orchestrator: Support getting kerberos ticket

If the configuration sets keytab path and principal, run kinit with custom cache file, and delete the file at the end of the run. JIRA: COMPOSE-3288 Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
2019-03-06 10:12:43 +01:00 · 2019-03-06 10:12:43 +01:00 · 86fb93d603
parent b80efbfd97
commit 86fb93d603
3 changed files with 60 additions and 1 deletions
--- a/doc/multi_compose.rst
+++ b/doc/multi_compose.rst
@ -39,6 +39,14 @@ General settings
   If specified, a current event will be retrieved from the Koji instance and
   used for all parts.

+**kerberos**
+   If set to yes, a kerberos ticket will be automatically created at the start.
+   Set keytab and principal as well.
+**kerberos_keytab**
+   Path to keytab file used to create the kerberos ticket.
+**kerberos_principal**
+   Kerberos principal for the ticket
+

 Partial compose settings
 ------------------------
--- a/pungi_utils/orchestrator.py
+++ b/pungi_utils/orchestrator.py
@ -3,6 +3,7 @@
 from __future__ import print_function

 import argparse
+import atexit
 import errno
 import json
 import logging
@ -11,11 +12,13 @@ import re
 import shutil
 import subprocess
 import sys
+import tempfile
 from collections import namedtuple

 import kobo.conf
 import kobo.log
 import productmd
+from kobo import shortcuts
 from six.moves import configparser, shlex_quote

 from pungi.compose import get_compose_dir
@ -465,14 +468,33 @@ def setup_for_restart(global_config, parts, to_restart):
        raise RuntimeError("All restarted parts are blocked. Nothing to do.")


+def run_kinit(config):
+    if not config.getboolean("general", "kerberos"):
+        return
+
+    keytab = config.get("general", "kerberos_keytab")
+    principal = config.get("general", "kerberos_principal")
+
+    fd, fname = tempfile.mkstemp(prefix="krb5cc_pungi-orchestrate_")
+    os.close(fd)
+    os.environ["KRB5CCNAME"] = fname
+    shortcuts.run(["kinit", "-k", "-t", keytab, principal])
+    log.debug("Created a kerberos ticket for %s", principal)
+
+    atexit.register(os.remove, fname)
+
+
 def run(work_dir, main_config_file, args):
    config_dir = os.path.join(work_dir, "config")
    shutil.copytree(os.path.dirname(main_config_file), config_dir)

    # Read main config
-    parser = configparser.RawConfigParser()
+    parser = configparser.RawConfigParser(defaults={"kerberos": "false"})
    parser.read(main_config_file)

+    # Create kerberos ticket
+    run_kinit(parser)
+
    compose_info = dict(parser.items("general"))
    compose_type = parser.get("general", "compose_type")

--- a/tests/test_orchestrator.py
+++ b/tests/test_orchestrator.py
@ -804,3 +804,32 @@ class TestSetupForRestart(BaseTestCase):
        self.assertEqual(parts["p1"].path, "/p1")
        self.assertEqual(parts["p2"].status, "WAITING")
        self.assertEqual(parts["p2"].path, None)
+
+
+@mock.patch("atexit.register")
+@mock.patch("kobo.shortcuts.run")
+class TestRunKinit(BaseTestCase):
+    def test_without_config(self, run, register):
+        conf = mock.Mock()
+        conf.getboolean.return_value = False
+
+        o.run_kinit(conf)
+
+        self.assertEqual(run.call_args_list, [])
+        self.assertEqual(register.call_args_list, [])
+
+    @mock.patch.dict("os.environ")
+    def test_with_config(self, run, register):
+        conf = mock.Mock()
+        conf.getboolean.return_value = True
+        conf.get.side_effect = lambda section, option: option
+
+        o.run_kinit(conf)
+
+        self.assertEqual(
+            run.call_args_list,
+            [mock.call(["kinit", "-k", "-t", "kerberos_keytab", "kerberos_principal"])],
+        )
+        self.assertEqual(
+            register.call_args_list, [mock.call(os.remove, os.environ["KRB5CCNAME"])]
+        )