Kerberos in Python modernization
Summary
Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.
Owner
- Name: Robbie Harwood
- Email: rharwood at fp dot o
- Release notes owner:
Current status
- Targeted release: Fedora 28
- Last updated: 2018-01-12
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.
As part of this effort, python-requests-gssapi will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos). Its package review (completed as of 2018-01-03) was rhbz#1527682
Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.
Benefit to Fedora
python-krbV has no python3 support, so its replacement helps projects move to python3.
pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.
python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.
python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already.
python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.
Scope
- Proposal owners: rharwood (responsible for providing patches and new package)
- Other developers: maintainers of affected packages are expected to perform code review
- Release engineering: #7219
- List of deliverables: N/A (not needed for this change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
All dependency changes should be handled seamlessly by dnf without additional input from the user.
How To Test
The following should all produce no results:
dnf repoquery --whatrequires python-krbV
dnf repoquery --whatrequires python-kerberos
dnf repoquery --whatrequires python3-kerberos
User Experience
Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.
Dependencies
All dependencies generated by dnf repoquery whatrequires packagename
.
python-krbV
- beaker-client
- koji-web
- python2-koji
python2-kerberos
- did
- offlineimap
- python2-nitrate
- python2-urllib2_kerberos
- waiverdb
python2-requests-kerberos
- (none)
python3-kerberos
- python3-requests-kerberos
python3-requests-kerberos
- (none)
Contingency Plan
- Contingency mechanism: Ship them. python-krbV removal is highest priority since no python3 support.
- Contingency deadline: Beta
- Blocks release? No
- Blocks product? No
Documentation
python-gssapi docs can be found on its github page
requests-gssapi docs can be found on its github