Skip to content

Rename kerberos_spnego omniauth provider to kerberos

Marin Hannache requested to merge mareo/gitlab:rename-kerberos-spnego-provider into master

What does this MR do and why?

Fixes #241318 (closed) #344071

As discussed in #241318 (comment 409272802), the kerberos_spnego provider was introduced while the old password-based kerberos provider was still available (it has since been removed in %15.0). The introduction of this new provider made Kerberos support unusable for new users because :

  • it brokes the creation of new account when logging in with a new Kerberos principal (#344071)
  • it brokes the addition of new Kerberos identities to users via the admin interface or the account tab of the user profile section (#241318 (closed))

Only existing identities linked to the kerberos provider were still functionning, the only way to add new identities was for an operator to use the rails console or insert entries directly into the database.

This MR:

  1. removes the last remnant of the old kerberos provider, mainly logic related to the Kerberos tab containing fields to input a Kerberos principal and a password on the sign in page.
  2. renames the kerberos_spnego provider to kerberos, fixing issues related to the provider name discrepancy introduced by a hack that was added to maintain compatibility with the old kerberos
  3. fixes the missing icon on the Kerberos auth button.

This MR does not include a database migration to rename or remove the existing kerberos_spnego identities: due to #241318 (closed), the kerberos_spnego identities never worked, they can be safely ignored. Reassigning these identities to the kerberos provider might cause collision with existing identities.

This MR invalidates the instruction in the Kerberos documentation to migrate from the old password-based kerberos provider to the new SPNEGO-based one. This section could be removed since migrating to the ticket-based provider now only requires to setup a keytab, there is no need to remove or rename the kerberos provider in omniauth settings anymore.

Screenshots or screen recordings

gitlab-kerberos

How to set up and validate locally

  1. Setup Kerberos on the GitLab instance (see https://docs.gitlab.com/ee/integration/kerberos.html and GDK Kerberos Howto
  2. Get a TGT
  3. Click the Kerberos auth button

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marin Hannache

Merge request reports