From Fedora Project Wiki
(update status for f28 release)
(add python-rtkit)
 
(One intermediate revision by the same user not shown)
Line 142: Line 142:
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


All dependencies generated by `dnf repoquery whatrequires packagename`.
All dependencies generated by `dnf repoquery --whatrequires packagename`.


=== python-krbV ===
=== python-krbV ===
Line 149: Line 149:
* python2-koji
* python2-koji


=== python2-kerberos ===
=== python-kerberos (python{2,3}-kerberos) ===
* did
* did
* offlineimap
* offlineimap
* python2-nitrate
* python2-nitrate
* python2-urllib2_kerberos
* python-requests-kerberos
* python-urllib2_kerberos
* waiverdb
* waiverdb


=== python2-requests-kerberos ===
=== python-requests-kerberos (python{2,3}-requests-kerberos) ===
* (none)
* osbs-client
* python-hdfs
* python2-keystoneclient-kerberos
* python-koji
* python-osbs-client
* python-pdc-client
* retrace-server


=== python3-kerberos ===
=== python-urllib2_kerberos (python{2,3}-urllib2_kerberos) ===
* python3-requests-kerberos
* python2-rtkit
 
=== python3-requests-kerberos ===
* (none)


== Contingency Plan ==
== Contingency Plan ==
Line 199: Line 203:
* python-urllib-gssapi was introduced to replace python-urllib2_kerberos
* python-urllib-gssapi was introduced to replace python-urllib2_kerberos
* python-kerberos therefore remains until python-urllib2_kerberos and python-requests-kerberos can be removed.
* python-kerberos therefore remains until python-urllib2_kerberos and python-requests-kerberos can be removed.
* python2-rtkit has a changeset, but it wasn't proposed in time, so python-urllib2_kerberos can't be removed yet.


[[Category:ChangeAcceptedF28]]
[[Category:ChangeAcceptedF28]]

Latest revision as of 18:20, 26 March 2018


Kerberos in Python modernization

Summary

Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.

Owner

Current status

Detailed Description

Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.

As part of this effort, python-requests-gssapi will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos). Its package review (completed as of 2018-01-03) was rhbz#1527682

Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.

Benefit to Fedora

python-krbV has no python3 support, so its replacement helps projects move to python3.

pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.

python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.

python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already.

python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.


Scope

  • Proposal owners: rharwood (responsible for providing patches and new package)
  • Other developers: maintainers of affected packages are expected to perform code review
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

All dependency changes should be handled seamlessly by dnf without additional input from the user.

How To Test

The following should all produce no results:

dnf repoquery --whatrequires python-krbV

dnf repoquery --whatrequires python-kerberos

dnf repoquery --whatrequires python3-kerberos

User Experience

Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.

Dependencies

All dependencies generated by dnf repoquery --whatrequires packagename.

python-krbV

  • beaker-client
  • koji-web
  • python2-koji

python-kerberos (python{2,3}-kerberos)

  • did
  • offlineimap
  • python2-nitrate
  • python-requests-kerberos
  • python-urllib2_kerberos
  • waiverdb

python-requests-kerberos (python{2,3}-requests-kerberos)

  • osbs-client
  • python-hdfs
  • python2-keystoneclient-kerberos
  • python-koji
  • python-osbs-client
  • python-pdc-client
  • retrace-server

python-urllib2_kerberos (python{2,3}-urllib2_kerberos)

  • python2-rtkit

Contingency Plan

  • Contingency mechanism: Ship them. python-krbV removal is highest priority since no python3 support.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

python-gssapi docs can be found on its github page

requests-gssapi docs can be found on its github

Release Notes

This change did not fully land for Fedora28, but a large part of it did, and the rest will be proposed in the future. In particular:

  • koji did not deploy their python-gssapi code, and no beaker changeset was proposed, so python-krbV remains.
  • did was migrated to python-gssapi.
  • offlineimap migrated to python-gssapi.
  • python-nitrate was migrated to python-gssapi.
  • waiverdb has a changeset, but it wasn't proposed in time, so it doesn't make fc28.
  • python-requests-gssapi was introduced to replace python-requests-kerberos
  • python-urllib-gssapi was introduced to replace python-urllib2_kerberos
  • python-kerberos therefore remains until python-urllib2_kerberos and python-requests-kerberos can be removed.
  • python2-rtkit has a changeset, but it wasn't proposed in time, so python-urllib2_kerberos can't be removed yet.