def boto3_client(self, id_broker):
"""Retrieve S3 credentials from ID Broker and return a boto3 client.
Arguments:
None.
Returns:
boto3.client -- A boto3 client connected to the AWS environment
"""
try:
r = requests.get(
"https://{}:8444/gateway/dt/knoxtoken/api/v1/token".format(
id_broker),
auth=HTTPKerberosAuth())
url = "https://{}:8444/gateway/aws-cab/cab/api/v1/credentials".format(
id_broker)
headers = {
'Authorization': "Bearer " + r.json()['access_token'],
'cache-control': "no-cache"
}
response = requests.request("GET", url, headers=headers)
ACCESS_KEY = response.json()['Credentials']['AccessKeyId']
SECRET_KEY = response.json()['Credentials']['SecretAccessKey']
SESSION_TOKEN = response.json()['Credentials']['SessionToken']
client = boto3.client(
's3',
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
aws_session_token=SESSION_TOKEN,
)
logging.debug("S3 credential found and boto3 client instantiated")
except:
logging.error("Unable to get S3 credentails")
return client
def _do_request(self, requests_method, request_url, body, params, headers,
expected_status_code, stream, verify, timeout):
auth = HTTPKerberosAuth() if self.has_kerberos() else None
response = requests_method(request_url,
data=body,
params=params,
headers=headers,
stream=stream,
verify=verify,
timeout=timeout or self.default_timeout_sec,
auth=auth)
if self.logger.isEnabledFor(logging.DEBUG):
for hdr, hdr_content in list(response.request.headers.items()):
self.logger.debug('request header: %s: %s' %
(hdr, hdr_content))
self.logger.debug(
'reply: "%s %s" %s' %
(response.status_code, response.reason, response.content))
for hdr, hdr_content in list(response.headers.items()):
self.logger.debug('response header: %s: %s' %
(hdr, hdr_content))
if response.status_code != expected_status_code:
self._raise_client_error(response, request_url)
if stream:
return StreamedResponse(response)
response_json = response.json()
if response.history:
response_json['history'] = response.history
return response_json
def parse(self, inventory, loader, path, cache=True):
super(InventoryModule, self).parse(inventory, loader, path)
self.config_data = self._read_config_data(path)
auth_type = self.get_option("authentication")
if auth_type in ("basic", "ntlm"):
username = self.get_option("username")
password = self.get_option("password")
if not (username and password):
raise AnsibleError(("Username and password are required for "
"{} authentication.").format(auth_type))
if auth_type == "basic":
self._auth = (username, password)
elif auth_type == "ntlm":
if HAS_REQNTLM_AUTH:
self._auth = HTTPNTLMAuth(username, password)
else:
raise AnsibleError(
"The library 'requests_ntlm' is required for "
"NTLM authentication.")
elif auth_type == "kerberos":
if HAS_REQKRB_AUTH:
self._auth = HTTPKerberosAuth()
else:
raise AnsibleError(
"The library 'requests_kerberos' is required for "
"Kerberos authentication.")
self._build_inventory()
def _handle_idbroker_ha(fs=None):
fs = validate_fs(fs)
idbrokeraddr = get_conf().get(_CNF_CAB_ADDRESS % fs) if fs else None
response = None
if fs:
id_broker_addr = get_conf().get(_CNF_CAB_ADDRESS % fs)
if id_broker_addr:
id_broker_addr_list = id_broker_addr.split(',')
for id_broker_addr in id_broker_addr_list:
try:
response = requests.get(id_broker_addr +
'dt/knoxtoken/api/v1/token',
auth=HTTPKerberosAuth(),
verify=False)
except Exception as e:
if 'Name or service not known' in str(e):
LOG.warn('IDBroker %s is not available for use' %
id_broker_addr)
# Check response for None and if response code is successful (200) or authentication needed (401)
if (response is not None) and (response.status_code
in (200, 401)):
idbrokeraddr = id_broker_addr
break
return idbrokeraddr
else:
return idbrokeraddr
else:
return idbrokeraddr
def krb_sign_on(url, cookiejar=None):
"""
Perform Kerberos-backed single-sign on against a provided
(protected) URL.
It is assumed that the current session has a working Kerberos
ticket.
