Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/07/29 14:10:59 UTC

[GitHub] [airflow] kiwy42 opened a new issue #17314: Kerberos configuration to enable allow kinit -f -A

kiwy42 opened a new issue #17314:
URL: https://github.com/apache/airflow/issues/17314


   **Description**
   
   The `kerberos.py` implementation does not account for the case where you need to use a forwardable token or a token without IP.
   The `kinit` options `-f` (to allow a forwardable token) and `-A` (to remove the IP) are mandatory in my setup, as Airflow runs inside a docker and is provided with a kerberos token for the docker host.
   
   **Use case / motivation**
   
   When running inside a docker behind NAT it can sometimes be easier to remove the original IP from the token so the token can be validated against the KDC.  
   
   **Are you willing to submit a PR?**
   
   I'm absolutely lost regarding python and git so probably no.  
   
   What I suggest is adding 2 configuration keys inside airflow.conf:  
   ```
   [kerberos]
   forwardable=True (default False)
   include_ip=False (default True)
   ```
   
   Those two keys should be read in [`kerberos.py`](https://github.com/apache/airflow/blob/main/airflow/security/kerberos.py): 
   ```
   import logging
   import socket
   
   from airflow.configuration import conf
   
   log = logging.getLogger(__name__)
   
   
   def renew_from_kt(principal: str, keytab: str, exit_on_fail: bool = True):
       """
       Renew kerberos token from keytab
       :param principal: principal
       :param keytab: keytab file
       :return: None
       """
       # The config is specified in seconds. But we ask for that same amount in
       # minutes to give ourselves a large renewal buffer.
       renewal_lifetime = f"{conf.getint('kerberos', 'reinit_frequency')}m"
   
       # getboolean() rather than get(): get() returns a string, and the
       # string "False" is truthy.
       if conf.getboolean('kerberos', 'forwardable'):
           forwardable = '-f'
       else:
           forwardable = '-F'
   
       if conf.getboolean('kerberos', 'include_ip'):
           include_ip = '-a'
       else:
           include_ip = '-A'
   
       cmd_principal = principal or conf.get('kerberos', 'principal').replace("_HOST", socket.getfqdn())
   
       cmdv = [
           conf.get('kerberos', 'kinit_path'),
           forwardable,
           include_ip,
           "-r",  # renewable lifetime; its value must directly follow
           renewal_lifetime,
           "-k",  # host ticket
           "-t",
           keytab,  # specify keytab
           "-c",
           conf.get('kerberos', 'ccache'),  # specify credentials cache
           cmd_principal,
       ]
       log.info("Re-initialising kerberos from keytab: %s", " ".join(cmdv))
   ```
   I think something like that should be good, I don't know where configuration variables are declared with their default values.  
   At least on Linux this should work properly, no idea if `kinit` on Windows has the same arguments.
   
   ```
   kinit --help  
   Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life]
   	[-f | -F]  [-n] [-a | -A]
           [...]
       options:
   	[...]
           -f forwardable
   	-F not forwardable
           [...]
   	-a include addresses
   	-A do not include addresses
   ```
   
   **Related Issues**
   
   I've no knowledge of related issues. 
   
   Hope someone with better understanding of the project 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
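
Added example (not part of the original issue and not Airflow's code): a stand-alone sketch of the proposal above, with the standard library's configparser standing in for Airflow's conf object. The sample config values, principal and keytab path are constructed; the fallbacks are the defaults the issue proposes (not forwardable, addresses included).

```python
import configparser

# Constructed sample config using the two keys proposed in the issue.
SAMPLE_CFG = """
[kerberos]
kinit_path = kinit
ccache = /tmp/airflow_krb5_ccache
reinit_frequency = 3600
forwardable = False
include_ip = False
"""


def load(text):
    """Parse an INI-style config string (stand-in for Airflow's conf)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def build_kinit_argv(cfg, principal, keytab):
    """Return the kinit argv for a keytab-based (re)initialisation."""
    k = cfg["kerberos"]
    # getboolean() parses "False"/"no"/"0"; a plain get() returns the
    # non-empty string "False", which is truthy and would always pick -f.
    forwardable = k.getboolean("forwardable", fallback=False)
    include_ip = k.getboolean("include_ip", fallback=True)
    return [
        k.get("kinit_path", fallback="kinit"),
        "-f" if forwardable else "-F",
        "-a" if include_ip else "-A",
        # -r takes a value, so the lifetime must directly follow it.
        "-r", f"{k.getint('reinit_frequency')}m",
        "-k", "-t", keytab,
        "-c", k["ccache"],
        principal,
    ]


if __name__ == "__main__":
    argv = build_kinit_argv(load(SAMPLE_CFG), "airflow@EXAMPLE.COM",
                            "/etc/airflow.keytab")
    print(" ".join(argv))
```
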



[GitHub] [airflow] eladkal closed issue #17314: Kerberos configuration to enable allow kinit -f -A

Posted by GitBox <gi...@apache.org>.
eladkal closed issue #17314:
URL: https://github.com/apache/airflow/issues/17314


   





[GitHub] [airflow] eladkal commented on issue #17314: Kerberos configuration to enable allow kinit -f -A

Posted by GitBox <gi...@apache.org>.
eladkal commented on issue #17314:
URL: https://github.com/apache/airflow/issues/17314#issuecomment-928201286


   solved in https://github.com/apache/airflow/pull/17816







[GitHub] [airflow] boring-cyborg[bot] commented on issue #17314: Kerberos configuration to enable allow kinit -f -A

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #17314:
URL: https://github.com/apache/airflow/issues/17314#issuecomment-889178101


   Thanks for opening your first issue here! Be sure to follow the issue template!
   

