Jira plugin fails with Kerberos authentication #204

Open
psss opened this issue Oct 4, 2019 · 13 comments

@psss
Owner

psss commented Oct 4, 2019

After porting the code to Python 3, the Jira plugin stopped working. Example config file:

[general]
email = Petr Šplíchal <psplicha@redhat.com>

[osci]
type = jira
project = OSCI
url = https://projects.example.com/

While with Python 2 issues are successfully fetched, Python 3 gives the following error:

 [ ERROR ] 500 Server Error: Internal Server Error for url:
 https://projects.example.com/step-auth-gss
@psss
Owner Author

psss commented Oct 4, 2019

@frenzymadness, this is the Jira issue.

@frenzymadness

It works for me

$ git pull origin master  # pull from my fork
From github.com:frenzymadness/did
 * branch            master     -> FETCH_HEAD
Already up to date.
[lbalhar@localhost did]$ python3 setup.py build
running build
running build_py
creating build
creating build/lib
creating build/lib/did
copying did/base.py -> build/lib/did
copying did/__init__.py -> build/lib/did
copying did/cli.py -> build/lib/did
copying did/utils.py -> build/lib/did
copying did/stats.py -> build/lib/did
creating build/lib/did/plugins
copying did/plugins/confluence.py -> build/lib/did/plugins
copying did/plugins/footer.py -> build/lib/did/plugins
copying did/plugins/header.py -> build/lib/did/plugins
copying did/plugins/nitrate.py -> build/lib/did/plugins
copying did/plugins/__init__.py -> build/lib/did/plugins
copying did/plugins/items.py -> build/lib/did/plugins
copying did/plugins/pagure.py -> build/lib/did/plugins
copying did/plugins/git.py -> build/lib/did/plugins
copying did/plugins/redmine.py -> build/lib/did/plugins
copying did/plugins/jira.py -> build/lib/did/plugins
copying did/plugins/google.py -> build/lib/did/plugins
copying did/plugins/rt.py -> build/lib/did/plugins
copying did/plugins/gitlab.py -> build/lib/did/plugins
copying did/plugins/trac.py -> build/lib/did/plugins
copying did/plugins/sentry.py -> build/lib/did/plugins
copying did/plugins/bugzilla.py -> build/lib/did/plugins
copying did/plugins/wiki.py -> build/lib/did/plugins
copying did/plugins/github.py -> build/lib/did/plugins
copying did/plugins/gerrit.py -> build/lib/did/plugins
copying did/plugins/trello.py -> build/lib/did/plugins
running build_scripts
creating build/scripts-3.7
copying and adjusting bin/did -> build/scripts-3.7
changing mode of build/scripts-3.7/did from 664 to 775
[lbalhar@localhost did]$ PYTHONPATH=build/lib/ bin/did this year
 ERROR  No module named 'googleapiclient'
Status report for this fiscal year (2019-03-01 to 2020-02-29).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Lumír Balhar <lbalhar@redhat.com>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Issues created in osci: 1
    * OSCI-504 - Jenkins installability check failed

* Issues created in tt: 1
    * TT-66 - [TEST] Issue for testing did

$ head bin/did
#!/usr/bin/python3
# coding: utf-8

My configuration contains two jira projects (OSCI and TT) from the internal Jira instance.

[general]
email = Lumír Balhar <lbalhar@redhat.com>

[osci]
type = jira
project = OSCI
url = <internal URL>

[tt]
type = jira
project = TT
url = <internal URL>

I've also tried a test with your configuration and it also works:

$ PYTHONPATH=build/lib/ bin/did this year
 ERROR  No module named 'googleapiclient'
Status report for this fiscal year (2019-03-01 to 2020-02-29).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Petr Šplíchal <psplicha@redhat.com>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Issues created in osci: 28

… etc …

I am running on Fedora 30, all updates installed. What do you think makes a difference?

@psss
Owner Author

psss commented Oct 18, 2019

Interesting. After reinstalling with pip -e . I was able to fetch the stats. But when repeated once more the query failed. Third time worked again. It behaves in some non-deterministic way. Need to investigate more.

@psss
Owner Author

psss commented Oct 18, 2019

Works reliably when packaged as rpm though. Perhaps something wrong in the dependencies? Also, when running under venv I need to:

export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

Otherwise it fails with CERTIFICATE_VERIFY_FAILED. Could this be related?

@lukaszachy
Collaborator

lukaszachy commented Nov 1, 2019

Does it work for you these days? Since Oct 30 we have had trouble connecting with the python2 version as well.

500 Server Error: Internal Server Error for url:<internal URL>/step-auth-gss

I'm not sure whether direct (as by web browser) access of that URL should work, but it ends up with 500 as well. When I didn't have kinit it was returning 401.

@frenzymadness

IIRC the URL was working in browser and IMHO it should so it might be a problem in Jira.

@lukaszachy
Collaborator

Thanks. It looks like gss-api access to the Jira instance was cancelled and we are advised to use a Local Account (or so was the answer in the Ticket).

@psss
Owner Author

psss commented Nov 4, 2019

Interesting, I was able to connect to Jira using the python jira module:

from jira import JIRA

options = {"server": "https://example.com/"}
jira = JIRA(options, kerberos=True)

issue = jira.issue('TT-1')
print(issue.fields.summary)

So it seems kerberos authentication is not turned off... We could possibly update did to use jira python module. Need to check what is the recommended single-sign-on way.

psss changed the title from "Jira plugin fails with Python 3" to "Jira plugin fails with Kerberos authentication" on Nov 18, 2019

@lukaszachy
Collaborator

Copying here Standa Zidek's comment from the email:

I was able to fix my scripts just by changing '/step-auth-gss' to '/rest/auth/1/session'

@psss
Owner Author

psss commented Nov 19, 2019

I tried that already but it doesn't seem to help.

lukaszachy added a commit to lukaszachy/did that referenced this issue Nov 19, 2019
@lukaszachy
Collaborator

Hm, I've patched jira.py but for some projects I'm having

DEBUG  Connecting to <internal url>
Traceback (most recent call last):
  File "/usr/local/bin/did", line 42, in <module>
    did.cli.main()
  File "/usr/local/lib/python3.7/site-packages/did/cli.py", line 210, in main
    user_stats.check()
  File "/usr/local/lib/python3.7/site-packages/did/stats.py", line 157, in check
    stat.check()
  File "/usr/local/lib/python3.7/site-packages/did/stats.py", line 157, in check
    stat.check()
  File "/usr/local/lib/python3.7/site-packages/did/stats.py", line 77, in check
    self.fetch()
  File "/usr/local/lib/python3.7/site-packages/did/plugins/jira.py", line 141, in fetch
    self.stats = Issue.search(query, stats=self)
  File "/usr/local/lib/python3.7/site-packages/did/plugins/jira.py", line 104, in search
    batch, listed(data["issues"], "issue")))
KeyError: 'issues'

Returned data are
{'errorMessages': ["The value 'PROJECT' does not exist for the field 'project'."], 'errors': {}}

Funny it worked for one project, but not the others :/ Seems like a permission issue.
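
An added example, not part of the thread or of did's own code: one way to turn the replies quoted in this issue (401 without a ticket, 500 from the server, a body carrying `errorMessages`) into a clear error instead of `KeyError: 'issues'`. The helper names, the sample replies and the 400 status used for the error body are constructed for illustration.

```python
import json


class JiraSearchError(Exception):
    """The reply did not contain a usable 'issues' list."""


def issues_from_reply(status_code, body, url):
    """Return data["issues"] or raise JiraSearchError saying why not."""
    # Hypothetical helper, not part of did.
    if status_code == 401:
        # Seen in the thread when no Kerberos ticket was present.
        raise JiraSearchError(f"{url}: 401, not authenticated")
    if status_code >= 500:
        # Seen in the thread for the /step-auth-gss endpoint.
        raise JiraSearchError(f"{url}: {status_code}, server-side failure")
    try:
        data = json.loads(body)
    except ValueError:
        raise JiraSearchError(f"{url}: reply is not JSON") from None
    if not isinstance(data, dict):
        raise JiraSearchError(f"{url}: unexpected JSON {type(data).__name__}")
    # The error body quoted in the thread has no 'issues' key at all.
    problems = list(data.get("errorMessages") or [])
    problems += [f"{k}: {v}" for k, v in (data.get("errors") or {}).items()]
    if problems:
        raise JiraSearchError(f"{url}: " + "; ".join(problems))
    if "issues" not in data:
        raise JiraSearchError(f"{url}: no 'issues' key in reply")
    return data["issues"]


def diagnose(status_code, body, url):
    """Return ("ok", issues) or ("error", message) without raising."""
    try:
        return "ok", issues_from_reply(status_code, body, url)
    except JiraSearchError as error:
        return "error", str(error)


# Constructed sample replies modelled on the outputs quoted in the thread.
URL = "https://projects.example.com/"
DENIED = json.dumps({"errorMessages": [
    "The value 'PROJECT' does not exist for the field 'project'."], "errors": {}})
FOUND = json.dumps({"issues": [{"key": "TT-66"}]})

if __name__ == "__main__":
    for status, body in [(200, FOUND), (400, DENIED), (401, ""), (500, "")]:
        print(status, diagnose(status, body, URL))
```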

@thrix

thrix commented Dec 15, 2019

So we do not have any working solution yet?

@psss
Owner Author

psss commented Jan 6, 2020

Only to use login and password. See the internal did wiki for more details.

psss added a commit to mweetman-redhat/did that referenced this issue Jan 30, 2023