bcfg2-doc-1.3.0-1.fc17.noarch.rpm



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Authentication &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../../',
        VERSION:     '1.3.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../_static/doctools.js"></script>
    <script type="text/javascript" src="../../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../index.html" />
    <link rel="up" title="Guides" href="../guides.html" />
    <link rel="next" title="Bootstrap" href="bootstrap.html" />
    <link rel="prev" title="Guides" href="../guides.html" />
 
<link rel="stylesheet" href="../../_static/bcfg2.css" type=""/>

  </head>
  <body>

<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../../index.html"><img src="../../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a>
</div>

    <div class="related">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../../genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="../../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="bootstrap.html" title="Bootstrap"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="../guides.html" title="Guides"
             accesskey="P">previous</a> |</li>
	<li><a href="../../index.html">home</a> |&nbsp;</li>
	<!--<li><a href="../../search.html">search</a> |&nbsp;</li>-->
	<li><a href="../../help/index.html">help</a> |&nbsp;</li>
	<li><a href="../../contents.html">documentation </a> &raquo;</li>

          <li><a href="../../contents.html" >Bcfg2 documentation 1.3.0</a> &raquo;</li>
          <li><a href="../index.html" >Appendix</a> &raquo;</li>
          <li><a href="../guides.html" accesskey="U">Guides</a> &raquo;</li> 
      </ul>
    </div>
  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="authentication">
<span id="appendix-guides-authentication"></span><h1>Authentication<a class="headerlink" href="#authentication" title="Permalink to this headline">¶</a></h1>
<div class="section" id="scenarios">
<h2>Scenarios<a class="headerlink" href="#scenarios" title="Permalink to this headline">¶</a></h2>
<ol class="arabic">
<li><p class="first">Cluster nodes that are frequently rebuilt</p>
<p>Default settings work well; machines do not float, and a per-client
password is not required.</p>
</li>
<li><p class="first"><a class="reference internal" href="nat_howto.html#appendix-guides-nat-howto"><em>NAT HOWTO</em></a></p>
</li>
</ol>
<blockquote>
<div><ul>
<li><p class="first">Build client records in advance with <tt class="docutils literal"><span class="pre">bcfg2-admin</span></tt>, setting a uuid
for each new client.</p>
</li>
<li><p class="first">Set the address attribute for each to the address of the NAT.</p>
</li>
<li><p class="first">Optionally, set a per-client password for each, and set each into
secure mode.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">This will require the use of the uuid and password from each
client, and will require that they come through the NAT address.</p>
</div>
</li>
</ul>
</div></blockquote>
</div>
<div class="section" id="building-bcfg2-conf-automatically">
<h2>Building bcfg2.conf automatically<a class="headerlink" href="#building-bcfg2-conf-automatically" title="Permalink to this headline">¶</a></h2>
<p>This is a <a class="reference internal" href="../../server/plugins/generators/cfg.html#server-plugins-generators-cfg-cheetah"><em>Cheetah template</em></a> that automatically constructs
per-client bcfg2.conf from the per-client metadata:</p>
<div class="highlight-python"><pre>[communication]
protocol = xmlrpc/ssl
#if $self.metadata.uuid != None
user = $self.metadata.uuid
#end if
#if $self.metadata.password != None
password = $self.metadata.password
#else
password = my-password-foobat
#end if

[components]
bcfg2 = https://localhost:6789</pre>
</div>
<p>With this template, any client that has a uuid established will be
configured to use it in <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>, and any client
with a per-client password set will use that password instead of the global one.</p>
</div>
<div class="section" id="how-authentication-works">
<h2>How Authentication Works<a class="headerlink" href="#how-authentication-works" title="Permalink to this headline">¶</a></h2>
<ol class="arabic simple">
<li>First, the client is associated with a client record. If the client
specifies a uuid, that uuid is used instead of the result of a DNS or
address lookup.</li>
<li>Next, the IP address is verified against the client record. If the
address doesn&#8217;t match, the client record must have
floating=&#8217;true&#8217;.</li>
<li>Finally, the password is verified. If the client is set to secure
mode, only its per-client password is accepted. If it is not set
to secure mode, either the global password or the per-client password
will be accepted.</li>
</ol>
<p>Failure during any of these stages results in authentication
failure. Note that clients set into secure mode that do not have
per-client passwords set will not be able to connect.</p>
</div>
<div class="section" id="ssl-cert-based-client-authentication">
<h2>SSL Cert-based client authentication<a class="headerlink" href="#ssl-cert-based-client-authentication" title="Permalink to this headline">¶</a></h2>
<p>SSL-based client authentication is supported. This requires several
things:</p>
<ol class="arabic simple">
<li>Certificate Authority (to sign all keys)</li>
<li>Server key and cert signed by the CA</li>
<li>Client key and cert signed by the CA</li>
</ol>
<p>A variety of CAs can be used, but these keys can be simply generated
using the following set of steps:</p>
<ol class="arabic">
<li><p class="first">Set up a CA</p>
<p><a class="reference external" href="http://www.flatmtn.com/article/setting-openssl-create-certificates">http://www.flatmtn.com/article/setting-openssl-create-certificates</a></p>
</li>
<li><p class="first">Create keys for each client and server, signing them with the CA
signing cert</p>
<p><a class="reference external" href="http://www.flatmtn.com/article/setting-ssl-certificates-apache">http://www.flatmtn.com/article/setting-ssl-certificates-apache</a></p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p>The client CN must be the FQDN of the client (as returned by a
reverse DNS lookup of the IP address). Otherwise, you will end up
with an error message on the client that looks like:</p>
<div class="highlight-python"><pre>Server failure: Protocol Error: 401 Unauthorized
Failed to download probes from bcfg2
Server Failure</pre>
</div>
<p>You will also see an error message on the server that looks
something like:</p>
<div class="last highlight-python"><pre>cmssrv01 bcfg2-server[9785]: Got request for cmssrv115 from incorrect address 131.225.206.122
cmssrv01 bcfg2-server[9785]: Resolved to cmssrv115.fnal.gov</pre>
</div>
</div>
</li>
<li><p class="first">Distribute the keys and certs to the appropriate locations</p>
</li>
<li><p class="first">Copy the CA cert to the clients, so that the server can be authenticated</p>
</li>
</ol>
<p>Clients authenticating themselves with a certificate will be
authenticated that way first; clients can be set up to either
authenticate solely with certs, use certs with a fallback to password,
or use a password only. Also, a bootstrap mode will be added shortly; this
will allow a client to authenticate with a password the first time,
requiring a certificate on all subsequent runs. This behavior can be
controlled through the use of the auth attribute in
<tt class="docutils literal"><span class="pre">Metadata/clients.xml</span></tt>:</p>
<div class="highlight-python"><pre>&lt;Clients&gt;
  &lt;Client name='testclient' auth='cert'/&gt;
&lt;/Clients&gt;</pre>
</div>
<p>Allowed values are:</p>
<blockquote>
<div><table border="1" class="docutils">
<colgroup>
<col width="26%" />
<col width="74%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head"><strong>Auth Type</strong></th>
<th class="head"><strong>Meaning</strong></th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>cert</td>
<td>Certificates must be used</td>
</tr>
<tr class="row-odd"><td>cert+password</td>
<td>Certificate or password may be used</td>
</tr>
<tr class="row-even"><td>bootstrap</td>
<td>Password can be used for one client run,
after that certificate is required</td>
</tr>
</tbody>
</table>
</div></blockquote>
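<p>The following is an added example, not code from Bcfg2 itself: a simplified model of the three authentication stages described in "How Authentication Works" together with the cert/cert+password/bootstrap modes from the table above. The client records, reverse-DNS table and hostnames are constructed for the example; the global password is the fallback from the template earlier on this page.</p>

```python
GLOBAL_PASSWORD = "my-password-foobat"  # fallback from the bcfg2.conf template above

# Constructed client records; keys mirror Metadata/clients.xml attributes.
CLIENTS = {
    "node01.example.com": dict(address="10.0.0.11", uuid=None, password=None,
                               floating=False, secure=False, auth="cert+password"),
    "natbox.example.com": dict(address="192.0.2.1", uuid="u-natbox", password="natpw",
                               floating=False, secure=True, auth="cert+password"),
    "laptop.example.com": dict(address="10.0.0.50", uuid="u-laptop", password=None,
                               floating=True, secure=False, auth="cert"),
    "locked.example.com": dict(address="10.0.0.60", uuid=None, password=None,
                               floating=False, secure=True, auth="cert+password"),
    "newbox.example.com": dict(address="10.0.0.70", uuid=None, password=None,
                               floating=False, secure=False, auth="bootstrap"),
}
# Constructed reverse-DNS table, consulted only when no uuid is supplied.
REVERSE_DNS = {r["address"]: n for n, r in CLIENTS.items()}


def authenticate(address, uuid=None, password=None, cert_cn=None, bootstrapped=None):
    """Return (ok, reason). `bootstrapped` is the set of clients that have
    already spent their single password-authenticated run."""
    bootstrapped = set() if bootstrapped is None else bootstrapped
    # Stage 1: associate a client record; a supplied uuid beats the DNS lookup.
    if uuid is not None:
        name = next((n for n, r in CLIENTS.items() if r["uuid"] == uuid), None)
    else:
        name = REVERSE_DNS.get(address)
    rec = CLIENTS.get(name)
    if rec is None:
        return False, "no client record"
    # Stage 2: the source address must match the record unless floating='true'.
    if rec["address"] != address and not rec["floating"]:
        return False, "got request for %s from incorrect address %s" % (name, address)
    # A presented certificate is checked first: its CN must be the client's FQDN.
    if cert_cn is not None:
        return (cert_cn == name), ("cert" if cert_cn == name else "cert CN mismatch")
    mode = rec["auth"]
    if mode == "cert" or (mode == "bootstrap" and name in bootstrapped):
        return False, "certificate required"
    # Stage 3: secure mode accepts only the per-client password (so a secure
    # client with no password can never connect); otherwise global or per-client.
    if rec["secure"]:
        ok = rec["password"] is not None and password == rec["password"]
    else:
        ok = password is not None and password in (GLOBAL_PASSWORD, rec["password"])
    if not ok:
        return False, "bad password"
    if mode == "bootstrap":
        bootstrapped.add(name)  # the next run must present a certificate
    return True, "password"
```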
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../../index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Authentication</a><ul>
<li><a class="reference internal" href="#scenarios">Scenarios</a></li>
<li><a class="reference internal" href="#building-bcfg2-conf-automatically">Building bcfg2.conf automatically</a></li>
<li><a class="reference internal" href="#how-authentication-works">How Authentication Works</a></li>
<li><a class="reference internal" href="#ssl-cert-based-client-authentication">SSL Cert-based client authentication</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="../guides.html"
                        title="previous chapter">Guides</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="bootstrap.html"
                        title="next chapter">Bootstrap</a></p>
  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="../../_sources/appendix/guides/authentication.txt"
           rel="nofollow">Show Source</a></li>
  </ul>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>