python-irodsclient

Support for Kerberos Authentication

Open boombard opened this issue 9 years ago • 14 comments

Does this library support Kerberos Authentication at all? If not, are there any plans to support it in the future?

boombard avatar Apr 14 '16 08:04 boombard

Not at this point but depending on the level of interest it could be added (as well as #8), after iRODS 4.2 is released.

adetorcy avatar Apr 14 '16 20:04 adetorcy

If you point me in the right direction I can try it myself and make a pull request? Is it a matter of changing the RODS_API_REQ message?

boombard avatar Apr 14 '16 20:04 boombard

Correct. You are going to need different Connection._login() methods based on irods_authentication_scheme in the client environment. In C++ both the client and server-side Kerberos authentication functionality is provided by the Kerberos plugin so you will need to implement the client side of the plugin in Python. I would start by looking at clientLogin.cpp to see what the overall authentication flow is, and then implement python versions of the client plugin operations in libkrb.cpp, which are called in clientLogin(). Thanks a lot for offering to help with this.

adetorcy avatar Apr 14 '16 22:04 adetorcy

This is useful for Sanger (as @boombard is a Sanger person).

kript avatar May 04 '16 10:05 kript

bump. :-)

kript avatar Jul 11 '16 14:07 kript

@boombard you might want to take a look at the new gsi login we just implemented, which should be pretty similar to Kerberos.

We based our handshake on the python gssapi library which covers with their basic tutorial the kerberos use case.

Good luck!

pdonorio avatar Jan 20 '17 08:01 pdonorio

@cmeesters is interested in kerberos integration. any updates anyone?

trel avatar Oct 21 '20 12:10 trel

What would be required to get the kerberos integration: In terms of environment, feedback, tests, code?

Perhaps I am naive, but I think there are two alternative options for implementing:

  • Either look for an existing kerberos ticket and cowardly refuse to work when there is none (by raising an appropriate error). This assumes a non-interactive workflow from the client script.
  • Or ask for a passwd when there is no ticket. This would require an interactive part in the client script.

Personally, option 1 is just fine. But, as I said, perhaps a bit naive as I am unaware of additional requirements.

cmeesters avatar Oct 28 '20 18:10 cmeesters
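
Option 1 above (use an existing ticket, refuse when there is none) as a pre-login check that dispatches on irods_authentication_scheme. This is an added example, not part of the thread and not python-irodsclient code. The names preflight_auth, has_valid_ticket and NoKerberosTicket are hypothetical, and the scheme spellings "KRB"/"kerberos" and the "native" default are assumptions.

```python
import subprocess


class NoKerberosTicket(RuntimeError):
    """Kerberos was requested but no usable ticket is cached."""


def has_valid_ticket(klist_cmd=("klist", "-s")):
    """Return True if the credential cache holds an unexpired ticket.

    MIT Kerberos `klist -s` prints nothing and exits 0 only in that case.
    klist_cmd is a parameter so the check can be exercised without a KDC.
    """
    try:
        result = subprocess.run(list(klist_cmd), stdin=subprocess.DEVNULL,
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False  # klist missing or hung: treat as "no ticket"
    return result.returncode == 0


def preflight_auth(env, ticket_check=has_valid_ticket):
    """Decide which login path a non-interactive script may take.

    env is a dict shaped like the iRODS client environment; only
    irods_authentication_scheme is read. The function never prompts for a
    password and never falls back to a different scheme than the one asked for.
    """
    scheme = str(env.get("irods_authentication_scheme", "native")).lower()
    if scheme == "native":
        return "native"
    if scheme in ("krb", "kerberos"):  # assumed spellings of the scheme value
        if not ticket_check():
            raise NoKerberosTicket(
                "no valid Kerberos ticket in the cache; run kinit and retry")
        return "kerberos"
    raise ValueError(f"unsupported irods_authentication_scheme: {scheme!r}")


if __name__ == "__main__":
    sample_env = {"irods_authentication_scheme": "KRB"}  # constructed sample
    try:
        print("login path:", preflight_auth(sample_env))
    except NoKerberosTicket as exc:
        print("refusing to log in:", exc)
```

Failing closed here keeps a batch job from silently switching to password authentication when a ticket has expired.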

The GSI commits were from January 2017 -- #56 and #57

trel avatar Oct 28 '20 19:10 trel

No progress on this so far?

erdc-cv19 avatar Feb 09 '21 21:02 erdc-cv19

The iRODS server has dropped direct Kerberos support, but Kerberos can be supported via the PAM stack.

This library supports a PAM flow with the iRODS server, so it would be interesting to show this is working with a Kerberized PAM configuration.

trel avatar Mar 15 '25 02:03 trel

I'm not sure how it works for 4.2, but in 4.3.2+, one can use pam_interactive to achieve PAM-based Kerberos authentication with iRODS: https://github.com/irods/irods_auth_plugin_pam_interactive?tab=readme-ov-file#kerberos-authentication This would of course require the pam_interactive plugin implementation for this client, but just thought I'd point that out.

Not sure how Kerberos auth works for 4.2.x. The Kerberos auth plugin was not ported to 4.3.x.

alanking avatar Mar 17 '25 12:03 alanking

> I'm not sure how it works for 4.2, but in 4.3.2+, one can use pam_interactive to achieve PAM-based Kerberos authentication with iRODS: https://github.com/irods/irods_auth_plugin_pam_interactive?tab=readme-ov-file#kerberos-authentication.
>
> This would of course require the pam_interactive plugin implementation for this client, but just thought I'd point that out. <...snip>

pam_interactive is slated to happen soon, I believe: #653

d-w-moore avatar Mar 17 '25 14:03 d-w-moore