Bug 1472348 - ImportError: Please install python-krbV to use kerberos.
ImportError: Please install python-krbV to use kerberos.
Status: NEW
Product: Fedora
Classification: Fedora
Component: koji (Show other bugs)
26
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Mike McLean
Fedora Extras Quality Assurance
:
: 1472106 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-18 09:57 EDT by Miro Hrončok
Modified: 2018-02-16 10:58 EST (History)
19 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Miro Hrončok 2017-07-18 09:57:01 EDT
Description of problem:
Cannot cancel builds.

Version-Release number of selected component (if applicable):
koji-1.13.0-2.fc26.noarch


How reproducible:
Always

Steps to Reproduce:
1. $ koji cancel 20596638
2. $ sudo dnf install python-krbV

Actual results:
ImportError: Please install python-krbV to use kerberos.

...

Last metadata expiration check: 2:24:52 ago on Tue Jul 18 13:30:20 2017.
Package python-krbV-1.0.90-13.fc26.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!


Expected results:
Cancel the build.
Comment 1 Miro Hrončok 2017-07-19 08:15:19 EDT
Simpler reproducer:

$ koji hello
ImportError: Please install python-krbV to use kerberos.
Comment 2 Miro Hrončok 2017-07-19 08:31:43 EDT
The code in https://pagure.io/koji/blob/master/f/koji/__init__.py#_2089 krb_login() has this:


        if principal is None and keytab is None and ccache is None:
            try:
                # Silently try GSSAPI first
                if self.gssapi_login(proxyuser=proxyuser):
                    return True
            except:
                pass
        if not krbV:
            raise PythonImportError(
                "Please install python-krbV to use kerberos."
            )

Note that this has a bare except which you should never do, the exception there is:

UnboundLocalError('local variable 'sinfo' referenced before assignment')

Note that this happens only sometimes:


$ koji hello
नमस्कार, churchyard!

You are using the hub at https://koji.fedoraproject.org/kojihub
Authenticated via GSSAPI

$ koji hello
<class 'UnboundLocalError'>
local variable 'sinfo' referenced before assignment
ImportError: Please install python-krbV to use kerberos.
Comment 3 Miro Hrončok 2017-07-19 08:38:15 EDT
That's here: https://pagure.io/koji/blob/master/f/koji/__init__.py#_2214

Also, what really causes the issue is this (added tarcebacks print to some places to see those):

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2211, in gssapi_login
    sinfo = self._callMethod('sslLogin', [proxyuser], retry=False)
  File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2420, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2333, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2378, in _sendOneCall
    r = self.rsession.post(handler, **callopts)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 535, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
requests_kerberos.exceptions.MutualAuthenticationError: Unable to authenticate <Response [200]>

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2102, in krb_login
    if self.gssapi_login(proxyuser=proxyuser):
  File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2220, in gssapi_login
    raise AuthError('unable to obtain a session')
koji.AuthError: unable to obtain a session
Comment 4 Mikhail 2017-07-20 07:17:43 EDT
Same for me. but I am can't start building package from scratch.

[mikhail@localhost mutter]$ koji build --scratch f26 mutter-3.24.3-4.fc26.src.rpm
ImportError: Please install python-krbV to use kerberos.
[mikhail@localhost mutter]$ sudo dnf install python-krbV
[sudo] password for mikhail: 
Last metadata expiration check: 1:32:52 ago on Чт 20 июл 2017 14:44:37.
Package python-krbV-1.0.90-13.fc26.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
Comment 5 Mikhail 2017-07-21 16:23:50 EDT
Is there any maintainers here?
How do you build packages from scratch if koji not worked?
Comment 6 Miro Hrončok 2017-07-22 05:25:23 EDT
(In reply to Mikhail from comment #5)
> How do you build packages from scratch if koji not worked?

