Perry Myers wrote:
Adding sct to look at this
On 01/19/2011 10:12 PM, Perry Myers wrote:
The first pass at Matahari right now has zero auth on it, just a username field to connect to a broker but no password. :)
Adam is working to add simple password auth to Matahari so that we have some semblance of security.
But as Dmitri will point out, the real deal here is to get kerberos integrated via IPA. Of course, qpid supports auth via kerberos, but there are some practical matters we need to figure out.
Ignoring for a minute the issue of getting a machine its identity (which Dmitri already covered separately), let's assume that the machine already has a keytab file in place on the filesystem.
Ok, now we've got a keytab, but...
How do we do the equivalent of kinit to load the identity and authenticate to the KDC in an automated fashion? Kerberos tickets generally have an expiration, so the 'kinit' would need to happen on some sort of schedule? How is this done? (Note: crontab/at are not good answers)
Can/should we use keytab/identities that do not require a password to create a ticket? Since we need automation here, adding a password is sort of self-defeating anyhow.
What about Windows? If we're going to rely on Kerberos on Windows as well, that means we need to preinstall some MIT kerb software on Windows which means we need to pull it into Fedora and cross compile it along with mingw32-matahari? Or do we just say "if you want to use Matahari/Kerberos on Windows, here go download this MIT kerberos windows installer from http://...."?
Aside from installing either ipa RPMS on Fedora or MIT kerberos software on Windows, there's the issue of configuring your OS to use a KDC. Do we just declare that that is outside the scope of Matahari install and state "if you want to use Kerberos auth, first make sure your OS has the proper software and configuration to connect to a KDC"?
Dmitri, thoughts? Just trying to figure out the practicalities of making this easy to deploy and use for end-users on both Fedora and Windows platforms.
I have some answers, but I need more time. I will reply later today.
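As an added illustration (not code from this thread or from Matahari) of the automated, password-less kinit Perry asks about in the quoted message: the service inspects its own credential cache and re-acquires a TGT from its keytab shortly before expiry, driven by an in-process timer rather than crontab/at. The keytab path, the principal and the klist timestamp layout are assumptions.

```python
"""Keep a service's Kerberos TGT fresh from its keytab, with no cron job.
Added illustration, not Matahari code; assumes MIT krb5 kinit/klist."""
import re
import subprocess
import threading
from datetime import datetime, timedelta

# Hypothetical values; a real agent would take these from its config.
KEYTAB = "/etc/matahari/host.keytab"
PRINCIPAL = "host/agent1.example.com@EXAMPLE.COM"
REFRESH_MARGIN = timedelta(minutes=10)

# Assumed klist layout: "MM/DD/YYYY HH:MM:SS" (older builds: two-digit year).
_TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TGT_LINE = re.compile(rf"^\s*({_TS})\s+({_TS})\s+krbtgt/", re.MULTILINE)

def parse_klist_ts(text):
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised klist timestamp: %r" % text)

def tgt_expiry(klist_output):
    """Expiry of the krbtgt ticket in `klist` output, or None if absent."""
    m = _TGT_LINE.search(klist_output)
    return parse_klist_ts(m.group(2)) if m else None

def needs_refresh(klist_output, now, margin=REFRESH_MARGIN):
    """True when there is no TGT or it expires within `margin` of `now`."""
    expiry = tgt_expiry(klist_output)
    return expiry is None or expiry - now <= margin

def refresh_from_keytab(keytab=KEYTAB, principal=PRINCIPAL):
    """Non-interactive kinit: the keytab key stands in for a password."""
    subprocess.run(["kinit", "-k", "-t", keytab, principal], check=True)

def ensure_ticket():
    """Re-kinit only when the cached ticket is missing or about to lapse."""
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    if needs_refresh(out, datetime.now()):
        refresh_from_keytab()

def start_refresher(interval_s=300):
    """In-process timer loop, so the daemon needs no crontab/at entry."""
    def loop():
        ensure_ticket()
        threading.Timer(interval_s, loop).start()
    loop()
```

`klist -s` alone gives a valid/expired exit status, which is enough when no refresh margin is wanted. Whichever check is used, the keytab file must stay readable only by the service account, because it replaces the password.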