
irods_auth_plugin_kerberos's Introduction

iRODS

The Integrated Rule-Oriented Data System (iRODS) is open source data management software used by research, commercial, and governmental organizations worldwide.

iRODS is released as a production-level distribution aimed at deployment in mission critical environments. It virtualizes data storage resources, so users can take control of their data, regardless of where and on what device the data is stored.

The development infrastructure supports exhaustive testing on supported platforms; plugin support for microservices, storage resources, authentication mechanisms, network protocols, rule engines, new API endpoints, and databases; and extensive documentation, training, and support services.

Core Competencies

  • iRODS implements data virtualization, allowing access to distributed storage assets under a unified namespace, and freeing organizations from getting locked in to single-vendor storage solutions.
  • iRODS enables data discovery using a metadata catalog that describes every data object, collection, and every storage resource in the iRODS Zone.
  • iRODS automates data workflows, with a rule engine framework that permits any action to be initiated by any trigger on any server or client in the Zone.
  • iRODS enables secure collaboration, so users only need to log in to their home Zone to access data hosted on a remote Zone.

History

iRODS has a 25+ year history of funded projects.

Funders have included DARPA, NSF, DOD, DOE, LC, NARA, NASA, NOAA, USPTO, and LLNL.

https://irods.org/history

License

iRODS is released under a 3-clause BSD License.

Reporting Security Vulnerabilities

See SECURITY.md for details.


irods_auth_plugin_kerberos's People

Contributors

adetorcy, alanking, hcjiv1, jassigill2000, kellerb, swooshycueb, tempoz, trel


irods_auth_plugin_kerberos's Issues

Investigate 1000 second sleep in test hook

This can possibly be removed as the comment claims it was added to address an issue with VMs in Ubuntu 14:

time.sleep(1000) # On Ubuntu 14: 'kadmin: GSS-API (or Kerberos) error while initializing kadmin interface' seen without. possibly clock skew issue w/ VMs spawning from old template and updating clocks while krb system initializes

Makes tests artificially long.

changing packaging/irods_auth_plugin_krb.list.template to 4.1.9 causes build to break

Hi Folks,

We've upgraded our zone federation master to 4.1-stable (via packages we built in our CI that identify as 4.1.9), and found (of course) that we needed the kerberos plugin. Trying to install this we get

dpkg -i irods-auth-plugin-krb-1.2.deb 
(Reading database ... 234426 files and directories currently installed.)
Unpacking irods-auth-plugin-krb (from irods-auth-plugin-krb-1.2.deb) ...
Local iRODS is 4.1.9
This plugin requires iRODS 4.1.8
dpkg: error processing irods-auth-plugin-krb-1.2.deb (--install):
 subprocess new pre-installation script returned error exit status 1
Errors were encountered while processing:
 irods-auth-plugin-krb-1.2.deb

So we set our CI to build this, only we modify the REQUIRED_VERSION="4.1.8" line in packaging/irods_auth_plugin_krb.list.template to 4.1.9;

cat packaging/irods_auth_plugin_krb.list.template | sed  s/4\.1\.8/4.1.9/g > packaging/irods_auth_plugin_krb.list.template
 ./packaging/build.sh

However this gives;

+------------------------------------+
| iRODS Plugin Build Script          |
+------------------------------------+
Tue Jun 28 14:52:41 UTC 2016


Build Environment...
Detected OS                         [Ubuntu]
Detected OS Version                 [12.04]
Detected Plugin Name                [irods_auth_plugin_krb]
Detected EPM Package Name           [irods-auth-plugin-krb]
Detected Plugin Version to Build    [1.2]
Detected Plugin Version Integer     [12]
Detected Project Directory          [/builds/upstream/irods_auth_plugin_kerberos]
Detected Packaging Directory        [/builds/upstream/irods_auth_plugin_kerberos/packaging]
Detected Target Build Directory     [/builds/upstream/irods_auth_plugin_kerberos/build]
Detected EPM List File              [/builds/upstream/irods_auth_plugin_kerberos/packaging/irods_auth_plugin_krb.list]
Detected CPUs                       [16]
Compile Command                     [make -j 19]

Building...
make -C krb
make[1]: Entering directory `/builds/upstream/irods_auth_plugin_kerberos/krb'
g++ -DRODS_SERVER  -I/usr/include/irods -I/usr/include/irods/jansson/src -I/usr/include/irods/boost -I/usr/include/irods/jansson/src -fPIC -c -g -o .objs/libkrb.o libkrb.cpp
Building Auth Plugins
g++ -DRODS_SERVER  -I/usr/include/irods -I/usr/include/irods/jansson/src -I/usr/include/irods/boost -I/usr/include/irods/jansson/src  -fPIC "-Wl,-E" -shared -o .././libkrb.so  .objs/libkrb.o /usr/lib/libirods_client.a -lgssapi_krb5
make[1]: Leaving directory `/builds/upstream/irods_auth_plugin_kerberos/krb'

Creating Package...
Running EPM :: Generating Ubuntu DEBs
epm: Product names should only contain letters and numbers!
epm: Error - missing %product, %copyright, %vendor, %license,
     %readme, or %version attributes in list file!

How do we get this plugin to make a package for 4.1-stable? Our production system is usable for non-kerberised IDs, but not for those that use Kerberos.
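
The sed command in the report above reads the template and redirects output to the same file in one pipeline, so the shell can truncate the file before cat has read it; an empty list file would be consistent with the EPM error about missing attributes. An added example (not from the original report or the project's build tooling) that edits the REQUIRED_VERSION line through a temporary file; the helper name set_required_version and the sample template contents are assumptions.

```shell
#!/bin/sh
# Added example (not the project's build tooling): change REQUIRED_VERSION in a
# packaging template without reading and truncating the same file at once.

# set_required_version TEMPLATE OLD NEW   (hypothetical helper)
# Returns 0 on success, 1 if TEMPLATE is missing or empty,
# 2 if REQUIRED_VERSION="OLD" is not present, 3 if the rewrite failed.
set_required_version() {
    template=$1; old=$2; new=$3
    [ -s "$template" ] || return 1

    # Escape the dots: unescaped, "4.1.8" would also match "4x1y8".
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    grep -q "REQUIRED_VERSION=\"$old_re\"" "$template" || return 2

    # Work on a copy in the same directory (cp -p keeps the mode), check the
    # result, then rename it over the original in one step.
    tmp=$(mktemp "$template.XXXXXX") || return 3
    if cp -p "$template" "$tmp" \
        && sed "s/REQUIRED_VERSION=\"$old_re\"/REQUIRED_VERSION=\"$new\"/" \
               "$template" > "$tmp" \
        && [ -s "$tmp" ] \
        && grep -q "REQUIRED_VERSION=\"$new\"" "$tmp"; then
        mv "$tmp" "$template"
    else
        rm -f "$tmp"
        return 3
    fi
}

# Constructed sample template: only the REQUIRED_VERSION line comes from the
# report; the other two lines are placeholders.
demo_template() {
    dir=$(mktemp -d) || return 1
    f=$dir/irods_auth_plugin_krb.list.template
    printf '%s\n' '%product Example' '%version 1.2' \
        'REQUIRED_VERSION="4.1.8"' > "$f"
    rc=0
    set_required_version "$f" 4.1.8 4.1.9 || rc=$?
    lines=$(wc -l < "$f" | tr -d ' ')
    result="rc=$rc lines=$lines $(grep REQUIRED_VERSION "$f")"
    rm -rf "$dir"
    printf '%s\n' "$result"
}
demo_template
```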

packaging appears to assume /etc/irods//service_account.config present

Hi Folks,

When attempting to install this via packaging with the icommands, dev and runtime packages for a client, it failed to install with what I believe are two separate reasons.

First, it expects files to be present that are not there until the other packages are installed.
Second, and more problematically, the post install script /var/lib/dpkg/info/irods-auth-plugin-krb.postinst expects /etc/irods/service_account.config to be present to set ownership and permissions, however this file is not created/added by the icommands or auth plugin package, only the cat or resource packages (I presume);

root@bc-29-2-01:~# dpkg -i irods-*.deb
Selecting previously unselected package irods-auth-plugin-krb.
(Reading database ... 265003 files and directories currently installed.)
Unpacking irods-auth-plugin-krb (from irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb) ...
Traceback (most recent call last):
  File "<string>", line 1, in <module>
IOError: [Errno 2] No such file or directory: '/var/lib/irods/VERSION.json'
dpkg: error processing irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb (--install):
 subprocess new pre-installation script returned error exit status 1
Selecting previously unselected package irods-dev.
Unpacking irods-dev (from irods-dev-4.1.8-ubuntu12-x86_64.deb) ...
Selecting previously unselected package irods-icommands.
Unpacking irods-icommands (from irods-icommands-4.1.8-ubuntu12-x86_64.deb) ...
Selecting previously unselected package irods-runtime.
Unpacking irods-runtime (from irods-runtime-4.1.8-ubuntu12-x86_64.deb) ...
Setting up irods-dev (4.1.8) ...
Setting up irods-icommands (4.1.8) ...
###########################################################
#
# The iCommands have been installed into your path.
# 
# They require your environment to be configured
# for communication with an iRODS server.
#
# Place the following configuration information into
# your irods_environment.json file and edit as appropriate:
#
#    ~/.irods/irods_environment.json
#
###########################################################

{
    "irods_host": "FULLY.QUALIFIED.DOMAIN.NAME",
    "irods_port": 1247,
    "irods_default_resource": "demoResc",
    "irods_home": "/tempZone/home/USERNAME",
    "irods_cwd": "/tempZone/home/USERNAME",
    "irods_user_name": "USERNAME",
    "irods_zone_name": "tempZone",
    "irods_client_server_negotiation": "request_server_negotiation",
    "irods_client_server_policy": "CS_NEG_REFUSE",
    "irods_encryption_key_size": 32,
    "irods_encryption_salt_size": 8,
    "irods_encryption_num_hash_rounds": 16,
    "irods_encryption_algorithm": "AES-256-CBC",
    "irods_default_hash_scheme": "SHA256",
    "irods_match_hash_policy": "compatible"
}


Setting up irods-runtime (4.1.8) ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Errors were encountered while processing:
 irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb

Then, even after removing (inc. purging) and re-adding, we get a different, and not verbose, error;

root@bc-29-2-01:~# dpkg -i irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb 
(Reading database ... 283670 files and directories currently installed.)
Unpacking irods-auth-plugin-krb (from irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb) ...
Setting up irods-auth-plugin-krb (1.2) ...
dpkg: error processing irods-auth-plugin-krb (--install):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 irods-auth-plugin-krb

This was the package from your downloads site, and was on Ubuntu 12.

Can I ask that the permissions are set only if the file exists, and that there is a test for installing with the icommands please?
We can't use Kerberos with V4 on our test clients until this is resolved (unless you want us to switch to run-in-place) :-).

Thanks!

John

tag for 1.6 on 4.1. branch please

Hi folks,

Our build system is reliant on tags for the version to build the right thing, and while the 4-1 branch has been updated for 1.6, the tag hasn't been created yet - can that be done as soon as possible please?

cheers

John

Investigate releasing output name buffers

  • main
  • 4-2-stable

Whenever we use a GSS function such as gss_import_name or gss_display_name, responsibility for the memory allocated for the output buffer is given to the calling application: https://www.gnu.org/software/gss/manual/html_node/Name-Manipulation.html

There are several places throughout the plugin where the output name buffer may not be freed and we should probably do so. This is achieved in most cases by using gss_release_buffer or gss_release_name.

Support for 4.3.0

Hi folks,

I understand that Kerberos support is being moved into the new authentication plugin #54 however, as I understand it, that is not yet released. 4.3.0 is released, however there is no corresponding plugin.

Is there a plan to release the plugin to allow people with it installed in 4.2.7 to upgrade to 4.3.0?

cheers

John

Cannot make it work

Hi,
I've installed the auth_plugin_kerberos packaged in rpm.
I've followed the documentation, and on the server modified /etc/krb5.conf
with:
[ realms]
EXAMPLE.FR = {
kdc = server.example.fr
admin_server = server.example.fr
}
[domain_realm]
.example.fr = EXAMPLE.FR
example.fr = EXAMPLE.FR

The kdc server is an AD I do not admin, but a simple user "irods" is defined.

On the client, I cannot authenticate; I get:
[user@client ] ils
[-] /tmp/tmpix2hj6/krb/libkrb.cpp:1226:irods::error krb_auth_client_response(irods::plugin_context &, rcComm_t *) : status [SYS_SOCK_READ_ERR] errno [Connection reset by peer] -- message [Call to rcAuthResponseFailed.]

failed with error -116104 SYS_SOCK_READ_ERR Connection reset by peer

What does it mean? Is there some information missing in the doc regarding the necessary configuration, or something else?

Thanks for any help.
Cheers
Sophie

Kerberos keytab doesn't load, KRB auth fails with 4.1.4 and irods-auth-plugin-krb-1.

referenced from irods/irods#2848

It appears that Kerberos authentication doesn't work out-of-the-box with 4.1.x even with the latest release 4.1.4 and irods-auth-plugin-krb-1.2, which I built from the github repo.

Using the settings instructed in docs.irods.org I get the following message client-side

Level 0: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure.  Minor code may provide more information

Level 1: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: 

[-] libkrb.cpp:1194:krb_auth_client_request :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message [call to rcAuthRequest failed.]

 failed with error -965000 KRB_ERROR_ACQUIRING_CREDS

and in serverside rodsLog the following

Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure.  Minor code may provide more information
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: 
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message []
    [-] libkrb.cpp:1237:krb_auth_agent_request :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message [Setting up KRB credentials failed.]
        [-] libkrb.cpp:220:krb_setup_creds :  status [KRB_ERROR_ACQUIRING_CREDS]  errno [] -- message [Failed acquiring credentials.]

Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Invalid token was supplied
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Unknown error
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/core/src/rodsAgent.cpp:346:agentMain :  status [KRB_ACCEPT_SEC_CONTEXT_ERROR]  errno [] -- message [Failed during auth plugin agent start for scheme: "krb".]
    [-] libkrb.cpp:892:krb_auth_agent_start :  status [KRB_ACCEPT_SEC_CONTEXT_ERROR]  errno [] -- message [Failed to establish server side context.]
        [-] libkrb.cpp:783:krb_establish_context_serverside :  status [KRB_ACCEPT_SEC_CONTEXT_ERROR]  errno [] -- message [Error accepting KRB security context for client: "(null)".]

When digging into the Kerberos auth module source code and the workings of the Kerberos client side GSSAPI library, the reason appeared to be that GSS API wasn't provided a Kerberos keytab.

I managed to go around the issue by setting an environment variable KRB5_KTNAME in the server to point to the keytab. This variable is used by the GSS API Kerberos library to force the loading of a specified keytab file. This works for me.
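
A pre-start check for the KRB5_KTNAME workaround described above, as an added example that is not part of the original report or the plugin. It verifies that the variable names a readable keytab file to which group and others have no access; the helper name check_keytab and its return codes are assumptions, and the FILE: prefix is MIT Kerberos keytab-name syntax.

```shell
#!/bin/sh
# Added example (not part of the plugin): check the keytab named by KRB5_KTNAME
# before the iRODS server is started, run as the account that runs the server.

# check_keytab [NAME]   (hypothetical helper; NAME defaults to $KRB5_KTNAME)
# Returns 0 if usable, 1 if no name is set, 2 if the file is missing or
# unreadable, 3 if group or others have any access, 4 if NAME is neither an
# absolute path nor a FILE: keytab name.
check_keytab() {
    name=${1-${KRB5_KTNAME-}}
    [ -n "$name" ] || return 1
    case $name in
        FILE:/*) path=${name#FILE:} ;;   # MIT Kerberos "type:residual" form
        /*)      path=$name ;;
        *)       return 4 ;;
    esac
    { [ -f "$path" ] && [ -r "$path" ]; } || return 2
    # Characters 5-10 of the ls mode string are the group and other bits; a
    # keytab holds the service's long-term keys, so all six should be "-".
    bits=$(ls -ldL "$path" | cut -c5-10)
    [ "$bits" = "------" ] || return 3
    return 0
}

# Constructed demonstration: the file below is an empty placeholder, not a
# real keytab, so only the path and permission checks are exercised.
demo_keytab() {
    dir=$(mktemp -d) || return 1
    kt=$dir/irods.keytab
    : > "$kt"
    chmod 600 "$kt"; tight=0;  check_keytab "FILE:$kt"    || tight=$?
    chmod 644 "$kt"; loose=0;  check_keytab "$kt"         || loose=$?
    absent=0;                  check_keytab "$dir/absent" || absent=$?
    rm -rf "$dir"
    printf 'tight=%s loose=%s absent=%s\n' "$tight" "$loose" "$absent"
}
demo_keytab
```

A zero return only means the path and permissions are sane; whether the keytab holds the right service principal is a separate check.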

libkrb.so lacks boost

When using the KRB auth module with kanki-irodsclient, the client fails to load the module because of undefined boost symbols. The KRB auth works flawlessly with irods-icommands since all the icommands binaries happen to come bundled with all necessary boost symbols.

Kanki, on the other hand, is linked against boost, but doesn't carry the same static symbols as the icommands do. I believe it's best to include boost in the plugin library itself without depending on the loading executable.

ERROR: [-]  iRODS/lib/core/src/clientLogin.cpp:293:clientLogin :  status [PLUGIN_ERROR]  errno [] -- message []
    [-] iRODS/lib/core/src/irods_krb_object.cpp:34:resolve :  status [PLUGIN_ERROR]  errno [] -- message [Failed to load the KRB auth plugin.]
        [-] iRODS/lib/core/src/irods_auth_manager.cpp:76:init_from_type :  status [PLUGIN_ERROR]  errno [] -- message [Failed to load auth plugin.]
            [-] iRODS/lib/core/src/irods_auth_manager.cpp:55:load_auth_plugin :  status [PLUGIN_ERROR]  errno [] -- message [Failed to load plugin: "krb".]
                [-] iRODS/lib/core/include/irods_load_plugin.hpp:194:load_plugin :  status [PLUGIN_ERROR]  errno [] -- message [failed to open shared object file [/var/lib/irods/plugins/auth/libkrb.so] :: dlerror: is [/var/lib/irods/plugins/auth/libkrb.so: undefined symbol: _ZN5boost6system16generic_categoryEv]]

I forked this repo and made a change into the plugin module linkage fixing this issue for me and made a pull request for the commit, see pull request #12.

Build failed: krbAuthRequest.hpp missing

g++ -DRODS_SERVER  [...] libkrb.cpp
libkrb.cpp:15:10: fatal error: 'krbAuthRequest.hpp' file not found

Where is this file supposed to be found? 3605720's commit message and #4's title suggest that perhaps git add krbAuthRequest.hpp was forgotten before that was committed...

installing 1.4 with 4.1.10 deb fails as current version is 4.1.9

dpkg -i irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb irods-database-plugin-oracle-1.9-ubuntu12-x86_64.deb irods-dev-4.1.10-ubuntu12-x86_64.deb irods-icat-4.1.10-ubuntu12-x86_64.deb 
(Reading database ... 242303 files and directories currently installed.)
Preparing to replace irods-auth-plugin-krb 1.3 (using irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb) ...
Local iRODS is 4.1.9
This plugin requires iRODS 4.1.10
dpkg: error processing irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb (--install):
 subprocess new pre-installation script returned error exit status 1
Preparing to replace irods-database-plugin-oracle 1.9 (using irods-database-plugin-oracle-1.9-ubuntu12-x86_64.deb) ...
Unpacking replacement irods-database-plugin-oracle ...
Preparing to replace irods-dev 4.1.9 (using irods-dev-4.1.10-ubuntu12-x86_64.deb) ...
Unpacking replacement irods-dev ...
Preparing to replace irods-icat 4.1.9 (using irods-icat-4.1.10-ubuntu12-x86_64.deb) ...
Upgrading Existing iRODS Installation
Unpacking replacement irods-icat ...
Setting up irods-dev (4.1.10) ...
Setting up irods-icat (4.1.10) ...
 System start/stop links for /etc/init.d/irods already exist.
Configuration Schema Version is already up to date (version=2).
Stopping iRODS server...
Catalog Schema Version is already up to date (version=4).
Starting iRODS server...
Confirming catalog_schema_version... Success
Validating [/usr/local/iRODS/.irods/irods_environment.json]... Success
Validating [/etc/irods/server_config.json]... Success
Validating [/etc/irods/hosts_config.json]... Success
Validating [/etc/irods/host_access_control_config.json]... Success
Validating [/etc/irods/database_config.json]... Success
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up irods-database-plugin-oracle (1.9) ...
Errors were encountered while processing:
 irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb

Re-running the installation of just the plugin works fine, but it looks like the version check is done in slightly the wrong place. Prior installation was 4.1.9-preview6.