I so far only needed to scratch build existing Fedora packages, I've used:

    fedpkg build --srpm --scratch

And that worked for me.
Comment 7 Mikhail 2017-07-22 06:58:10 EDT
If I build with koji as you suggest above, my builded package accidentally not push into the Fedora repository?
Comment 8 Miro Hrončok 2017-07-24 06:15:13 EDT
The --scratch option makes sure of that.
Comment 9 Qixiang Wan 2017-07-27 05:34:50 EDT
FYI: I'm working around this with running koji-1.13 with python2:

$ python2 `which koji` cancel <task_id>

It seems "python-krbV is unlikely to ever support python 3" (https://bugzilla.redhat.com/show_bug.cgi?id=1024834). So koji need to switch to an alternative of python-krbV to make it work under python3 with kerberos authentication.
Comment 10 Petr Viktorin 2017-07-27 05:58:21 EDT
FWIW, the recommended alternative to python-krbV is python-gssapi.
Comment 11 Miro Hrončok 2017-07-27 06:16:48 EDT
Note that Koji already uses "from requests_kerberos import HTTPKerberosAuth" and krbV is only used as a fallback if that fails, see comment #3.
Comment 12 Miro Hrončok 2017-07-28 03:55:30 EDT
*** Bug 1472106 has been marked as a duplicate of this bug. ***
Comment 13 Miro Hrončok 2017-07-28 03:56:57 EDT
Apparently also happens on Fedora 25.

Upstream issue and fix for the bad error message (but not the actual problem): https://pagure.io/koji/issue/519
Comment 14 Jan Hutař 2017-08-07 05:06:19 EDT
Yes, running with python2 as suggested in comment #9 workarounds the issue for me.

On python3 with fix from https://pagure.io/koji/issue/519 I have been getting "AuthError: unable to obtain a session".
Comment 15 David Moreau Simard 2017-08-15 10:36:01 EDT
I've also ran into this issue on F26, I believe after resolving a packaging conflict involving krb5-libs when doing a dnf update.

Reinstalling krb5-libs, koji packages and python-krbV did not resolve the problem.

For some reason, re-authenticating with kinit and then running the koji command worked without needing to use the python2 workaround.
Comment 16 Dominik 'Rathann' Mierzejewski 2017-08-23 11:14:51 EDT
Same here.
Comment 17 Dan Horák 2017-09-07 02:51:23 EDT
it's even worse when dealing with secondary koji instance as the ppc-koji binary is a shell wrapper, one must use eg.

python2 /usr/bin/koji --profile ppc cancel qt5-qtwebview-5.7.1-1.fc25

to kill a job ...
Comment 18 Miro Hrončok 2017-11-28 13:37:34 EST
Mike, could you please respond?
Comment 19 Mike McLean 2017-12-01 12:54:42 EST
The root problem here is that gssapi auth is failing.

The masked error should have been fixed in commit 56b023b158ce9437469acc8d73db1cd9f65aad55, which was included in 1.14.

If gssapi auth fails and krbV is not installed, you should see the underlying error now.

The only way I can replicate an error is to destroy my fp.org krb ticket. If I do that, I get an AuthError message, which is reasonable. I expect that you guys are getting a different error.

If forcing python2 helps, it is because it allows Koji to fall back to krbV, which really only dodges the issue of gssapi auth failing.

Does anyone know what's causing the failure from comment 3?
Comment 20 Mike McLean 2017-12-01 12:57:59 EST
Side note: if you want to force py2 in Koji 1.14, you can do so in your koji config on a per-profile basis. 

See: https://docs.pagure.org/koji/release_notes_1.14/#allow-profiles-to-request-a-specific-python-version

Of course all that does is make the workaround easier, but it will at least help you with tools that invoke Koji themselves.
Comment 21 Miro Hrončok 2017-12-01 17:04:49 EST
(In reply to Mike McLean from comment #19)
> The only way I can replicate an error is to destroy my fp.org krb ticket. If
> I do that, I get an AuthError message, which is reasonable. I expect that
> you guys are getting a different error.