Returns a Requests `CookieJar`, which can be accessed as a
dictionary, but most importantly passed directly into a request or
session via the `cookies` keyword argument.
If a cookiejar-like object (such as a dictionary) is passed as the
cookiejar keword argument, this is passed on to the Session.
"""
kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
with requests.Session() as s:
krb_auth_url = _init_session(s=s,
url=url,
cookiejar=cookiejar,
auth_url_fragment=u"auth/integrated/")
# Perform actual Kerberos authentication
log.info("Performing Kerberos authentication against %s" %
krb_auth_url)
r2 = s.get(krb_auth_url,
auth=kerberos_auth,
timeout=DEFAULT_TIMEOUT_SECONDS)
return _finalise_login(s, auth_results=r2)
def get_comments(advisory_id):
"""5.2.10.2. GET /api/v1/comments?filter[key]=value
Retrieve all advisory comments
Example request body:
{"filter": {"errata_id": 11112, "type": "AutomatedComment"}}
Returns an array of comments ordered in descending order
(newest first). The array may be empty depending on the filters
used. The meaning of each attribute is documented under GET
/api/v1/comments/{id} (see Erratum.get_comment())
Included for reference:
5.2.10.2.1. Filtering
The list of comments can be filtered by applying
filter[key]=value as a query parameter. All attributes of a
comment - except advisory_state - can be used as a filter.
This is a paginated API. Reference documentation:
https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-pagination
"""
body = {"filter": {"errata_id": advisory_id, "type": "Comment"}}
res = requests.get(constants.errata_get_comments_url,
verify=ssl.get_default_verify_paths().openssl_cafile,
auth=HTTPKerberosAuth(),
json=body)
if res.status_code == 200:
return res.json().get('data', [])
elif res.status_code == 401:
raise exceptions.ErrataToolUnauthorizedException(res.text)
else:
return False
def put_request(self, suffix_url, xml_file):
"""Make a oozie put request"""
status = False
file_h = open(os.path.join(self.cfg_mgr.saves, xml_file))
data = file_h.read()
http_headers = {'Content-Type': 'application/xml'}
url = self.oozie_url + suffix_url
self.logger.info(url)
response = requests.post(url,
data=data,
headers=http_headers,
auth=HTTPKerberosAuth())
if 200 <= response.status_code and response.status_code < 300:
my_json = json.dumps(response.json())
res_val = response.json()
# self.logger.info(json.dumps(response.json(),
# indent=4, sort_keys=True))
msg = "\n\n\t\tGo here: https://{0}:8888/oozie/" \
"list_oozie_workflow/{1}/\n".\
format(self.cfg_mgr.workflow_host, res_val['id'])
self.logger.info(msg)
status = True
else:
self.logger.error("Error submitting job. Error code: "
"{status}".format(status=response.status_code))
self.logger.error(response.text)
return status
def splunk_login():
