[Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi

Robbie Harwood rharwood at redhat.com
Thu Jul 23 19:29:23 UTC 2015


Some comments from Solly and me inline:

Michael Šimáček <msimacek at redhat.com> writes:

> On 2015-07-22 15:47, Simo Sorce wrote:
>> Comments inline.
>>
>> ----- Original Message -----
>>> From: "Michael Simacek" <msimacek at redhat.com>
>>> To: freeipa-devel at redhat.com
>>> Sent: Tuesday, July 21, 2015 8:02:26 AM
>>> Subject: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
>>>
>>> diff --git a/ipalib/util.py b/ipalib/util.py
>>> index 649a487..aea3ba9 100644
>>> --- a/ipalib/util.py
>>> +++ b/ipalib/util.py
>>> @@ -63,15 +63,15 @@ def json_serialize(obj):
>>>
>>>   def get_current_principal():
>>>       try:
>>> -        import kerberos
>>> -        rc, vc = kerberos.authGSSClientInit("notempty")
>>> -        rc = kerberos.authGSSClientInquireCred(vc)
>>> -        username = kerberos.authGSSClientUserName(vc)
>>> -        kerberos.authGSSClientClean(vc)
>>> +        import gssapi
>>> +        cred = gssapi.raw.acquire_cred(usage='initiate').creds
>>> +        name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False,
>>> +                                       mechs=False).name
>>> +        username = gssapi.raw.display_name(name, name_type=False).name
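Review bot: the three `gssapi.raw` calls in this hunk still bypass the high-level package the rest of the port uses, and the same result is available in one line: `gssapi.Credentials(usage='initiate')` performs the acquire, its `.name` property performs the inquire, and `str()` of that `Name` yields the display form, so the body can become `username = str(gssapi.Credentials(usage='initiate').name)`. The old `kerberos.authGSSClientClean(vc)` has no counterpart on the `+` side; that is acceptable because the wrapper objects release the underlying handles when they are garbage collected, but a one-line comment saying so would stop the next reader from hunting for a leak. One thing outside the visible lines to confirm: the `except` that pairs with the unchanged `try:` at the top of the hunk must now catch `gssapi.exceptions.GSSError` (and `ImportError` for a missing python-gssapi) rather than `kerberos.GSSError`.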
>>
>> Same as above.
>> Create a credential and inquire it with the high level api
>
> Done, but I still use raw.display_name as I don't see how to get it from 
> high-level API (besides parsing repr).

I believe one can call `str()`.  See
http://pythonhosted.org/gssapi/gssapi.html#gssapi.names.Name

> @@ -548,14 +552,12 @@ class KerbTransport(SSLTransport):
>          service = "HTTP@" + host.split(':')[0]
>  
>          try:
> -            (rc, vc) = kerberos.authGSSClientInit(service=service,
> -                                                  gssflags=self.flags)
> -        except kerberos.GSSError, e:
> -            self._handle_exception(e)
> -
> -        try:
> -            kerberos.authGSSClientStep(vc, "")
> -        except kerberos.GSSError, e:
> +            name = gssapi.Name(service, gssapi.NameType.hostbased_service)
> +            sec_context = gssapi.SecurityContext(name=name, flags=self.flags)
> +            # gssapi defers errors to next step, we want them now
> +            sec_context.__DEFER_STEP_ERRORS__ = False
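Review bot: `flags=self.flags` is passed straight through from the old `gssflags=self.flags`, but the two libraries do not take the same thing: python-kerberos took an integer bitmask built from its own constants, while `gssapi.SecurityContext` takes an int bitmask or an iterable of `gssapi.RequirementFlag`. The definition of `self.flags` is not in this hunk, so please confirm it was converted rather than left pointing at the removed `kerberos` module. On `sec_context.__DEFER_STEP_ERRORS__ = False`: this is a class-level, double-underscore knob of python-gssapi, and setting it on the instance with only "gssapi defers errors to next step, we want them now" as explanation hides what it changes (an error that carries an output token is otherwise held and raised on the following `step()`); if the goal is to fail the initial step immediately, drive the first `step()` and then test `sec_context.complete`, letting the raised `gssapi.exceptions.GSSError` flow to the handler, instead of toggling the flag. Finally, both removed `except kerberos.GSSError, e: self._handle_exception(e)` arms are gone from the visible lines while a single `try:` remains, so the replacement `except` below must cover the `Name` and `SecurityContext` construction as well as the step, or a bad service name will escape `_handle_exception`.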

As a class-level flag, this should probably be used as such.  Preferable
to using it would be to check complete, though - is there a reason not
to do that here?

Otherwise, looks good!
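The two reviewed call sites rewritten against the high-level python-gssapi API, as an added example that is not part of the patch or of FreeIPA's code: it follows the suggestions above (a `Credentials` object and `str()` on its `Name` instead of `gssapi.raw`, and a first `step()` checked through `.complete` instead of setting `__DEFER_STEP_ERRORS__`). The function names `service_name`, `current_principal` and `init_http_context`, the choice of default flags, and the return-None-on-no-credentials behaviour are this example's assumptions; a real result needs python-gssapi installed and a Kerberos ticket in the credential cache.

```python
"""High-level python-gssapi versions of the two reviewed call sites.

Example code, not the FreeIPA patch.  gssapi is imported lazily inside
the functions, as ipalib.util does, so the module loads without it.
"""


def service_name(host):
    """Build the host-based service name the transport targets.

    Same construction as the patch: "HTTP@" + host with any ":port" dropped.
    """
    return 'HTTP@' + host.split(':')[0]


def current_principal():
    """Return the principal of the default initiator credential, or None.

    None means no usable credential (no ticket, expired cache); any other
    GSSAPI failure is also mapped to None here, which is this example's
    choice rather than the patch's behaviour.
    """
    import gssapi  # lazily imported, as ipalib.util does

    try:
        creds = gssapi.Credentials(usage='initiate')   # the acquire
        name = creds.name                              # the inquire
        return str(name)                               # display form, e.g. user@EXAMPLE.TEST
    except gssapi.exceptions.GSSError:
        return None


def init_http_context(host, flags=None):
    """Create the client context for HTTP@host and run its first step.

    Returns (context, first_token).  A failure that produces no output
    token (no ticket, unknown service principal) is raised by step()
    immediately; an error that does carry a token is held by the library
    until the next step() by default, so the caller checks .complete and
    keeps stepping with the server's replies.
    """
    import gssapi

    if flags is None:
        # Assumed defaults for this example; the transport's own flags
        # live in self.flags in the patch.
        flags = [gssapi.RequirementFlag.mutual_authentication,
                 gssapi.RequirementFlag.out_of_sequence_detection]

    name = gssapi.Name(service_name(host), gssapi.NameType.hostbased_service)
    ctx = gssapi.SecurityContext(name=name, flags=flags, usage='initiate')

    token = ctx.step()  # equivalent of authGSSClientStep(vc, "")
    if not ctx.complete:
        # Normal for Kerberos with mutual auth: the server's reply token
        # must be fed to ctx.step(reply) before the context is established.
        pass
    return ctx, token


if __name__ == '__main__':
    principal = current_principal()
    print('current principal:', principal)
    if principal is not None:
        ctx, token = init_http_context('ipa.example.test:443')
        print('first token length:', len(token), 'complete:', ctx.complete)
```

Usage: `current_principal()` is the drop-in for `get_current_principal`'s body; `init_http_context` replaces the `authGSSClientInit`/`authGSSClientStep(vc, "")` pair, and the caller catches `gssapi.exceptions.GSSError` around it in place of `kerberos.GSSError`.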