krbcontext / python-krbcontext Goto Github PK

View Code? Open in Web Editor NEW

25.0 4.0 10.0 134 KB

A Kerberos context manager

Home Page: https://krbcontext.github.io/

License: GNU General Public License v3.0

Makefile 3.43% Python 92.64% Shell 3.93%

kerberos gssapi

python-krbcontext's Introduction

krbcontext

krbcontext provides a Kerberos context that you can put code inside, which requires a valid ticket in credential cache.

Documentation

Usage and API can be found from krbcontext.github.io.

Contribution

Welcome contributions, whatever idea, issue report, or a patch. Before making a pull request, please make sure your code passes checks. Run

tox

Sign-off commit

Every commit must be signed off with your name and email address. This can be done by specifying option -s to git commit, for example:

git commit -s -m "commit message"

The sign-off means you have read and agree to Developer Certificate of Origin. Nitrate uses version 1.1:

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

Report an Issue

If you have any issues, please report one.

IRC

#krbcontext on freenode.net

python-krbcontext's People

Contributors

Stargazers

Watchers

Forkers

gtfd333 prussia msimacek gp1314 zeekling cheewaphat jlhanzlik mre-fog dschall eubnara

python-krbcontext's Issues

Can not init with password

I use the username and password for kdc authentication, but I can't authenticate successfully.

init_with_password() take error message：

File "gssapi/raw/creds.pyx", line 158, in gssapi.raw.creds.acquire_cred
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639053): Can't find client principal [email protected] in cache collection

My code

@patch('gssapi.raw.store_cred_into')
@patch('gssapi.raw.acquire_cred_with_password')
@patch('gssapi.creds.Credentials')
def get_krb_context(store_cred_into, acquire_cred_with_password, Credentials):
    context = krbContext(using_keytab=False,principal='test',password='test')
    context.init_with_password()
    store_cred_into.assert_not_called()
    acquire_cred_with_password.assert_not_called()
    return context

Version Information
gssapi 1.6.1
krbcontext 0.10

Current default ccache depends on what is configured in user's system, that is configured in /etc/krb5.conf generally. MEMORY type ccache would be useful and faster than current behavior, as there is no need to do file operation and probably could avoid potential I/O and permission problems

setup wheels fails in python 3.6.2 centos linux 7

Using a pristine virtual environment

python -V
Python 3.6.2 :: Continuum Analytics, Inc.
cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)

Building wheels for collected packages: krbcontext
  Running setup.py bdist_wheel for krbcontext ... error
  Complete output from command /opt/miniconda2/envs/kerberosexp/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-9eec7gwe/krbcontext/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/tmp6m15r8fypip-wheel- --python-tag cp36:
  running bdist_wheel
  running build
  running build_py
  creating build
  creating build/lib
  creating build/lib/krbcontext
  copying krbcontext/__init__.py -> build/lib/krbcontext
  copying krbcontext/context.py -> build/lib/krbcontext
  installing to build/bdist.linux-x86_64/wheel
  running install
  running install_lib
  creating build/bdist.linux-x86_64
  creating build/bdist.linux-x86_64/wheel
  creating build/bdist.linux-x86_64/wheel/krbcontext
  copying build/lib/krbcontext/__init__.py -> build/bdist.linux-x86_64/wheel/krbcontext
  copying build/lib/krbcontext/context.py -> build/bdist.linux-x86_64/wheel/krbcontext
  running install_egg_info
  running egg_info
  writing krbcontext.egg-info/PKG-INFO
  writing dependency_links to krbcontext.egg-info/dependency_links.txt
  writing requirements to krbcontext.egg-info/requires.txt
  writing top-level names to krbcontext.egg-info/top_level.txt
  reading manifest file 'krbcontext.egg-info/SOURCES.txt'
  reading manifest template 'MANIFEST.in'
  writing manifest file 'krbcontext.egg-info/SOURCES.txt'
  Copying krbcontext.egg-info to build/bdist.linux-x86_64/wheel/krbcontext-0.10-py3.6.egg-info
  running install_scripts
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/tmp/pip-build-9eec7gwe/krbcontext/setup.py", line 71, in <module>
      'Topic :: System :: Systems Administration',
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/distutils/core.py", line 148, in setup
      dist.run_commands()
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/distutils/dist.py", line 955, in run_commands
      self.run_command(cmd)
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/distutils/dist.py", line 974, in run_command
      cmd_obj.run()
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/site-packages/wheel/bdist_wheel.py", line 232, in run
      self.distinfo_dir)
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/site-packages/wheel/bdist_wheel.py", line 399, in egg2dist
      distribution=self.distribution)
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/site-packages/wheel/metadata.py", line 176, in pkginfo_to_dict
      new_requirements = sorted(convert_requirements(requirements))
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/site-packages/wheel/metadata.py", line 231, in convert_requirements
      parsed_requirement = pkg_resources.Requirement.parse(req)
    File "/opt/miniconda2/envs/kerberosexp/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2974, in parse
      req, = parse_requirements(s)
  ValueError: not enough values to unpack (expected 1, got 0)