# TODO: Support kerberos
# https://github.com/requests/requests-kerberos
# TODO: Store creds under ~/.config/splunkinv.conf
# TODO: How long does the session id work? Possible to reuse it and store it persistently?
s = requests.Session()
if SPLUNK_KRB:
kerberos_auth = HTTPKerberosAuth(mutual_authentication=REQUIRED,
sanitize_mutual_error_response=False)
login = s.post(SPLUNK_LOGIN, verify=sslverify, auth=kerberos_auth)
else:
login = s.post(SPLUNK_LOGIN,
verify=sslverify,
data={
'username': SPLUNK_USER,
'password': SPLUNK_PASSWORD
})
if login.status_code == 401:
raise Exception('Login failed: %s' % login.json())
elif not login.ok:
raise Exception('Failure logging in: %s' % login.text)
s.headers.update(
{'Authorization': 'Splunk %s' % login.json()['sessionKey']})
return s
def __get_es_client(self):
if self.auth_type == CMRESHandler.AuthType.NO_AUTH:
if self._client is None:
self._client = Elasticsearch(
hosts=self.hosts,
use_ssl=self.use_ssl,
verify_certs=self.verify_certs,
connection_class=RequestsHttpConnection)
return self._client
if self.auth_type == CMRESHandler.AuthType.BASIC_AUTH:
if self._client is None:
return Elasticsearch(hosts=self.hosts,
http_auth=self.auth_details,
use_ssl=self.use_ssl,
verify_certs=self.verify_certs,
connection_class=RequestsHttpConnection)
return self._client
if self.auth_type == CMRESHandler.AuthType.KERBEROS_AUTH:
if CMR_KERBEROS_SUPPORTED:
# For kerberos we return a new client each time to make sure the tokens are up to date
return Elasticsearch(
hosts=self.hosts,
use_ssl=self.use_ssl,
verify_certs=self.verify_certs,
connection_class=RequestsHttpConnection,
http_auth=HTTPKerberosAuth(mutual_authentication=DISABLED))
else:
raise EnvironmentError(
"Kerberos module not available. Please install \"requests-kerberos\""
)
raise ValueError("Authentication method not supported")
def request(self, api_path, method='GET', **kwargs):
api_endpoint = 'http://{}:{}{}'.format(self.address, self.port,
api_path)
self.logger.info('API Endpoint {}'.format(api_endpoint))
self._validate_configuration()
if method == 'GET':
headers = None
else:
headers = {"Content-Type": "application/json"}
response = None
if self.kerberos_enabled:
from requests_kerberos import HTTPKerberosAuth
response = requests.request(method=method,
url=api_endpoint,
auth=HTTPKerberosAuth(),
headers=headers,
**kwargs)
else:
response = requests.request(method=method,
url=api_endpoint,
headers=headers,
**kwargs)
if response.status_code in (200, 202):
return self.response_class(response)
else:
msg = 'Response finished with status: %s. Details: %s' % (
response.status_code, response.text)
raise APIError(msg)
def post(self, request, *args, **kwargs):
''' this is where we start data exchange '''
url = self.SP_ENDPOINT.format('http://localhost:9000')
user_data = request.POST
logger.debug(f'received POST from user {request.user!r}')
# do we have to set cookies?
cookies = request.COOKIES
with requests.Session() as session:
logger.debug('performing requests lib auth config')
k = HTTPKerberosAuth()
s = HTTPSAMLAuth(chained_auth=k)
logger.debug('starting transaction with service provider')
response = session.post(url,
data=user_data,
cookies=cookies,
auth=s)
logger.debug(f'SP response status: {response.status_code}')
return self.render_to_response({
'last_stop': True,
'sp_response': {
'header': response.headers,
'status_code': response.status_code,
# 'content': str(response.text),
'content': response.text,
# 'content': response.content,
},
})
def get_brew_build(nvr, product_version='', session=None):
"""5.2.2.1. GET /api/v1/build/{id_or_nvr}
Get Brew build details.
https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-get-apiv1buildid_or_nvr
:param str nvr: A name-version-release string of a brew rpm/image build
:param str product_version: The product version tag as given to ET
when attaching a build
:param requests.Session session: A python-requests Session object,
used for for connection pooling. Providing `session` object can
yield a significant reduction in total query time when looking up
many builds.
