Revision as of 22:08, 19 December 2017

Kerberos in Python modernization

Summary

Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.

Owner

Name: Robbie Harwood
Email: rharwood at fp dot o
Release notes owner:

Current status

Targeted release: Fedora 28
Last updated: 2017-12-19
Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.

As part of this effort, python-requests-gssapi will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos). Its package review is rhbz#1527682

Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.

Benefit to Fedora

python-krbV has no python3 support, so its replacement helps projects move to python3.

pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.

python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.

python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already.

python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.

Scope

Proposal owners: rharwood (responsible for providing patches and new package)

Other developers: maintainers of affected packages are expected to perform code review

Release engineering: #7219
- List of deliverables: N/A (not needed for this change)

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

All dependency changes should be handled seamlessly by dnf without additional input from the user.

How To Test

The following should all produce no results:

dnf repoquery --whatrequires python-krbV

dnf repoquery --whatrequires python-kerberos

dnf repoquery --whatrequires python3-kerberos

User Experience

Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.

Dependencies

All dependencies generated by dnf repoquery whatrequires packagename.

python-krbV

beaker-client
koji-web
python2-koji

python2-kerberos

did
offlineimap
python2-nitrate
python2-urllib2_kerberos
waiverdb

python2-requests-kerberos

(none)

python3-kerberos

python3-requests-kerberos

python3-requests-kerberos

(none)

Contingency Plan

Contingency mechanism: Ship them. python-krbV removal is highest priority since no python3 support.
Contingency deadline: Beta
Blocks release? No
Blocks product? No

Documentation

python-gssapi docs can be found on its github page

requests-gssapi docs can be found on its github

Release Notes

@@ Line 89: / Line 89: @@
 <!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
-* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
+* Release engineering: [https://pagure.io/releng/issue/7219 #7219] <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
 <!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.
 The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
-** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not needed for this change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 <!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
-* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+* Policies and guidelines: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 <!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->

Search

Changes/kerberos-in-python-modernization: Difference between revisions