Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AIRFLOW-2698] Simplify Kerberos code #3563

Merged
merged 1 commit into from Nov 7, 2018
Merged

[AIRFLOW-2698] Simplify Kerberos code #3563

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
13 changes: 10 additions & 3 deletions airflow/contrib/auth/backends/kerberos_auth.py
View file
Open in desktop
Expand Up @@ -19,6 +19,7 @@

import logging
import flask_login
from airflow.exceptions import AirflowConfigException
from flask_login import current_user
from flask import flash
from wtforms import (
Expand All @@ -32,7 +33,6 @@

from flask import url_for, redirect

from airflow import settings
from airflow import models
from airflow import configuration
from airflow.utils.db import provide_session
Expand All @@ -58,7 +58,13 @@ def authenticate(username, password):
utils.get_fqdn()
)
realm = configuration.conf.get("kerberos", "default_realm")
user_principal = utils.principal_from_username(username)

try:
user_realm = configuration.conf.get("security", "default_realm")
except AirflowConfigException:
user_realm = realm

user_principal = utils.principal_from_username(username, user_realm)

try:
# this is pykerberos specific, verify = True is needed to prevent KDC spoofing
Expand All @@ -68,7 +74,8 @@ def authenticate(username, password):
raise AuthenticationError()
except kerberos.KrbError as e:
logging.error(
'Password validation for principal %s failed %s', user_principal, e)
'Password validation for user '
'%s in realm %s failed %s', user_principal, realm, e)
raise AuthenticationError(e)

return
Expand Down
33 changes: 6 additions & 27 deletions airflow/security/utils.py
View file
Open in desktop
Expand Up @@ -22,21 +22,6 @@

from airflow.utils.net import get_hostname

# Pattern to replace with hostname
HOSTNAME_PATTERN = '_HOST'


def get_kerberos_principal(principal, host):
components = get_components(principal)
if not components or len(components) != 3 or components[1] != HOSTNAME_PATTERN:
return principal
else:
if not host:
raise IOError("Can't replace %s pattern "
"since host is null." % HOSTNAME_PATTERN)
return replace_hostname_pattern(components, host)


def get_components(principal):
"""
get_components(principal) -> (short name, instance (FQDN), realm)
Expand All @@ -51,33 +36,27 @@ def get_components(principal):
def replace_hostname_pattern(components, host=None):
fqdn = host
if not fqdn or fqdn == '0.0.0.0':
fqdn = get_localhost_name()
fqdn = get_hostname()
return '%s/%s@%s' % (components[0], fqdn.lower(), components[2])


def get_localhost_name():
return get_hostname()


def get_fqdn(hostname_or_ip=None):
# Get hostname
try:
if hostname_or_ip:
fqdn = socket.gethostbyaddr(hostname_or_ip)[0]
if fqdn == 'localhost':
fqdn = get_hostname()
else:
fqdn = get_localhost_name()
fqdn = get_hostname()
except IOError:
fqdn = hostname_or_ip

if fqdn == 'localhost':
fqdn = get_localhost_name()

return fqdn


def principal_from_username(username):
realm = conf.get("security", "default_realm")
if '@' not in username and realm:
def principal_from_username(username, realm):
if ('@' not in username) and realm:
username = "{}@{}".format(username, realm)

return username