Posted to commits@airflow.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/12/09 22:49:00 UTC

[jira] [Commented] (AIRFLOW-987) `airflow kerberos` ignores --keytab and --principal arguments

    [ https://issues.apache.org/jira/browse/AIRFLOW-987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16714144#comment-16714144 ] 

ASF GitHub Bot commented on AIRFLOW-987:
----------------------------------------

ashb closed pull request #4238: [AIRFLOW-987] pass kerberos cli args keytab and principal to kerberos…
URL: https://github.com/apache/incubator-airflow/pull/4238
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/airflow/bin/cli.py b/airflow/bin/cli.py
index 5ddac2f886..5e4e9961ef 100644
--- a/airflow/bin/cli.py
+++ b/airflow/bin/cli.py
@@ -1334,12 +1334,12 @@ def kerberos(args):  # noqa
         )
 
         with ctx:
-            airflow.security.kerberos.run()
+            airflow.security.kerberos.run(principal=args.principal, keytab=args.keytab)
 
         stdout.close()
         stderr.close()
     else:
-        airflow.security.kerberos.run()
+        airflow.security.kerberos.run(principal=args.principal, keytab=args.keytab)
 
 
 @cli_utils.action_logging
@@ -1678,8 +1678,7 @@ class CLIFactory(object):
             help="Delete a variable"),
         # kerberos
         'principal': Arg(
-            ("principal",), "kerberos principal",
-            nargs='?', default=conf.get('kerberos', 'principal')),
+            ("principal",), "kerberos principal", nargs='?'),
         'keytab': Arg(
             ("-kt", "--keytab"), "keytab",
             nargs='?', default=conf.get('kerberos', 'keytab')),
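Review bot: The help string for `principal` no longer tells the user what happens when the argument is omitted. With `default=` removed, `args.principal` is None and the fallback to the `[kerberos] principal` config value happens later in `airflow/security/kerberos.py`. I would extend the help text to something like `"kerberos principal (defaults to [kerberos] principal from the config)"`. The neighbouring `keytab` argument still takes its default from `conf.get` where the `Arg` is defined, so the two arguments now resolve their defaults in different places; a short comment saying so would help the next reader. The CLIFactory class starts and ends outside this hunk.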
diff --git a/airflow/security/kerberos.py b/airflow/security/kerberos.py
index 43c9fcccdc..b91241bc1d 100644
--- a/airflow/security/kerberos.py
+++ b/airflow/security/kerberos.py
@@ -27,11 +27,13 @@
 log = LoggingMixin().log
 
 
-def renew_from_kt():
+def renew_from_kt(principal, keytab):
     # The config is specified in seconds. But we ask for that same amount in
     # minutes to give ourselves a large renewal buffer.
+
     renewal_lifetime = "%sm" % configuration.conf.getint('kerberos', 'reinit_frequency')
-    principal = configuration.conf.get('kerberos', 'principal').replace(
+
+    cmd_principal = principal or configuration.conf.get('kerberos', 'principal').replace(
         "_HOST", socket.getfqdn()
     )
 
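Review bot: On the `cmd_principal` line the `_HOST` substitution applies only to the config value, because `.replace(...)` is called on `configuration.conf.get(...)` before the `or` is evaluated. A principal given on the command line such as `airflow/_HOST@EXAMPLE.REALM` (constructed example) reaches kinit unexpanded. If both sources are meant to behave alike, apply the substitution after the choice: `cmd_principal = (principal or configuration.conf.get('kerberos', 'principal')).replace("_HOST", socket.getfqdn())`. If the difference is intended, a one-line comment stating it would prevent a later "fix". renew_from_kt continues outside this hunk.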
@@ -39,9 +41,9 @@ def renew_from_kt():
         configuration.conf.get('kerberos', 'kinit_path'),
         "-r", renewal_lifetime,
         "-k",  # host ticket
-        "-t", configuration.conf.get('kerberos', 'keytab'),  # specify keytab
+        "-t", keytab,  # specify keytab
         "-c", configuration.conf.get('kerberos', 'ccache'),  # specify credentials cache
-        principal
+        cmd_principal
     ]
     log.info("Reinitting kerberos from keytab: " + " ".join(cmdv))
 
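Review bot: `keytab` goes into `cmdv` with no fallback, unlike `principal`, so a direct call with `keytab=None` fails at `" ".join(cmdv)` with a TypeError instead of a clear message; only `run()` checks for an empty keytab. Adding `keytab = keytab or configuration.conf.get('kerberos', 'keytab')` at the top of `renew_from_kt`, together with `None` defaults for both parameters, would also keep existing no-argument callers working. Building the command as a list is the right shape for a value that now comes from the command line, assuming the Popen call (outside this hunk) passes the list without `shell=True`. The start of the `cmdv` list is also outside this hunk.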
@@ -55,8 +57,8 @@ def renew_from_kt():
     if subp.returncode != 0:
         log.error("Couldn't reinit from keytab! `kinit' exited with %s.\n%s\n%s" % (
             subp.returncode,
-            b"\n".join(subp.stdout.readlines()),
-            b"\n".join(subp.stderr.readlines())))
+            "\n".join(subp.stdout.readlines()),
+            "\n".join(subp.stderr.readlines())))
         sys.exit(subp.returncode)
 
     global NEED_KRB181_WORKAROUND
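Review bot: The switch from `b"\n".join` to `"\n".join` inside `log.error` is only correct if the pipes are opened in text mode. The Popen call is outside this hunk, so this is worth confirming: a bytes/str mismatch here would raise TypeError on the failure path and hide kinit's own error output. Separately, `readlines()` keeps each line's trailing newline, so joining with `"\n"` double-spaces the logged text; `subp.stdout.read()` and `subp.stderr.read()` give the output as kinit printed it. Passing the values as logging arguments, `log.error("... exited with %s.\n%s\n%s", subp.returncode, out, err)`, is the usual form instead of `%`-formatting the message first.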
@@ -66,10 +68,10 @@ def renew_from_kt():
         # (From: HUE-640). Kerberos clock have seconds level granularity. Make sure we
         # renew the ticket after the initial valid time.
         time.sleep(1.5)
-        perform_krb181_workaround()
+        perform_krb181_workaround(principal)
 
 
-def perform_krb181_workaround():
+def perform_krb181_workaround(principal):
     cmdv = [configuration.conf.get('kerberos', 'kinit_path'),
             "-c", configuration.conf.get('kerberos', 'ccache'),
             "-R"]  # Renew ticket_cache
@@ -80,10 +82,8 @@ def perform_krb181_workaround():
     ret = subprocess.call(cmdv, close_fds=True)
 
     if ret != 0:
-        principal = "%s/%s" % (
-            configuration.conf.get('kerberos', 'principal'),
-            socket.getfqdn()
-        )
+        principal = "%s/%s" % (principal or configuration.conf.get('kerberos', 'principal'),
+                               socket.getfqdn())
         fmt_dict = dict(princ=principal,
                         ccache=configuration.conf.get('kerberos', 'principal'))
         log.error("Couldn't renew kerberos ticket in order to work around "
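Review bot: `fmt_dict` still fills `ccache` from `configuration.conf.get('kerberos', 'principal')`, so the error message prints the principal where the credentials cache path belongs. It should read `ccache=configuration.conf.get('kerberos', 'ccache')`, matching the `-c` argument built at the top of the function. The rewritten `principal` line also appends `/<fqdn>` to whatever was given on the command line, so a full principal such as `user@EXAMPLE.REALM` (constructed example) is reported as `user@EXAMPLE.REALM/host`, which is not what kinit was run with. This message is what an operator reads when renewal fails, so it should report the same principal and cache that were actually used. The function starts before this hunk and the `log.error` call ends after it.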
@@ -110,11 +110,11 @@ def detect_conf_var():
         return b'X-CACHECONF:' in f.read()
 
 
-def run():
-    if configuration.conf.get('kerberos', 'keytab') is None:
+def run(principal, keytab):
+    if not keytab:
         log.debug("Keytab renewer not starting, no keytab configured")
         sys.exit(0)
 
     while True:
-        renew_from_kt()
+        renew_from_kt(principal, keytab)
         time.sleep(configuration.conf.getint('kerberos', 'reinit_frequency'))
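Review bot: When no keytab is given, `run()` logs at debug level and exits with status 0. Unless debug logging is on, the renewer stops without a visible message, and a supervisor sees a clean exit while no tickets are renewed. Now that the keytab can come from either the command line or the config, I would raise the level: `log.warning("Keytab renewer not starting, no keytab configured")`. A non-zero exit code is also worth considering if nothing depends on the current 0.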
diff --git a/tests/security/test_kerberos.py b/tests/security/test_kerberos.py
index c495dd08c4..d3d7bd5b00 100644
--- a/tests/security/test_kerberos.py
+++ b/tests/security/test_kerberos.py
@@ -18,10 +18,14 @@
 # under the License.
 
 import os
-import unittest
-
+try:
+    import unittest2 as unittest  # PY27
+except ImportError:
+    import unittest
+from argparse import Namespace
 from airflow import configuration
 from airflow.security.kerberos import renew_from_kt
+from airflow import LoggingMixin
 
 
 @unittest.skipIf('KRB5_KTNAME' not in os.environ,
@@ -32,13 +36,34 @@ def setUp(self):
 
         if not configuration.conf.has_section("kerberos"):
             configuration.conf.add_section("kerberos")
-
-        configuration.conf.set("kerberos",
-                               "keytab",
+        configuration.conf.set("kerberos", "keytab",
                                os.environ['KRB5_KTNAME'])
+        keytab_from_cfg = configuration.conf.get("kerberos", "keytab")
+        self.args = Namespace(keytab=keytab_from_cfg, principal=None, pid=None,
+                              daemon=None, stdout=None, stderr=None, log_file=None)
 
     def test_renew_from_kt(self):
         """
         We expect no result, but a successful run. No more TypeError
         """
-        self.assertIsNone(renew_from_kt())
+        self.assertIsNone(renew_from_kt(principal=self.args.principal,
+                                        keytab=self.args.keytab))
+
+    def test_args_from_cli(self):
+        """
+        We expect no result, but a run with sys.exit(1) because keytab not exist.
+        """
+        configuration.conf.set("kerberos", "keytab", "")
+        self.args.keytab = "test_keytab"
+
+        with self.assertRaises(SystemExit) as se:
+            renew_from_kt(principal=self.args.principal,
+                          keytab=self.args.keytab)
+
+            with self.assertLogs(LoggingMixin().log) as log:
+                self.assertIn(
+                    'kinit: krb5_init_creds_set_keytab: Failed to find '
+                    'airflow@LUPUS.GRIDDYNAMICS.NET in keytab FILE:{} '
+                    '(unknown enctype)'.format(self.args.keytab), log.output)
+
+        self.assertEqual(se.exception.code, 1)
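Review bot: In `test_args_from_cli` the `assertLogs` block sits inside the `assertRaises` block, after the call that raises SystemExit, so it never runs and the log assertion checks nothing. Putting `assertLogs` on the outside, wrapped around `assertRaises`, makes it execute. The expected string also hard-codes a realm from one environment, and `assertIn` is applied to `log.output`, which is a list of formatted records, so an exact match would fail even if the block were reached. Matching on the `Couldn't reinit from keytab` text that `renew_from_kt` logs is more portable. The test class and the start of `setUp` are outside this hunk.

```python
    def test_args_from_cli(self):
        # … unchanged: docstring and keytab setup …
        with self.assertLogs(LoggingMixin().log, level='ERROR') as log:
            with self.assertRaises(SystemExit) as se:
                renew_from_kt(principal=self.args.principal,
                              keytab=self.args.keytab)

        self.assertTrue(
            any("Couldn't reinit from keytab" in line for line in log.output))
        self.assertEqual(se.exception.code, 1)
```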


 



> `airflow kerberos` ignores --keytab and --principal arguments
> -------------------------------------------------------------
>
>                 Key: AIRFLOW-987
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-987
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.8.0
>         Environment: 1.8-rc5
>            Reporter: Ruslan Dautkhanov
>            Assignee: Iuliia Volkova
>            Priority: Major
>              Labels: easyfix, kerberos, security
>
> No matter which arguments I pass to `airflow kerberos`, 
> it always executes as `kinit -r 3600m -k -t airflow.keytab -c /tmp/airflow_krb5_ccache airflow`
> So it fails with the expected "kinit: Keytab contains no suitable keys for airflow@CORP.SOME.COM while getting initial credentials"
> Tried different arguments, -kt and --keytab, here's one of the runs (some lines wrapped for readability):
> {noformat}
> $ airflow kerberos -kt /home/rdautkha/.keytab rdautkhanov@CORP.SOME.COM
> [2017-03-14 23:50:11,523] {__init__.py:57} INFO - Using executor LocalExecutor
> [2017-03-14 23:50:12,069] {kerberos.py:43} INFO - Reinitting kerberos from keytab: 
> kinit -r 3600m -k -t airflow.keytab -c /tmp/airflow_krb5_ccache airflow
> [2017-03-14 23:50:12,080] {kerberos.py:55} ERROR -
>  Couldn't reinit from keytab! `kinit' exited with 1.
> kinit: Keytab contains no suitable keys for airflow@CORP.SOME.COM 
> while getting initial credentials
> {noformat}
> 1.8-rc5


