#1104 Force the use of a separte Kerberos cache per thread
Merged 7 months ago by mprahl. Opened 7 months ago by mprahl.

file modified
-1

@@ -77,7 +77,6 @@ 

      # Settings for Kerberos

      KRB_KEYTAB = None

      KRB_PRINCIPAL = None

-     KRB_CCACHE = None

  

      # AMQ prefixed variables are required only while using 'amq' as messaging backend

      # Addresses to listen to

@@ -41,6 +41,7 @@ 

  """

  

  import pkg_resources

+ import os

  from flask import Flask, has_app_context, url_for

  from flask_sqlalchemy import SQLAlchemy

  from sqlalchemy.pool import StaticPool

@@ -69,6 +70,9 @@ 

  

  conf = init_config(app)

  

+ # We want to use a separate Kerberos cache per thread to avoid Kerberos cache corruption

+ os.environ['KRB5CCNAME'] = 'KEYRING:thread:mbs'

+ 

  

  class MBSSQLAlchemy(SQLAlchemy):

      """
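Review bot: The new line `os.environ['KRB5CCNAME'] = 'KEYRING:thread:mbs'` runs unconditionally at import time, so it silently overrides any KRB5CCNAME an operator set in the service environment, and since the environment is inherited it also applies to every subprocess the service spawns. The `thread` anchor is Linux kernel-keyring specific, and because the cache is per thread, credentials obtained by one thread are presumably not visible from another, so every thread that talks to Koji has to perform its own login. I would extend the comment above the assignment to say so, e.g. `# Linux-only: KEYRING:thread gives each thread its own cache, so each thread must krb_login itself; this overrides any KRB5CCNAME already in the environment.`.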

@@ -463,18 +463,13 @@ 

          authtype = koji_config.authtype

          log.info("Authenticate session with %r.", authtype)

          if authtype == "kerberos":

-             ccache = getattr(config, "krb_ccache", None)

              keytab = getattr(config, "krb_keytab", None)

              principal = getattr(config, "krb_principal", None)

-             log.debug("  ccache: %r, keytab: %r, principal: %r" % (ccache, keytab, principal))

-             if keytab and principal:

-                 koji_session.krb_login(

-                     principal=principal,

-                     keytab=keytab,

-                     ccache=ccache

-                 )

-             else:

-                 koji_session.krb_login(ccache=ccache)

+             if not keytab and principal:

+                 raise ValueError(

+                     "The Kerberos keytab and principal aren't set for Koji authentication")

+             log.debug("  keytab: %r, principal: %r" % (keytab, principal))

+             koji_session.krb_login(principal=principal, keytab=keytab)

          elif authtype == "ssl":

              koji_session.ssl_login(

                  os.path.expanduser(koji_config.cert),
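Review bot: The guard `if not keytab and principal:` parses as `(not keytab) and principal`, so it raises only when the keytab is missing while a principal is set; a missing principal, or both missing, falls through to `koji_session.krb_login(principal=None, keytab=None)`, which previously was handled by the `else` branch logging in against an existing ccache that this commit removes. The error message says both values must be set, so the condition should be `if not (keytab and principal):` (or `if not keytab or not principal:`). The enclosing function begins before this hunk.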

@@ -284,10 +284,6 @@ 

              'type': None,

              'default': None,

              'desc': ''},

-         'krb_ccache': {

-             'type': None,

-             'default': '/tmp/krb5cc_module_build_service',

-             'desc': ''},

          'messaging': {

              'type': str,

              'default': 'fedmsg',

When using a single Kerberos cache that is shared among threads, Koji logins start failing because the cache becomes corrupted. This uses the Linux kernel keyring to store a Kerberos cache per MBS thread.

See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

Pull-Request has been merged by mprahl

7 months ago