PR#1563: use gssapi if correct python-requests-kerberos is available - fm-orchestrator

fm-orchestrator

#1563 use gssapi if correct python-requests-kerberos is available

Merged 4 years ago by mprahl. Opened 4 years ago by breilly.

breilly/fm-orchestrator gssapiauth into master

use gssapi if correct python-requests-kerberos is available

Brendan Reilly • 4 years ago

c349946

module_build_service/builder/KojiModuleBuilder.py

file modified

+4 -4

		`@@ -496,17 +496,17 @@`
		`if authtype == "kerberos":`
		`try:`
		`import krbV`
		`+ # We want to create a context per thread to avoid Kerberos cache corruption`
		`+ ctx = krbV.Context()`
		`except ImportError:`
		`- raise RuntimeError(`
		`- "python-krbV must be installed to authenticate with Koji using Kerberos")`
		`+ # If no krbV, we can assume GSSAPI auth is available`
		`+ ctx = None`
		`keytab = getattr(config, "krb_keytab", None)`
		`principal = getattr(config, "krb_principal", None)`
		`if not keytab and principal:`
		`raise ValueError(`
		`"The Kerberos keytab and principal aren't set for Koji authentication")`
		`log.debug(" keytab: %r, principal: %r" % (keytab, principal))`
		`- # We want to create a context per thread to avoid Kerberos cache corruption`
		`- ctx = krbV.Context()`
		`# We want to use the thread keyring for the ccache to ensure we have one cache per`
		`# thread to avoid Kerberos cache corruption`
		`ccache = "KEYRING:thread:mbs"`

no initial comment

cqi commented on line 18 of module_build_service/builder/KojiModuleBuilder.py 4 years ago

It might not be a good idea to check this version in the code. Instead, the install_requires or Requires: inside RPM spec should be the good place to limit the version. Or, just depend on the koji package since all the things of what krb_login does is ensured by koji.

cqi commented on line 18 of module_build_service/builder/KojiModuleBuilder.py 4 years ago

I also think it is unnecessary to check if requests_kerberos can be imported. Koji krb_login tries to login via gssapi firstly, if fails, then try the krbV. And parameter ctx of krb_login is ignored when login via gssapi.

What MBS should do here, in the get_session method, is just to provide correct context if krbV is importable. Then, krb_login will handle all the things.

mprahl commented 4 years ago

I also think it is unnecessary to check if requests_kerberos can be imported. Koji krb_login tries to login via gssapi firstly, if fails, then try the krbV. And parameter ctx of krb_login is ignored when login via gssapi.
What MBS should do here, in the get_session method, is just to provide correct context if krbV is importable. Then, krb_login will handle all the things.

I like this approach. @breilly, could you please pursue this?