From Fedora Project Wiki
(template import)
 
(add python-rtkit)
 
(30 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
 
 
 
<!-- Self Contained or System Wide Change Proposal?
 
<!-- Self Contained or System Wide Change Proposal?
 
Use this guide to determine to which category your proposed change belongs to.
 
Use this guide to determine to which category your proposed change belongs to.
Line 23: Line 21:
  
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
= Change Proposal Name <!-- The name of your change proposal --> =
+
= Kerberos in Python modernization =
  
 
== Summary ==
 
== Summary ==
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. -->
+
 
 +
Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora.  rharwood will author all necessary code changes; no new code from maintainers is required.
  
 
== Owner ==
 
== Owner ==
Line 33: Line 32:
 
This should link to your home wiki page so we know who you are.  
 
This should link to your home wiki page so we know who you are.  
 
-->
 
-->
* Name: [[User:FASAcountName| Your Name]]
+
* Name: [[User:rharwood| Robbie Harwood]]
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
 
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: <your email address so we can contact you, invite you to meetings, etc.>
+
* Email: rharwood at fp dot o
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
+
* Release notes ticket: [https://pagure.io/fedora-docs/release-notes/issue/91 #91]
 
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
 
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
 
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
 
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 46: Line 45:
  
 
== Current status ==
 
== Current status ==
* Targeted release: [[Releases/<number> | Fedora <number> ]]  
+
* Targeted release: [[Releases/28 | Fedora 28 ]]  
 
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
 
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
 
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
 
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 56: Line 55:
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
-->
 
-->
* Tracker bug: <will be assigned by the Wrangler>
+
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1537249 #1537249]
  
 
== Detailed Description ==
 
== Detailed Description ==
  
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 +
 +
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi.  python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.
 +
 +
As part of this effort, [https://pypi.python.org/pypi/requests-gssapi python-requests-gssapi] will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos).  Its package review (completed as of 2018-01-03) was [https://bugzilla.redhat.com/show_bug.cgi?id=1527682 rhbz#1527682]
 +
 +
'''
 +
Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.'''
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
  
   
+
python-krbV has no python3 support, so its replacement helps projects move to python3.
 +
 
 +
pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.
 +
 
 +
python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month).  It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.
 +
 
 +
python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI).  Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors.  The project runs PR CI on Fedora explicitly already.
 +
 
 +
python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi.  It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.
 
    
 
    
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
  
 
== Scope ==
 
== Scope ==
* Proposal owners:
+
* Proposal owners: rharwood (responsible for providing patches and new package)
 
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
  
* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Other developers: maintainers of affected packages are expected to perform code review <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
  
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
+
* Release engineering: [https://pagure.io/releng/issue/7219 #7219] <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
 
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
 
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
 
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
 
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not needed for this change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
 
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
  
* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Policies and guidelines: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
 
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
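Review bot: In the new Benefit to Fedora text, the claim that python-requests-kerberos is largely unmaintained upstream ("PRs not getting merged for a very long time; no feedback on python-gssapi for a month") has nothing behind it that a reader can check. Suggest linking the upstream pull request it refers to, the same way the Detailed Description links the package review (rhbz#1527682).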
  
Line 91: Line 105:
  
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
+
All dependency changes should be handled seamlessly by dnf without additional input from the user.
  
 
== How To Test ==
 
== How To Test ==
Line 109: Line 123:
  
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
+
 
 +
The following should all produce no results:
 +
 
 +
`dnf repoquery --whatrequires python-krbV`
 +
 
 +
`dnf repoquery --whatrequires python-kerberos`
 +
 
 +
`dnf repoquery --whatrequires python3-kerberos`
  
 
== User Experience ==
 
== User Experience ==
 
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
+
Change should not be noticeable, except to any users of the deprecated packages directly.  dnf should pull in python-gssapi and python-requests-gssapi as appropriate.
  
 
== Dependencies ==
 
== Dependencies ==
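Review bot: The How To Test queries cover only python-krbV, python-kerberos and python3-kerberos, while the Dependencies section names python-requests-kerberos and python-urllib2_kerberos as packages that themselves require python-kerberos and have their own dependents. Suggest adding the same `dnf repoquery --whatrequires` check for those two packages, and for python2-kerberos given the python{2,3}-kerberos naming, so the test matches the full set of packages being retired.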
Line 120: Line 141:
  
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)  
+
 
 +
All dependencies generated by `dnf repoquery --whatrequires packagename`.
 +
 
 +
=== python-krbV ===
 +
* beaker-client
 +
* koji-web
 +
* python2-koji
 +
 
 +
=== python-kerberos (python{2,3}-kerberos) ===
 +
* did
 +
* offlineimap
 +
* python2-nitrate
 +
* python-requests-kerberos
 +
* python-urllib2_kerberos
 +
* waiverdb
 +
 
 +
=== python-requests-kerberos (python{2,3}-requests-kerberos) ===
 +
* osbs-client
 +
* python-hdfs
 +
* python2-keystoneclient-kerberos
 +
* python-koji
 +
* python-osbs-client
 +
* python-pdc-client
 +
* retrace-server
 +
 
 +
=== python-urllib2_kerberos (python{2,3}-urllib2_kerberos) ===
 +
* python2-rtkit
  
 
== Contingency Plan ==
 
== Contingency Plan ==
  
 
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
 
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Contingency mechanism: Ship them. python-krbV removal is highest priority since no python3 support.
 
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
 
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Contingency deadline: Beta <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
 
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks product? product <!-- Applicable for Changes that blocks specific product release/Fedora.next -->
+
* Blocks product? No <!-- Applicable for Changes that blocks specific product release/Fedora.next -->
  
 
== Documentation ==
 
== Documentation ==
 
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
 
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
  
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
python-gssapi docs can be found [https://pythongssapi.github.io/python-gssapi/stable/ on its github page]
N/A (not a System Wide Change)
+
 
 +
requests-gssapi docs can be found [https://github.com/pythongssapi/requests-gssapi/#requests-gssapi-authentication-library on its github]
  
 
== Release Notes ==
 
== Release Notes ==
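Review bot: The new Contingency mechanism line, "Ship them.", answers neither of the template's prompts ("What to do? Who will do it?") and leaves "them" undefined. Suggest stating explicitly that the old packages (python-krbV, python-kerberos and whichever dependents were not migrated) keep shipping unchanged, and who decides that at the Beta deadline.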
Line 145: Line 193:
 
-->
 
-->
  
[[Category:ChangePageIncomplete]]
+
This change did not fully land for Fedora28, but a large part of it did, and the rest will be proposed in the future.  In particular:
 +
 
 +
* koji did not deploy their python-gssapi code, and no beaker changeset was proposed, so python-krbV remains.
 +
* did was migrated to python-gssapi.
 +
* offlineimap migrated to python-gssapi.
 +
* python-nitrate was migrated to python-gssapi.
 +
* waiverdb has a changeset, but it wasn't proposed in time, so it doesn't make fc28.
 +
* python-requests-gssapi was introduced to replace python-requests-kerberos
 +
* python-urllib-gssapi was introduced to replace python-urllib2_kerberos
 +
* python-kerberos therefore remains until python-urllib2_kerberos and python-requests-kerberos can be removed.
 +
* python2-rtkit has a changeset, but it wasn't proposed in time, so python-urllib2_kerberos can't be removed yet.
 +
 
 +
[[Category:ChangeAcceptedF28]]
 
<!-- When your change proposal page is completed and ready for review and announcement -->
 
<!-- When your change proposal page is completed and ready for review and announcement -->
 
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
 
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
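Review bot: The Release Notes bullets introduce python-urllib-gssapi, which appears nowhere else in the proposal; the Detailed Description and Documentation sections mention only python-gssapi and python-requests-gssapi. Suggest adding it to both sections with a link to its documentation. Minor style points in the same hunk: "Fedora28" and "fc28" should be written one way, and the two "was introduced" bullets lack the closing period the other bullets have.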
Line 151: Line 211:
 
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
 
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
  
<!-- Select proper category, default is Self Contained Change -->
+
[[Category:SystemWideChange]]
[[Category:SelfContainedChange]]
 
<!-- [[Category:SystemWideChange]] -->
 

Latest revision as of 18:20, 26 March 2018


Kerberos in Python modernization

Summary

Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.

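Owner

  • Name: Robbie Harwood
  • Email: rharwood at fp dot o
  • Release notes ticket: #91 (https://pagure.io/fedora-docs/release-notes/issue/91)

Current status

  • Targeted release: Fedora 28
  • Tracker bug: #1537249 (https://bugzilla.redhat.com/show_bug.cgi?id=1537249)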

Detailed Description

Replace older, clunkier, less user-friendly Python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.

As part of this effort, python-requests-gssapi (https://pypi.python.org/pypi/requests-gssapi) will be introduced to Fedora to enable the transition off python-requests-kerberos (which requires pykerberos). Its package review (completed as of 2018-01-03) was rhbz#1527682 (https://bugzilla.redhat.com/show_bug.cgi?id=1527682).

Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.

Benefit to Fedora

python-krbV has no python3 support, so its replacement helps projects move to python3.

pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.

python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.

python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on GitHub) that is friendly to new contributors. The project already runs PR CI on Fedora explicitly.

python-requests-gssapi provides a compatibility layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and Apache's mod_auth_gssapi.


Scope

  • Proposal owners: rharwood (responsible for providing patches and new package)
  • Other developers: maintainers of affected packages are expected to perform code review
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

All dependency changes should be handled seamlessly by dnf without additional input from the user.

How To Test

The following should all produce no results:

dnf repoquery --whatrequires python-krbV

dnf repoquery --whatrequires python-kerberos

dnf repoquery --whatrequires python3-kerberos
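
The repoquery checks above work at the package-dependency level. The following added example (not part of the proposal or of any Fedora tooling) does the complementary source-level check, flagging imports of the deprecated bindings in a Python file and naming the replacement. The import-module names and the replacement mapping are assumptions based on the upstream projects, and both sample files are constructed.

```python
import ast
import re

# Deprecated import name -> replacement. Import names are assumptions based on
# the upstream projects; the proposal itself lists only package names.
REPLACEMENTS = {
    "krbV": "gssapi",                        # python-krbV
    "kerberos": "gssapi",                    # pykerberos / python-kerberos
    "requests_kerberos": "requests_gssapi",  # python-requests-kerberos
    "urllib2_kerberos": "urllib_gssapi",     # python-urllib2_kerberos
}

_IMPORT_RE = re.compile(r"^\s*(?:from\s+([\w.]+)\s+import\b|import\s+(.+))")


def _ast_imports(source):
    """Yield (line, module) for absolute imports, using the real parser."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield node.lineno, alias.name
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            yield node.lineno, node.module


def _line_imports(source):
    """Line-based fallback for Python 2-only files; may over-report."""
    for lineno, line in enumerate(source.splitlines(), 1):
        match = _IMPORT_RE.match(line)
        if not match:
            continue
        if match.group(1):
            yield lineno, match.group(1)
            continue
        for part in match.group(2).split("#")[0].split(","):
            yield lineno, part.strip().split(" as ")[0].strip()


def find_deprecated_imports(source):
    """Return sorted (line, deprecated_module, replacement) tuples."""
    try:
        found = list(_ast_imports(source))
    except SyntaxError:  # e.g. Python 2 print statements in krbV-era code
        found = list(_line_imports(source))
    hits = {(line, name.split(".")[0]) for line, name in found}
    return sorted((line, top, REPLACEMENTS[top])
                  for line, top in hits if top in REPLACEMENTS)


# Constructed sample inputs (not taken from any Fedora package).
SAMPLE_PY3 = '''\
import os
import kerberos as k, json
from requests_kerberos import HTTPKerberosAuth
from .kerberos import helper
import gssapi
'''
SAMPLE_PY2 = '''\
import krbV
print "ccache:", krbV.default_context().default_ccache()
import urllib2, urllib2_kerberos
'''

if __name__ == "__main__":
    for label, text in (("py3", SAMPLE_PY3), ("py2", SAMPLE_PY2)):
        for line, old, new in find_deprecated_imports(text):
            print(f"{label}:{line}: {old} -> {new}")
```

The relative import `from .kerberos import helper` is deliberately not flagged, since it refers to a local module rather than pykerberos.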

User Experience

The change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.

Dependencies

All dependencies below were generated by dnf repoquery --whatrequires packagename.

python-krbV

  • beaker-client
  • koji-web
  • python2-koji

python-kerberos (python{2,3}-kerberos)

  • did
  • offlineimap
  • python2-nitrate
  • python-requests-kerberos
  • python-urllib2_kerberos
  • waiverdb

python-requests-kerberos (python{2,3}-requests-kerberos)

  • osbs-client
  • python-hdfs
  • python2-keystoneclient-kerberos
  • python-koji
  • python-osbs-client
  • python-pdc-client
  • retrace-server

python-urllib2_kerberos (python{2,3}-urllib2_kerberos)

  • python2-rtkit

Contingency Plan

  • Contingency mechanism: Ship them. python-krbV removal is the highest priority since it has no python3 support.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

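python-gssapi docs can be found on its GitHub page: https://pythongssapi.github.io/python-gssapi/stable/

requests-gssapi docs can be found on its GitHub repository: https://github.com/pythongssapi/requests-gssapi/#requests-gssapi-authentication-library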

Release Notes

This change did not fully land for Fedora 28, but a large part of it did, and the rest will be proposed in the future. In particular:

  • koji did not deploy their python-gssapi code, and no beaker changeset was proposed, so python-krbV remains.
  • did was migrated to python-gssapi.
  • offlineimap was migrated to python-gssapi.
  • python-nitrate was migrated to python-gssapi.
  • waiverdb has a changeset, but it wasn't proposed in time, so it doesn't make fc28.
  • python-requests-gssapi was introduced to replace python-requests-kerberos.
  • python-urllib-gssapi was introduced to replace python-urllib2_kerberos.
  • python-kerberos therefore remains until python-urllib2_kerberos and python-requests-kerberos can be removed.
  • python2-rtkit has a changeset, but it wasn't proposed in time, so python-urllib2_kerberos can't be removed yet.