http://docs.python-requests.org/en/master/user/advanced/#session-objects
:return: An initialized Build object with the build details
:raises exceptions.BrewBuildException: When build not found
"""
if session is None:
session = requests.session()
res = session.get(constants.errata_get_build_url.format(id=nvr),
verify=ssl.get_default_verify_paths().openssl_cafile,
auth=HTTPKerberosAuth())
if res.status_code == 200:
return brew.Build(nvr=nvr,
body=res.json(),
product_version=product_version)
else:
raise exceptions.BrewBuildException("{build}: {msg}".format(
build=nvr, msg=res.text))
def sweep(ctx):
advisory = ctx.obj['advisory']
target_releases = ctx.obj['target_release']
target_releases_str = ''
#target_releases_string="target_release=3.4.z&target_release=3.5.z&target_release=3.6.z"
for r in target_releases:
target_releases_str += 'target_release={0}&'.format(r)
query_url = 'https://bugzilla.redhat.com/buglist.cgi?bug_status=MODIFIED&classification=Red%20Hat&f1=component&f2=component&f3=component&f4=cf_verified&keywords=UpcomingRelease&keywords_type=nowords&known_name=All%203.x%20MODIFIED%20Bugs&list_id=8111122&o1=notequals&o2=notequals&o3=notequals&o4=notequals&product=OpenShift%20Container%20Platform&query_based_on=All%203.x%20MODIFIED%20Bugs&query_format=advanced&short_desc=%5C%5Bfork%5C%5D&short_desc_type=notregexp&{0}&v1=RFE&v2=Documentation&v3=Security&v4=FailedQA&version=3.0.0&version=3.1.0&version=3.1.1&version=3.2.0&version=3.2.1&version=3.3.0&version=3.3.1&version=3.4.0&version=3.4.1&version=3.5.0&version=3.5.1&version=3.6.0&version=3.6.1&version=3.7.0&version=3.7.1&version=unspecified'.format(
target_releases_str)
click.echo(query_url)
new_bugs = check_output(
['bugzilla', 'query', '--ids',
'--from-url="{0}"'.format(query_url)]).splitlines()
flag_bugs(ctx, new_bugs)
refresh_bugs(ctx, new_bugs)
# post back to errata api
for bug in new_bugs:
click.echo("Adding Bug #{0}".format(bug))
payload = {'bug': bug}
requests.post(ERRATA_ADD_BUG_URL % advisory,
auth=HTTPKerberosAuth(),
json=payload)
def test(self):
try:
if self.kerberos:
kerberos_auth = HTTPKerberosAuth()
url = "http://{0}/webhdfs/v1/?op=GETDELEGATIONTOKEN".format(self.endpoint)
resp = requests.get(url, auth=kerberos_auth)
if resp.status_code == 200:
result = resp.json()
self.delegationToken = result['Token']['urlString']
self.auth = "delegation=" + self.delegationToken + "&"
return (True, "")
elif resp.status_code == 401:
return (False, "{0} => Response code: {1} (May be you need to perform 'kinit' on the remote host)".format(url, resp.status_code))
else:
return (False, "{0} => Response code: {1}".format(url, resp.status_code))
else:
url = "http://{0}/webhdfs/v1/?{1}op=GETFILESTATUS".format(self.endpoint, self.auth)
resp = requests.get(url)
if resp.status_code == 200:
return (True, "")
elif resp.status_code == 401:
return (False, "{0} => Response code: {1} (May be KERBEROS authentication must be used)".format(url, resp.status_code))
else:
return (False, "{0} => Response code: {1}".format(url, resp.status_code))
except Exception as e:
if self.kerberos:
return (False, "{0} => Error: {1}. Are you sure this cluster is secured by Kerberos ?".format(url, str(e)))
else:
return (False, "{0} => Error: {1}".format(url, str(e)))
def mentioned_trend(baseurl,mysqlhostIP, mysqlUserName = '******', mysqlPassword = '', dbname = 'btv_v2'):
list_key_words = list()
# 存储评论数据
# 连接数据库
print(base64.b64decode(b'Q29weXJpZ2h0IChjKSAyMDEyIERvdWN1YmUgSW5jLiBBbGwgcmlnaHRzIHJlc2VydmVkLg==').decode())
sqlConn=MySQLdb.connect(host=mysqlhostIP, user=mysqlUserName, passwd=mysqlPassword, db = dbname, charset='utf8')
sqlcursor = sqlConn.cursor()
sqlcursor.execute('''CREATE TABLE IF NOT EXISTS key_kk(pk bigint NOT NULL PRIMARY KEY AUTO_INCREMENT, keywords varchar(50)) DEFAULT CHARSET=utf8;''')
print '新建库成功'
os.popen('kinit -k -t /home/ctvit/ctvit.keytab ctvit')
kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
tablename = "DATA:WEIBO_POST_Keywords"
r = requests.get(baseurl + "/" + tablename + "/*", auth=kerberos_auth, headers = {"Accept" : "application/json"})
if issuccessful(r) == False:
print "Could not get messages from HBase. Text was:\n" + r.text
# quit()
bleats = json.loads(r.text)
box = list()
for row in bleats['Row']:
# print 000
# count+=1
message = ''
lineNumber = ''
username = ''
for cell in row['Cell']:
columnname = base64.b64decode(cell['column'])
value = cell['$']
if value == None:
print 'none'
continue
if columnname == "base_info:match":
key_word = base64.b64decode(value)
