API
krbcontext.context

class krbcontext.context.krbContext(using_keytab=False, principal=None, keytab_file=None, ccache_file=None, password=None)
A context manager for Kerberos-related actions
krbContext is able to initialize the credential cache automatically when the cache is not valid.
krbContext uses the Kerberos environment variable KRB5CCNAME to point to a given local credential cache, which the Kerberos library, whether through the krb5 API or GSSAPI, uses to store tickets. If the default credential cache is used, it is unnecessary to point to it with that variable; the Kerberos library is able to handle that.
After the credential cache is initialized, the original value of KRB5CCNAME, if there was one, must be restored. Otherwise, KRB5CCNAME must not be present in the program's environment variables.
krbContext can work with the with statement to simplify your code.

__enter__()
Initialize ccache when necessary before executing user code.
The lock is acquired as well before user code executes.

__exit__(exc_type, exc_value, traceback)
Clean context
If ccache is reinitialized, the original value of KRB5CCNAME will be restored correctly, if there was one. The lock is released as well.

_prepare_context()
Prepare context
Initialize the credential cache with keytab or password according to the using_keytab parameter. Then KRB5CCNAME is set properly so that the Kerberos library called in the current context is able to get credentials from the correct cache.
Internal use only.

clean_options(using_keytab=False, principal=None, keytab_file=None, ccache_file=None, password=None)
Clean argument to related object
Parameters:
- using_keytab (bool) – refer to krbContext.__init__.
- principal (str) – refer to krbContext.__init__.
- keytab_file (str) – refer to krbContext.__init__.
- ccache_file (str) – refer to krbContext.__init__.
- password (str) – refer to krbContext.__init__.
Returns: a mapping containing cleaned names and values, which are used internally.
Return type: dict
Raises: ValueError – principal is missing or the given keytab file does not exist, when initializing from a keytab.

init_with_keytab()
Initialize credential cache with keytab

init_with_password()
Initialize credential cache with password
Caution: once you enter a password from the command line, or pass it to the API directly, the given password is always unencrypted. Although getting credentials with a password works, from a security point of view it is strongly recommended NOT to use it in any formal production environment. If you need to initialize credentials in an application-to-application Kerberos authentication context, a keytab has to be used.
Raises: IOError – when trying to prompt for the password from the command line but no tty is available.
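
The KRB5CCNAME contract documented for __enter__ and __exit__ above (set the variable for the block, restore the original value or leave it absent, release the lock even when the block raises), as a stand-alone sketch. This is an added example, not krbcontext's own code: CcacheEnv, env_lock, observe and the cache paths are hypothetical, no Kerberos call is made, and treating ccache_file=None as "leave the variable alone" is an assumption based on the default-cache paragraph.

```python
import os
import threading

MISSING = object()            # sentinel: KRB5CCNAME was not set on entry
env_lock = threading.Lock()   # os.environ is process-wide, so serialize users


class CcacheEnv:
    """Hypothetical stand-in: only manages KRB5CCNAME, no Kerberos calls."""

    def __init__(self, ccache_file=None):
        self.ccache_file = ccache_file   # None means: use the default cache
        self._saved = MISSING

    def __enter__(self):
        env_lock.acquire()
        self._saved = os.environ.get("KRB5CCNAME", MISSING)
        if self.ccache_file is not None:
            os.environ["KRB5CCNAME"] = self.ccache_file
        return self

    def __exit__(self, exc_type, exc_value, traceback):
        try:
            if self._saved is MISSING:
                os.environ.pop("KRB5CCNAME", None)   # was absent: stays absent
            else:
                os.environ["KRB5CCNAME"] = self._saved
        finally:
            env_lock.release()
        return False   # do not swallow an exception raised in the block


def observe(initial, ccache_file, fail=False):
    """Return (KRB5CCNAME seen inside the block, KRB5CCNAME left afterwards)."""
    os.environ.pop("KRB5CCNAME", None)
    if initial is not None:
        os.environ["KRB5CCNAME"] = initial   # constructed starting state
    inside = None
    try:
        with CcacheEnv(ccache_file):
            inside = os.environ.get("KRB5CCNAME")
            if fail:
                raise RuntimeError("constructed failure inside the block")
    except RuntimeError:
        pass
    return inside, os.environ.get("KRB5CCNAME")
```

A credential cache path that leaks out of the block would make later Kerberos calls in the same process authenticate as the wrong principal, which is why the restore sits in __exit__ rather than after the user code.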