Add kerberos support to authentication pip (when supported) #4854
Hi @cryvate! Thanks for this PR! :) I personally haven't used Kerberos so, I genuinely can't review the code in this PR. The rest looks fine to me. Could you add documentation regarding this new support -- in some appropriate file in the docs/ directory? There's a tox job for generating the docs so,
Having a reference to
Hello! I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the
Any chance to have this in the next pip version? Thanks
I don't see why not, I will have a look at rebasing/merging and adding the docs
Let me cheerfully encourage you to do the rebase/merge job! :-) This would be very useful for us in working with our internal nexus-based pypi repo!
OK, let's do this then. Better late than never!
Kerberos Authentication | ||
++++++++++++++++++++++++++++ | ||
|
||
Starting with v10.0, pip supports using a Kerberos ticket to authenticate |
This version number should be changed to the release it will actually be in.
Any updates on this? Thanks
None yet @suic86.
@cryvate and @pradyunsg - can I somehow help to move this forward?
I think #5948 is likely a better way to go about this.
Will #5948 allow support of Kerberos? I do not know the ins-and-outs of the
keyring package nor of Kerberos to be honest, but since we need pykerberos
etc. here and keyring does not have those as dependencies I am sceptical it
will allow support of Kerberos without other evidence. I cannot find any
reference to Kerberos or tickets on the keyring package's source or the mailing list.
Maybe it will 'just work' (especially for tokens) but I do not see how?
IMO kerberos support and keyring aren't the same thing.
Set logging configuration for vendored kerberos using dictConfig instead of by hand.
Keyring is effectively a way to have pluggable authentication backends for HTTP requests, so it should be possible to write a keyring backend for Kerberos.
@dstufft I am not sure I agree. Keyring seems to fundamentally serve as a username-and-password middleware that allows writing and retrieving to various backends for keyrings (stores of username and password), however this is not sufficient to support Kerberos:
Fundamentally, Kerberos is not a username-and-password system (though it uses them at one stage) and thus not a HTTP basic authentication protocol we can support without changing our Auth classes. I might be misunderstanding, but I suggest reading the outline of the Kerberos protocol on Wikipedia before thinking it is 'just another username-and-password or username-and-token system.'
@dstufft and @pradyunsg: Is there any chance that this is going to be merged soon? Thanks
This would be very useful for me too.
I would also find this helpful
try: | ||
from pip._vendor.requests_kerberos import HTTPKerberosAuth | ||
from pip._vendor.requests_kerberos import kerberos_ as ik | ||
_KERBEROS_AVAILABLE = True |
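Review bot: the alias `ik` on the third line (`kerberos_ as ik`) gives no hint of what the module is; a descriptive name would make its later uses readable. Because `_KERBEROS_AVAILABLE = True` sits inside the `try`, the matching handler should catch only `ImportError` and set the flag to `False`, ideally with a debug log line, so that an unrelated failure inside the vendored package is not silently read as Kerberos being unavailable.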
Is there some reason other that pip._vendor.requests_kerberos might result in ImportErrors, outside of them being missing?
If not, please import these unconditionally at the top of the file, since pip does vendoring to ensure that vendored packages are always available. Basically, in not-broken installations of pip, this variable will always be True, which makes it redundant.
"If py/winkerberos is not installed, the behaviour is the same as before": requests_kerberos on its own will not make kerberos work, one has to have either py/winkerberos installed (which we cannot vendor because they are compiled/platform dependent?). requests_kerberos in that case will fail with an ImportError.
There's a checked in venv directory here. That's going to have to be removed from the history of this PR, for it to be eligible for merging.
@cryvate please lemme know if you want any sort of help with that. :)
Ah, and the relevant change was committed and pushed in the same minute. :)
I spent some time thinking about this. I don't think that there's anyone on the pip team, who has expertise in Kerberos. In this situation, it's not reasonable to believe that we would be maintaining this support for Kerberos. I, personally, did not know it existed till this PR came along. However, there's clearly a user base for this feature. So, here's my proposal:
If other @pypa/pip-committers and @pypa/pip-helpers are OK with this, let's go down this route. I'll also say this: If Related: In case it becomes a conditional dependency, and a user passes
That all sounds reasonable, I will rework the PR for this.
Great! Thanks! ^>^
Gentle nudge to see if there's interest in moving this forward. If no one expresses interest to take this forward in the coming week, I'll close this PR when I come around to it. I'll note that my comment above still stands even if I close this PR.
I'll close this given @pradyunsg's comment above. If there's any interest in picking this back up (this applies to anyone interested), please feel free to open a new PR.
Closes #6708
Kerberos has seen widespread adoption in many academic institutions, corporations and other organisations. By:
try ... except ImportError
I have a server running that has kerberos authentication running (with/without possibility of interactive password authentication) and there is pypi.org that has no authentication (for downloads). Consider the matrix of options:
testing
, password:pip10pip10
)The possible outcomes are as follows: