krbcontext / python-krbcontext

A Kerberos context manager
https://krbcontext.github.io/
GNU General Public License v3.0

Can not init with password #31

Closed gp1314 closed 3 years ago

gp1314 commented 4 years ago

I use the username and password for kdc authentication, but I can't authenticate successfully.

zzdgit commented 4 years ago

I have the same problem.

zzdgit commented 4 years ago

@gp1314 Have you solved the problem?

zzdgit commented 4 years ago

When I run it on the server where hiveserver2 is located, I get a different error:

  File "hive.py", line 18, in <module>
    raise e
  File "hive.py", line 8, in <module>
    with krbcontext(using_keytab=True, principal=user, keytab_file=keytab_file):
  File "/home/data/xxx/miniconda3/lib/python3.6/site-packages/krbcontext/context.py", line 274, in __enter__
    self._prepare_context()
  File "/home/data/xxx/miniconda3/lib/python3.6/site-packages/krbcontext/context.py", line 264, in _prepare_context
    self.init_with_keytab()
  File "/home/data/xxx/miniconda3/lib/python3.6/site-packages/krbcontext/context.py", line 156, in init_with_keytab
    creds = gssapi.creds.Credentials(**creds_opts)
  File "/home/data/xxx/miniconda3/lib/python3.6/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/home/data/xxx/miniconda3/lib/python3.6/site-packages/gssapi/creds.py", line 140, in acquire
    raise NotImplementedError("Your GSSAPI implementation does "
NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores

tkdchen commented 4 years ago

@zzdgit @gp1314 What version of python-gssapi are you using?

zzdgit commented 4 years ago

@tkdchen I have tried all the following versions: gssapi==1.6.5 and gssapi==1.5.0

zzdgit commented 4 years ago

@tkdchen I mainly use it to connect to HIVE, and an error is thrown during Kerberos authentication. But I had no problems with other servers.

When I debugged the error, it is at line 146 of this file: calling the underlying C dynamic library reports an error. What should I do? /home/data/xxx/miniconda3/lib/python3.6/site-packages/gssapi/creds.py, line 146

            res = rcred_cred_store.acquire_cred_from(store, name,
                                                     lifetime, mechs,
                                                     usage)

tkdchen commented 4 years ago

@zzdgit

I have no experience with HIVE. krbcontext is just a simple wrapper of python-gssapi to handle some specific cases. According to the traceback you mentioned above, it looks like the issue is related to gssapi itself. I would suggest you create an object of gssapi.creds.Credentials to try to reproduce it with your keytab file and principal and see what happens. For example:

creds = gssapi.creds.Credentials(
    usage='initiate', name=principal, store={
        'client_keytab': 'path/to/keytab-file',
    }
)

If it still happens, perhaps you need to ask the gssapi maintainers for help.

> But I had no problems with other servers

BTW, would you like to mention what kinds of Kerberos environments you have succeeded in interacting with using krbcontext? Thanks!

tkdchen commented 4 years ago

@zzdgit Any progress?

zzdgit commented 4 years ago

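@tkdchen My problem is more or less solved. I am connecting to hive, which has Kerberos authentication. The problem was caused by the source code of the hive server I connect to having been modified. But I still don't quite understand the mechanism by which Python authenticates with Kerberos. It feels like it has nothing to do with krbcontext. First I cache the Kerberos credentials: kinit -kt xxx.keytab xxx. Before, when I had the problem, my code was as follows: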

 with krbcontext(using_keytab=True, principal=self.user, keytab_file=self.keytab_file):
     self.conn = connect(host=host, port=port, auth_mechanism='GSSAPI', kerberos_service_name='hive')
     self.cursor = self.conn.cursor()

Afterwards, what solved the problem was removing the with line:

self.conn = connect(host=host, port=port, auth_mechanism='GSSAPI', kerberos_service_name='hive')
self.cursor = self.conn.cursor()

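Because hive's Kerberos authentication is still in place, I only need to first activate the Kerberos credentials on the server with kinit -kt xxx.keytab xxx, but now my code connects without carrying any authentication at all, and it still connects. It feels very strange.

So for now I am still looking at how gssapi implements this.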
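Added example, not part of the original thread or of krbcontext: a small diagnostic for the two symptoms discussed above. It reports which credential cache a GSSAPI initiator picks up by default after kinit (which is why connect() can succeed with no krbcontext block) and whether the installed python-gssapi exposes the credential-store extension whose absence produces the NotImplementedError in the traceback. The function names and the /tmp/krb5cc_<uid> fallback (the MIT Kerberos default when default_ccache_name is not set in krb5.conf) are assumptions.

```python
import importlib.util
import os

# Credential cache types understood by MIT Kerberos.
KNOWN_TYPES = {"FILE", "DIR", "KEYRING", "KCM", "MEMORY", "API"}


def resolve_ccache(environ, uid):
    """Return (type, residual) of the default credential cache."""
    name = environ.get("KRB5CCNAME")
    if not name:
        # Assumption: built-in MIT default; krb5.conf may override it.
        return ("FILE", "/tmp/krb5cc_%d" % uid)
    prefix, sep, rest = name.partition(":")
    if sep and prefix in KNOWN_TYPES:
        return (prefix, rest)
    return ("FILE", name)  # a bare path means a FILE cache


def has_cred_store_support():
    """True if python-gssapi ships the credential store extension.

    gssapi.creds raises NotImplementedError for store=... when the
    gssapi.raw.ext_cred_store module is not available.
    """
    try:
        spec = importlib.util.find_spec("gssapi.raw.ext_cred_store")
    except (ImportError, OSError):
        return False  # gssapi missing or its C library failed to load
    return spec is not None


def diagnose(environ=os.environ, uid=None):
    """Summarise where credentials come from and what gssapi supports."""
    uid = os.getuid() if uid is None else uid
    cc_type, residual = resolve_ccache(environ, uid)
    return {
        "ccache": "%s:%s" % (cc_type, residual),
        # Only FILE caches can be checked with a plain path test;
        # kinit -kt creates this file for the calling user.
        "ccache_present": os.path.exists(residual) if cc_type == "FILE" else None,
        "cred_store_support": has_cred_store_support(),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print("%-20s %s" % (key, value))
```

If ccache_present is True, any GSSAPI client run by that user authenticates with the cached ticket until it expires, independent of krbcontext.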

tkdchen commented 4 years ago

@zzdgit

What is the value of self.user? If you use a keytab, you should pass a principal that is in the keytab to the principal parameter.

zzdgit commented 4 years ago

@tkdchen Sorry, I extracted the code from my project and didn't change some places. self.user is just the name of this keytab's user, that is, the principal in the keytab.