Bug 1455425
| Summary: | replace python-krbV usage with something better maintained | ||
|---|---|---|---|
| Product: | [Retired] Beaker | Reporter: | Dan Callaghan <dcallagh> |
| Component: | general | Assignee: | Martin Styk <mastyk> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | tools-bugs <tools-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | ClemEvelyn313, mastyk, mjia |
| Target Milestone: | 27.0 | Keywords: | FutureFeature, Patch |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-04-11 07:50:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1455424 | ||
|
Description
Dan Callaghan
2017-05-25 06:30:56 UTC
I would feel more comfortable doing this if we also had the dogfood tests covering Kerberos: bug 1275493. Currently the tests all use password authentication and all this Kerberos-related code is never exercised except by manual testing (and, every single one of our internal users every day, of course). I got python-gssapi built for RHEL6, and whipped up a patch to switch over the client pieces (actually the LC too since it shares that code) while I was procrastinating some other stuff this afternoon. https://gerrit.beaker-project.org/5701 However I think I have hit a snag... When using keytab for authentication, on RHEL6 it fails like this (works on RHEL7): Traceback (most recent call last): [...] File "/home/dcallagh/work/beaker/Common/bkr/common/hub.py", line 161, in _login_krbv creds = gssapi.Credentials(name=name, store=store, usage='initiate') File "/usr/lib64/python2.6/site-packages/gssapi/creds.py", line 64, in __new__ store=store) File "/usr/lib64/python2.6/site-packages/gssapi/creds.py", line 140, in acquire raise NotImplementedError("Your GSSAPI implementation does " NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores And indeed I see during the build of python-gssapi that it warns me some GSSAPI extensions are not supported, I guess due to the quite old krb5 libraries in RHEL6: Skipping the cred_store extension because it is not supported by your GSSAPI implementation... Skipping the cred_imp_exp extension because it is not supported by your GSSAPI implementation... Skipping the iov_mic extension because it is not supported by your GSSAPI implementation... Skipping the rfc6680_comp_oid extension because it is not supported by your GSSAPI implementation... Skipping the password_add extension because it is not supported by your GSSAPI implementation... So I think this is effectively stalled until the client is no longer supported on RHEL6... Oh and it's actually worse than that, since this code is called by the LC as well. This is stalled until *all* of Beaker is off RHEL6 and onto RHEL7. python-krbV has no python3 support, so its renewal helps projects move to python3. pykerberos is a very minimum execution calculated for use in calendar server and not intended for consumption by other applications. if you have the issue with your Apple device you may contact https://www.appletechnicalsupportnumbers.com/ |