#1906 deprecated usage of krb code, this issue should remove it finally.
PR #2244
Metadata Update from @tkopecek: - Custom field Size adjusted to None
Metadata Update from @jcupova: - Issue tagged with: testing-ready
Metadata Update from @mfilip: - Issue untagged with: testing-ready
'Testing ready' tag was temporarily removed because of conflict in QE build. Will be tagged again soon
Metadata Update from @jcupova: - Issue untagged with: testing-ready - Issue tagged with: no_qe
Metadata Update from @jcupova: - Issue untagged with: no_qe - Issue tagged with: testing-ready
My first concern is that we need to be careful with RHEL6. I see that python-requests-kerberos is available there via EPEL. Testing for this should include verifying kerberos auth for a client still works in such an environment.
Second, we should preserve krb_login() as a wrapper for gssapi_login(). I know of a bunch of old scripts that call this, and there are probably a bunch more that I don't know about.
Third, I'm a little concerned about removing some of the krb* configuration values. While the current code does not check them anymore, it's a little unclear (e.g. #2250) whether we can/should try to honor some of them with the gssapi code.
Third, part two. Some of our code will error if the config contains an unknown option (e.g. kojid, kojira, kojivmd). Perhaps this is appropriate here if the option means something that can no longer be honored, but I do wonder if we want something like the legacy_opts check in kojira.
Third, part 3. OTOH, the removal of these options isn't quite complete. The koji-sidetag-cleanup and koji-shadow scripts still have cmdline options like --krb-canon-host, --krb-server-realm, and --krb-rdns.
Metadata Update from @mfilip: - Issue tagged with: testing-done
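Added example, not part of the ticket and not Koji's code: a sketch of the two compatibility points raised in the review comment above, keeping krb_login() as a deprecated wrapper for gssapi_login() and tolerating retired krb* options with a warning while still rejecting unknown ones. The Session class, check_options(), both option sets, and the krb_* config spellings (derived from the --krb-* flags named above) are assumptions.

```python
import warnings

# Assumed config-file spellings of the --krb-* flags named in the thread.
LEGACY_OPTS = {"krb_canon_host", "krb_server_realm", "krb_rdns"}
# Constructed sample of options the program still understands.
KNOWN_OPTS = {"server", "principal", "keytab"}


def check_options(items):
    """Split parsed (name, value) pairs into accepted options and ignored legacy names."""
    accepted, ignored = {}, []
    for name, value in items:
        if name in KNOWN_OPTS:
            accepted[name] = value
        elif name in LEGACY_OPTS:
            # Old configs keep loading, but the operator is told the setting has no effect.
            ignored.append(name)
            warnings.warn("option %s is no longer honored and was ignored" % name,
                          DeprecationWarning, stacklevel=2)
        else:
            # A typo in an auth setting must not be dropped silently.
            raise ValueError("unknown option: %s" % name)
    return accepted, ignored


class Session(object):
    """Hypothetical stand-in for a client session; not koji.ClientSession."""

    def gssapi_login(self, principal=None, keytab=None, proxyuser=None):
        # Placeholder for the real GSSAPI handshake: record what was requested.
        self.auth = ("gssapi", principal, keytab, proxyuser)
        return True

    def krb_login(self, principal=None, keytab=None, proxyuser=None):
        """Deprecated entry point kept so that old scripts keep working."""
        warnings.warn("krb_login() is deprecated, use gssapi_login()",
                      DeprecationWarning, stacklevel=2)
        return self.gssapi_login(principal=principal, keytab=keytab, proxyuser=proxyuser)
```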
Notice that rhel6 (builder/utils/client/web) with keytab/principal won't work. There's no python-requests-kerberos-0.9.0+ in el6.
EPEL6 has python-requests-kerberos-0.7.0-2.el6. My request above was to verify that gssapi auth will work on RHEL6+EPEL, which is an easy setup for folks to access.
It works with kinit:
[root@brew-builder-rhel6 ~]# kinit yzhu@REDHAT.COM
Password for yzhu@REDHAT.COM:
# koji -d hello
2020-07-15 13:59:13,209 [DEBUG] koji: Opening new requests session
2020-07-15 13:59:13,220 [DEBUG] koji: Opening new requests session
successfully connected to hub
tervehdys, yzhu!
You are using the hub at https://brewhub.host.qe.eng.pek2.redhat.com/brewhub
Authenticated via GSSAPI
but doesn't work with keytab
# koji -d hello
2020-07-15 14:01:29,039 [DEBUG] koji: Opening new requests session
2020-07-15 14:01:29,048 [DEBUG] koji: Opening new requests session
Traceback (most recent call last):
  File "/usr/bin/koji", line 337, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python2.6/site-packages/koji_cli/commands.py", line 7387, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python2.6/site-packages/koji_cli/lib.py", line 682, in activate_session
    proxyuser=runas)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 2497, in gssapi_login
    'python-requests-gssapi >= 0.9.0 required for '
ImportError: python-requests-gssapi >= 0.9.0 required for keytab auth
It shows python-requests-gssapi because of https://pagure.io/koji/pull-request/2280
Commit 9063f33 fixes this issue
Commit f8419e3 fixes this issue