[Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Robbie Harwood
rharwood at redhat.com
Thu Jul 23 19:29:23 UTC 2015
Some comments from Solly and me inline:
Michael Šimáček <msimacek at redhat.com> writes:
> On 2015-07-22 15:47, Simo Sorce wrote:
>> Comments inline.
>>
>> ----- Original Message -----
>>> From: "Michael Simacek" <msimacek at redhat.com>
>>> To: freeipa-devel at redhat.com
>>> Sent: Tuesday, July 21, 2015 8:02:26 AM
>>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
>>>
>>> diff --git a/ipalib/util.py b/ipalib/util.py
>>> index 649a487..aea3ba9 100644
>>> --- a/ipalib/util.py
>>> +++ b/ipalib/util.py
>>> @@ -63,15 +63,15 @@ def json_serialize(obj):
>>>
>>> def get_current_principal():
>>> try:
>>> - import kerberos
>>> - rc, vc = kerberos.authGSSClientInit("notempty")
>>> - rc = kerberos.authGSSClientInquireCred(vc)
>>> - username = kerberos.authGSSClientUserName(vc)
>>> - kerberos.authGSSClientClean(vc)
>>> + import gssapi
>>> + cred = gssapi.raw.acquire_cred(usage='initiate').creds
>>> + name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False,
>>> + mechs=False).name
>>> + username = gssapi.raw.display_name(name, name_type=False).name
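Review bot: `import gssapi` sits inside the `try:` at the top of `get_current_principal()`, so whether a missing module surfaces as an import problem or is reported as missing credentials depends on an except clause that is outside the lines shown. Moving the import to module level and catching only `gssapi.exceptions.GSSError` around the credential lookup would keep the two failures distinct.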
>>
>> Same as above.
>> Create a credential and inquire it with the high level api
>
> Done, but I still use raw.display_name as I don't see how to get it from
> high-level API (besides parsing repr).
I believe one can call `str()`. See
http://pythonhosted.org/gssapi/gssapi.html#gssapi.names.Name
> @@ -548,14 +552,12 @@ class KerbTransport(SSLTransport):
> service = "HTTP@" + host.split(':')[0]
>
> try:
> - (rc, vc) = kerberos.authGSSClientInit(service=service,
> - gssflags=self.flags)
> - except kerberos.GSSError, e:
> - self._handle_exception(e)
> -
> - try:
> - kerberos.authGSSClientStep(vc, "")
> - except kerberos.GSSError, e:
> + name = gssapi.Name(service, gssapi.NameType.hostbased_service)
> + sec_context = gssapi.SecurityContext(name=name, flags=self.flags)
> + # gssapi defers errors to next step, we want them now
> + sec_context.__DEFER_STEP_ERRORS__ = False
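Review bot: the except clause that replaces the two removed `except kerberos.GSSError, e:` handlers is not in the lines shown, so confirm that it catches the python-gssapi error type and that `self._handle_exception` no longer assumes the python-kerberos argument layout. python-gssapi's `GSSError` carries the codes as `maj_code` and `min_code` attributes, so a handler that still indexes into `e.args` would misreport or mask an authentication failure.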
As a class-level flag, this should probably be used as such. Preferable
to using it would be to check complete, though - is there a reason not
to do that here?
Otherwise, looks good!