Skip to main content

Versatile Data Kit SDK plugin adds Kerberos/GSSAPI support.

Project description

monthly download count for vdk-kerberos-auth

The plugin provides GSSAPI Kerberos authentication on data job startup. The plugin also adds Kerberos/GSSAPI support for HTTP requests.

Usage

To install the plugin, run:

pip install vdk-kerberos-auth

After it's install what happens:

  1. Upon installation and if KEYTAB_FILENAME and KEYTAB_PRINCIPAL are configured, it will try to authenticate ("kinit") at the start of very VDK command.
  2. Then when a client needs to talk to kerberos provision server they would use KerberosClient class to generate header: With requests library, you'd use https://pypi.org/pypi/requests-kerberos. The following can be used if another http library does not support kerberos to generate Authorization header:
auth = KebrerosClient("http@server.fqdn.com")
headers['Authorization'] =  auth.read_kerberos_auth_header()

Known issues

The plugin dependency requests-kerberos==0.12.0 may fail to install on Ubuntu with the following error:

  src/kerberosbasic.h:17:10: fatal error: gssapi/gssapi.h: No such file or directory
     17 | #include <gssapi/gssapi.h>
        |          ^~~~~~~~~~~~~~~~~
  compilation terminated.

If this is the case, install libkrb5-dev with the command below and try reinstalling the plugin:

sudo apt-get install -y libkrb5-dev

Configuration

The following environment variables can be used to configure this plugin:

name description
KRB_AUTH Specifies the Kerberos authentication type to use. Possible values are 'minikerberos' and 'kinit'. If left empty, the authentication is disabled.
KEYTAB_FILENAME Specifies the name of the keytab file. If left empty, the name of the keytab file is assumed to be the same as the name of the data job with '.keytab' suffix.
KEYTAB_FOLDER Specifies the folder containing the keytab file. If left empty, the keytab file is expected to be located inside the data job folder.
KEYTAB_PRINCIPAL Specifies the Kerberos principal. If left empty, the principal will be the job name prepended with 'pa__view_'.
KEYTAB_REALM Specifies the Kerberos realm. This value is used only with the 'minikerberos' authentication type. The default value is 'default_realm'.
KERBEROS_KDC_HOST Specifies the name of the Kerberos KDC (Key Distribution Center) host. This value is used only with the 'minikerberos' authentication type.

Testing

In order to run the tests you need pytest and docker and kerberos client (kadmin).

You can use helper script ../build-plugin.sh to build and test locally.

On Mac OS kadmin may miss some options needed. In this case you can use kadmin in docker to run the tests

export VDK_TEST_USE_KADMIN_DOCKER=true
cd /source/projects/vdk-plugins/vdk-kerberos-auth
../build-plugin.sh

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vdk-kerberos-auth-0.3.1156222304.tar.gz (13.9 kB view details)

Uploaded Source

File details

Details for the file vdk-kerberos-auth-0.3.1156222304.tar.gz.

File metadata

File hashes

Hashes for vdk-kerberos-auth-0.3.1156222304.tar.gz
Algorithm Hash digest
SHA256 b67b73ddb40f0a2ea726bdf1b03f6ee003fb44ac0bcabb5248ca5a027ade4951
MD5 058f59b207619de06e7fbecf83e3ad7a
BLAKE2b-256 58ae8188a2ca176f387d05eeeb0f9681873c5a9b0c68da08b02308fd6f55eb95

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page