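def __init__(self, endpoint, auth=None, capath=True):
    """Store the connection settings for the service.

    Args:
        endpoint: URL of the service. When ``auth == 'kerberos'`` its
            network location is used to build the GSS service name.
        auth: The string ``'kerberos'``, which is replaced by an
            ``HTTPKerberosAuth`` instance, or any other value, which is
            stored unchanged.
        capath: Stored unchanged on the instance.
    """
    # Log the kind of auth, never its value: anything other than the
    # 'kerberos' marker is stored as-is and could carry credentials that
    # must not end up in debug logs.
    # NOTE(review): the endpoint is still logged verbatim; confirm callers
    # never embed userinfo (user:password@host) in it.
    auth_kind = auth if auth == 'kerberos' else type(auth).__name__
    logger.debug(
        "Initializing service (endpoint: %s, auth: %s)", endpoint, auth_kind
    )

    self._endpoint = endpoint

    if auth == 'kerberos':
        # This step has been extended to work around issue #942 in the
        # kerberos library where the default principal cannot be
        # derived without raising an error. An explicit principal has
        # to be provided.
        #
        # This is ignored if PyKerberos is used.
        from urllib.parse import urlparse
        import kerberos

        if hasattr(kerberos, 'authGSSClientInquireCred'):
            parsed = urlparse(endpoint)
            # NOTE(review): netloc keeps any ":port" or "user@" part of the
            # URL, so the service name is not always "HTTP@<host>" --
            # confirm whether parsed.hostname is what is wanted here.
            kerb_spn = "{0}@{1}".format("HTTP", parsed.netloc)
            _, krb_context = kerberos.authGSSClientInit(kerb_spn)
            kerberos.authGSSClientInquireCred(krb_context)
            principal = kerberos.authGSSClientUserName(krb_context)
            # The context is not released: the clean-up call below was
            # already disabled in the original, for a reason not recorded
            # here.
            # kerberos.authGSSClientClean(krb_context)
            auth = HTTPKerberosAuth(principal=principal)
        else:
            auth = HTTPKerberosAuth()

    self._auth = auth
    self._capath = capath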
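def get_current_principal():
    """Return the principal name of the current Kerberos credential.

    Returns:
        The user name reported by the GSS client context, as ``unicode``.

    Raises:
        RuntimeError: the ``kerberos`` module cannot be imported.
        errors.CCacheError: the library raised ``kerberos.GSSError``.
    """
    try:
        import kerberos
        # presumably any non-empty service name works here, since only the
        # credential's user name is read back -- verify against the library
        _, ctx = kerberos.authGSSClientInit("notempty")
        try:
            kerberos.authGSSClientInquireCred(ctx)
            username = kerberos.authGSSClientUserName(ctx)
        finally:
            # Release the GSS context on the failure path as well; before,
            # an error in either call above skipped the clean-up.
            kerberos.authGSSClientClean(ctx)
        return unicode(username)
    except ImportError:
        raise RuntimeError('python-kerberos is not available.')
    except kerberos.GSSError:
        # TODO: do a kinit?
        # The GSS error detail is dropped here; callers only see
        # CCacheError.
        raise errors.CCacheError()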
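def _set_username(self, **kwargs):
    """Fill ``self._username`` from the current Kerberos credential.

    Does nothing when ``self._username`` is already set. Otherwise the
    principal reported by the GSS client context is stored with any
    ``@REALM`` suffix removed.

    Args:
        **kwargs: Accepted and ignored.

    Raises:
        ErrataException: a GSS call returned something other than
            ``kerberos.AUTH_GSS_COMPLETE``.
    """
    if self._username is not None:
        return

    no_ticket = 'Pigeon crap. Did it forget to run kinit?'

    # Return codes are compared explicitly instead of with assert:
    # assert statements are stripped under "python -O", which would let a
    # failed GSS call pass and a bogus user name be stored.
    # NOTE(review): an exception raised by the kerberos module itself
    # still propagates unchanged, as before.
    (ret, ctx) = kerberos.authGSSClientInit('*****@*****.**')
    if ret != kerberos.AUTH_GSS_COMPLETE:
        raise ErrataException(no_ticket)

    ret = kerberos.authGSSClientInquireCred(ctx)
    if ret != kerberos.AUTH_GSS_COMPLETE:
        raise ErrataException(no_ticket)

    # XXX What if you have >1 ticket?
    principal = kerberos.authGSSClientUserName(ctx)
    # split() returns the whole string when no '@' is present, so this
    # covers both "user@REALM" and a bare "user".
    self._username = principal.split('@')[0]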