if columnname == "base_info:hot":
hot = base64.b64decode(value)
print 'hot',hot
# if ("北京卫视春晚" not in key_word) and ("北京台的春晚" not in key_word) and ("BTV春晚" not in key_word) and ("BTV春晚" not in key_word) and ("bTV春晚" not in key_word):
# break
# if columnname == "base_info:cdate":
# cdate = base64.b64decode(value)
# cdate = cdate.split('T')[0]
# print 'date',cdate
# if cdate not in box:
# box.append(cdate)
# for i in box:
# print i
# print 'ppp',type(key_word)
# print '11',key_word
# if key_word not in list_key_words:
# list_key_words.append(key_word)
#
# tempData = []
# for i in list_key_words:
# print 'key',i
# tempData.append(str(i))
# sqlcursor.execute('''insert into key_kk(keywords) values (%s)''',tempData)
# sqlConn.commit()
# tempData = []
sqlConn.close()
def login(self, username, password):
preinturl='https://sp2010.ger.ith.intel.com/sites/XMM7360/Lists/7360_Preint/Default.aspx'
import requests
from requests_kerberos import HTTPKerberosAuth, REQUIRED
kerberos_auth = HTTPKerberosAuth(mutual_authentication=REQUIRED, sanitize_mutual_error_response=False)
r = requests.get(preinturl, auth=kerberos_auth,verify=False)
print(r.text.encode('utf-8'))
def main():
with get(f"https://rhevm.abc.idm.lab.eng.brq.redhat.com/ovirt-engine/api/vms/{config['machine_id']}/statistics",
auth=HTTPKerberosAuth(), headers={'accept': 'application/json'}) as response:
if response.ok:
result = loads(response.text)
else:
return False
def __get_token_gss(self):
"""
Sends a request to get an auth token from the server and stores it as a class attribute. Uses Kerberos authentication.
:returns: True if the token was successfully received. False otherwise.
"""
if not EXTRA_MODULES['requests_kerberos']:
raise MissingModuleException('The requests-kerberos module is not installed.')
url = build_url(self.auth_host, path='auth/gss')
result = self._send_request(url, get_token=True, auth=HTTPKerberosAuth())
if not result:
self.logger.error('Cannot retrieve authentication token!')
return False
if result.status_code != codes.ok: # pylint: disable-msg=E1101
exc_cls, exc_msg = self._get_exception(headers=result.headers,
status_code=result.status_code,
data=result.content)
raise exc_cls(exc_msg)
self.auth_token = result.headers['x-rucio-auth-token']
return True
def _create_requests_session(self):
"""
Creates a Requests Session and authenticates to base API URL with HTTP Basic Auth or Kerberos Auth.
We're using a Session to persist cookies across all requests made from the Session instance.
:return s: Requests Session.
"""
s = requests.Session()
# Kerberos Auth
if self.auth == 'kerberos':
self.principal = ticket._get_kerberos_principal()
s.auth = HTTPKerberosAuth(mutual_authentication=DISABLED)
s.verify = False
# HTTP Basic Auth
if isinstance(self.auth, tuple):
username, password = self.auth
self.principal = username
s.params.update({'user': username, 'pass': password})
# Try to authenticate to auth_url.
try:
r = s.get(self.auth_url)
logging.debug("Create requests session: status code: {0}".format(
r.status_code))
r.raise_for_status()
# Special case for RT. A 200 status code is still returned if authentication failed. Have to check r.text.
if '200' not in r.text:
raise requests.RequestException
logging.info("Successfully authenticated to {0}".format(
self.ticketing_tool))
return s
except requests.RequestException as e:
logging.error("Error authenticating to {0}".format(self.auth_url))
s.close()
def get_facts_puppetdb(self, apiurl, facts, hostgroup):
url = '%s/facts' % apiurl
if 'v3' in apiurl:
query_base = '["and",["or",%s],["in", "certname", ["extract", "certname", ["select-facts", ["and", ["=", "name", "hostgroup"], ["~", "value", "%s"]]]]]]'
else:
query_base = '["and",["or",%s],["in", "certname", ["extract", "certname", ["select_facts", ["and", ["=", "name", "hostgroup"], ["~", "value", "%s"]]]]]]'
query_facts = ','.join(['["=","name","%s"]' % fact for fact in facts])
query = query_base % (query_facts, hostgroup)
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json, version=2'
}
payload = {'query': query}
logging.info("Getting facts from '%s', query: '%s'" % (url, query))
r = requests.get(url,
params=payload,
headers=headers,
auth=HTTPKerberosAuth())
if r.status_code == requests.codes.ok:
logging.info("Request code: '%s'" % r.status_code)
return json.loads(r.text)
else:
logging.error("The request failed with code '%s'" % r.status_code)
return None
def advisory_drop_cli(advisory):
"""Drop advisory
Advisories can only be dropped by the creators, and program management.
