Bug 1455425 - replace python-krbV usage with something better maintained
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: general
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: 27.0
Assignee: Martin Styk
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks: 1455424
Reported: 2017-05-25 06:30 UTC by Dan Callaghan
Modified: 2019-04-11 07:50 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-11 07:50:54 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Beaker Project Gerrit 6458 0 'None' MERGED Switch from cracklib to pwquality 2020-01-31 13:30:45 UTC

Description Dan Callaghan 2017-05-25 06:30:56 UTC
Currently python-krbV works but is basically unmaintained. In particular it has not been ported to Python 3 which means our usage of it blocks porting the bkr client to Python 3 (bug 1455424).

The preferred alternative is python-kerberos, originally from CalendarServer, forked by Apple, then abandoned, and lately resurrected by Apple.

However python-kerberos does not expose all of the Kerberos API. In particular it lacks support for kinit operations.

The other alternative is python-gssapi. For example FreeIPA switched from python-krbV to python-gssapi a few years ago:
https://pagure.io/freeipa/c/aad73fad601f576dd83b758f4448839b4e8e87df

python-gssapi wraps GSSAPI, not Kerberos directly, but the operations we need on the client side are exposed well enough that we can switch to it. python-gssapi ships in RHEL7, but not RHEL6 (we would need to supply our own build for RHEL6).

Comment 1 Dan Callaghan 2017-05-25 06:34:14 UTC
I would feel more comfortable doing this if we also had the dogfood tests covering Kerberos: bug 1275493. Currently the tests all use password authentication and all this Kerberos-related code is never exercised except by manual testing (and every single one of our internal users every day, of course).

Comment 2 Dan Callaghan 2017-05-25 07:39:03 UTC
I got python-gssapi built for RHEL6, and whipped up a patch to switch over the client pieces (actually the LC too since it shares that code) while I was procrastinating some other stuff this afternoon.

https://gerrit.beaker-project.org/5701

However I think I have hit a snag... When using keytab for authentication, on RHEL6 it fails like this (works on RHEL7):

Traceback (most recent call last):
[...]
  File "/home/dcallagh/work/beaker/Common/bkr/common/hub.py", line 161, in _login_krbv
    creds = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.6/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.6/site-packages/gssapi/creds.py", line 140, in acquire
    raise NotImplementedError("Your GSSAPI implementation does "
NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores

And indeed I see during the build of python-gssapi that it warns me some GSSAPI extensions are not supported, I guess due to the quite old krb5 libraries in RHEL6:

Skipping the cred_store extension because it is not supported by your GSSAPI implementation...
Skipping the cred_imp_exp extension because it is not supported by your GSSAPI implementation...
Skipping the iov_mic extension because it is not supported by your GSSAPI implementation...
Skipping the rfc6680_comp_oid extension because it is not supported by your GSSAPI implementation...
Skipping the password_add extension because it is not supported by your GSSAPI implementation...

So I think this is effectively stalled until the client is no longer supported on RHEL6...

Comment 3 Dan Callaghan 2017-05-25 07:40:52 UTC
Oh and it's actually worse than that, since this code is called by the LC as well. This is stalled until *all* of Beaker is off RHEL6 and onto RHEL7.
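
An added example, not code from the Beaker patch: one way to probe for the cred_store extension before attempting the keytab login that fails in comment 2, so the caller gets a clear error instead of NotImplementedError deep inside python-gssapi. The function names are hypothetical; the store keys `client_keytab` and `ccache` are MIT krb5 credential-store keys assumed here, since the page does not show the contents of `store`.

```python
"""Probe for the GSSAPI cred_store extension before a keytab login."""
import importlib.util
import os


def cred_store_supported():
    """Return True if python-gssapi was built with the cred_store extension."""
    try:
        # python-gssapi only ships this module when the extension compiled.
        spec = importlib.util.find_spec("gssapi.raw.ext_cred_store")
    except ImportError:  # python-gssapi itself is missing or unloadable
        return False
    return spec is not None


def build_store(keytab, ccache=None):
    """Build the credential-store mapping for an initiator keytab login."""
    if not os.path.isabs(keytab):
        # A relative path would resolve against whatever the cwd happens to be.
        raise ValueError("keytab path must be absolute: %r" % keytab)
    store = {"client_keytab": "FILE:" + keytab}
    if ccache:
        store["ccache"] = ccache
    return store


def acquire_from_keytab(principal, keytab, ccache=None):
    """Acquire initiator credentials, failing early if store= cannot work."""
    if not cred_store_supported():
        raise RuntimeError(
            "this GSSAPI build lacks the cred_store extension; "
            "keytab login via store= is unavailable")
    import gssapi  # imported late so the probe works without the library
    name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
    return gssapi.Credentials(name=name, store=build_store(keytab, ccache),
                              usage="initiate")
```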

Comment 4 georgeevelyn 2018-10-05 10:26:14 UTC
python-krbV has no python3 support, so its renewal helps projects move to python3. pykerberos is a very minimum execution calculated for use in calendar server and not intended for consumption by other applications. If you have the issue with your Apple device you may contact https://www.appletechnicalsupportnumbers.com/

