4. Intro
Environment
• Active Directory
• Kerberos
• Windows + Mac + Linux clients
• Linux servers (almost all Debian)
• MySQL
• Jira + Confluence installed via shell scripts from tarball
5. Intro
Environment
Jira
• 889 users, 406 groups, 335.726 tickets
• 109 active projects, 91 retired
• Jira Agile (aka Greenhopper) active for 27 projects
• Started 07.09.2010
Confluence
• 662 users, 168 groups, 203 spaces, 32.678 pages*
• Team Calendars, Balsamiq, Gliffy, Linking, Redirection, Content Formatting, ...
• Started 13.04.2011

* SELECT COUNT(*)
  FROM CONTENT
  WHERE CONTENTTYPE = "page"
  AND CONTENT_STATUS = "current"
  AND PREVVER IS NULL
8. Jira and LAMP
Does the job okay...
• Apache does Kerberos auth
• Apache calls „Loginproxy“
• Loginproxy identifies pwd
• Loginproxy redirects
• AD sync via php cron
  • Groups + users + membership
9. Jira and LAMP
Does the job okay...
Pro:
• Utilizes our Apache Kerberos voodoo
• Works quite stably...
Con:
• Pretty complicated piece of custom SW
• Awkward cron job
• Utilizes some deprecated legacy stuff
• ...sometimes not reliable, hard to debug
• External Jira clients hard or impossible to use
10. Confluence and native kerberization
Least complicated in theory
• No proxy
• Directly call Tomcat
• Kerberos via SPNEGO
• Custom http authenticator
• Some manual keytab handling
• AD sync via Python cron
  • Groups + users + membership
11. Confluence and native kerberization
Least complicated in theory
Pro:
• Simple design
• Feels like „we tamed the monster“
Con:
• We could only reproduce it once
• All other instances refused to work
• Customized SPNEGO lib
• Auth errors nearly impossible to debug
12. Proxy Solution
Most efficient way for us in practice
• Apache does Kerberos auth
• Apache reverse proxy
• Rewrite rules + write header
• Custom http authenticator
• AD sync via standard AD directory
13. Proxy Solution
Most efficient way for us in practice
Pro:
• Reuse of given Apache expertise
• Reuse of http authenticator
• Little application customizing
• Easy handling of SSL
• No custom AD synchronization
• Least customized stack
Con:
• AD/LDAP config is a pain
• Hard to find the right vhost configuration
15. Proxy Solution
Most efficient way for us in practice
...
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER "%{RU}e" env=RU
...
<Location />
    AuthType Kerberos
    AuthName confluence_%_user
    Krb5Keytab /var/lib/cfg-apache/keytab.http_xyz.nue.bigpoint.net
    KrbServiceName HTTP/xyz.nue.bigpoint.net
    ...
    KrbAuthRealm BIGPOINT.LOCAL
    KrbMethodNegotiate on
    KrbSaveCredentials on
    KrbVerifyKDC off
    AuthDBMGroupFile /var/lib/cfg-apache/dbmadgroups
    Require group confluence_%_user
    Order deny,allow
    Deny from all
    Allow from xx.xx.xx.xx 127.0.0.1
    Satisfy any
</Location>
...

<VirtualHost 0.0.0.0:80>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>

<VirtualHost 0.0.0.0:8080>
    RewriteEngine On
    RewriteRule /.* https://confluence-test2.bigpoint.net$0 [R]
    ProxyPass ajp://localhost/
    Include "/etc/apache2/vhost-override.d/"
</VirtualHost>
21. Proxy Solution
Most efficient way for us in practice
<Server port="8001" shutdown="SHUTDOWN" debug="0" address="127.0.0.1">
<Service name="Tomcat-Standalone">
<Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
<Engine name="Standalone" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
<Manager pathname="" />
</Context>
</Host>
</Engine>
</Service>
</Server>
22. Proxy Solution
Most efficient way for us in practice
public class RemoteUserAuthenticator extends ConfluenceAuthenticator {
...
public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
...
String remoteUser = request.getHeader("remote_user");
...
Principal user = getUser(remoteUser);
...
// Modify session signaling that we are authenticated now.
request.getSession().setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
request.getSession().setAttribute(DefaultAuthenticator.LOGGED_OUT_KEY, null);
log.debug("Logged in via SSO with User " + remoteUser);
return user;
}
}
https://github.com/Bigpoint/remoteuser-confluence-authenticator
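The REMOTE_USER hand-off on slides 15, 21 and 22 trusts a header that only the proxy may set, so two things have to hold: the AJP connector must be reachable by nobody but the proxy, and the proxy must never forward a REMOTE_USER header it did not set itself. The following linter is an added example, not code from the slides or from the Bigpoint project; it checks a server.xml and an Apache fragment for exactly those settings, the sample inputs are trimmed copies of the slide configs, and the hardened variants and the secret value are assumptions.

```python
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_findings(server_xml):
    """Return issues for AJP connectors other hosts could reach or that carry no secret.
    Note: address= on <Server> (slide 21) only binds the shutdown port, not the connector."""
    out = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port")
        if conn.get("address") not in LOOPBACK:
            out.append("AJP %s not bound to loopback" % port)
        # Tomcat 8.5.51+/9.0.31+ use 'secret'; older releases use 'requiredSecret'
        if not (conn.get("secret") or conn.get("requiredSecret")):
            out.append("AJP %s without shared secret" % port)
    return out


def header_findings(apache_conf):
    """Return issues in the header hand-off: a REMOTE_USER that is only set on
    success (env=RU) but never cleared, and KDC verification switched off."""
    out = []
    flags = re.M | re.I
    cond_set = re.search(r"^\s*RequestHeader\s+set\s+REMOTE_USER\b.*\benv=", apache_conf, flags)
    unset = re.search(r"^\s*RequestHeader\s+unset\s+REMOTE_USER\b", apache_conf, flags)
    if cond_set and not unset:
        out.append("REMOTE_USER only set when env=RU; add 'RequestHeader unset REMOTE_USER' before it")
    if re.search(r"^\s*KrbVerifyKDC\s+off\b", apache_conf, flags):
        out.append("KrbVerifyKDC off: service tickets are not checked against the keytab")
    return out


# Trimmed copy of the server.xml on slide 21 (constructed sample input)
SERVER_XML = """<Server port="8001" shutdown="SHUTDOWN" address="127.0.0.1">
  <Service name="Tomcat-Standalone">
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" packetSize="20000" />
  </Service>
</Server>"""
# Two lines taken from the Apache config on slide 15 (constructed sample input)
APACHE_CONF = 'RequestHeader set REMOTE_USER "%{RU}e" env=RU\nKrbVerifyKDC off\n'
# Hardened variants (assumed fixes, not from the slides); the secret value is a placeholder
HARDENED_XML = SERVER_XML.replace('port="8009"', 'port="8009" address="127.0.0.1" secret="CHANGE-ME"')
HARDENED_CONF = "RequestHeader unset REMOTE_USER\n" + APACHE_CONF.replace("off", "on")

if __name__ == "__main__":
    print(ajp_findings(SERVER_XML) + header_findings(APACHE_CONF))
    print(ajp_findings(HARDENED_XML) + header_findings(HARDENED_CONF))  # prints []
```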
23. Proxy Solution
Most efficient way for us in practice
"ldap.group.filter": "(&(objectCategory=Group)(|(cn=confluence*)(cn=balsamiq*)(cn=AllEmployees)))"
...
"ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
25. Next Steps
We are not there yet...
• Test instances – done
• Confluence production – done
• Jira production + reverse proxy – todo
• Jira production + AD – todo
• Integrate production instances – todo
• Better understanding of AD integration – todo
• In general
  • Better automation would be great (e.g. Chef)