From Fedora Project Wiki
(update for requests-gssapi)
Line 25: Line 25:
 
== Summary ==
 
== Summary ==
  
Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora.
+
Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora.  rharwood will author all necessary code changes; no new code from maintainers is required.
  
 
== Owner ==
 
== Owner ==
Line 63: Line 63:
 
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi.  python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.
 
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi.  python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.
  
TODO: requests
+
As part of this effort, [https://pypi.python.org/pypi/requests-gssapi python-requests-gssapi] will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos).
 +
 
 +
'''
 +
Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.'''
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
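Review bot: The added bold note in Detailed Description is written in the first person ("I will be providing all patches necessary"), which on a shared wiki page does not say who is making the commitment. Name rharwood there, as the Summary change in this same revision does. In the sentence added just before it, "fedora" should be capitalised.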
Line 70: Line 73:
  
 
pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications.  It has almost no documentation.
 
pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications.  It has almost no documentation.
 +
 +
python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month).  It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.
  
 
python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI).  Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors.  The project runs PR CI on Fedora explicitly already.
 
python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI).  Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors.  The project runs PR CI on Fedora explicitly already.
 +
 +
python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi.  It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.
 
    
 
    
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
  
 
== Scope ==
 
== Scope ==
* Proposal owners: rharwood (responsible for providing patches)
+
* Proposal owners: rharwood (responsible for providing patches and new package)
 
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
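Review bot: "compatability" in the added python-requests-gssapi paragraph should read "compatibility". In the added python-requests-kerberos paragraph, "no feedback on python-gssapi for a month" does not say what was submitted upstream; a link to the pull request or issue in question would let reviewers of the proposal check the maintenance claim.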
  
Line 124: Line 131:
  
 
`dnf repoquery --whatrequires python3-kerberos`
 
`dnf repoquery --whatrequires python3-kerberos`
 
TODO: requests?
 
  
 
== User Experience ==
 
== User Experience ==
 
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Change should not be noticeable, except to any users of the deprecated packages directly.
+
Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.
 
 
TODO: requests
 
  
 
== Dependencies ==
 
== Dependencies ==
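Review bot: In How To Test, "TODO: requests?" is removed without a check taking its place, so the last query shown is still `dnf repoquery --whatrequires python3-kerberos`. If python-requests-kerberos is meant to be retired along with pykerberos, add matching `--whatrequires` queries for python2-requests-kerberos and python3-requests-kerberos. Otherwise state that the python3-kerberos query already covers it.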
Line 151: Line 154:
 
* waiverdb
 
* waiverdb
  
TODO requests
+
python2-requests-kerberos:
 +
* (none)
  
 
python3-kerberos:
 
python3-kerberos:
 +
* python3-requests-kerberos
 +
 +
python3-requests-kerberos:
 
* (none)
 
* (none)
 
TODO requests
 
  
 
== Contingency Plan ==
 
== Contingency Plan ==
Line 171: Line 176:
 
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
 
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
  
python-gssapi docs can be found here: https://pythonhosted.org/gssapi/
+
python-gssapi docs can be found [https://pythongssapi.github.io/python-gssapi/stable/ on its github page]
 +
 
 +
requests-gssapi docs can be found [https://github.com/pythongssapi/requests-gssapi/#requests-gssapi-authentication-library on its github]
  
 
== Release Notes ==
 
== Release Notes ==
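Review bot: The two added Documentation links use different and non-descriptive labels ("on its github page", "on its github"), and the first target is a github.io documentation site rather than a repository page. Label each link with what it points to, for example "python-gssapi documentation" and "requests-gssapi README".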

Revision as of 17:58, 19 December 2017


Kerberos in Python modernization

Summary

Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.

Owner

Current status

  • Targeted release: Fedora 28
  • Last updated: 2017-12-19
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Replace older, clunkier, less user-friendly Python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.

As part of this effort, python-requests-gssapi (https://pypi.python.org/pypi/requests-gssapi) will be introduced to Fedora to enable the transition off of python-requests-kerberos (which requires pykerberos).

Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.

Benefit to Fedora

python-krbV has no python3 support, so its replacement helps projects move to python3.

pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.

python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also misnamed for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.

python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on GitHub) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already.

python-requests-gssapi provides a compatibility layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and Apache's mod_auth_gssapi.


Scope

  • Proposal owners: rharwood (responsible for providing patches and new package)
  • Other developers: maintainers of affected packages are expected to perform code review
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

All dependency changes should be handled seamlessly by dnf without additional input from the user.

How To Test

The following should all produce no results:

dnf repoquery --whatrequires python-krbV

dnf repoquery --whatrequires python-kerberos

dnf repoquery --whatrequires python3-kerberos

User Experience

Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.

Dependencies

python-krbV:

  • beaker-client
  • koji-web
  • python2-koji

python2-kerberos:

  • did
  • offlineimap
  • python2-nitrate
  • python2-urllib2_kerberos
  • waiverdb

python2-requests-kerberos:

  • (none)

python3-kerberos:

  • python3-requests-kerberos

python3-requests-kerberos:

  • (none)

Contingency Plan

  • Contingency mechanism: Ship them. python-krbV removal is the highest priority since it has no python3 support.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

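python-gssapi docs can be found on its GitHub page: https://pythongssapi.github.io/python-gssapi/stable/

requests-gssapi docs can be found on its GitHub: https://github.com/pythongssapi/requests-gssapi/#requests-gssapi-authentication-library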

Release Notes