No edit summary |
(update for requests-gssapi) |
||
| Line 25: | Line 25: | ||
== Summary == | == Summary == | ||
Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. | Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required. | ||
== Owner == | == Owner == | ||
| Line 63: | Line 63: | ||
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly. | Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly. | ||
As part of this effort, [https://pypi.python.org/pypi/requests-gssapi python-requests-gssapi] will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos). | |||
''' | |||
Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.''' | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
| Line 70: | Line 73: | ||
pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation. | pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation. | ||
python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos. | |||
python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already. | python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already. | ||
python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi. | |||
<!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?--> | <!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?--> | ||
== Scope == | == Scope == | ||
* Proposal owners: rharwood (responsible for providing patches) | * Proposal owners: rharwood (responsible for providing patches and new package) | ||
<!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
| Line 124: | Line 131: | ||
`dnf repoquery --whatrequires python3-kerberos` | `dnf repoquery --whatrequires python3-kerberos` | ||
== User Experience == | == User Experience == | ||
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --> | <!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --> | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
Change should not be noticeable, except to any users of the deprecated packages directly. | Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate. | ||
== Dependencies == | == Dependencies == | ||
| Line 151: | Line 154: | ||
* waiverdb | * waiverdb | ||
python2-requests-kerberos: | |||
* (none) | |||
python3-kerberos: | python3-kerberos: | ||
* python3-requests-kerberos | |||
python3-requests-kerberos: | |||
* (none) | * (none) | ||
== Contingency Plan == | == Contingency Plan == | ||
| Line 171: | Line 176: | ||
<!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. --> | <!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. --> | ||
python-gssapi docs can be found | python-gssapi docs can be found [https://pythongssapi.github.io/python-gssapi/stable/ on its github page] | ||
requests-gssapi docs can be found [https://github.com/pythongssapi/requests-gssapi/#requests-gssapi-authentication-library on its github] | |||
== Release Notes == | == Release Notes == | ||
Revision as of 17:58, 19 December 2017
Kerberos in Python modernization
Summary
Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.
Owner
- Name: Robbie Harwood
- Email: rharwood at fp dot o
- Release notes owner:
Current status
- Targeted release: Fedora 28
- Last updated: 2017-12-19
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.
As part of this effort, python-requests-gssapi will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos).
Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.
Benefit to Fedora
python-krbV has no python3 support, so its replacement helps projects move to python3.
pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.
python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.
python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already.
python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.
Scope
- Proposal owners: rharwood (responsible for providing patches and new package)
- Other developers: maintainers of affected packages are expected to perform code review
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
All dependency changes should be handled seamlessly by dnf without additional input from the user.
How To Test
The following should all produce no results:
dnf repoquery --whatrequires python-krbV
dnf repoquery --whatrequires python-kerberos
dnf repoquery --whatrequires python3-kerberos
User Experience
Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.
Dependencies
python-krbV:
- beaker-client
- koji-web
- python2-koji
python2-kerberos:
- did
- offlineimap
- python2-nitrate
- python2-urllib2_kerberos
- waiverdb
python2-requests-kerberos:
- (none)
python3-kerberos:
- python3-requests-kerberos
python3-requests-kerberos:
- (none)
Contingency Plan
- Contingency mechanism: Ship them. python-krbV removal is highest priority since no python3 support.
- Contingency deadline: Beta
- Blocks release? No
- Blocks product? No
Documentation
python-gssapi docs can be found on its github page
requests-gssapi docs can be found on its github