From Fedora Project Wiki
No edit summary
(add python-rtkit)
 
(3 intermediate revisions by 2 users not shown)
Line 35: Line 35:
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: rharwood at fp dot o
* Email: rharwood at fp dot o
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
* Release notes ticket: [https://pagure.io/fedora-docs/release-notes/issue/91 #91]
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 142: Line 142:
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


All dependencies generated by `dnf repoquery whatrequires packagename`.
All dependencies generated by `dnf repoquery --whatrequires packagename`.


=== python-krbV ===
=== python-krbV ===
Line 149: Line 149:
* python2-koji
* python2-koji


=== python2-kerberos ===
=== python-kerberos (python{2,3}-kerberos) ===
* did
* did
* offlineimap
* offlineimap
* python2-nitrate
* python2-nitrate
* python2-urllib2_kerberos
* python-requests-kerberos
* python-urllib2_kerberos
* waiverdb
* waiverdb


=== python2-requests-kerberos ===
=== python-requests-kerberos (python{2,3}-requests-kerberos) ===
* (none)
* osbs-client
* python-hdfs
* python2-keystoneclient-kerberos
* python-koji
* python-osbs-client
* python-pdc-client
* retrace-server


=== python3-kerberos ===
=== python-urllib2_kerberos (python{2,3}-urllib2_kerberos) ===
* python3-requests-kerberos
* python2-rtkit
 
=== python3-requests-kerberos ===
* (none)


== Contingency Plan ==
== Contingency Plan ==
Line 188: Line 192:
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.  
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.  
-->
-->
This change did not fully land for Fedora28, but a large part of it did, and the rest will be proposed in the future.  In particular:
* koji did not deploy their python-gssapi code, and no beaker changeset was proposed, so python-krbV remains.
* did was migrated to python-gssapi.
* offlineimap migrated to python-gssapi.
* python-nitrate was migrated to python-gssapi.
* waiverdb has a changeset, but it wasn't proposed in time, so it doesn't make fc28.
* python-requests-gssapi was introduced to replace python-requests-kerberos
* python-urllib-gssapi was introduced to replace python-urllib2_kerberos
* python-kerberos therefore remains until python-urllib2_kerberos and python-requests-kerberos can be removed.
* python2-rtkit has a changeset, but it wasn't proposed in time, so python-urllib2_kerberos can't be removed yet.


[[Category:ChangeAcceptedF28]]
[[Category:ChangeAcceptedF28]]

Latest revision as of 18:20, 26 March 2018


Kerberos in Python modernization

Summary

Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.

Owner

Current status

Detailed Description

Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.

As part of this effort, python-requests-gssapi will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos). Its package review (completed as of 2018-01-03) was rhbz#1527682

Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.

Benefit to Fedora

python-krbV has no python3 support, so its replacement helps projects move to python3.

pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.

python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.

python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already.

python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.


Scope

  • Proposal owners: rharwood (responsible for providing patches and new package)
  • Other developers: maintainers of affected packages are expected to perform code review
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

All dependency changes should be handled seamlessly by dnf without additional input from the user.

How To Test

The following should all produce no results:

dnf repoquery --whatrequires python-krbV

dnf repoquery --whatrequires python-kerberos

dnf repoquery --whatrequires python3-kerberos

User Experience

Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.

Dependencies

All dependencies generated by dnf repoquery --whatrequires packagename.

python-krbV

  • beaker-client
  • koji-web
  • python2-koji

python-kerberos (python{2,3}-kerberos)

  • did
  • offlineimap
  • python2-nitrate
  • python-requests-kerberos
  • python-urllib2_kerberos
  • waiverdb

python-requests-kerberos (python{2,3}-requests-kerberos)

  • osbs-client
  • python-hdfs
  • python2-keystoneclient-kerberos
  • python-koji
  • python-osbs-client
  • python-pdc-client
  • retrace-server

python-urllib2_kerberos (python{2,3}-urllib2_kerberos)

  • python2-rtkit

Contingency Plan

  • Contingency mechanism: Ship them. python-krbV removal is highest priority since no python3 support.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

python-gssapi docs can be found on its github page

requests-gssapi docs can be found on its github

Release Notes

This change did not fully land for Fedora28, but a large part of it did, and the rest will be proposed in the future. In particular:

  • koji did not deploy their python-gssapi code, and no beaker changeset was proposed, so python-krbV remains.
  • did was migrated to python-gssapi.
  • offlineimap migrated to python-gssapi.
  • python-nitrate was migrated to python-gssapi.
  • waiverdb has a changeset, but it wasn't proposed in time, so it doesn't make fc28.
  • python-requests-gssapi was introduced to replace python-requests-kerberos
  • python-urllib-gssapi was introduced to replace python-urllib2_kerberos
  • python-kerberos therefore remains until python-urllib2_kerberos and python-requests-kerberos can be removed.
  • python2-rtkit has a changeset, but it wasn't proposed in time, so python-urllib2_kerberos can't be removed yet.