Add Kerberos support for authentication with a flag (and appropriate dependencies being available) #11090
Conversation
Set logging configuration for vendored kerberos using dictConfig instead of by hand.
| Kerberos Authentication | ||
| ----------------------- | ||
|
|
||
| Starting with vXX.X, pip supports using a Kerberos ticket to authenticate |
There was a problem hiding this comment.
TODO: need to fix this before merge.
| self.auth = MultiDomainBasicAuth(index_urls=index_urls) | ||
| if enable_kerberos: | ||
| try: | ||
| from requests_kerberos import REQUIRED, HTTPKerberosAuth |
There was a problem hiding this comment.
Do we have a benchmark of this import? If it is relatively quick, we should probably just always enable Kerberos whenever requests_kerberos is present in the environment, similar to how we handle keyring support.
There was a problem hiding this comment.
I did this to minimise this change having any impact on existing users that do not wish or want this support. E.g. one could imagine requests_kerberos ends up raising something that is not ImportError (for whatever reason) and then this code would fail. I think going more defensive is not the way (we would want this to bubble up), but we do not want this impacting users that don't want to use kerberos (with pip).
| raise | ||
| self.auth = HTTPKerberosAuth(REQUIRED) | ||
| else: | ||
| self.auth = MultiDomainBasicAuth(index_urls=index_urls) |
There was a problem hiding this comment.
Does this mean that we can’t use Basic Auth when Kerberos is enabled, or does requests_kerberos handle Basic Auth for us?
There was a problem hiding this comment.
That's correct. My previous PR (see OP) did allow this but it requires a bunch more code to be added.
There was a problem hiding this comment.
I do not work in a Kerberos environment anymore, so I am not sure how likely it is people (or CICD) are to use/want this?
There was a problem hiding this comment.
I’ll OK with adding the feature, if someone’s willing to work on it (I don’t use Kerberos either). Let’s keep this open so someone can pick it up if they’re interested.
github-actions
bot
added
the
needs rebase or merge
|
Going to go ahead and close this, since it has merge conflicts that haven't been resolved in a while. Please feel welcome to file a new PR or to reopen and update this one (assuming that's what the existing discussions point toward)! |
This closes #6708 and is tangential to #4475.
This makes Kerberos authentication available with a flag (
--enable-kerberos).This is based on another PR, with the following high level difference:
This means the size of the PR tiny.
I have tested with a Ubuntu 20.04 Kerberos installation that the authentication works. I am happy to have others test it, but won't post the details here publicly.