API

krbcontext.context

class krbcontext.context.krbContext(using_keytab=False, principal=None, keytab_file=None, ccache_file=None, password=None)

A context manager for Kerberos-related actions

krbContext initializes the credential cache automatically when the cache is not valid.

krbContext uses the Kerberos environment variable KRB5CCNAME to point to a given local credential cache, which the Kerberos library, whether through the krb5 API or GSSAPI, uses to store tickets.

If the default credential cache is used, there is no need to point to it with that variable; the Kerberos library handles that itself.

After the credential cache is initialized, the original value of KRB5CCNAME, if there was one, must be restored. Otherwise, KRB5CCNAME must not be present in the program's environment variables.

krbContext works with the with statement to simplify your code.

__enter__()

Initialize the ccache when necessary before executing user code.

A lock is also acquired before user code executes.

__exit__(exc_type, exc_value, traceback)

Clean the context.

If the ccache was reinitialized, the original value of KRB5CCNAME, if there was one, is restored. The lock is released as well.
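The KRB5CCNAME handling described for __enter__ and __exit__ can be illustrated with a small stand-alone sketch. This is an added example, not krbcontext's own code: scoped_ccache, observe, the process-wide lock and the sample cache paths are all assumptions made for illustration, and no ticket is actually requested.

```python
import os
import threading
from contextlib import contextmanager

_ENV = "KRB5CCNAME"
_lock = threading.Lock()  # assumption: one process-wide lock guards os.environ


@contextmanager
def scoped_ccache(ccache_file):
    """Point KRB5CCNAME at ccache_file for the body, then put things back."""
    with _lock:
        # Distinguish "unset" from "set to some value" before overwriting.
        had_value = _ENV in os.environ
        original = os.environ.get(_ENV)
        os.environ[_ENV] = ccache_file
        try:
            yield ccache_file
        finally:
            # Runs on normal exit and on exceptions alike.
            if had_value:
                os.environ[_ENV] = original
            else:
                os.environ.pop(_ENV, None)


def observe(initial, ccache_file, fail=False):
    """Return (value seen inside the block, value left afterwards)."""
    if initial is None:
        os.environ.pop(_ENV, None)
    else:
        os.environ[_ENV] = initial
    seen = None
    try:
        with scoped_ccache(ccache_file):
            seen = os.environ.get(_ENV)
            if fail:
                raise RuntimeError("constructed failure inside the block")
    except RuntimeError:
        pass
    return seen, os.environ.get(_ENV)


if __name__ == "__main__":
    # Constructed sample paths; nothing is read from or written to them.
    print(observe(None, "/tmp/krb5cc_example"))
    print(observe("FILE:/tmp/krb5cc_original", "/tmp/krb5cc_example", fail=True))
```

The second call shows that the caller's original cache name survives an exception raised inside the block, so later Kerberos calls in the same process do not silently pick up the temporary cache.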

_prepare_context()

Prepare the context.

Initialize the credential cache with a keytab or a password according to the using_keytab parameter. Then KRB5CCNAME is set so that the Kerberos library called in the current context gets credentials from the correct cache.

Internal use only.

clean_options(using_keytab=False, principal=None, keytab_file=None, ccache_file=None, password=None)

Clean each argument into its related object.

Parameters:
  • using_keytab (bool) – refer to krbContext.__init__.
  • principal (str) – refer to krbContext.__init__.
  • keytab_file (str) – refer to krbContext.__init__.
  • ccache_file (str) – refer to krbContext.__init__.
  • password (str) – refer to krbContext.__init__.
Returns:

a mapping containing cleaned names and values, which are used internally.

Return type:

dict

Raises:

ValueError – principal is missing or the given keytab file does not exist, when initializing from a keytab.

init_with_keytab()

Initialize the credential cache with a keytab.

init_with_password()

Initialize the credential cache with a password.

Caution: once you enter a password on the command line, or pass it to the API directly, the given password is not always encrypted. Although getting credentials with a password works, from a security point of view it is strongly recommended NOT to use it in any formal production environment. If you need to initialize credentials in an application-to-application Kerberos authentication context, a keytab has to be used.

Raises:

IOError – when trying to prompt for the password on the command line but no tty is available.