Kerberos support

[chrahunt]

What's the problem this feature will solve?

pip cannot currently use Kerberos for authentication with web servers that support it, which may be acting as PyPI mirrors or private package repositories.

Describe the solution you'd like

If required dependencies are present, and a request to the configured server fails with headers that indicate Kerberos is supported, then attempt Kerberos authentication.

Alternative Solutions

N/A

Additional context

This is an attempt to progress #4854 by allowing discussion without the noise associated with a PR.

Currently pip only supports basic authentication with credentials provided either via keyring or inclusion in the index/index-url URL itself. Kerberos, as described here, would not be able to use the current basic auth mechanism for negotiation.

[chrahunt]

Related to #4475.

[pradyunsg]

Specifically, how is this not achievable with the keyring support?

The bootstrapping issue with keyring (you'd need keyring and your backend installed) is that's the tradeoff for having a minimal core utility with extensive support for authentication backends.

[chrahunt]

Keyring is a pluggable interface for providing a username and password. Currently we only support using that username/password for basic auth i.e. Authentication http header with Basic and base64 encoded credentials. Kerberos uses a different flow altogether. See wiki.

[cryvate]

It would be great if we could finally get something in so that pip can have Kerberos support.

[pradyunsg]

Oh, I didn't realize this issue existed when I made #4854 (comment).

Anyway, thanks for all the work you've done on this @cryvate! It's much appreciated. ^>^

[pradyunsg]

Edited the PR description to link to here.

[schlamar]

Please see my comment at #4475 (comment)