Add Kerberos support for authentication with a flag (and appropriate dependencies being available)

docs/html/cli/pip_install.rst

@@ -225,6 +225,28 @@ overridden by using ``--cert`` option or by using ``PIP_CERT``,
 ``REQUESTS_CA_BUNDLE``, or ``CURL_CA_BUNDLE`` environment variables.
 
 
+.. _`Kerberos Authentication`:
+
+Kerberos Authentication
+-----------------------
+
+Starting with vXX.X, pip supports using a Kerberos ticket to authenticate
+with servers. To use Kerberos one must:
+
+- Install ``requests_kerberos`` into the same environment as ``pip`` (tested with 0.14.0).
+- Run ``pip`` with the flag ``--enable-kerberos``. Your system administrator
+  can also set this in the config files or an environment variable, see
+  :ref:`Configuration`.
+- Have a valid Kerberos ticket.
+
+Note that setting this flag *enforces* the connection uses Kerberos.
+
+Bugs reported with pip in relation to Kerberos will likely not
+be addressed directly by pip's maintainers. Pull Requests to fix Kerberos
+only bugs will be considered, and merged (subject to normal review processes).
+Note that there may be delays due to the lack of developer resources for
+reviewing such pull requests.
+
 .. _`Caching`:
 
 Caching

news/11090.feature.rst

@@ -0,0 +1 @@
+Add kerberos support for authentication with the ``--enable-kerberos`` flag.

src/pip/_internal/cli/cmdoptions.py

@@ -262,6 +262,16 @@ class PipOption(Option):
     help="Disable prompting for input.",
 )
 
+enable_kerberos: Callable[..., Option] = partial(
+    Option,
+    # Enable kerberos
+    "--enable-kerberos",
+    dest="enable_kerberos",
+    action="store_true",
+    default=False,
+    help="Enable Kerberos authentication.",
+)
+
 proxy: Callable[..., Option] = partial(
     Option,
     "--proxy",
@@ -1027,6 +1037,7 @@ def check_list_path_option(options: Values) -> None:
         quiet,
         log,
         no_input,
+        enable_kerberos,
         proxy,
         retries,
         timeout,

src/pip/_internal/cli/req_command.py

@@ -93,6 +93,7 @@ def _build_session(
             retries=retries if retries is not None else options.retries,
             trusted_hosts=options.trusted_hosts,
             index_urls=self._get_index_urls(options),
+            enable_kerberos=options.enable_kerberos,
         )
 
         # Handle custom ca-bundles from the user

src/pip/_internal/network/session.py

@@ -266,6 +266,7 @@ def __init__(
         cache: Optional[str] = None,
         trusted_hosts: Sequence[str] = (),
         index_urls: Optional[List[str]] = None,
+        enable_kerberos: bool = False,
         **kwargs: Any,
     ) -> None:
         """
@@ -281,8 +282,23 @@ def __init__(
         # Attach our User Agent to the request
         self.headers["User-Agent"] = user_agent()
 
+        no_prompt = MultiDomainBasicAuth(prompting=False, index_urls=index_urls)
+        prompt = MultiDomainBasicAuth(prompting=True, index_urls=index_urls)
+        prompt.passwords = no_prompt.passwords  # share same dict of passwords
+
         # Attach our Authentication handler to the session
-        self.auth = MultiDomainBasicAuth(index_urls=index_urls)
+        if enable_kerberos:
+            try:
+                from requests_kerberos import REQUIRED, HTTPKerberosAuth
+            except ImportError:
+                logger.critical(
+                    "Are you sure you `requests_kerberos` and its dependencies "
+                    "are available in the same environment as pip?"
+                )
+                raise
+            self.auth = HTTPKerberosAuth(REQUIRED)
+        else:
+            self.auth = MultiDomainBasicAuth(index_urls=index_urls)
 
         # Create our urllib3.Retry instance which will allow us to customize
         # how we handle retries.