>
> my $dbh = DBI->connect(
>    "DBI:Pg:dbname=template1;host=$dbhost",$principal,'');
>
> my $sth = $dbh->prepare("select usename from pg_catalog.pg_user") ;
>
> $sth->execute();
>
> # save the postgres roles in value of hash, key not important
> my %postgres_roles;
> while ( my @data = $sth->fetchrow_array() ) {
>         $postgres_roles{$data[0]} = $data[0];
> }
>
> print %postgres_roles;
>
> And I see the list of roles in the postgresql server, so it works using the
> kerberos principal.
>
> So how can I tell rt to look in the kerberos cache file for its kerberos
> credentials?
>
> TIA,
> --
> natxo
>



-- 
Best regards, Ruslan.



More information about the rt-users mailing list