[~]$ kinit churchyard@FEDORAPROJECT.ORG
Password for churchyard@FEDORAPROJECT.ORG: 
[~]$ echo $?
0
[~]$ koji cancel 23464856
AuthError: unable to obtain a session
Comment 22 Mike McLean 2017-12-05 10:43:13 EST
Some changes in a pending PR might help shed some light here. Can you try the following?

# git clone https://github.com/mikem23/koji-playground.git
# cd koji-playground/
# git checkout pagure/pr/708
# (kinit)
# PYTHONPATH=. cli/koji -p koji --debug hello
Comment 23 Miro Hrončok 2017-12-05 10:52:22 EST
503 Server Error: Service Temporarily Unavailable for url: https://koji.fedoraproject.org/kojihub

I'll test once the infra move is finished.
Comment 24 Miro Hrončok 2017-12-06 10:11:23 EST
Works!

$ PYTHONPATH=. cli/koji -p koji --debug hello
2017-12-06 16:09:58,145 [DEBUG] koji: Opening new requests session
2017-12-06 16:09:58,145 [DEBUG] koji: Opening new requests session
2017-12-06 16:10:06,360 [DEBUG] koji: Opening new requests session
2017-12-06 16:10:06,361 [DEBUG] koji: gssapi auth failed: MutualAuthenticationError: Unable to authenticate <Response [200]>

2017-12-06 16:10:06,362 [DEBUG] koji: gssapi auth failed: AuthError: unable to obtain a session

2017-12-06 16:10:06,362 [DEBUG] koji: Using server principal: host/koji.fedoraproject.org@FEDORAPROJECT.ORG
successfully connected to hub
hallo, churchyard!

You are using the hub at https://koji.fedoraproject.org/kojihub
Authenticated via Kerberos principal churchyard@FEDORAPROJECT.ORG
Comment 25 Miro Hrončok 2017-12-06 10:12:33 EST
(Except this runs apparently on Python 2 as well.)
Comment 26 Miro Hrončok 2017-12-06 10:14:41 EST
[koji-playground (pagure/pr/708)]$ PYTHONPATH=. python3 cli/koji -p koji --debug hello
Traceback (most recent call last):
  File "cli/koji", line 40, in <module>
    import koji
  File "/home/churchyard/Dokumenty/RedHat/koji-playground/koji/__init__.py", line 2134
    except Exception, e:
                    ^
SyntaxError: invalid syntax
[koji-playground (pagure/pr/708)]$ # edit koji/__init__.py to fix the above
[koji-playground (pagure/pr/708)]$ PYTHONPATH=. python3 cli/koji -p koji --debug hello
2017-12-06 16:13:09,559 [DEBUG] koji: Opening new requests session
2017-12-06 16:13:09,559 [DEBUG] koji: Opening new requests session
2017-12-06 16:13:12,806 [DEBUG] koji: Opening new requests session
2017-12-06 16:13:12,806 [DEBUG] koji: gssapi auth failed: requests_kerberos.exceptions.MutualAuthenticationError: Unable to authenticate <Response [200]>

Traceback (most recent call last):
  File "cli/koji", line 310, in <module>
    rv = locals()[command].__call__(options, session, args)
  File ".../koji-playground/cli/koji_cli/commands.py", line 7038, in handle_moshimoshi
    activate_session(session, options)
  File ".../koji-playground/cli/koji_cli/lib.py", line 571, in activate_session
    session.krb_login(proxyuser=runas)
  File ".../koji-playground/koji/__init__.py", line 2132, in krb_login
    if self.gssapi_login(principal, keytab, ccache, proxyuser=proxyuser):
  File ".../koji-playground/koji/__init__.py", line 2273, in gssapi_login
    raise AuthError('unable to obtain a session')
koji.AuthError: unable to obtain a session
Comment 27 Miro Hrončok 2018-01-19 08:46:58 EST
$ koji hello
AuthError: unable to obtain a session

Still valid.
Comment 28 Donny Davis 2018-02-16 10:58:56 EST
I am also still having this issue on the latest builds. My koji is connected via Freeipa.

Note You need to log in before you can comment on or make changes to this bug.