  ----------------------------------------
  Failed building wheel for krbcontext
  Running setup.py clean for krbcontext
Failed to build krbcontext

cant seems to use this.

Hoping you can provide me some guidance here using ktab. Seems like your pretty active last week.. so i am hoping for quick answer. I have a SaaS with impersonation needed to run back office processes on behalf of specific users (from application). I have setup ktab and installed all the required kerberos components.. Just cant get your module to work quite right..

Appreciate guidance here.

My test code.

import krbcontext  as krbContext
import os
with krbContext(using_keytab=True,
        principal='[email protected]',
        keytab_file='/home/auser/cert/auser.keytab',
        ccache_file='/tmp/krb5cc_pid_appname'):
    pass

TypeError Traceback (most recent call last)
in ()
4 principal='[email protected]',
5 keytab_file='/home/auser/cert/auser.keytab',
----> 6 ccache_file='/tmp/krb5cc_pid_appname'):
7 pass

TypeError: 'module' object is not callable

pip list | grep krbcontext
krbcontext (0.8)

my kinit ktab works fine

kinit -kt auser.keytab [email protected]
klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: [email protected]

Valid starting Expires Service principal
09/08/2017 18:05:11 09/09/2017 04:05:11 krbtgt/[email protected]
renew until 09/15/2017 18:05:11

Cannot renew expired ticked with FILE ccache

krbcontext is not able to renew an expired ticket when the ccache is of type FILE or DIR. gssapi apparently expect the ccache to be either a valid ccache or a nonexistent file, but krbcontext always creates an empty file, which results in "Bad format in credentials cache" error.

Reproducer (set PRINCIPAL and KEYTAB to valid values):

msimacek ~ % export KRB5CCNAME=/tmp/ccache
msimacek ~ % kinit -kt $KEYTAB $PRINCIPAL -l 0:00:01
msimacek ~ % python -c "import krbcontext;krbcontext.krbcontext(using_keytab=True, principal='$PRINCIPAL', keytab_file='$KEYTAB', ccache_file='/tmp/ccache').__enter__()"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/msimacek/.virtualenvs/pelc/lib/python2.7/site-packages/krbcontext/context.py", line 281, in __enter__
    self._prepare_context()
  File "/home/msimacek/.virtualenvs/pelc/lib/python2.7/site-packages/krbcontext/context.py", line 271, in _prepare_context
    self.init_with_keytab()
  File "/home/msimacek/.virtualenvs/pelc/lib/python2.7/site-packages/krbcontext/context.py", line 175, in init_with_keytab
    creds = gssapi.creds.Credentials(**new_creds_opts)
  File "/home/msimacek/.virtualenvs/pelc/lib/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/home/msimacek/.virtualenvs/pelc/lib/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "gssapi/raw/ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639111): Bad format in credentials cache (filename: /tmp/tmpXcSEhpkrbcontext-tmp-ccache-)

gssapi error

Hello, first of all thank you for your work, when I used this module, the following error occurred
I don't know what caused it, try to solve it, but it doesn't take effect!

raise NotImplementedError("Your GSSAPI implementation does "
NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores
And the package version is below:
gssapi==1.6.9
krbcontext==0.10

Info about using krbcontext in snakebite-py3

Hi!

I am trying to replace https://github.com/elukey/snakebite-py3/blob/master/snakebite/kerberos.py with something python3 compatible, and I found krbcontext. I tried to replicate the snakebite's code with your library but didn't get far, is it something possible?

Thanks in advance!

Fix doc build in readthedocs.io

As per subject

Support credential cache collection

Doesn't work with default ccache specified by KRB5CCNAME

User story

I want to initialize a Kerberos context in default ccache, which is specified by KRB5CCNAME.

