feature(core): Improve SASL interface

* Move SASL configuration out of auth_data into its own dictionary which exposes more SASL features (e.g. server service name, client principal, ...) * Remove SASL from auth_data and place it between 'connection' and 'zookeeper protocol level authentication' to simplify connection logic and bring code in line with the protocol stack (SASL wraps Zookeeper, not the other way around). * Consistent exceptions raised, during authentication failure, between SASL and ZK authentication. * New 'SASLException' exception raised in case of SASL intrisinc failures. * Add support for GSSAPI (Kerberos).
python-zk · Dec 11, 2018 · a55f08c · a55f08c
1 parent 2ae392e
commit a55f08c
Show file tree

Hide file tree

Showing 12 changed files with 658 additions and 128 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,3 +1,14 @@
+<a name="2.7.0"></a>
+## 2.7.0 (next)
+
+
+#### Features
+
+* **core:**
+  * Add `GSSAPI` support to which enables kazoo to authenticate against a
+    kerberized Zookeeper using `SASL GSSAPI`.
+
+
 <a name="2.6.0"></a>
 ## 2.6.0 (2018-11-14)
 

diff --git a/ensure-zookeeper-env.sh b/ensure-zookeeper-env.sh
@@ -29,5 +29,4 @@ cd $HERE
 
 # Yield execution to venv command
 
-$*
-
+exec $*
diff --git a/kazoo/client.py b/kazoo/client.py
@@ -102,8 +102,8 @@ class KazooClient(object):
     """
     def __init__(self, hosts='127.0.0.1:2181',
                  timeout=10.0, client_id=None, handler=None,
-                 default_acl=None, auth_data=None, read_only=None,
-                 randomize_hosts=True, connection_retry=None,
+                 default_acl=None, auth_data=None, sasl_options=None,
+                 read_only=None, randomize_hosts=True, connection_retry=None,
                  command_retry=None, logger=None, keyfile=None,
                  keyfile_password=None, certfile=None, ca=None,
                  use_ssl=False, verify_certs=True, **kwargs):
@@ -123,6 +123,9 @@ def __init__(self, hosts='127.0.0.1:2181',
             A list of authentication credentials to use for the
             connection. Should be a list of (scheme, credential)
             tuples as :meth:`add_auth` takes.
+        :param sasl_options:
+            SASL options for the connection. Should be a dict of SASL options
+            passed to the underlying mechs if SASL support is to be used.
         :param read_only: Allow connections to read only servers.
         :param randomize_hosts: By default randomize host selection.
         :param connection_retry:
@@ -275,7 +278,8 @@ def __init__(self, hosts='127.0.0.1:2181',
 
         self._conn_retry.interrupt = lambda: self._stopped.is_set()
         self._connection = ConnectionHandler(
-            self, self._conn_retry.copy(), logger=self.logger)
+            self, self._conn_retry.copy(), logger=self.logger,
+            sasl_options=sasl_options)
 
         # Every retry call should have its own copy of the retry helper
         # to avoid shared retry counts
@@ -303,15 +307,6 @@ def _retry(*args, **kwargs):
         self.Semaphore = partial(Semaphore, self)
         self.ShallowParty = partial(ShallowParty, self)
 
-        # Managing SASL client
-        self.use_sasl = False
-        for scheme, auth in self.auth_data:
-            if scheme == "sasl":
-                self.use_sasl = True
-                # Could be used later for GSSAPI implementation
-                self.sasl_server_principal = "zk-sasl-md5"
-                break
-
         # If we got any unhandled keywords, complain like Python would
         if kwargs:
             raise TypeError('__init__() got unexpected keyword arguments: %s'
@@ -737,12 +732,8 @@ def add_auth(self, scheme, credential):
         """Send credentials to server.
 
         :param scheme: authentication scheme (default supported:
-                       "digest", "sasl"). Note that "sasl" scheme is
-                       requiring "pure-sasl" library to be
-                       installed.
+                       "digest").
         :param credential: the credential -- value depends on scheme.
-                           "digest": user:password
-                           "sasl": user:password
 
         :returns: True if it was successful.
         :rtype: bool

diff --git a/kazoo/exceptions.py b/kazoo/exceptions.py
@@ -43,6 +43,13 @@ class WriterNotClosedException(KazooException):
     """
 
 
+class SASLException(KazooException):
+    """Raised if SASL encountered a (local) error.
+
+    .. versionadded:: 2.7.0
+    """
+
+
 def _invalid_error_code():
     raise RuntimeError('Invalid error code')