https://sourceforge.net/p/xcat/wiki/Confluent_auth/Recent changes to Confluent_authenMon, 04 Aug 2014 02:53:54 -0000https://sourceforge.net/p/xcat/wiki/Confluent_auth/<div class="markdown_content"><pre>--- v4 +++ v5 @@ -1,3 +1,5 @@ +[[include ref=Design_Warning]] + Confluent Authentication model --------------------------------- This will be a developer toned document for now, going into more detail </pre> </div>Guang Cheng LiMon, 04 Aug 2014 02:53:54 -0000https://sourceforge.net4e7e04cce014a43e0afb18bcb78ffe4117c4c0a9https://sourceforge.net/p/xcat/wiki/Confluent_auth/<div class="markdown_content"><pre></pre> </div>Jarrod JohnsonFri, 01 Aug 2014 13:36:33 -0000https://sourceforge.netbe6178f96825724929be8a2d54285515afa2ad05https://sourceforge.net/p/xcat/wiki/Confluent_auth/<div class="markdown_content"><pre></pre> </div>Jarrod JohnsonFri, 01 Aug 2014 13:36:20 -0000https://sourceforge.netd79ee60fdde6dad777eac252d83793c2b20d135chttps://sourceforge.net/p/xcat/wiki/Confluent_Auth/<div class="markdown_content"><pre>--- v1 +++ v2 @@ -25,3 +25,13 @@ 1.If client is either root or the owner of the process, they are allowed in. 2.Otherwise, the username and groups are checked against known users/groups 3.If 1 and 2 find no matches, revert to generic passphrase mechanism common with TLS socket. + +TLS Socket +----------------------------------------- +1. If client certificate is provided and verified, then subjectaltname is used if present, else subject to identify user. If certificate does not work, fail. +2. If no client certificate provided, go to generic passphrase mechanism as in unix socket. + +HTTP +---------------------------------------- +1. If and only if over a unix socket, consider evaluating client certificate passed in headers +2. Go to generic passphrase mechanism </pre> </div>Jarrod JohnsonWed, 16 Jul 2014 18:54:16 -0000https://sourceforge.net455f03e343ce285bf4ac52d009a602bf0c03f9e3https://sourceforge.net/p/xcat/wiki/Confluent_Auth/<div class="markdown_content"><h2 id="confluent-authentication-model">Confluent Authentication model</h2> <p>This will be a developer toned document for now, going into more detail<br /> than most any user will care to think about.</p> <p>Confluent does/will offer a number of authentication schemes:<br /> <em>Passphrases in its configuration stores:<br /> -PBKDF transformed passphrase<br /> -Users need not exist in anything outside the service (e.g. /etc/passwd) if not appropriate</em>PAM configuration<br /> -If /etc/pam.d/confluent exists, the above passphrase backend is totally ignored in favor of PAM<br /> -Users and/or groups still must exist in the cfg to be authorized<br /> <em>Certificates<br /> -For TLS direct client to be supported<br /> -Might not be supported for HTTP</em>Console access tokens<br /> -Allowing a client service to authenticate and request a token which is bound to a particular console<br /> *System authentication<br /> -Unix domain socket uses the kernel attested user/password values to correlate to groups</p> <p>To be clear about priorities, the various services are described:</p> <h2 id="unix-socket">UNIX Socket</h2> <p>1.If client is either root or the owner of the process, they are allowed in.<br /> 2.Otherwise, the username and groups are checked against known users/groups<br /> 3.If 1 and 2 find no matches, revert to generic passphrase mechanism common with TLS socket.</p></div>Jarrod JohnsonTue, 15 Jul 2014 21:15:57 -0000https://sourceforge.net24231c4ccba8f09deee24239613eea35cc215300