kiwy42 opened a new issue #17314:
URL: https://github.com/apache/airflow/issues/17314


   **Description**
   
   `kerberos.py` implementation does not account for the case where you need to use a forwardable token or a token without IP.
   The `kinit` options `-f` (to allow a forwardable token) and `-A` (to remove the IP) are mandatory in my setup, as Airflow runs inside a docker container and is provided with a Kerberos token for the docker host.
   
   **Use case / motivation**
   
   When running inside a docker container behind NAT it can sometimes be easier to remove the original IP from the token so the token can be validated against the KDC.
   
   **Are you willing to submit a PR?**
   
   I'm absolutely lost regarding python and git so probably no.  
   
   What I suggest is adding 2 configuration keys inside airflow.conf:
   ```
   [kerberos]
   forwardable=True (default False)
   include_ip=False (default True)
   ```
   
   Those two keys should be read in [`kerberos.py`](https://github.com/apache/airflow/blob/main/airflow/security/kerberos.py):
 
   ```
   import logging
   import socket

   from airflow.configuration import conf

   log = logging.getLogger(__name__)


   def renew_from_kt(principal: str, keytab: str, exit_on_fail: bool = True):
       """
       Renew kerberos token from keytab

       :param principal: principal
       :param keytab: keytab file
       :return: None
       """
       # The config is specified in seconds. But we ask for that same amount in
       # minutes to give ourselves a large renewal buffer.
       renewal_lifetime = f"{conf.getint('kerberos', 'reinit_frequency')}m"

       # conf.get() returns a string, so even "False" would be truthy;
       # read the new keys as booleans, with the proposed defaults as fallback.
       if conf.getboolean('kerberos', 'forwardable', fallback=False):
           forwardable = '-f'
       else:
           forwardable = '-F'

       if conf.getboolean('kerberos', 'include_ip', fallback=True):
           include_ip = '-a'
       else:
           include_ip = '-A'

       cmd_principal = principal or conf.get('kerberos', 'principal').replace("_HOST", socket.getfqdn())

       # "-r" takes the lifetime as its argument, so the new flags must come
       # after renewal_lifetime rather than between "-r" and its value.
       cmdv = [
           conf.get('kerberos', 'kinit_path'),
           "-r",
           renewal_lifetime,
           forwardable,
           include_ip,
           "-k",  # host ticket
           "-t",
           keytab,  # specify keytab
           "-c",
           conf.get('kerberos', 'ccache'),  # specify credentials cache
           cmd_principal,
       ]
       log.info("Re-initialising kerberos from keytab: %s", " ".join(cmdv))
       # The remainder of the function (running kinit) is unchanged from upstream.
   ```
   I think something like that should be good; I don't know where configuration variables are declared with their default values.
   At least on Linux this should work properly, no idea if `kinit` on Windows has the same arguments.
   
   ```
   kinit --help
   Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life]
        [-f | -F] [-n] [-a | -A]
        [...]
       options:
        [...]
        -f forwardable
        -F not forwardable
        [...]
        -a include addresses
        -A do not include addresses
   ```
   
   **Related Issues**
   
   I've no knowledge of related issues. 
   
   Hope someone with better understanding of the project 
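As an added example (not code from the issue or from Airflow), the script below builds the proposed kinit command line from the suggested `forwardable` / `include_ip` keys, parsing them as booleans the way configparser does, and then emulates a getopt-style option parser with Python's `getopt` to show why the `-f`/`-A` flags must not sit between `-r` and its lifetime argument. The option string, config values, paths and principal are assumptions constructed for the example.

```python
import configparser
import getopt
from typing import Dict, List, Tuple

# Option string assembled from the kinit usage text quoted above plus the
# -k/-t/-c options Airflow passes; an assumption covering only that subset.
KINIT_OPTSTRING = "Vl:s:r:fFnaAkt:c:"


def parse_bool(value: str) -> bool:
    """Parse like configparser.getboolean(): conf.get() returns a string,
    and the string "False" is truthy, so a plain `if conf.get(...)` is wrong."""
    return configparser.ConfigParser.BOOLEAN_STATES[value.strip().lower()]


def build_kinit_argv(cfg: Dict[str, str], keytab: str, principal: str,
                     renewal_minutes: int) -> List[str]:
    """Build the kinit command line with the proposed keys.
    Defaults follow the proposal: forwardable=False, include_ip=True."""
    forwardable = "-f" if parse_bool(cfg.get("forwardable", "False")) else "-F"
    include_ip = "-a" if parse_bool(cfg.get("include_ip", "True")) else "-A"
    return [
        cfg["kinit_path"],
        "-r", f"{renewal_minutes}m",  # -r consumes exactly the next argument,
        forwardable,                  # so the flags go after the lifetime
        include_ip,
        "-k", "-t", keytab,
        "-c", cfg["ccache"],
        principal,
    ]


def parse_like_kinit(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Emulate a getopt-style parser: returns (options, positional args).
    The positional args are what kinit would treat as the principal."""
    opts, rest = getopt.getopt(argv[1:], KINIT_OPTSTRING)
    return dict(opts), rest


if __name__ == "__main__":
    # Constructed sample configuration, not a real deployment.
    cfg = {"kinit_path": "/usr/bin/kinit", "ccache": "/tmp/airflow_krb5_ccache",
           "forwardable": "True", "include_ip": "False"}
    good = build_kinit_argv(cfg, "/etc/airflow.keytab", "airflow/host@EXAMPLE.COM", 60)
    print("ordered:", parse_like_kinit(good))
    # The draft in the issue put the flags between -r and its argument:
    bad = [good[0], "-r", "-f", "-A", "60m"] + good[5:]
    print("misordered:", parse_like_kinit(bad))  # -r swallows "-f"; "60m" becomes positional
```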

