From fa967f79b5fa0eb42374185a7a0c513ef6eefc24 Mon Sep 17 00:00:00 2001 From: Lubomír Sedlář Date: Sep 13 2022 10:38:20 +0000 Subject: Ignore existing kerberos ticket for CTS auth When there is an existing kerberos ticket, it gets precedence over the environment variable with path to a keytab. That is not expected and the user ticket can possibly lack permissions in CTS to be able to run the compose successfully. This patch fixes that by setting KRB5CCNAME to a fresh path. That way there will not be any valid ticket, since the credentials cache does not exist yet. JIRA: RHELCMP-9742 Signed-off-by: Lubomír Sedlář
---
diff --git a/pungi/compose.py b/pungi/compose.py
index e289a7a..88ef7f6 100644
--- a/pungi/compose.py
+++ b/pungi/compose.py
@@ -102,6 +102,7 @@ def get_compose_info(
 if "$HOSTNAME" in cts_keytab:
 cts_keytab = cts_keytab.replace("$HOSTNAME", socket.gethostname())
 os.environ["KRB5_CLIENT_KTNAME"] = cts_keytab
+ os.environ["KRB5CCNAME"] = "DIR:%s" % tempfile.mkdtemp()
 try:
 # Create compose in CTS and get the reserved compose ID.
@@ -116,6 +117,7 @@ def get_compose_info(
 rv.raise_for_status()
 finally:
 if cts_keytab:
+ shutil.rmtree(os.environ["KRB5CCNAME"].split(":", 1)[1])
 os.environ.clear()
 os.environ.update(environ_copy)
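Review bot: The path returned by `tempfile.mkdtemp()` on the added line is kept only inside the `KRB5CCNAME` string, so the later cleanup has to parse it back out of `os.environ` and depends on nothing having changed that variable in between. Holding it in a local makes the cleanup independent of the environment: `ccache_dir = tempfile.mkdtemp()` followed by `os.environ["KRB5CCNAME"] = "DIR:%s" % ccache_dir`. The line also deserves a short comment recording why it exists, for example `# Fresh, empty credential cache so an existing user ticket cannot take precedence over the keytab.` No import change is visible in this patch, so confirm that `tempfile` and `shutil` are already imported in `pungi/compose.py`; the enclosing function starts and ends outside the hunk.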
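Review bot: In the `finally` block the added `shutil.rmtree(...)` runs before `os.environ.clear()` and `os.environ.update(environ_copy)`, so if removing the directory raises, the process keeps `KRB5_CLIENT_KTNAME` and the temporary `KRB5CCNAME`, and the new error replaces any exception already propagating from the CTS request. Restoring the environment first keeps that guarantee: read `ccache_dir = os.environ["KRB5CCNAME"].split(":", 1)[1]` before `os.environ.clear()`, and call `shutil.rmtree(ccache_dir)` after `os.environ.update(environ_copy)`. The cache directory presumably holds the ticket obtained from the keytab, so a failed removal is worth logging rather than silently ignoring. The function body continues outside the hunk.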