Add kerberos authentification support in libpepper.py #38
Conversation
…sts_kerberos (related to saltstack#34)
|
This is a clean addition. I decidedly don't want pepper to dep on the requests lib for normal use but this is a good opt-in addition. That said, if we go with option 2 from our discussion in saltstack/salt#24793 we won't need any changes at all in Salt-core or in pepper -- it'll all be contained within a regular Salt auth module. |
|
@whiteinge I'm not sure I understand your point about option 2 and not needing any changes in pepper. In the kerberos scenario, we don't want to send a password over the wire. |
|
Option 2 from the discussion in that ticket:
Only the Kerberos token goes over the wire to get a Salt session token. No password is sent through Salt. Fully compatible with existing Salt semantics for external auth modules, no changes to Salt, salt-api, or pepper needed. |
|
@arthurlogilab where do you want to take this pull req in light of saltstack/salt#25122 ? |
|
@whiteinge this pull req is still necessary for the use case exposed. The communication with the frontal needs to authenticate with kerberos, it's the communication between the frontal and salt-api that uses the shared secret. |
|
Roger that. Merged and cut a new release with the addition: https://github.com/saltstack/pepper/releases/tag/0.3.6. |
requires requests_kerberos (related to #34)
Here is a pull request to start discussion on how to implement this in pepper.
There is documentation missing obviously, I'll add that once we agree on how to do this.
I think a much cleaner way to do this would be to convert all
def req(to use requests and then the "optionnal" keberos authentication would be much more lightweight and I thinkdef reqwould be cleaner.