#1991 Remove deprecated krbV code
Closed: Fixed 3 years ago by mikem. Opened 4 years ago by tkopecek.

#1906 deprecated usage of krb code, this issue should remove it finally.


Metadata Update from @tkopecek:
- Custom field Size adjusted to None

3 years ago

Metadata Update from @jcupova:
- Issue tagged with: testing-ready

3 years ago

Metadata Update from @mfilip:
- Issue untagged with: testing-ready

3 years ago

The 'Testing ready' tag was temporarily removed because of a conflict in the QE build. It will be tagged again soon.

Metadata Update from @jcupova:
- Issue tagged with: testing-ready

3 years ago

Metadata Update from @jcupova:
- Issue untagged with: testing-ready
- Issue tagged with: no_qe

3 years ago

Metadata Update from @jcupova:
- Issue untagged with: no_qe
- Issue tagged with: testing-ready

3 years ago

My first concern is that we need to be careful with RHEL6. I see that python-requests-kerberos is available there via EPEL. Testing for this should include verifying kerberos auth for a client still works in such an environment.

Second, we should preserve krb_login() as a wrapper for gssapi_login(). I know of a bunch of old scripts that call this, and there are probably a bunch more that I don't know about.

Third, I'm a little concerned about removing some of the krb* configuration values. While the current code does not check them anymore, it's a little unclear (e.g. #2250) whether we can/should try to honor some of them with the gssapi code.

Third, part two. Some of our code will error if the config contains an unknown option (e.g. kojid, kojira, kojivmd). Perhaps this is appropriate here if the option means something that can no longer be honored, but I do wonder if we want something like the legacy_opts check in kojira.

Third, part 3. OTOH, the removal of these options isn't quite complete. The koji-sidetag-cleanup and koji-shadow scripts still have cmdline options like --krb-canon-host, --krb-server-realm, and --krb-rdns.
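
The compatibility concerns in the comment above (keeping krb_login() as a wrapper for gssapi_login(), and a legacy_opts-style check for removed krb* options) shown as an added example; it is not part of the original ticket and not Koji's own code. The Session class, the option tables and the krb_* config names (inferred from the --krb-* flags quoted above) are assumptions.

```python
import configparser
import warnings

# Hypothetical option sets; the krb_* names mirror the --krb-* flags quoted above.
KNOWN_OPTS = {"server": str, "principal": str, "keytab": str}
LEGACY_OPTS = {"krb_rdns", "krb_canon_host", "krb_server_realm"}


def load_options(text, section="daemon"):
    """Parse INI text: accept known options, warn on legacy ones, reject the rest."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    opts, ignored = {}, []
    for name in parser.options(section):
        if name in KNOWN_OPTS:
            opts[name] = KNOWN_OPTS[name](parser.get(section, name))
        elif name in LEGACY_OPTS:
            # No longer honored: tell the admin instead of refusing to start.
            warnings.warn("option %s is no longer used" % name, DeprecationWarning)
            ignored.append(name)
        else:
            # A typo in an auth-related option must not pass silently.
            raise ValueError("unknown config option: %s" % name)
    return opts, sorted(ignored)


class Session:
    """Stand-in for a client session (hypothetical, not koji.ClientSession)."""

    def gssapi_login(self, principal=None, keytab=None):
        self.auth = ("gssapi", principal, keytab)
        return True

    def krb_login(self, principal=None, keytab=None, **legacy_kwargs):
        # Old entry point kept as a thin wrapper so existing scripts keep working.
        warnings.warn("krb_login is deprecated, use gssapi_login", DeprecationWarning)
        return self.gssapi_login(principal=principal, keytab=keytab)


# Constructed sample config, not taken from a real deployment.
SAMPLE = """
[daemon]
server = https://hub.example.com/kojihub
principal = host/builder.example.com@EXAMPLE.COM
krb_rdns = false
"""
```

A misspelled option such as `krb_rnds` falls through to the unknown-option branch and raises, while the recognised legacy names only produce a deprecation warning.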

Metadata Update from @mfilip:
- Issue tagged with: testing-done

3 years ago

Notice that rhel6 (builder/utils/client/web) with keytab/principal won't work. There's no python-requests-kerberos-0.9.0+ in el6.

EPEL6 has python-requests-kerberos-0.7.0-2.el6. My request above was to verify that gssapi auth will work on RHEL6+EPEL, which is an easy setup for folks to access.

It works with kinit:

[root@brew-builder-rhel6 ~]# kinit yzhu@REDHAT.COM
Password for yzhu@REDHAT.COM:
# koji -d hello
2020-07-15 13:59:13,209 [DEBUG] koji: Opening new requests session
2020-07-15 13:59:13,220 [DEBUG] koji: Opening new requests session
successfully connected to hub
tervehdys, yzhu!

You are using the hub at https://brewhub.host.qe.eng.pek2.redhat.com/brewhub
Authenticated via GSSAPI

but doesn't work with keytab:

# koji -d hello
2020-07-15 14:01:29,039 [DEBUG] koji: Opening new requests session
2020-07-15 14:01:29,048 [DEBUG] koji: Opening new requests session
Traceback (most recent call last):
  File "/usr/bin/koji", line 337, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python2.6/site-packages/koji_cli/commands.py", line 7387, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python2.6/site-packages/koji_cli/lib.py", line 682, in activate_session
    proxyuser=runas)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 2497, in gssapi_login
    'python-requests-gssapi >= 0.9.0 required for '
ImportError: python-requests-gssapi >= 0.9.0 required for keytab auth

It shows python-requests-gssapi because of https://pagure.io/koji/pull-request/2280

Metadata
Related Pull Requests
  • #2244 Merged 3 years ago