
Periodically reset kerberos auth token (#1228)

pschorf authored and dposada committed Oct 7, 2019
1 parent 96247b7 commit 7dbcdf50e3abee1ebc33b07885e93ad2f6b605f0
Showing with 20 additions and 6 deletions.
  1. +3 −3 executor/setup.py
  2. +17 −3 integration/tests/cook/util.py
@@ -4,9 +4,9 @@
from setuptools import setup

test_deps=[
'pytest==3.3.1',
'pytest-timeout==1.2.1',
'pytest-xdist==1.20.1'
'pytest==5.2.0',
'pytest-timeout==1.3.3',
'pytest-xdist==1.30.0'
]

extras = { 'test': test_deps }
@@ -6,6 +6,7 @@
import os
import os.path
import subprocess
import threading
import time
import unittest
import uuid
@@ -163,10 +164,9 @@ class _KerberosUser(_AuthenticatedUser):
def __init__(self, name, impersonatee=None):
super().__init__(name, impersonatee)
self.auth = None
self.auth_token = self._generate_kerberos_ticket_for_user(name)
self.previous_token = None
self.stop_event = None

@functools.lru_cache()
def _generate_kerberos_ticket_for_user(self, username):
"""
Get a Kerberos authentication ticket for the given user.
@@ -177,16 +177,30 @@ def _generate_kerberos_ticket_for_user(self, username):
.replace('{{COOK_SCHEDULER_URL}}', retrieve_cook_url()))
return subprocess.check_output(subcommand, shell=True).rstrip()

def _reset_auth_header(self, stop):
global session
if not stop.is_set():
logger.info(f'Refreshing kerberos tickets for {self.name}')
session.headers['Authorization'] = self._generate_kerberos_ticket_for_user(self.name)
threading.Timer(60.0, lambda: self._reset_auth_header(stop)).start()
else:
logger.info(f'Stopping kerberos ticket refresh for {self.name}')

def __enter__(self):
global session
super().__enter__()
assert self.previous_token is None
assert self.stop_event is None
self.previous_token = session.headers.get('Authorization')
session.headers['Authorization'] = self.auth_token
self.stop_event = threading.Event()
self._reset_auth_header(self.stop_event)

def __exit__(self, ex_type, ex_val, ex_trace):
global session
super().__exit__(ex_type, ex_val, ex_trace)
if self.stop_event is not None:
self.stop_event.set()
self.stop_event = None
if self.previous_token is None:
del session.headers['Authorization']
else:
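Review bot: In `_reset_auth_header`, a timer callback that has already passed the `stop.is_set()` check can still write this user's Kerberos token into the global `session.headers['Authorization']` after `__exit__` has set the event and restored or deleted the previous header, so later requests may go out under the wrong identity. The ticket should be generated first and the header assigned only under a lock that `__exit__` also holds while setting the event, with `stop` re-checked inside that lock. The `threading.Timer` should also be made a daemon (or kept and cancelled in `__exit__`): as written, a pending timer keeps the interpreter alive for up to 60 seconds, and an exception from `subprocess.check_output` in the timer thread ends the refresh chain with nothing more than a thread traceback. `__exit__` continues past the end of the hunk, and `refresh_lock` below is a new attribute that `__init__` would have to create as a `threading.Lock()`.

```python
def _reset_auth_header(self, stop):
    global session
    if stop.is_set():
        logger.info(f'Stopping kerberos ticket refresh for {self.name}')
        return
    logger.info(f'Refreshing kerberos tickets for {self.name}')
    # Generate the ticket outside the lock; only the header write is guarded.
    token = self._generate_kerberos_ticket_for_user(self.name)
    with self.refresh_lock:
        if stop.is_set():
            return
        session.headers['Authorization'] = token
    timer = threading.Timer(60.0, self._reset_auth_header, args=(stop,))
    timer.daemon = True
    timer.start()

def __exit__(self, ex_type, ex_val, ex_trace):
    # … unchanged: global session, super().__exit__ call …
    if self.stop_event is not None:
        # Setting the event under the lock orders it against any in-flight refresh.
        with self.refresh_lock:
            self.stop_event.set()
        self.stop_event = None
    # … unchanged: restore or delete of the previous Authorization header …
```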