For example,

import os
os.environ['KRB5CCNAME'] = '/tmp/mycc'

with krbContext(using_keytab=True, principal='...', keytab_file='...'):
    import subprocess
    subprocess.call(['klist'])

Credential cannot be acquired in ccache /tmp/mycc, and error is raised

GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (39756032): Principal in credential cache does not match desired name

source is not sync with Pypi

I downloaded krbcontext 0.3.3 from PyPi (https://pypi.python.org/pypi/krbcontext/0.3.3) but I noticed the source code doesn't match what is on the current master branch (different commit). Is what is on master going to be released?

lost gssapi.raw.ext_cred_store module

when i use krbContext to download hdfs files in yarn cluster as below:

with krbContext(using_keytab=True, principal=principal, keytab_file=keytab_path):
            client = KerberosClient('http://{0}:50070'.format(server))
            client.download(os.path.join(HDFS_ROOT, hdfs_path), local_path, overwrite=True)

error happens here:

 with krbContext(using_keytab=True, principal=principal, keytab_file=keytab_path):
  File "/usr/local/anaconda3/lib/python3.5/site-packages/krbcontext/context.py", line 281, in __enter__
    self._prepare_context()
  File "/usr/local/anaconda3/lib/python3.5/site-packages/krbcontext/context.py", line 271, in _prepare_context
    self.init_with_keytab()
  File "/usr/local/anaconda3/lib/python3.5/site-packages/krbcontext/context.py", line 165, in init_with_keytab
    creds = gssapi.creds.Credentials(**creds_opts)
  File "/usr/local/anaconda3/lib/python3.5/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/local/anaconda3/lib/python3.5/site-packages/gssapi/creds.py", line 140, in acquire
    raise NotImplementedError("Your GSSAPI implementation does "
NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores

then i google it, i found this in gssapi code

then i search for rcred_cred_store

then i search for import_gssapi_extension

OMG, lost one module!!!

>>> import gssapi
>>> import gssapi.raw
>>> import gssapi.raw.ext_cred_store
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named 'gssapi.raw.ext_cred_store'

How do I use krbcontext to call the api of the spark task and get the execution time of the task?

when I use kerberos,these code need adjust，pls how to do it，Thanks guys。

请求url获取相应的json

async def get_json_from_url(url):
async with aiohttp.ClientSession() as session:
try:
async with session.get(url, timeout=10) as resp:
result = await resp.json()
return result
except Exception as e:
print(f"连接报错：{e}")
return

start = de_format_gmt_date(start_time)
end = de_format_gmt_date(end_time)
url = f"http://XXXX:18088/api/v1/applications?minDate={start}&maxDate={end}"
resource_list = await get_json_from_url(url)

Failed to install

Basically, this is the same issue as #30

pip3 -V
WARNING: pip is being invoked by an old script wrapper. This will fail in a future version of pip.
Please see https://github.com/pypa/pip/issues/5599 for advice on fixing the underlying issue.
To avoid this problem you can invoke Python with '-m pip' instead of running pip directly.
pip 20.3.1 from /home/mhj/.local/lib/python3.6/site-packages/pip (python 3.6)

This is the error:

Defaulting to user installation because normal site-packages is not writeable
Processing ./krbcontext-0.10.tar.gz
Requirement already satisfied: gssapi in /home/mhj/.local/lib/python3.6/site-packages (from krbcontext==0.10) (1.6.12)
Requirement already satisfied: decorator in /home/mhj/.local/lib/python3.6/site-packages (from gssapi->krbcontext==0.10) (4.4.2)
Building wheels for collected packages: krbcontext
  Building wheel for krbcontext (setup.py) ... error
  ERROR: Command errored out with exit status 1:
   command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-req-build-1t45edxl/setup.py'"'"'; __file__='"'"'/tmp/pip-req-build-1t45edxl/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-hf59qy8_
       cwd: /tmp/pip-req-build-1t45edxl/
  Complete output (50 lines):
  running bdist_wheel
  running build
  running build_py
  creating build
  creating build/lib
  creating build/lib/krbcontext
  copying krbcontext/context.py -> build/lib/krbcontext
  copying krbcontext/__init__.py -> build/lib/krbcontext
  installing to build/bdist.linux-x86_64/wheel
  running install
  running install_lib
  creating build/bdist.linux-x86_64
  creating build/bdist.linux-x86_64/wheel
  creating build/bdist.linux-x86_64/wheel/krbcontext
  copying build/lib/krbcontext/context.py -> build/bdist.linux-x86_64/wheel/krbcontext
  copying build/lib/krbcontext/__init__.py -> build/bdist.linux-x86_64/wheel/krbcontext
  running install_egg_info
  running egg_info
  writing krbcontext.egg-info/PKG-INFO
  writing dependency_links to krbcontext.egg-info/dependency_links.txt
  writing requirements to krbcontext.egg-info/requires.txt
  writing top-level names to krbcontext.egg-info/top_level.txt
  reading manifest file 'krbcontext.egg-info/SOURCES.txt'
  reading manifest template 'MANIFEST.in'
  writing manifest file 'krbcontext.egg-info/SOURCES.txt'
  Copying krbcontext.egg-info to build/bdist.linux-x86_64/wheel/krbcontext-0.10.egg-info
  running install_scripts
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/tmp/pip-req-build-1t45edxl/setup.py", line 71, in <module>
      'Topic :: System :: Systems Administration',
    File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 129, in setup
      return distutils.core.setup(**attrs)
    File "/usr/lib/python3.6/distutils/core.py", line 148, in setup
      dist.run_commands()
    File "/usr/lib/python3.6/distutils/dist.py", line 955, in run_commands
      self.run_command(cmd)
    File "/usr/lib/python3.6/distutils/dist.py", line 974, in run_command
      cmd_obj.run()
    File "/usr/lib/python3/dist-packages/wheel/bdist_wheel.py", line 257, in run
      self.distinfo_dir)
    File "/usr/lib/python3/dist-packages/wheel/bdist_wheel.py", line 427, in egg2dist
      distribution=self.distribution)
    File "/usr/lib/python3/dist-packages/wheel/metadata.py", line 177, in pkginfo_to_dict
      new_requirements = sorted(convert_requirements(requirements))
    File "/usr/lib/python3/dist-packages/wheel/metadata.py", line 234, in convert_requirements
      parsed_requirement = pkg_resources.Requirement.parse(req)
    File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 2988, in parse
      req, = parse_requirements(s)
  ValueError: not enough values to unpack (expected 1, got 0)
  ----------------------------------------
  ERROR: Failed building wheel for krbcontext
  Running setup.py clean for krbcontext
Failed to build krbcontext
Installing collected packages: krbcontext
    Running setup.py install for krbcontext ... done
  DEPRECATION: krbcontext was installed using the legacy 'setup.py install' method, because a wheel could not be built for it. pip 21.0 will remove support for this functionality. A possible replacement is to fix the wheel build issue reported above. You can find discussion regarding this at https://github.com/pypa/pip/issues/8368.
Successfully installed krbcontext-0.10

Uncaught exception trying to obtain pre-existing credentials with Keytab Auth

The code near line 156 in context.py attempts to get existing credentials before it creates a temporary credentials cache
for keytab auth.

creds = gssapi.creds.Credentials(**creds_opts)

The above line triggers the following error:

File "/usr/local/lib/python3.7/dist-packages/krbcontext-0.10-py3.7.egg/krbcontext/context.py", line 156, in init_with_keytab
  File "/usr/local/lib/python3.7/dist-packages/gssapi-1.6.12-py3.7-linux-x86_64.egg/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/local/lib/python3.7/dist-packages/gssapi-1.6.12-py3.7-linux-x86_64.egg/gssapi/creds.py", line 148, in acquire
    usage)
  File "gssapi/raw/ext_cred_store.pyx", line 186, in gssapi.raw.ext_cred_store.acquire_cred_from
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756032): Principal in credential cache does not match desired name

You can recreate this error by simply:

kinit user1
Use krbContext to authenticate as user2 with user2.keytab. Passing the principal=user2

This error occurs because when gssapi looks into the existing cache with a credential of user and cannot find user2.
There just needs to be a try/catch around this line to resolve the issue.

No module 'pwd' on importing krbcontext

Simply importing the module: krbcontext on Windows

import krbcontext

Gives me the following error.

import pwd
ModuleNotFoundError: No module named 'pwd'

It seems like krbcontext\context.py uses pwd module which seems to be available only on Unix , is there a workaround for this on Windows?