2:23 a.m.
= System Wide Change: Kerberos in Python modernization =
https://fedoraproject.org/wiki/Changes/kerberos-in-python-modernization
Change owner(s):
* Robbie Harwood <rharwood at fp dot o>
Replace usage of python-krbV and pykerberos with python-gssapi in all
Fedora packages to enable their removal from Fedora. rharwood will
author all necessary code changes; no new code from maintainers is
required.
== Detailed Description ==
Replace older, clunkier, less user-friendly python interfaces to
Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface,
which is widely standardized, implemented by both MIT and Heimdal
Kerberos, and much more user-friendly.
As part of this effort, python-requests-gssapi will be introduced to
fedora to enable transition off of python-requests-kerberos (which
requires pykerberos). Its package review (completed as of 2018-01-03)
was rhbz#1527682
Please note that I will be providing all patches necessary to all
affected components; no work is expected from other maintainers, other
than normal review and backport handling.
== Scope ==
* Proposal owners:
rharwood (responsible for providing patches and new package)
* Other developers:
maintainers of affected packages are expected to perform code review
* Release engineering:
#7219: https://pagure.io/releng/issue/7219
* List of deliverables:
N/A
* Policies and guidelines:
N/A
* Trademark approval:
N/A
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
3:35 a.m.
On Fri, 2018-01-05 at 09:23 +0100, Jan Kurik wrote:
== Detailed Description ==
Replace older, clunkier, less user-friendly python interfaces to
Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface,
which is widely standardized, implemented by both MIT and Heimdal
Kerberos, and much more user-friendly.
As part of this effort, python-requests-gssapi will be introduced to
fedora to enable transition off of python-requests-kerberos (which
requires pykerberos). Its package review (completed as of 2018-01-03)
was rhbz#1527682
In affected components, presumably this should fix authentication to
services where GSSAPI needs to fall back from Kerberos to GSS-NTLMSSP.
If possible, it would be nice to include that fallback in any testing
that gets done.
4:10 a.m.
On 5 January 2018 at 09:35, David Woodhouse <dwmw2(a)infradead.org> wrote:
On Fri, 2018-01-05 at 09:23 +0100, Jan Kurik wrote:
>
>
> == Detailed Description ==
> Replace older, clunkier, less user-friendly python interfaces to
> Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface,
> which is widely standardized, implemented by both MIT and Heimdal
> Kerberos, and much more user-friendly.
>
> As part of this effort, python-requests-gssapi will be introduced to
> fedora to enable transition off of python-requests-kerberos (which
> requires pykerberos). Its package review (completed as of 2018-01-03)
> was rhbz#1527682
In affected components, presumably this should fix authentication to
services where GSSAPI needs to fall back from Kerberos to GSS-NTLMSSP.
If possible, it would be nice to include that fallback in any testing
that gets done.
Note that python-requests-kerberos is a fairly common library used in
the Windows managed by Ansible world.
Although many use the basic ntlm auth the single sign on aspect of the
Kerberos library is useful.
There is a general transition to CredSSP recommended for windows
Ansible users (which is somewhat waiting on me in Fedora... Christmas
was busy... and only covers ntlm not kerberos at this time) but we
will want to avoid dropping that for the time being or at least
provide some guidance or a pull request for python-winrm to use
python-requests-gssapi instead of (or in addition to)
python-requests-kerberos.
I've cc'd jborean as he's responsible for python-requests-credssp and
should probably be aware of the the pykerberos -> python-gssapi stuff
for his development activities.
10:35 a.m.
On Fri, 2018-01-05 at 10:10 +0000, James Hogarth wrote:
On 5 January 2018 at 09:35, David Woodhouse
<dwmw2(a)infradead.org> wrote:
> On Fri, 2018-01-05 at 09:23 +0100, Jan Kurik wrote:
> >
> >
> > == Detailed Description ==
> > Replace older, clunkier, less user-friendly python interfaces to
> > Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface,
> > which is widely standardized, implemented by both MIT and Heimdal
> > Kerberos, and much more user-friendly.
> >
> > As part of this effort, python-requests-gssapi will be introduced to
> > fedora to enable transition off of python-requests-kerberos (which
> > requires pykerberos). Its package review (completed as of 2018-01-03)
> > was rhbz#1527682
>
> In affected components, presumably this should fix authentication to
> services where GSSAPI needs to fall back from Kerberos to GSS-NTLMSSP.
>
> If possible, it would be nice to include that fallback in any testing
> that gets done.
Note that python-requests-kerberos is a fairly common library used in
the Windows managed by Ansible world.
Although many use the basic ntlm auth the single sign on aspect of the
Kerberos library is useful.
There is a general transition to CredSSP recommended for windows
Ansible users (which is somewhat waiting on me in Fedora... Christmas
was busy... and only covers ntlm not kerberos at this time) but we
will want to avoid dropping that for the time being or at least
provide some guidance or a pull request for python-winrm to use
python-requests-gssapi instead of (or in addition to)
python-requests-kerberos.
I've cc'd jborean as he's responsible for python-requests-credssp and
should probably be aware of the the pykerberos -> python-gssapi stuff
for his development activities.
Can we avoid using ntlm_auth in new packages and instead use gssapi
with gss-ntlmssp ?
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
2300
days inactive
2300
days old
3 comments
4 participants
participants (4)
-
David Woodhouse -
James Hogarth -
Jan Kurik -
Simo Sorce