Add Kerberos (GSSAPI) Authentication Method

This adds GSSAPI as an authentication method for using keytabs and Kerberos SSO to authenticate against the core endpoints. Fix pacifica/pacifica-python-uploader#36 Signed-off-by: David Brown <dmlb2000@gmail.com>
pacifica · Jan 29, 2020 · 217cdd7 · 217cdd7
1 parent 611248b
commit 217cdd7
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 1 deletion.
diff --git a/docs/exampleusage.md b/docs/exampleusage.md
@@ -37,6 +37,7 @@ There are three kinds of authentication types supported.
 
 - clientssl - This is where you have an SSL client key and cert
 - basic     - This is a username and password
+- gssapi    - Use GSSAPI tickets to authenticate
 - None      - Do not perform any authentication
 
 Authentication Type (None): basic

diff --git a/pacifica/cli/configure.py b/pacifica/cli/configure.py
@@ -81,13 +81,14 @@ def configure_auth(global_ini):
 
 - clientssl - This is where you have an SSL client key and cert
 - basic     - This is a username and password
+- gssapi    - Use GSSAPI tickets to authenticate
 - None      - Do not perform any authentication
 """)
     default_auth_type = global_ini.get('authentication', 'type')
     stdout.write('Authentication Type ({}): '.format(default_auth_type))
     stdout.flush()
     strip_input = stdin.readline().strip()
-    if strip_input and strip_input in ['clientssl', 'basic', 'None']:
+    if strip_input and strip_input in ['clientssl', 'basic', 'gssapi', 'None']:
         global_ini.set('authentication', 'type', strip_input)
     auth_type = global_ini.get('authentication', 'type')
     if auth_type == 'clientssl':

diff --git a/pacifica/cli/methods.py b/pacifica/cli/methods.py
@@ -7,6 +7,7 @@
 from getpass import getuser
 from os import environ, getenv
 from os.path import isfile
+import warnings
 from json import loads
 import requests
 from pacifica.uploader.uploader import LOGGER as UP_LOGGER
@@ -142,6 +143,17 @@ def generate_requests_auth(global_ini):
                 global_ini.get('authentication', 'key')
             )
         }
+    elif auth_type == 'gssapi':  # pragma: no cover don't have kerberos available to test with
+        # pylint: disable=import-outside-toplevel
+        try:
+            from requests_gssapi import HTTPSPNEGOAuth
+        except ImportError as ex:
+            warnings.warn('Unable to import requests_gssapi please `pip install requests_gssapi`')
+            raise ex
+        # pylint: enable=import-outside-toplevel
+        ret = {
+            'auth': HTTPSPNEGOAuth()
+        }
     elif auth_type == 'basic':
         ret = {
             'auth': (

diff --git a/tests/methods_test.py b/tests/methods_test.py
@@ -50,6 +50,10 @@ def test_gen_req_auth(self):
             self.assertTrue(generate_requests_auth(conf)
                             ['auth'][0], 'username')
             self.assertTrue(generate_requests_auth(conf)['auth'], 'password')
+        with ConfigClient('gssapi') as conf:
+            with self.assertRaises(ImportError) as excinfo:
+                generate_requests_auth(conf)
+            self.assertTrue('No module named' in excinfo.exception.msg)
 
     def test_verify_type(self):
         """Test the verify_type method to cover everything."""