python-freeipa

login_kerberos is inefficient

Open tiran opened this issue 5 years ago • 0 comments

Hi,

while I was assisting @abompard with a problem in Fedora Account System, I noticed that python-freeipa's Kerberos login is inefficient. It requires two HTTP roundtrips to authenticate and uses cookie sessions, which are less efficient. The official IPA client library uses opportunistic authentication without sessions.

To make python-freeipa faster:

  • use opportunistic authentication
  • allow passing of GSS-API credentials
  • don't call login_kerberos
  • drop session_logout for GSS-API auth

```python
try:
    import requests_gssapi
    import gssapi
    import gssapi.exceptions
except ImportError as e:
    # Will raise if the user tries to login via Kerberos.
    requests_gssapi = gssapi = e
```

in Client.__init__:

```python
        self._session.verify = verify_ssl

    def login_gssapi(self, creds=None):
        if creds is None:
            try:
                # Default initiator credentials from the caller's ccache
                creds = gssapi.Credentials(usage="initiate")
            except gssapi.exceptions.GSSError as e:
                raise Unauthorized(e)
        # Send the Negotiate token with the first request, no 401 round trip
        self._session.auth = requests_gssapi.HTTPSPNEGOAuth(
            opportunistic_auth=True, creds=creds
        )
        # optional check to get a 401 early
        self._request("ping")
```

tiran, Nov 19 '20 09:11
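The round-trip cost the issue refers to, shown for HTTP Negotiate in general: an added example, not part of the original issue or of python-freeipa. The stub server, the `/rpc` path and the token string are constructed; no real Kerberos exchange takes place.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer

# Constructed stand-in for a base64 SPNEGO token; hypothetical /rpc endpoint below.
TOKEN = "Negotiate Y29uc3RydWN0ZWQtdG9rZW4="

class StubRPC(BaseHTTPRequestHandler):
    def do_POST(self):
        self.server.hits += 1  # one hit == one HTTP round trip
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("Authorization") == TOKEN
        body = b'{"result": "pong"}' if ok else b""
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", "Negotiate")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def post(port, headers):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/rpc", b"{}", headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("WWW-Authenticate", "")

def ping(port, opportunistic):
    # Opportunistic: attach the token to the first request, unprompted.
    status, challenge = post(port, {"Authorization": TOKEN} if opportunistic else {})
    if status == 401 and challenge.startswith("Negotiate"):
        # Challenge-driven: answer the 401 with the token on a second request.
        status, _ = post(port, {"Authorization": TOKEN})
    return status

def count_roundtrips(opportunistic):
    """Return (final HTTP status, number of requests the server saw)."""
    server = TCPServer(("127.0.0.1", 0), StubRPC)
    server.hits = 0
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return ping(server.server_address[1], opportunistic), server.hits
    finally:
        server.shutdown()
        server.server_close()
```

`count_roundtrips(False)` models a client that waits for the 401 challenge, and `count_roundtrips(True)` models the `opportunistic_auth=True` setting in the snippet above.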