#1 Raise Python error if error is returned from krb5 functions
Closed 5 years ago Opened 5 years ago by cqi.

It would benefit the caller to know why it can't get the realm from the credential cache.


Which error case are you most interested in?

if(krb5_cc_get_principal) happens when a credential has expired, so there is actually no credential left as it was cleaned up but the cache itself wasn't yet (so this happens during regular use).

if(krb5_unparse_name_flags) is the only real error that doesn't return an exception. I'll make sure that that gets fixed indeed.

I can also add an explicit "check if credential is expired" function.

Which error case are you most interested in?

From rpkg's point of view, I care about whether the credential cache is initialized and whether it is expired. Generally, it could raise an error once each krb5 function returns an error code internally. The error code could be exposed within the error object so that the caller is able to determine what error it is and then take corresponding actions.

For instance, get_user_for_realm returns None. If this is because of an error, it would be better to raise an error instead of returning None.

$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
$ ipython
In [1]: import cccolutils
In [2]: print cccolutils.get_user_for_realm('EXAMPLE.COM')
None

Well, in the case you showed, that's because there are no current credentials (aka, you have no credentials at all).
This is not an error as far as I understand, and there are no kerberos errors: the collection is just empty, which means the for() loop will just end immediately.

Do you mean you want a different output between "there are no caches" and "there are caches, but none with the correct realm"?

Note that in the cases where I get an error code back from krb5 I do throw a RuntimeError.
I can change this into making/using another error and/or add the krb error code in an argument.

Can cccolutils also work on non cache collection? I tried to kinit without using a cache collection and then called get_user_for_realm, and it was able to get the user name from the principal.

Do you mean you want a different output between "there are no caches" and "there are caches, but none with the correct realm"?

Yes.

Can cccolutils also work on non cache collection? I tried to kinit without using a cache collection and then called get_user_for_realm, and it was able to get the user name from the principal.

It's weird, I cannot replicate it. Probably related to an unclean environment. Anyway, can you help confirm this? :)

This can be closed.

@puiterwijk changed the status to Closed

5 years ago