This script can get run on buildvm with the credentials of the creator of
ART's advisories, so the bot account can drop them.
"""
url = errata_drop_url.format(id=advisory)
data = 'utf8=%E2%9C%93&reason=Dropping+unused+advisory%21&commit=Dropping+unused+advisory'
headers = {"Content-Type": "text/plain"}
r = requests.post(url, auth=HTTPKerberosAuth(), data=data, headers=headers)
if r.status_code == 200:
click.echo(f'Succesfully dropped advisory {advisory}')
sys.exit(0)
elif "ERROR: Validation failed: Previous - Transition DROPPED_NO_SHIP => DROPPED_NO_SHIP is invalid" in r.text:
click.echo(f'Advisory {advisory} already seems dropped')
sys.exit(0)
else:
click.echo(
f'Failed to drop advisory {advisory}. Got status code {r.status_code}'
)
click.echo(r.text)
sys.exit(1)
def rest(self,
endpoint,
data=None,
method='get',
formatjson=True,
params=None):
url = self.protocol + "://" + self.host + ":" + str(
self.port) + "/api/atlas/" + endpoint
header = {
"Accept": "application/json",
"Content-Type": "application/json"
}
if kerberos == True:
auth = HTTPKerberosAuth()
else:
auth = (self.username, self.password)
try:
r = requests.request(method,
url,
headers=header,
auth=auth,
verify=False,
data=data,
params=params)
except:
logger.error("Cannot connect to Atlas")
return (False)
if formatjson:
return (json.loads(r.text))
else:
return (r.text)
def _create_requests_session(self):
"""
Creates a Requests Session and authenticates to base API URL with kerberos-requests.
We're using a Session to persist cookies across all requests made from the Session instance.
:return s: Requests Session.
"""
# TODO: Support other authentication methods.
# Set up authentication for requests session.
s = requests.Session()
if self.auth == 'kerberos':
self.principal = _get_kerberos_principal()
s.auth = HTTPKerberosAuth(mutual_authentication=DISABLED)
s.verify = False
if isinstance(self.auth, tuple):
s.auth = self.auth
# Try to authenticate to auth_url.
try:
r = s.get(self.auth_url)
logging.debug("Create requests session: status code: {0}".format(
r.status_code))
r.raise_for_status()
logging.info("Successfully authenticated to {0}".format(
self.ticketing_tool))
return s
# We log an error if authentication was not successful, because rest of the HTTP requests will not succeed.
# Instead of using e.message, use e.args[0] instead to prevent DeprecationWarning for exception.message.
except requests.RequestException as e:
logging.error("Error authenticating to {0}.".format(self.auth_url))
logging.error(e.args[0])
s.close()
def atlasPOST(restAPI, data):
kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
url = "https://" + ATLAS_DOMAIN + restAPI
print(url)
r = requests.post(url, auth=kerberos_auth, verify=False, json=data)
return (json.loads(r.text))
def _create_requests_session(self):
"""
Creates a Requests Session and authenticates to base API URL with kerberos-requests.
We're using a Session to persist cookies across all requests made from the Session instance.
:return s: Requests Session.
