Yesterday I set up an S4U2Proxy configuration for HTTP-to-HTTP delegation. Today I tested it.
I took Alexander’s approach to testing using CGI. Here’s my test page, which just fetches a token from Keystone using curl:
```sh
#!/usr/bin/bash
OS_AUTH_URL=https://ayoungdevstack20.cloudlab.freeipa.org/keystone/krb
OS_PROJECT_NAME=demo
# No credentials are passed explicitly: --negotiate -u : makes curl use the
# Kerberos credential cache that mod_auth_kerb delegated to this CGI process,
# so the token comes back scoped to the browser user, not to the web server.
TOKEN=$(curl \
  -H "Content-Type:application/json" \
  --negotiate -u : \
  -d '{ "auth": { "identity": { "methods": []}, "scope": { "project": { "domain": { "name": "Default" }, "name": "demo" } } } }' \
  -X POST $OS_AUTH_URL/v3/auth/tokens)
echo "Content-type: application/json"
echo ""
echo "$TOKEN"
exit 0
```
I saved this as /var/www/cgi-bin/s4u2test/kerberos-token-get.sh and created a configuration file for it in /etc/httpd/conf.d/s4u2test.conf:
```apache
KrbConstrainedDelegationLock ipa
<Directory /var/www/cgi-bin/s4u2test/>
    WSGIProcessGroup keystone_krb_wsgi
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms IPA.CLOUDLAB.FREEIPA.ORG
    Krb5KeyTab /etc/httpd/conf/openstack.keytab
    # Keep the user's credentials and hand them to the CGI via KRB5CCNAME
    KrbSaveCredentials on
    KrbLocalUserMapping on
    # Get a ticket on the user's behalf with S4U2Proxy instead of relying
    # on the browser forwarding a TGT
    KrbConstrainedDelegation on
    Require valid-user
</Directory>
```
Then I hit it from a web browser: GET https://ayoungdevstack20.cloudlab.freeipa.org/cgi-bin/s4u2test/kerberos-token-get.sh
which returned
```
{"token": {"methods": [], "roles": [{"id": "a18fd6adab1e4f238dd8da598615c3ce", "name": "Member"}, {"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": ....
```
To test it out, I tried a couple of things. First, I did a kinit as a couple of different users; those that did not have a role on the “demo” project get:
```json
{"error": {"message": "User caspian has no access to project 5d15013cbebd4b1e95ad3b5785c866f7", "code": 401, "title": "Unauthorized"}}
```
When I comment out the line in /etc/httpd/conf.d/s4u2test.conf
```apache
# KrbConstrainedDelegation on
```
and restart the web server, I get an Internal Server Error. Re-enable it, and it works again.
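The three outcomes above (a token for a user with a role, a 401 for a user without one, and an Internal Server Error when the delegated cache is missing) are easier to tell apart if the CGI page checks its inputs and parses the response instead of echoing whatever curl printed. The script below is an added example, not the one from the post. It assumes the same Keystone URL and project as above, a curl built with GSS-API support, and that mod_auth_kerb exports the delegated credential cache to the CGI as KRB5CCNAME and the mapped user name as REMOTE_USER; the helper names are hypothetical.

```sh
#!/usr/bin/bash
# Added example (not the post's script): a stricter CGI test page for the
# S4U2Proxy setup that reports each failure mode explicitly.
# Assumptions: same Keystone URL and project as the post; curl with GSS-API
# support; mod_auth_kerb sets KRB5CCNAME and REMOTE_USER for the CGI.

OS_AUTH_URL="${OS_AUTH_URL:-https://ayoungdevstack20.cloudlab.freeipa.org/keystone/krb}"
OS_PROJECT_NAME="${OS_PROJECT_NAME:-demo}"

# Keystone v3 scoped-token request. The methods list is empty, as in the
# post's script: the identity comes from the negotiated Kerberos ticket, so
# only the project scope is supplied.
auth_body() {
    printf '{"auth": {"identity": {"methods": []}, "scope": {"project": {"domain": {"name": "Default"}, "name": "%s"}}}}' "$1"
}

# The helpers below parse a raw response captured with `curl -i`. curl also
# prints the headers of the intermediate 401 it receives while negotiating,
# so they always look at the last status line and the last header block.
http_status() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

subject_token() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken: *\([^ ]*\).*/\1/p' | tail -n 1
}

response_body() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^HTTP\// { in_body = 0; body = ""; next }   # a new response starts
        /^$/      { in_body = 1; next }              # blank line ends the headers
        in_body   { if (body == "") body = $0; else body = body "\n" $0 }
        END       { print body }'
}

# Map the status to the outcomes seen in the post:
#   201 -> token issued for the delegated user
#   401 -> delegation worked, but the user holds no role on the project
#   ""  -> curl produced no response at all
classify() {
    case "$1" in
        201) echo "ok" ;;
        401) echo "no-role" ;;
        "")  echo "no-response" ;;
        *)   echo "http-$1" ;;
    esac
}

main() {
    echo "Content-type: application/json"
    echo ""
    # Without KrbConstrainedDelegation/KrbSaveCredentials no delegated cache
    # reaches the CGI; say so instead of letting curl fail opaquely.
    if [ -z "$KRB5CCNAME" ]; then
        echo '{"result": "error", "detail": "KRB5CCNAME unset: no delegated credential cache reached the CGI"}'
        return 1
    fi
    raw=$(curl -s -i \
        -H "Content-Type: application/json" \
        --negotiate -u : \
        -d "$(auth_body "$OS_PROJECT_NAME")" \
        -X POST "$OS_AUTH_URL/v3/auth/tokens")
    status=$(http_status "$raw")
    case "$(classify "$status")" in
        ok)
            printf '{"result": "ok", "user": "%s", "token_id": "%s"}\n' \
                "$REMOTE_USER" "$(subject_token "$raw")" ;;
        no-role)
            printf '{"result": "no-role", "user": "%s", "detail": %s}\n' \
                "$REMOTE_USER" "$(response_body "$raw")" ;;
        *)
            printf '{"result": "error", "status": "%s"}\n' "$status" ;;
    esac
}

# Apache sets GATEWAY_INTERFACE for CGI scripts; only send the request in
# that case, so the helpers can also be sourced and exercised on their own.
if [ -n "$GATEWAY_INTERFACE" ]; then
    main
fi
```

Dropped into the same directory as the original page, it answers the question the post works through by hand: a "no-role" result with the Keystone error body means S4U2Proxy produced a ticket for the right user and only the role assignment is missing, while a missing KRB5CCNAME points at the delegation directives rather than at Keystone.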