#2151 koji-gc: support request_kerberos
Merged 3 years ago by tkopecek. Opened 3 years ago by tkopecek.
tkopecek/koji issue2143  into  master

file modified
+3 -40
@@ -30,11 +30,6 @@ 

  import koji.policy

  from koji.util import LazyDict, LazyValue, to_list

  

- try:

-     import krbV

- except ImportError:  # pragma: no cover

-     krbV = None

- 

  

  def _(args):

      """Stub function for translation"""
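Review bot: with the `krbV` import removed here, every remaining reference to that name has to go in the same patch; `has_krb_creds()` and the `except krbV.Krb5Error` handler in `activate_session` are dropped later in this diff, but the `except socket.error` handler in `activate_session` is removed as well, so check whether `socket` is still used anywhere else in koji-gc, otherwise that import is now dead and should be removed too.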
@@ -51,14 +46,6 @@ 

                        help=_("use alternate configuration file"))

      parser.add_option("--keytab", help=_("specify a Kerberos keytab to use"))

      parser.add_option("--principal", help=_("specify a Kerberos principal to use"))

-     parser.add_option("--krbservice", default="host",

-                       help=_("the service name of the principal being used by the hub"))

-     parser.add_option("--krb-rdns", action="store_true", default=False,

-                       help=_("get reverse dns FQDN for krb target"))

-     parser.add_option("--krb-canon-host", action="store_true", default=False,

-                       help=_("get canonical hostname for krb target"))

-     parser.add_option("--krb-server-realm",

-                       help=_("the realm of server Kerberos principal"))

      parser.add_option("--runas", metavar="USER",

                        help=_("run as the specified user (requires special privileges)"))

      parser.add_option("--user", help=_("specify user"))
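Review bot: dropping `--krbservice`, `--krb-rdns`, `--krb-canon-host` and `--krb-server-realm` is a user-visible CLI change that nothing in the patch documents; the koji-gc man page and the release notes should state that these options are gone, since any cron job or wrapper script still passing them will now fail with an optparse "no such option" error. Accepting them for one release and warning that they are ignored would make the upgrade less abrupt.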
@@ -137,10 +124,6 @@ 

          # name, alias, type

          ['keytab', None, 'string'],

          ['principal', None, 'string'],

-         ['krbservice', None, 'string'],

-         ['krb_rdns', None, 'boolean'],

-         ['krb_canon_host', None, 'boolean'],

-         ['krb_server_realm', None, 'string'],

          ['runas', None, 'string'],

          ['user', None, 'string'],

          ['password', None, 'string'],
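Review bot: removing `krbservice`, `krb_rdns`, `krb_canon_host` and `krb_server_realm` from the config-option table means existing gc.conf files that still set them are no longer read; depending on how the config loader treats unknown keys they will be either silently ignored or rejected, so the sample config and the config documentation should mark them as obsolete in the same change.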
@@ -368,18 +351,6 @@ 

                 (ret, koji.API_VERSION)))

  

  

- def has_krb_creds():

-     if krbV is None:

-         return False

-     try:

-         ctx = krbV.default_context()

-         ccache = ctx.default_ccache()

-         ccache.principal()

-         return True

-     except krbV.Krb5Error:

-         return False

- 

- 

  def activate_session(session):

      """Test and login the session is applicable"""

      global options
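Review bot: `has_krb_creds()` was the only check that a usable ticket cache actually exists before a Kerberos login is attempted; after this removal the decision in `activate_session` rests on `koji.requests_kerberos`, which only says the library could be imported. That is acceptable only if the login call that follows reports a missing or unusable credential clearly instead of letting the exception escape, which is worth verifying in the last hunk.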
@@ -392,17 +363,9 @@ 

      elif options.user:

          # authenticate using user/password

          session.login()

-     elif has_krb_creds() or (options.keytab and options.principal):

-         try:

-             if options.keytab and options.principal:

-                 session.krb_login(principal=options.principal, keytab=options.keytab,

-                                   proxyuser=options.runas)

-             else:

-                 session.krb_login(proxyuser=options.runas)

-         except krbV.Krb5Error as e:

-             error(_("Kerberos authentication failed: %s (%s)") % (e.args[1], e.args[0]))

-         except socket.error as e:

-             warn(_("Could not connect to Kerberos authentication service: '%s'") % e.args[1])

+     elif koji.requests_kerberos:

+         session.gssapi_login(principal=options.principal, keytab=options.keytab,

+                           proxyuser=options.runas)

      if not options.noauth and not session.logged_in:

          error(_("Error: unable to log in, no authentication methods available"))

      ensure_connection(session)
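Review bot: the new `elif koji.requests_kerberos:` branch drops the try/except that wrapped the old `krb_login` call, so a failed GSSAPI login now escapes as a raw traceback (`koji.AuthError: unable to obtain a session`, exactly as in the report below) instead of the `error(_("Kerberos authentication failed: ..."))` message the old code printed; wrap the call as `try: session.gssapi_login(...) except koji.AuthError as e: error(_("GSSAPI authentication failed: %s") % e)` so this path fails as readably as the password path. Also note that the branch is taken whenever the library is importable rather than when credentials exist, so a user with neither a ticket cache nor `--keytab`/`--principal` will hit that exception and never reach the "no authentication methods available" message below.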

LGTM at first glance.

Any ideas why it might not work?

20/04/15 16:12:25 rack-na/koji, Infrastructure NA1 INTGDC (id 801)
[root@koji:~] koji --keytab /etc/krb5.keytab --principal host/koji.int.na.intgdc.com@INTGDC.COM hello
bună ziua, host/koji.int.na.intgdc.com!

You are using the hub at https://koji.intgdc.com/kojihub
Authenticated via GSSAPI

20/04/15 16:12:28 rack-na/koji, Infrastructure NA1 INTGDC (id 801)
[root@koji:~] koji-gc --keytab /etc/krb5.keytab --principal host/koji.int.na.intgdc.com@INTGDC.COM --purge -n
Traceback (most recent call last):
  File "/sbin/koji-gc", line 936, in <module>
    rv = main(args)
  File "/sbin/koji-gc", line 402, in main
    activate_session(session)
  File "/sbin/koji-gc", line 351, in activate_session
    session.krb_login(principal=options.principal, keytab=options.keytab, proxyuser=options.runas)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2310, in krb_login
    if self.gssapi_login(principal, keytab, ccache, proxyuser=proxyuser):
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2467, in gssapi_login
    raise AuthError('unable to obtain a session')
koji.AuthError: unable to obtain a session

Hmm, I'm not able to reproduce it. Can you try debug mode (-d)? Or

KRB5_TRACE=/dev/stdout koji-gc --keytab /etc/krb5.keytab --principal host/koji.int.na.intgdc.com@INTGDC.COM -n
[16208] 1587033759.561401: Requesting TGT krbtgt/FEDORAPROJECT.ORG@INTGDC.COM using TGT krbtgt/INTGDC.COM@INTGDC.COM

Hmm, why does it use FEDORAPROJECT.ORG there?

Ugh, just realized that gc.conf had the wrong hub URL.

This PR looks good!

@tkopecek just one thing, koji does not seem to create the trashcan tag by default...

No, we don't create it. Some people are not using kojira at all, so such a tag doesn't make any sense for them. But we should emphasize it in the kojira docs.

Hmm, is koji-gc automatically called from kojira?

ouch, s/kojira/koji-gc/g

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

3 years ago

When the service first starts up, we could add some pre-flight checks to make this easier for new users:

  • Verify that the user account has the correct permissions
  • Ensure the "trashcan" tag exists

And if these pre-flight checks fail, immediately stop the daemon with a human-readable error message that describes the problem and the remedy.
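The pre-flight checks proposed above, as an added example rather than code from this PR or the koji project. It calls the hub's `getPerms()` and `getTag()` methods on a logged-in session; the set of required permission names is a placeholder, since the page does not list which permissions koji-gc needs beyond `admin`, and `FakeSession` is a constructed stand-in so the block runs offline.

```python
import sys

# Assumption: the page does not say which permissions koji-gc needs, so this
# placeholder set should be adjusted by the operator.
REQUIRED_PERMS = ("admin",)
TRASHCAN_TAG = "trashcan"


def preflight_checks(session, required_perms=REQUIRED_PERMS, trashcan=TRASHCAN_TAG):
    """Return a list of human-readable problems; an empty list means all checks passed.

    session is expected to behave like a logged-in koji.ClientSession:
    getPerms() returns the caller's permission names and getTag(name) returns
    the tag info dict, or None when the tag does not exist.
    """
    problems = []
    missing = sorted(set(required_perms) - set(session.getPerms()))
    if missing:
        problems.append(
            "user lacks permission(s) %s; grant them with "
            "'koji grant-permission <perm> <user>'" % ", ".join(missing))
    if session.getTag(trashcan) is None:
        problems.append(
            "tag '%s' does not exist; create it with 'koji add-tag %s'"
            % (trashcan, trashcan))
    return problems


def run_preflight_or_exit(session):
    """Stop the daemon with a readable message if any pre-flight check fails."""
    problems = preflight_checks(session)
    for problem in problems:
        sys.stderr.write("koji-gc pre-flight check failed: %s\n" % problem)
    if problems:
        sys.exit(1)


class FakeSession(object):
    """Constructed stand-in for a koji session, only for running this example offline."""

    def __init__(self, perms, tags):
        self.perms = list(perms)
        self.tags = set(tags)

    def getPerms(self):
        return list(self.perms)

    def getTag(self, name):
        return {"name": name} if name in self.tags else None
```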

I've tested this PR, and koji-gc can successfully authenticate with a keytab in my environment.

:thumbsup: I've created #2190 for the trashcan tag and extended #2189 for the permission check (it is not that easy, as koji-gc requires more permissions than just the admin one).

@tkopecek do we still want krbV in koji-utils, as https://pagure.io/koji/issue/1906 has been applied to the CLI?

@julian8628 Makes sense, let's drop it from here.

1 new commit added

  • replace krb_login with gssapi_login
3 years ago

Metadata Update from @jcupova:
- Pull-request tagged with: testing-done

3 years ago

Commit 8f2d02c fixes this pull-request

Pull-Request has been merged by tkopecek

3 years ago

I've tested this in a Kerberos environment and koji-gc can authenticate and run without error.