"""
# TODO: Support other authentication methods.
# Set up authentication for requests session.
s = requests.Session()
if self.auth == 'kerberos':
self.principal = _get_kerberos_principal()
s.auth = HTTPKerberosAuth(mutual_authentication=DISABLED)
s.verify = self.verify
if isinstance(self.auth, tuple):
s.auth = self.auth
s.verify = self.verify
# Try to authenticate to auth_url.
try:
r = s.get(self.auth_url)
logger.debug("Create requests session: status code: {0}".format(
r.status_code))
r.raise_for_status()
logger.info("Successfully authenticated to {0}".format(
self.ticketing_tool))
return s
except requests.RequestException as e:
logger.error("Error authenticating to {0}".format(self.auth_url))
logger.error(e)
s.close()
def __init__(self):
self.url = Environment().get_spark_livy_url()
self.auth = None
if Environment().is_kerberos_enabled():
from requests_kerberos import HTTPKerberosAuth, REQUIRED
self.auth = HTTPKerberosAuth(mutual_authentication=REQUIRED,
sanitize_mutual_error_response=False)
def set_kerberos_auth(self, service="HTTP"):
"""Set up kerberos auth for the client, based on the current ticket."""
mutual_auth = conf.KERBEROS.MUTUAL_AUTHENTICATION.get().upper()
if mutual_auth == 'OPTIONAL':
self._session.auth = HTTPKerberosAuth(
mutual_authentication=OPTIONAL, service=service)
elif mutual_auth == 'REQUIRED':
self._session.auth = HTTPKerberosAuth(
mutual_authentication=REQUIRED, service=service)
elif mutual_auth == 'DISABLED':
self._session.auth = HTTPKerberosAuth(
mutual_authentication=DISABLED, service=service)
else:
self._session.auth = HTTPKerberosAuth(
mutual_authentication=OPTIONAL, service=service)
return self
def _make_request(self, entity, params):
"""
Send a request to Pyxis
:param str entity: entity part to construct a full URL for request.
:param dict params: Pyxis query parameters.
:return: Json response from Pyxis
:rtype: dict
:raises PyxisRequestError: If Pyxis returns error as a response
"""
entity_url = urllib.parse.urljoin(self._api_root, entity)
auth_method = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
response = requests.get(entity_url,
params=params,
auth=auth_method,
timeout=conf.net_timeout)
if response.ok:
return response.json()
# Warn early, in case there is an error in the error handling code below
log.warning("Request to %s gave %r", response.request.url, response)
try:
response_text = response.json()
except ValueError:
response_text = response.text
raise PyxisRequestError(response.status_code, response_text)
def __init__(self,
client_id,
capture_request_history=False,
saml_auth=HTTPKerberosAuth(mutual_authentication=OPTIONAL),
expiration=120,
verify=True):
self.client_id = client_id
self.capture_request_history = capture_request_history
self.history = []
self.expiration = expiration # Defaults to 2 hours (120 min)
self.verify = verify
self.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
# DOI SAML service required these headers for single-sign-on. Developers can explicity over-write if needed...
self.saml_headers = {
"User-Agent":
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0E; InfoPath.3)"
}
# DOI SAML service did not support 'REQUIRED' mutual authentication. HTTPKerberosAuth threw a 'mutual authentication exception'. Developers can explicity over-write if needed (or even add NTLM or some other 3rd party auth handler to the SAML communications)
self.saml_auth = saml_auth
### Derived Fields ###
self._verify_cert = True
self._base_url = None # Expected to be - https://host/<instance>/sharing/rest where <instance> is optional
self._oauth_info = None # Derived from the portal "authorize" endpoint
self._saml_code = None # Derived from the SAML login
self._token_data = None # Derived from the portal "token" endpoint
self._token_acquired = None
def set_kerberos_auth(self, mutual_authentication, service, delegate,
force_preemptive, principal, hostname_override,
sanitize_mutual_error_response, send_cbt):
"""Set up kerberos auth for the client, based on the current ticket."""
mutual_authentication_val = OPTIONAL
if mutual_authentication == 'OPTIONAL':
mutual_authentication_val = OPTIONAL
elif mutual_authentication == 'REQUIRED':
mutual_authentication_val = REQUIRED
elif mutual_authentication == 'DISABLED':
mutual_authentication_val = DISABLED
self._session.auth = HTTPKerberosAuth(
mutual_authentication=mutual_authentication_val,
service=service,
delegate=delegate,
force_preemptive=force_preemptive,
principal=principal,
hostname_override=hostname_override,
sanitize_mutual_error_response=sanitize_mutual_error_response,
send_cbt=send_cbt)
return self
