From Fedora Project Wiki
(update for requests-gssapi)
Line 25: Line 25:
== Summary ==
== Summary ==


Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora.
Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora.  rharwood will author all necessary code changes; no new code from maintainers is required.


== Owner ==
== Owner ==
Line 63: Line 63:
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi.  python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.
Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi.  python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.


TODO: requests
As part of this effort, [https://pypi.python.org/pypi/requests-gssapi python-requests-gssapi] will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos).
 
'''
Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.'''


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 70: Line 73:


pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications.  It has almost no documentation.
pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications.  It has almost no documentation.
python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month).  It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.


python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI).  Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors.  The project runs PR CI on Fedora explicitly already.
python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI).  Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors.  The project runs PR CI on Fedora explicitly already.
python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi.  It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.
    
    
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->


== Scope ==
== Scope ==
* Proposal owners: rharwood (responsible for providing patches)
* Proposal owners: rharwood (responsible for providing patches and new package)
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


Line 124: Line 131:


`dnf repoquery --whatrequires python3-kerberos`
`dnf repoquery --whatrequires python3-kerberos`
TODO: requests?


== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Change should not be noticeable, except to any users of the deprecated packages directly.
Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.
 
TODO: requests


== Dependencies ==
== Dependencies ==
Line 151: Line 154:
* waiverdb
* waiverdb


TODO requests
python2-requests-kerberos:
* (none)


python3-kerberos:
python3-kerberos:
* python3-requests-kerberos
python3-requests-kerberos:
* (none)
* (none)
TODO requests


== Contingency Plan ==
== Contingency Plan ==
Line 171: Line 176:
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->


python-gssapi docs can be found here: https://pythonhosted.org/gssapi/
python-gssapi docs can be found [https://pythongssapi.github.io/python-gssapi/stable/ on its github page]
 
requests-gssapi docs can be found [https://github.com/pythongssapi/requests-gssapi/#requests-gssapi-authentication-library on its github]


== Release Notes ==
== Release Notes ==

Revision as of 17:58, 19 December 2017


Kerberos in Python modernization

Summary

Replace usage of python-krbV and pykerberos with python-gssapi in all Fedora packages to enable their removal from Fedora. rharwood will author all necessary code changes; no new code from maintainers is required.

Owner

Current status

  • Targeted release: Fedora 28
  • Last updated: 2017-12-19
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Replace older, clunkier, less user-friendly python interfaces to Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, which is widely standardized, implemented by both MIT and Heimdal Kerberos, and much more user-friendly.

As part of this effort, python-requests-gssapi will be introduced to fedora to enable transition off of python-requests-kerberos (which requires pykerberos).

Please note that I will be providing all patches necessary to all affected components; no work is expected from other maintainers, other than normal review and backport handling.

Benefit to Fedora

python-krbV has no python3 support, so its replacement helps projects move to python3.

pykerberos is a very minimal implementation intended for use in calendar server and not intended for consumption by other applications. It has almost no documentation.

python-requests-kerberos is largely unmaintained upstream (PRs not getting merged for a very long time; no feedback on python-gssapi for a month). It's also mis-named for what it does, since both it and python-requests-gssapi provide GSSAPI/SPNEGO negotiation support, not just Kerberos.

python-gssapi is substantially more maintainable than python-krbV and pykerberos, and uses the preferred interface to Kerberos (GSSAPI). Its upstream is active (i.e., not dead) and it is hosted in a reasonable way (its own repository on github) that is friendly to new contributors. The project runs PR CI on Fedora explicitly already.

python-requests-gssapi provides a compatability layer for python-requests-kerberos, while also providing a new API that fits much better with projects already using python-gssapi. It is written and maintained by the same group that wrote python-gssapi and apache's mod_auth_gssapi.


Scope

  • Proposal owners: rharwood (responsible for providing patches and new package)
  • Other developers: maintainers of affected packages are expected to perform code review
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

All dependency changes should be handled seamlessly by dnf without additional input from the user.

How To Test

The following should all produce no results:

dnf repoquery --whatrequires python-krbV

dnf repoquery --whatrequires python-kerberos

dnf repoquery --whatrequires python3-kerberos

User Experience

Change should not be noticeable, except to any users of the deprecated packages directly. dnf should pull in python-gssapi and python-requests-gssapi as appropriate.

Dependencies

python-krbV:

  • beaker-client
  • koji-web
  • python2-koji

python2-kerberos:

  • did
  • offlineimap
  • python2-nitrate
  • python2-urllib2_kerberos
  • waiverdb

python2-requests-kerberos:

  • (none)

python3-kerberos:

  • python3-requests-kerberos

python3-requests-kerberos:

  • (none)

Contingency Plan

  • Contingency mechanism: Ship them. python-krbV removal is highest priority since no python3 support.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

python-gssapi docs can be found on its github page

requests-gssapi docs can be found on its github

Release Notes