Fokko closed pull request #3563: [AIRFLOW-2698] Simplify Kerberos code
URL: https://github.com/apache/incubator-airflow/pull/3563
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/airflow/contrib/auth/backends/kerberos_auth.py 
b/airflow/contrib/auth/backends/kerberos_auth.py
index 08be299a19..2701362300 100644
--- a/airflow/contrib/auth/backends/kerberos_auth.py
+++ b/airflow/contrib/auth/backends/kerberos_auth.py
@@ -19,6 +19,7 @@
 
 import logging
 import flask_login
+from airflow.exceptions import AirflowConfigException
 from flask_login import current_user
 from flask import flash
 from wtforms import (
@@ -32,7 +33,6 @@
 
 from flask import url_for, redirect
 
-from airflow import settings
 from airflow import models
 from airflow import configuration
 from airflow.utils.db import provide_session
@@ -58,7 +58,13 @@ def authenticate(username, password):
             utils.get_fqdn()
         )
         realm = configuration.conf.get("kerberos", "default_realm")
-        user_principal = utils.principal_from_username(username)
+
+        try:
+            user_realm = configuration.conf.get("security", "default_realm")
+        except AirflowConfigException:
+            user_realm = realm
+
+        user_principal = utils.principal_from_username(username, user_realm)
 
         try:
             # this is pykerberos specific, verify = True is needed to prevent 
KDC spoofing
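Review bot: The new `try`/`except AirflowConfigException` in authenticate() silently chooses between two realm settings, and nothing in the hunk records which one is meant to govern user logins. If the intent is that user principals may live in a different realm than the service principal, a comment above the `try` should say so, e.g. `# users may be in a different realm than the service; fall back to [kerberos] default_realm when [security] default_realm is unset`. An empty `[security] default_realm` value presumably does not raise, so `user_realm` would stay empty and principal_from_username (as changed later in this commit) would leave the username unqualified; `user_realm = user_realm or realm` after the `try` would make the fallback cover that case. authenticate() starts and ends outside this hunk.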
@@ -68,7 +74,8 @@ def authenticate(username, password):
                 raise AuthenticationError()
         except kerberos.KrbError as e:
             logging.error(
-                'Password validation for principal %s failed %s', 
user_principal, e)
+                'Password validation for user '
+                '%s in realm %s failed %s', user_principal, realm, e)
             raise AuthenticationError(e)
 
         return
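Review bot: The reworded error in the `except kerberos.KrbError` branch logs `realm`, the `[kerberos] default_realm` value, next to `user_principal`, which the earlier hunk builds from `user_realm` and which already carries its own `@REALM` suffix. When the two settings differ, the line reports a principal in one realm as failing "in realm" another, which makes failed-login triage harder. Either log `user_realm` or name the field for what it is, e.g. `'Password validation for principal %s (default realm %s) failed: %s'`. `user_principal` derives from the submitted username, so it is worth confirming that the log handler neutralises control characters. The enclosing function continues outside the hunk.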
diff --git a/airflow/security/utils.py b/airflow/security/utils.py
index 8e4fcbd4bf..cf8ade922b 100644
--- a/airflow/security/utils.py
+++ b/airflow/security/utils.py
@@ -22,21 +22,6 @@
 
 from airflow.utils.net import get_hostname
 
-# Pattern to replace with hostname
-HOSTNAME_PATTERN = '_HOST'
-
-
-def get_kerberos_principal(principal, host):
-    components = get_components(principal)
-    if not components or len(components) != 3 or components[1] != 
HOSTNAME_PATTERN:
-        return principal
-    else:
-        if not host:
-            raise IOError("Can't replace %s pattern "
-                          "since host is null." % HOSTNAME_PATTERN)
-        return replace_hostname_pattern(components, host)
-
-
 def get_components(principal):
     """
     get_components(principal) -> (short name, instance (FQDN), realm)
@@ -51,33 +36,27 @@ def get_components(principal):
 def replace_hostname_pattern(components, host=None):
     fqdn = host
     if not fqdn or fqdn == '0.0.0.0':
-        fqdn = get_localhost_name()
+        fqdn = get_hostname()
     return '%s/%s@%s' % (components[0], fqdn.lower(), components[2])
 
 
-def get_localhost_name():
-    return get_hostname()
-
-
 def get_fqdn(hostname_or_ip=None):
     # Get hostname
     try:
         if hostname_or_ip:
             fqdn = socket.gethostbyaddr(hostname_or_ip)[0]
+            if fqdn == 'localhost':
+                fqdn = get_hostname()
         else:
-            fqdn = get_localhost_name()
+            fqdn = get_hostname()
     except IOError:
         fqdn = hostname_or_ip
 
-    if fqdn == 'localhost':
-        fqdn = get_localhost_name()
-
     return fqdn
 
 
-def principal_from_username(username):
-    realm = conf.get("security", "default_realm")
-    if '@' not in username and realm:
+def principal_from_username(username, realm):
+    if ('@' not in username) and realm:
         username = "{}@{}".format(username, realm)
 
     return username
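Review bot: principal_from_username() still returns any username that already contains `@` unchanged, so the `realm` argument added here is only a default and not a restriction; in authenticate() the username is presumably whatever was typed into the login form. Whether a principal from another realm can then pass the password check depends on the KDC and any cross-realm trust, which this diff does not show, so the function should at least get a docstring stating it, e.g. `"""Append realm to username unless it already names one; the given realm is not enforced."""`. If only the configured realm should be accepted, the caller can reject a mismatched suffix: `if '@' in username and not username.endswith('@' + user_realm): raise AuthenticationError()`. The signature change also breaks any caller still using the one-argument form; none is visible here beyond kerberos_auth.py.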


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
