Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade GSSAPI support to the 'gssapi' (not 'python-gssapi') module #584

Closed
quantology opened this issue Sep 8, 2015 · 8 comments
Closed

Upgrade GSSAPI support to the 'gssapi' (not 'python-gssapi') module #584

quantology opened this issue Sep 8, 2015 · 8 comments

Comments

@quantology
Copy link

@quantology quantology commented Sep 8, 2015

[Maintainer edit: the action required on this ticket is to change Paramiko's GSSAPI functionality to use the API of gssapi, vs right now where it uses the API of python-gssapi. Then update setup.py.]

It looks like paramiko/ssh_gss.py refers to an older version of gssapi. See from https://github.com/paramiko/paramiko/blob/master/paramiko/ssh_gss.py#L253, all the references to gssapi.C_* fail.

Note that gssapi 0.6.* has these attributes (https://github.com/sigmaris/python-gssapi/blob/master/gssapi/__init__.py#L6), but the new gssapi (v >= 1.0, https://github.com/pythongssapi/python-gssapi/tree/master/gssapi/raw) doesn't appear to have these flags anywhere I can find.

Specifically, when I call connect in client.py, I get the following:

/home/mtartre/.conda/envs/std/lib/python3.4/site-packages/paramiko/ssh_gss.py in __init__(self,     auth_method, gss_deleg_creds)
    251 
    252         if self._gss_deleg_creds:
--> 253             self._gss_flags = (gssapi.C_PROT_READY_FLAG,
    254                                gssapi.C_INTEG_FLAG,
    255                                gssapi.C_MUTUAL_FLAG,

AttributeError: 'module' object has no attribute 'C_PROT_READY_FLAG'

I wish I could help fix this, but I'm out of my depth when it comes to C bindings like this. I'd be happy to test any ideas anyone has.

References:

@bitprophet
Copy link
Member

@bitprophet bitprophet commented Sep 8, 2015

Thanks for the report!

@linuxluser
Copy link

@linuxluser linuxluser commented Sep 16, 2015

The gssapi module which paramiko GSSAPI support was built with now states:

There is a newer project which has superseded this one, https://github.com/pythongssapi/python-gssapi. Please use that package if suitable for your needs, as this project is unlikely to be developed further.

It looks like the dependency that Paramiko's GSSAPI support was built with seems to be deprecated in favor of a new fork of this module with the same name. If you pip install gssapi you will get the latest version which is now completely incompatible with what Paramiko currently expects to be using when you import gssapi.

Old python-gssapi module: https://github.com/sigmaris/python-gssapi
New python-gssapi module: https://github.com/pythongssapi/python-gssapi

I believe this means that the GSSAPI support in Paramiko will have to be revised. Until then it is referring to a zombified module.

@bitprophet
Copy link
Member

@bitprophet bitprophet commented Sep 18, 2015

Swell, and by swell, I mean my forehead is swelling up from hitting my desk. Programming! :( Thanks for looking into that, @linuxluser. I don't remember if our setup.py pins that dependency to a specific version, but that sounds like step 1, with step 2 being porting to the newer, not-unsupported version.

@bitprophet bitprophet added this to the 1.13.4 / 1.14.3 / 1.15.3 milestone Sep 30, 2015
@bitprophet
Copy link
Member

@bitprophet bitprophet commented Sep 30, 2015

OK, I'd forgotten that because GSSAPI is an optional feature, we went the "document it and do not add to setup.py" route.

This means there's technically nothing we can do to "pin" to the older iteration of the library; we just need people to make sure they pip install python-gssapi and NOT pip install gssapi.

Which, to be fair, is what our docs say - python-gssapi - so anybody doing pip install gssapi is technically incorrect. I'm assuming that installing the latest python-gssapi (0.6.4) is still functional.

Going to rename this ticket to reflect this.

@bitprophet bitprophet changed the title Broken GSSAPI bindings Upgrade GSSAPI support to the 'gssapi' (not 'python-gssapi') module Sep 30, 2015
@bitprophet bitprophet added this to the 2.0 milestone Sep 30, 2015
@bitprophet bitprophet removed this from the 1.13.4 / 1.14.3 / 1.15.3 milestone Sep 30, 2015
@bitprophet bitprophet removed this from the 2.0 milestone Apr 24, 2016
@bitprophet bitprophet added this to the 3.0 milestone Apr 24, 2016
@bitprophet bitprophet added this to the 3.0 milestone Apr 24, 2016
@bitprophet bitprophet removed this from the 2.0 milestone Apr 24, 2016
@bitprophet
Copy link
Member

@bitprophet bitprophet commented Dec 13, 2016

#861 implements optional support for both GSSAPI third party modules (it uses a simple heuristic to figure out which of the two was imported), so as long as I can get some other folks testing and confirming it's kosher (please note in here) that means this can actually be just another feature release for the 2.x line. Updating milestone.

@bitprophet bitprophet added this to the 2.2 milestone Dec 13, 2016
@bitprophet bitprophet removed this from the 3.0 milestone Dec 13, 2016
@deepeshreja
Copy link

@deepeshreja deepeshreja commented Jul 12, 2017

I've tested out the proposed patch and it works as expected.

@bitprophet bitprophet removed this from the 2.2 milestone Aug 16, 2017
@bitprophet bitprophet added this to the 2.4.0 milestone Aug 16, 2017
@bitprophet bitprophet added this to the 2.4.0 milestone Aug 16, 2017
@bitprophet bitprophet removed this from the 2.2 milestone Aug 16, 2017
@pwilthew
Copy link

@pwilthew pwilthew commented Jan 3, 2018

The proposed fix works for me! Thank you.

openstack-gerrit pushed a commit to openstack/rally that referenced this issue Feb 25, 2018
It fails on fedora25 with system gssapi package installed with the
following error:

AttributeError: 'module' object has no attribute 'GSSException'

It happens because of: paramiko/paramiko#584
that will be fixed with paramiko/paramiko#861
that is not released or even merged yet.

It's better to isolate the venv from system libraries that may be
incompatible with paramiko.

Change-Id: I98af75bb01fa42a2902a850de1b974abc982d432
@bitprophet
Copy link
Member

@bitprophet bitprophet commented Oct 16, 2018

Closing this in favor of the various PRs that have been opened (latest seems to be #1311). Will still allow conversations here (esp if I'm unable to get to it before yet another PR is opened...sob...but I hope to get to this relatively soon, famous last words notwithstanding).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants