Posted to commits@airflow.apache.org by bo...@apache.org on 2017/03/28 23:50:17 UTC

incubator-airflow git commit: [AIRFLOW-840] Make ticket renewer python3 compatible

Repository: incubator-airflow
Updated Branches:
  refs/heads/master 82eb20e9f -> 6393366a7


[AIRFLOW-840] Make ticket renewer python3 compatible

The output from the subprocess is returned as bytes
when universal_newlines
is set to False (the default). This fails
in Py3 but
works fine in Py2. Also adds a working unit test.

Closes #2158 from abij/AIRFLOW-840


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/6393366a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/6393366a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/6393366a

Branch: refs/heads/master
Commit: 6393366a781c0c6c5806a830d419929296d71a08
Parents: 82eb20e
Author: Alexander Bij <Al...@godatadriven.com>
Authored: Tue Mar 28 16:50:10 2017 -0700
Committer: Bolke de Bruin <bo...@xs4all.nl>
Committed: Tue Mar 28 16:50:10 2017 -0700

----------------------------------------------------------------------
 airflow/security/kerberos.py | 25 ++++++++++++++++---------
 scripts/ci/kdc.conf          |  5 +++--
 scripts/ci/krb5.conf         |  1 -
 scripts/ci/setup_kdc.sh      |  9 ++++-----
 tests/__init__.py            |  1 +
 tests/security/__init__.py   | 15 +++++++++++++++
 tests/security/kerberos.py   | 39 +++++++++++++++++++++++++++++++++++++++
 7 files changed, 78 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6393366a/airflow/security/kerberos.py
----------------------------------------------------------------------
diff --git a/airflow/security/kerberos.py b/airflow/security/kerberos.py
index 08e5ed3..bac5c46 100644
--- a/airflow/security/kerberos.py
+++ b/airflow/security/kerberos.py
@@ -25,7 +25,7 @@ from airflow import configuration
 
 LOG = logging.getLogger(__name__)
 
-NEED_KRB181_WORKAROUND=None
+NEED_KRB181_WORKAROUND = None
 
 
 def renew_from_kt():
@@ -33,20 +33,21 @@ def renew_from_kt():
     # minutes to give ourselves a large renewal buffer.
     renewal_lifetime = "%sm" % configuration.getint('kerberos', 'reinit_frequency')
     principal = configuration.get('kerberos', 'principal').replace("_HOST", socket.getfqdn())
+
     cmdv = [configuration.get('kerberos', 'kinit_path'),
             "-r", renewal_lifetime,
             "-k",  # host ticket
             "-t", configuration.get('kerberos', 'keytab'),   # specify keytab
             "-c", configuration.get('kerberos', 'ccache'),   # specify credentials cache
             principal]
-    LOG.info("Reinitting kerberos from keytab: " +
-             " ".join(cmdv))
+    LOG.info("Reinitting kerberos from keytab: " + " ".join(cmdv))
 
     subp = subprocess.Popen(cmdv,
                             stdout=subprocess.PIPE,
                             stderr=subprocess.PIPE,
                             close_fds=True,
-                            bufsize=-1)
+                            bufsize=-1,
+                            universal_newlines=True)
     subp.wait()
     if subp.returncode != 0:
         LOG.error("Couldn't reinit from keytab! `kinit' exited with %s.\n%s\n%s" % (
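Review bot: `subp.wait()` is called while both stdout and stderr are `subprocess.PIPE`, so a kinit that writes more than the OS pipe buffer holds will block and the renewer hangs; the added `universal_newlines=True` fixes the text type but not this. Prefer `out, err = subp.communicate()` and format `out` and `err` into the error message instead of reading the pipes after the wait. The `LOG.error` call and the rest of `renew_from_kt` continue outside the hunk, so how the pipes are read there is not visible. A short comment on the new argument would also help: `# text mode so kinit output is str on Python 3`.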
@@ -67,11 +68,14 @@ def renew_from_kt():
 
 def perform_krb181_workaround():
     cmdv = [configuration.get('kerberos', 'kinit_path'),
-            "-R",
-            "-c", configuration.get('kerberos', 'ccache')]
+            "-c", configuration.get('kerberos', 'ccache'),
+            "-R"]  # Renew ticket_cache
+
     LOG.info("Renewing kerberos ticket to work around kerberos 1.8.1: " +
              " ".join(cmdv))
+
     ret = subprocess.call(cmdv)
+
     if ret != 0:
         principal = "%s/%s" % (configuration.get('kerberos', 'principal'), socket.getfqdn())
         fmt_dict = dict(princ=principal,
@@ -89,12 +93,15 @@ def perform_krb181_workaround():
 
 def detect_conf_var():
     """Return true if the ticket cache contains "conf" information as is found
-    in ticket caches of Kerboers 1.8.1 or later. This is incompatible with the
+    in ticket caches of Kerberos 1.8.1 or later. This is incompatible with the
     Sun Java Krb5LoginModule in Java6, so we need to take an action to work
     around it.
     """
-    with open(configuration.get('kerberos', 'ccache'), "rb") as f:
-        return "X-CACHECONF:" in f.read()
+    ticket_cache = configuration.get('kerberos', 'ccache')
+
+    with open(ticket_cache, 'rb') as f:
+        # Note: this file is binary, so we check against a bytearray.
+        return b'X-CACHECONF:' in f.read()
 
 
 def run():
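Review bot: `detect_conf_var` opens the configured `ccache` value as a plain file path, while the same setting is handed to `kinit -c` in `renew_from_kt`; a value that carries a cache-type prefix such as `FILE:`, or that names a non-file cache type, would be accepted by kinit but make `open()` raise here. Consider stripping a leading `FILE:` or documenting the restriction, e.g. `# ccache must be a bare file path; typed names such as FILE:/path are not handled`. The new inline comment says "bytearray", but `b'X-CACHECONF:'` is a bytes literal, so `# the ccache is binary, so compare against a bytes literal` is more accurate.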

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6393366a/scripts/ci/kdc.conf
----------------------------------------------------------------------
diff --git a/scripts/ci/kdc.conf b/scripts/ci/kdc.conf
index 30e1d47..1ae1cb4 100644
--- a/scripts/ci/kdc.conf
+++ b/scripts/ci/kdc.conf
@@ -17,8 +17,9 @@ kdc_tcp_ports = 88
 [realms]
 TEST.LOCAL = {
   #master_key_type = aes256-cts
-  acl_file = /var/kerberos/krb5kdc/kadm5.acl
+  acl_file = /etc/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
-  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  admin_keytab = /var/krb5kdc/kadm5.keytab
+  max_renewable_life = 7d 0h 0m 0s
   supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
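Review bot: `admin_keytab` now points at `/var/krb5kdc/kadm5.keytab` while `acl_file` moves to `/etc/krb5kdc/`, and `setup_kdc.sh` in this commit only copies files into `/etc/krb5kdc`; nothing visible creates `/var/krb5kdc`, so it is worth confirming that directory exists on the CI image or keeping both paths under one directory. The `supported_enctypes` line still lists single-DES and `arcfour-hmac` types. A comment such as `# CI-only realm: legacy enctypes kept for tests, do not reuse in production` would keep this file from being copied as a template.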

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6393366a/scripts/ci/krb5.conf
----------------------------------------------------------------------
diff --git a/scripts/ci/krb5.conf b/scripts/ci/krb5.conf
index a971bf4..287a96e 100644
--- a/scripts/ci/krb5.conf
+++ b/scripts/ci/krb5.conf
@@ -27,5 +27,4 @@ forwardable = true
 [realms]
  TEST.LOCAL = {
    kdc = localhost:88
-   kdc = localhost:88
  }

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6393366a/scripts/ci/setup_kdc.sh
----------------------------------------------------------------------
diff --git a/scripts/ci/setup_kdc.sh b/scripts/ci/setup_kdc.sh
index c4f5d8c..9cb7eca 100755
--- a/scripts/ci/setup_kdc.sh
+++ b/scripts/ci/setup_kdc.sh
@@ -24,18 +24,17 @@ PASS="airflow"
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-cp ${DIR}/kdc.conf /etc/krb5kdc/kdc.conf
-
 ln -sf /dev/urandom /dev/random
 
+cp ${DIR}/kdc.conf /etc/krb5kdc/kdc.conf
 cp ${DIR}/kadm5.acl /etc/krb5kdc/kadm5.acl
-
 cp ${DIR}/krb5.conf /etc/krb5.conf
 
-# create admin
+# create kerberos database
 echo -e "${PASS}\n${PASS}" | kdb5_util create -s
-
+# create admin
 echo -e "${PASS}\n${PASS}" | kadmin.local -q "addprinc ${ADMIN}/admin"
+# create airflow
 echo -e "${PASS}\n${PASS}" | kadmin.local -q "addprinc -randkey airflow"
 echo -e "${PASS}\n${PASS}" | kadmin.local -q "addprinc -randkey airflow/${FQDN}"
 kadmin.local -q "ktadd -k ${KRB5_KTNAME} airflow"
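Review bot: The re-added `cp ${DIR}/kdc.conf /etc/krb5kdc/kdc.conf` leaves `${DIR}` unquoted although `DIR` is computed with careful quoting a few lines earlier, so a checkout path containing spaces breaks the copy; write `cp "${DIR}/kdc.conf" /etc/krb5kdc/kdc.conf` and quote the two neighbouring `cp` lines the same way. The new `# create airflow` comment could say what is created, e.g. `# create airflow service principals (random keys) and export them to the keytab`. The `addprinc -randkey` lines still pipe `${PASS}` in, which presumably goes unused when a random key is requested. The script continues outside the hunk.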

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6393366a/tests/__init__.py
----------------------------------------------------------------------
diff --git a/tests/__init__.py b/tests/__init__.py
index 0c0a01b..20f8c48 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -23,4 +23,5 @@ from .jobs import *
 from .impersonation import *
 from .models import *
 from .operators import *
+from .security import *
 from .utils import *

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6393366a/tests/security/__init__.py
----------------------------------------------------------------------
diff --git a/tests/security/__init__.py b/tests/security/__init__.py
new file mode 100644
index 0000000..ff7556d
--- /dev/null
+++ b/tests/security/__init__.py
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from .kerberos import *

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/6393366a/tests/security/kerberos.py
----------------------------------------------------------------------
diff --git a/tests/security/kerberos.py b/tests/security/kerberos.py
new file mode 100644
index 0000000..bc7f6b0
--- /dev/null
+++ b/tests/security/kerberos.py
@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import unittest
+
+from airflow import configuration
+from airflow.security.kerberos import renew_from_kt
+
+
+@unittest.skipIf('KRB5_KTNAME' not in os.environ,
+                 'Skipping Kerberos API tests due to missing KRB5_KTNAME')
+class KerberosTest(unittest.TestCase):
+    def setUp(self):
+        configuration.load_test_config()
+
+        if not configuration.conf.has_section("kerberos"):
+            configuration.conf.add_section("kerberos")
+
+        configuration.conf.set("kerberos",
+                               "keytab",
+                               os.environ['KRB5_KTNAME'])
+
+    def test_renew_from_kt(self):
+        """
+        We expect no result, but a successful run. No more TypeError
+        """
+        self.assertIsNone(renew_from_kt())
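Review bot: `test_renew_from_kt` only asserts that the call returns `None`, which holds for any function without a return statement, so it proves that no exception was raised but not that a ticket was obtained. A stronger check would assert that the configured credentials cache exists afterwards, for example `self.assertTrue(os.path.exists(configuration.get('kerberos', 'ccache')))`, assuming the test config defines a file-based `ccache`. `setUp` also overwrites the global `kerberos` / `keytab` setting without restoring it. The class lacks a docstring stating its environment needs; `"""Integration test: requires KRB5_KTNAME and a running KDC."""` would do.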