Juan Hernandez has uploaded a new change for review.
Change subject: [WIP] Add support for Kerberos authentication
......................................................................
[WIP] Add support for Kerberos authentication
This patch adds support for Kerberos authentication. To use it the API
object has to be created using the "negotiate" parameter:
api = ovirtsdk.api.API(
url="https://ovirt.example.com/ovirt-engine/api",
negotiate=True,
...
)
For this to succeed the user must have acquired the Kerberos credentials
(the TGT) before calling the Python SDK.
Change-Id: Ic36e8548e5743aca71757eba46e4970976f08911
Bug-Url: https://bugzilla.redhat.com/1145234
Signed-off-by: Juan Hernandez <[email protected]>
---
M
generator/src/main/java/org/ovirt/engine/sdk/generator/rsdl/templates/EntryPointTemplate
M src/ovirtsdk/infrastructure/connectionspool.py
M src/ovirtsdk/web/connection.py
3 files changed, 18 insertions(+), 9 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine-sdk refs/changes/21/33221/1
diff --git
a/generator/src/main/java/org/ovirt/engine/sdk/generator/rsdl/templates/EntryPointTemplate
b/generator/src/main/java/org/ovirt/engine/sdk/generator/rsdl/templates/EntryPointTemplate
index a5e1dee..4997846 100644
---
a/generator/src/main/java/org/ovirt/engine/sdk/generator/rsdl/templates/EntryPointTemplate
+++
b/generator/src/main/java/org/ovirt/engine/sdk/generator/rsdl/templates/EntryPointTemplate
@@ -1,12 +1,13 @@
class API(object):
- def __init__(self, url, username, password, key_file=None, cert_file=None,
+ def __init__(self, url, username=None, password=None, key_file=None,
cert_file=None,
ca_file=None, port=None, timeout=None, session_timeout=None,
persistent_auth=True,
- renew_session=False, insecure=False,
validate_cert_chain=True, filter=False, debug=False): # @ReservedAssignment
+ renew_session=False, insecure=False,
validate_cert_chain=True, filter=False, debug=False,
+ negotiate=False): # @ReservedAssignment
'''
@param url: server url (format
"http/s://server[:port]/ovirt-engine/api")
- @param username: user (format user@domain)
- @param password: password
+ [@param username: user (format user@domain)]
+ [@param password: password]
[@param key_file: client PEM key_file for ssl enabled connection]
[@param cert_file: client PEM cert_file for ssl enabled connection]
[@param ca_file: server ca_file for ssl enabled connection]
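Review bot: With `username` and `password` now defaulting to `None`, nothing visible in this hunk rejects a call that supplies neither credentials nor `negotiate=True`. Such a call would reach the Basic branch in src/ovirtsdk/web/connection.py, which formats the credentials with `"%s:%s"` and would send the literal string `None:None` to the server. Consider failing early in `__init__`, for example `if not negotiate and (username is None or password is None): raise ValueError("username and password are required unless negotiate=True")`, or the SDK's own error type. The body of `__init__` lies outside this hunk, so an existing check cannot be ruled out.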
@@ -19,6 +20,7 @@
[@param validate_cert_chain: validate the server's CA certificate
(default is True)]
[@param filter: enables user-api filtering (default is False)]
[@param debug: debug (format True|False)]
+ [@param negotiate: use SPNEGO authentication (default is False)]
@raise NoCertificatesError: raised when CA certificate is not provided
for SSL site (can be disabled using 'insecure=True' argument).
@raise UnsecuredConnectionAttemptError: raised when HTTP protocol is
used in url against server running HTTPS.
@@ -66,7 +68,8 @@
timeout=timeout,
insecure=insecure,
validate_cert_chain=validate_cert_chain,
- debug=debug
+ debug=debug,
+ negotiate=negotiate
)
# Create the proxy:
diff --git a/src/ovirtsdk/infrastructure/connectionspool.py
b/src/ovirtsdk/infrastructure/connectionspool.py
index 07027df..16d813d 100644
--- a/src/ovirtsdk/infrastructure/connectionspool.py
+++ b/src/ovirtsdk/infrastructure/connectionspool.py
@@ -29,7 +29,7 @@
'''
def __init__(self, url, port, key_file, cert_file, ca_file, strict,
timeout,
username, password, context, count=20, insecure=False,
validate_cert_chain=True,
- debug=False):
+ debug=False, negotiate=False):
self.__free_connections = Queue(0)
self.__busy_connections = {}
@@ -59,7 +59,8 @@
manager=self,
insecure=insecure,
validate_cert_chain=validate_cert_chain,
- debug=debug))
+ debug=debug,
+ negotiate=negotiate))
def getConnection(self, get_ttl=100):
# try:
diff --git a/src/ovirtsdk/web/connection.py b/src/ovirtsdk/web/connection.py
index c268278..ce53ad8 100644
--- a/src/ovirtsdk/web/connection.py
+++ b/src/ovirtsdk/web/connection.py
@@ -40,7 +40,8 @@
validate_cert_chain=validate_cert_chain,
strict=strict,
timeout=timeout,
- debug=debug)
+ debug=debug,
+ negotiate=negotiate)
self.__url = url
self.__manager = manager
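Review bot: `negotiate` is read here and again in the next hunk (`self.__negotiate = negotiate`), but no hunk in this file adds it to the enclosing signature. The diffstat's 18 insertions are all accounted for by the visible hunks, so the signature appears to be unchanged. Unless that signature already accepts the name in some way not visible here, the `negotiate=negotiate` keyword passed from connectionspool.py raises `TypeError`, and this line would raise `NameError`. The likely fix is to add `negotiate=False` to the parameter list, matching the `debug=False, negotiate=False` change in connectionspool.py. The enclosing function starts outside this hunk.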
@@ -50,6 +51,7 @@
self.__context = manager.context
self.__username = username
self.__password = password
+ self.__negotiate = negotiate
def get_id(self):
return self.__id
@@ -76,7 +78,10 @@
# Set the URL:
self.__curl.setopt(pycurl.URL, self.__url + url)
- # Credentials should be sent only if there isn't a session:
+ # Basic credentials should be sent only if there isn't a session:
+ if self.__negotiate:
+ self.__curl.setopt(pycurl.HTTPAUTH,
pycurl.HTTPAUTH_GSSNEGOTIATE)
+ self.__curl.setopt(pycurl.USERPWD, ":")
if not self.__in_session():
self.__curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
self.__curl.setopt(pycurl.USERPWD, "%s:%s" % (self.__username,
self.__password))
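Review bot: The Basic branch is a separate `if`, not an `elif`, so on any request made without a session it runs after the new negotiate block and overwrites both `HTTPAUTH` and `USERPWD`. As written, SPNEGO would never be used for the initial authentication, and with the new `None` defaults the request would carry `None:None` (or a real password, if one was passed) as Basic credentials, which is what Kerberos is meant to avoid. Making the branches exclusive fixes this: `elif not self.__in_session():`. Indentation is lost in this mail, so the nesting is inferred from the statement order. The comment could then read `# Negotiate takes precedence; Basic credentials are sent only when there is no session:`. The enclosing method starts and ends outside this hunk.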
--
To view, visit http://gerrit.ovirt.org/33221
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic36e8548e5743aca71757eba46e4970976f08911
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine-sdk
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>