authorMartin Styk <mastyk@redhat.com>2019-09-26 13:25:50 +0200
committerMartin Styk <mastyk@redhat.com>2019-09-26 12:33:56 +0000
commit97e14daecf3858e7d38727e24156eb0762e9c443 (patch)
tree3e414acd61693e5af303a2e31e6c63800d2cddf5
parent9f4ac9788e979e224ede80181ce83a67a2904ced (diff)
Fix Kerberos auth for lab controllers
Change-Id: I02dc555ae38033a3f547fc68fe6e91859e4ece61 Signed-off-by: Martin Styk <mastyk@redhat.com>
-rw-r--r--Common/bkr/common/hub.py29
1 files changed, 20 insertions, 9 deletions
diff --git a/Common/bkr/common/hub.py b/Common/bkr/common/hub.py
index 288d534..babfb28 100644
--- a/Common/bkr/common/hub.py
+++ b/Common/bkr/common/hub.py
@@ -5,14 +5,18 @@
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
-import os
import base64
-import ssl
+import os
+import tempfile
+
+import gssapi
import six
-from six.moves import xmlrpc_client
+import ssl
from six.moves import urllib_parse as urlparse
-import gssapi
+from six.moves import xmlrpc_client
+
from bkr.common.pyconfig import PyConfigParser, ImproperlyConfigured
+
if six.PY2:
from bkr.common.xmlrpc2 import CookieTransport, SafeCookieTransport, retry_request_decorator
if six.PY3:
@@ -138,10 +142,14 @@ class HubProxy(object):
self._hub.auth.login_oauth2(access_token)
def _login_krbv(self):
- """Login using kerberos credentials (uses python-gssapi)."""
+ """
+ Login using kerberos credentials (uses python-gssapi).
+ """
def get_server_principal(service=None, realm=None):
- """Convert hub url to kerberos principal."""
+ """
+ Convert hub url to kerberos principal.
+ """
hostname = urlparse.urlparse(self._hub_url)[1]
# remove port from hostname
hostname = hostname.split(":")[0]
@@ -153,7 +161,6 @@ class HubProxy(object):
service = "HTTP"
return '%s/%s@%s' % (service, hostname, realm)
-
# read default values from settings
principal = self._conf.get("KRB_PRINCIPAL")
keytab = self._conf.get("KRB_KEYTAB")
@@ -167,9 +174,13 @@ class HubProxy(object):
if principal:
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
- store = None # Default ccache
+ store = None # Default ccache
if keytab:
- store = {'client_keytab': keytab}
+ # Make sure we are using always APP ccache or user specified ccache
+ # instead of MIT krb5 default one with keytabs. Default ccache can be occupied by
+ # system application
+ store = {'client_keytab': keytab,
+ 'ccache': ccache or tempfile.NamedTemporaryFile(prefix='krb5cc_bkr_').name}
elif ccache:
store = {'ccache': ccache}
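Review bot: The fallback path on the `'ccache': ccache or tempfile.NamedTemporaryFile(prefix='krb5cc_bkr_').name` line is only a name, because the NamedTemporaryFile object is not kept: with the default delete-on-close behaviour the file is removed once the object is collected, and the Kerberos library later creates the cache at a path nothing reserves. This is the same pattern as the deprecated `tempfile.mktemp`, and in a shared temp directory another local user could occupy the path first; whether that is exploitable depends on how the krb5 library opens the file, which the hunk does not show. A directory private to the process avoids the question: `'ccache': ccache or os.path.join(tempfile.mkdtemp(prefix='krb5cc_bkr_'), 'ccache')`. Nothing visible removes the cache afterwards, so each keytab login appears to leave a ticket cache behind; cleanup would belong where the session ends, and `_login_krbv` continues outside the hunk.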