Fokko closed pull request #3563: [AIRFLOW-2698] Simplify Kerberos code URL: https://github.com/apache/incubator-airflow/pull/3563
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/airflow/contrib/auth/backends/kerberos_auth.py b/airflow/contrib/auth/backends/kerberos_auth.py index 08be299a19..2701362300 100644 --- a/airflow/contrib/auth/backends/kerberos_auth.py +++ b/airflow/contrib/auth/backends/kerberos_auth.py @@ -19,6 +19,7 @@ import logging import flask_login +from airflow.exceptions import AirflowConfigException from flask_login import current_user from flask import flash from wtforms import ( @@ -32,7 +33,6 @@ from flask import url_for, redirect -from airflow import settings from airflow import models from airflow import configuration from airflow.utils.db import provide_session @@ -58,7 +58,13 @@ def authenticate(username, password): utils.get_fqdn() ) realm = configuration.conf.get("kerberos", "default_realm") - user_principal = utils.principal_from_username(username) + + try: + user_realm = configuration.conf.get("security", "default_realm") + except AirflowConfigException: + user_realm = realm + + user_principal = utils.principal_from_username(username, user_realm) try: # this is pykerberos specific, verify = True is needed to prevent KDC spoofing @@ -68,7 +74,8 @@ def authenticate(username, password): raise AuthenticationError() except kerberos.KrbError as e: logging.error( - 'Password validation for principal %s failed %s', user_principal, e) + 'Password validation for user ' + '%s in realm %s failed %s', user_principal, realm, e) raise AuthenticationError(e) return diff --git a/airflow/security/utils.py b/airflow/security/utils.py index 8e4fcbd4bf..cf8ade922b 100644 --- a/airflow/security/utils.py +++ b/airflow/security/utils.py 
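Review bot: The realm chosen by the new try/except in authenticate() only applies to bare usernames, because `principal_from_username` (changed in airflow/security/utils.py in this same commit) returns any username containing '@' unchanged. The realm in the principal can therefore come from the submitted username rather than from configuration. If the deployment is meant to accept a single realm, compare the built principal's realm with `user_realm` before the password check, e.g. `if user_principal.rsplit('@', 1)[-1] != user_realm: raise AuthenticationError()`. If cross-realm logins are intended, a comment saying so would make that explicit. The body of authenticate() continues outside this hunk, so the password validation call itself is not visible here.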
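Review bot: The new log message reports `realm` (read from `kerberos.default_realm`) as the user's realm, but the principal was built with `user_realm`, which comes from `security.default_realm` when that option is set. When the two differ, the entry names a realm the user was never placed in. Since `user_principal` already carries its realm, either drop the extra field or pass `user_realm` instead: `'Password validation for principal %s (default realm %s) failed %s', user_principal, user_realm, e`. The principal is derived from the `username` argument, presumably login-form input, so formatting it with `%r` would keep embedded line breaks from splitting the log entry. This except block sits inside authenticate(), whose body starts outside the hunk.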
@@ -22,21 +22,6 @@ from airflow.utils.net import get_hostname -# Pattern to replace with hostname -HOSTNAME_PATTERN = '_HOST' - - -def get_kerberos_principal(principal, host): - components = get_components(principal) - if not components or len(components) != 3 or components[1] != HOSTNAME_PATTERN: - return principal - else: - if not host: - raise IOError("Can't replace %s pattern " - "since host is null." % HOSTNAME_PATTERN) - return replace_hostname_pattern(components, host) - - def get_components(principal): """ get_components(principal) -> (short name, instance (FQDN), realm) @@ -51,33 +36,27 @@ def get_components(principal): def replace_hostname_pattern(components, host=None): fqdn = host if not fqdn or fqdn == '0.0.0.0': - fqdn = get_localhost_name() + fqdn = get_hostname() return '%s/%s@%s' % (components[0], fqdn.lower(), components[2]) -def get_localhost_name(): - return get_hostname() - - def get_fqdn(hostname_or_ip=None): # Get hostname try: if hostname_or_ip: fqdn = socket.gethostbyaddr(hostname_or_ip)[0] + if fqdn == 'localhost': + fqdn = get_hostname() else: - fqdn = get_localhost_name() + fqdn = get_hostname() except IOError: fqdn = hostname_or_ip - if fqdn == 'localhost': - fqdn = get_localhost_name() - return fqdn -def principal_from_username(username): - realm = conf.get("security", "default_realm") - if '@' not in username and realm: +def principal_from_username(username, realm): + if ('@' not in username) and realm: username = "{}@{}".format(username, realm) return username ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
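Review bot: Moving the `'localhost'` check inside the `if hostname_or_ip:` branch of get_fqdn() changes the fallback path. When `socket.gethostbyaddr` raises and `fqdn = hostname_or_ip` is used, a literal 'localhost' is now returned as-is, where the old code replaced it with the machine's hostname. For callers that pass a hostname and use the result in a Kerberos service principal, 'localhost' is unlikely to match a keytab entry, so keeping the check after the try block (`if fqdn == 'localhost': fqdn = get_hostname()`) would preserve the earlier behaviour. Separately, `principal_from_username` now requires `realm`, which breaks any caller still passing one argument (none are visible here). A short docstring stating that a username containing '@' is returned unchanged would document that contract.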