Monday, October 27, 2014

rundeck calling xebialabs overthere for winrm connection

Got a meeting "invitation" from a fearful client regarding how to set up a node in rundeck that uses winrm.
To survive the meeting, I buried my head into the rundeck and xebialabs overthere code for the whole afternoon :( and here's what I figured out -

1. rundeck has a winrm plugin (OTWinRMNodeExecutor class), and the plugin looks for the domain mapping in the $RUNDECK_BASE/krb/domain.properties file. This file can be a simple name/value mapping, with the name being the shortened domain name (such as "ABC") and the value being the fully qualified domain name (such as "ABC.MYCOMPANYNAME.COM").

The winrm plugin also looks for the $RUNDECK_BASE/krb/realm_kdc.properties file. This file again has a name/value mapping, with the name being the realm name (usually the upper-case domain name) and the value being the pdc host.

2. Based on the domain name of a node, the plugin sets the following 2 system properties -
- java.security.krb5.realm - the realm name (the all-upper-case host domain name)
- java.security.krb5.kdc - the kdc host name (the kdc defined in the realm_kdc.properties file for the particular domain)

3. The plugin then invokes the xebialabs overthere CifsConnectionBuilder to make the winrm connection, and passes in a bunch of connection options.

4. CifsConnectionBuilder creates a CifsWinRmConnection, which then creates an ApacheHttpComponentsHttpClientHttpConnector and passes in the username & password from the plugin options. ApacheHttpComponentsHttpClientHttpConnector, as the name indicates, is the center of the implementation -
- it checks whether the username has the format "username@domainName". If so, kerberos authentication is considered enabled.
- it creates an httpclient, and registers the KERBEROS and SPNEGO authentication schemes
- it sets the credentials with "httpclient.getCredentialsProvider().setCredentials(...)" for the KERBEROS and SPNEGO schemes
- and of course, it sends SOAP requests and receives responses

5. Both of these documents are great reads, although I'm not sure how up-to-date the 2nd link is -
- http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html#SetProps
- http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html

Hopefully now I can answer a question or two to survive till the next meeting :(
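
The lookup chain from steps 1, 2 and 4, written as a pre-flight check that fails when a node would not resolve to a realm and KDC. This is an added example, not rundeck or overthere code; it assumes the node's domain is the part after `@` in the username, and the class name, the `svc_rundeck` account and the file contents are constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Locale;
import java.util.Properties;

public class WinRmKerberosPreflight {
    // Step 4: only "username@domainName" is treated as a Kerberos login.
    static boolean looksKerberos(String username) {
        int at = username.indexOf('@');
        return at > 0 && at < username.length() - 1;
    }

    // Steps 1-2: domain -> FQDN -> realm -> KDC. Assumes the domain is the part after '@'.
    static String[] resolve(String username, Properties domains, Properties realmKdc) {
        if (!looksKerberos(username))
            throw new IllegalArgumentException("not username@domainName, Kerberos not enabled");
        String domain = username.substring(username.indexOf('@') + 1).toUpperCase(Locale.ROOT);
        // domain.properties: short name -> fully qualified name (an FQDN passes through)
        String realm = domains.getProperty(domain, domain).toUpperCase(Locale.ROOT);
        String kdc = realmKdc.getProperty(realm);
        if (kdc == null)
            throw new IllegalStateException("no KDC in realm_kdc.properties for " + realm);
        return new String[] { realm, kdc };
    }

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-ins for the two files under $RUNDECK_BASE/krb/
        Properties domains = load("ABC=ABC.MYCOMPANYNAME.COM\n");
        Properties realmKdc = load("ABC.MYCOMPANYNAME.COM=pdc01.abc.mycompanyname.com\n");
        String[] users = { "svc_rundeck@ABC", "svc_rundeck@abc.mycompanyname.com", "svc_rundeck", "svc_rundeck@XYZ" };
        for (String user : users) {
            try {
                String[] rk = resolve(user, domains, realmKdc);
                // Step 2: both properties are JVM-wide, so the last node resolved wins.
                System.setProperty("java.security.krb5.realm", rk[0]);
                System.setProperty("java.security.krb5.kdc", rk[1]);
                System.out.printf("%-34s realm=%s kdc=%s%n", user, rk[0], rk[1]);
            } catch (RuntimeException e) {
                System.out.printf("%-34s FAIL: %s%n", user, e.getMessage());
            }
        }
    }
}
```

The first two sample users resolve to the same realm and KDC; the bare username and the unmapped `XYZ` domain are reported as failures instead of proceeding to a connection attempt.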

1 comment:

  1. Hi YC, Thanks for your post.
    I've been struggling with this implementation for a while and I'm wondering if you saw the following issue: no matter what I provide in the configuration to force kerberos, the Authorization header sent to WinRM is always in Basic. Did you see this, or do you have an idea where it could come from?

    Thanks,
    J
