Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support kerberos authentication for private git repos #17782

Open
pdaverh opened this issue Sep 3, 2020 · 6 comments
Open

Support kerberos authentication for private git repos #17782

pdaverh opened this issue Sep 3, 2020 · 6 comments
Assignees
@vitaliy-guliy
Labels
area/git/oauth-services OAuth support to authenticate developers with their GitHub, GitLab, Bitbucket etc...accounts area/plugins kind/enhancement A feature request - must adhere to the feature request template. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Milestone
7.x (Later, Futur...

Comments

@pdaverh
Copy link

pdaverh commented Sep 3, 2020

Is your enhancement related to a problem? Please describe.

Currently, Eclipse Che does not allow credentials known to the cluster to authenticate private git repo access.

Describe the solution you'd like

Instead of user/password authentication for private git repos, I would like Che to leverage kerberos token already known to the cluster. When a project is added to a Che workspace, the git credentials for the source repository should be based on the kerberos credentials of the user running the workspace.

Describe alternatives you've considered

An alternative is to use SSH keys for private git repos, but that will not work in the environment.

Additional context
@pdaverh pdaverh added the kind/enhancement A feature request - must adhere to the feature request template. label Sep 3, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Sep 3, 2020
@ericwill ericwill added area/git area/plugins and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Sep 3, 2020
@l0rd
Copy link
Contributor

l0rd commented Sep 4, 2020

@pdaverh this documentation article describes how to inject git credential store files using secrets. Wouldn't that work?

@ericwill ericwill mentioned this issue Sep 10, 2020
Closed
29 tasks
@ericwill ericwill added this to the 7.x (Later, Future, Never) milestone Sep 18, 2020
@ericwill ericwill mentioned this issue Oct 1, 2020
Closed
27 tasks
@vitaliy-guliy
Copy link
Contributor

@pdaverh I successfully created and injected git credentials store file to my Che deployment as @l0rd mentioned in the previous comment.
Then, after creating a workspace, file /home/theia/.git-credentials/credentials was automatically created and I was able to clone my private git repository without entering login and password.

Could you give us a bit more details about your case you are trying to solve?

It looks like it's not a question to Che, but configuration issue.

@pdaverh
Copy link
Author

pdaverh commented Oct 8, 2020

The issue is specific to kerberos tokens, as they are different than traditional git credentials.

@l0rd
Copy link
Contributor

l0rd commented Oct 12, 2020
edited
Loading

@vitaliy-guliy please have a look at https://www.openshift.com/blog/kerberos-sidecar-container

The article explains how a kerberos token is requested/refreshed using the command line tool kinit and how it can be automated using keytab files.

I believe that including kinit in the terminal container (where git is) and mounting a keytab file as a secret would already allow a current Che user to use Kerberos auth for git.

The article goes also into the details of a sidecar approach to automatically refresh the Kerberos tokens. This sidecar approach can be easily implemented with a kerberos plugin for Che. But that goes beyond the scope of this issue and may be discussed later.

So for now I would only document how we can currently configure a Che workspace to:

  • Mount kerberos config and keytab file (using the approach described here)
  • Include kinit in the workspace container where git is installed
  • Manually generate the kerberos token using kinit

@vitaliy-guliy ping me if you need help to setup a git repo using Kerberos auth.

@ericwill ericwill modified the milestones: 7.20, 7.22 Oct 13, 2020
@ericwill
Copy link
Contributor

@vitaliy-guliy please have a look at https://www.openshift.com/blog/kerberos-sidecar-container

The article explains how a kerberos token is requested/refreshed using the command line tool kinit and how it can be automated using keytab files.

I believe that including kinit in the terminal container (where git is) and mounting a keytab file as a secret would already allow a current Che user to use Kerberos auth for git.

The article goes also into the details of a sidecar approach to automatically refresh the Kerberos tokens. This sidecar approach can be easily implemented with a kerberos plugin for Che. But that goes beyond the scope of this issue and may be discussed later.

So for now I would only document how we can currently configure a Che workspace to:

* Mount kerberos config and keytab file (using the approach described [here](https://www.eclipse.org/che/docs/che-7/end-user-guide/mounting-a-secret-as-a-file-or-an-environment-variable-into-a-workspace-container/))

* Include kinit in the workspace container where git is installed

* Manually generate the kerberos token using kinit

@vitaliy-guliy ping me if you need help to setup a git repo using Kerberos auth.

Thanks for the guidance Mario, we'll revisit this issue next sprint (192).

@che-bot
Copy link
Contributor

che-bot commented Apr 26, 2021

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 26, 2021
@l0rd l0rd added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 28, 2021
@l0rd l0rd added area/git/oauth-services OAuth support to authenticate developers with their GitHub, GitLab, Bitbucket etc...accounts and removed area/git labels Jan 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vitaliy-guliy vitaliy-guliy

Labels
area/git/oauth-services OAuth support to authenticate developers with their GitHub, GitLab, Bitbucket etc...accounts area/plugins kind/enhancement A feature request - must adhere to the feature request template. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
7.x (Later, Future, Never)
Development

No branches or pull requests
5 participants
@l0rd @vitaliy-guliy @ericwill @che-bot @pdaverh