krbticket 1.0.6

Kerberos Ticket Manager

Kerberos Ticket Manager

Simple kinit wrapper to update Kerberos ticket periodically for long running application.

Getting Started

Periodical kerberos ticket update

from krbticket import KrbTicket

ticket = KrbTicket.init("<principal>", "<keytab path>")
ticket.updater_start()

If keytab path is not specifyed, kinit uses KRB5_KTNAME env, or /etc/krb5.keytab to find a keytab file. see: kerberos(1) and kinit(1).

Ticket Updater Strategies

To avoid a credential cache (ccache) corruption by concurrent updates from multiple processes, KrbTicketUpdater has a few update strategies:

• SimpleKrbTicketUpdater: for single updater process, or multiple updaters w/ per process ccache. (default)
• MultiProcessKrbTicketUpdater: for multiple updater processes w/ exclusive file lock
• SingleProcessKrbTicketUpdater: for multiple updater processes w/ exclusive file lock to restrict the number of updater processes to one against the ccache

from krbticket import KrbTicket, SingleProcessKrbTicketUpdater

ticket = KrbTicket.init("<principal>", "<keytab path>", updater_class=SingleProcessKrbTicketUpdater)
ticket.updater_start()

Retry

krbticket supports retry feature utilizing retrying which provides various retry strategy. To change the behavior, pass the options using retry_options of KrbConfig. The dafault values are:

• wait_exponential_multiplier = 1000
• wait_exponential_max = 30000
• stop_max_attempt_number = 10

from krbticket import KrbTicket

retry_options = {
  'wait_exponential_multiplier': 1000,
  'wait_exponential_max': 10000,
  'stop_max_attempt_number': 5
}
ticket = KrbTicket.init("<principal>", "<keytab path>", retry_options=retry_options)
ticket.updater_start()

Update Interval

TBD

Test

docker run --rm -p 88:88 ksauzz/docker-krb5:0.0.1
pip install -r requirements-test.txt -r requirements.txt
KRB5_CONFIG=tests/conf/krb5.conf.local pytest