Ignore existing kerberos ticket for CTS auth

When there is an existing kerberos ticket, it gets precedence over the environment variable with path to a keytab. That is not expected and the user ticket can possibly lack permissions in CTS to be able to run the compose successfully. This patch fixes that by setting KRB5CCNAME to a fresh path. That way there will not be any valid ticket, since the credentials cache does not exist yet. JIRA: RHELCMP-9742 Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
2022-09-13 11:54:23 +02:00 · 2022-09-13 11:54:23 +02:00 · fa967f79b5
commit fa967f79b5
parent 57739c238f
1 changed files with 2 additions and 0 deletions
--- a/pungi/compose.py
+++ b/pungi/compose.py
@ -102,6 +102,7 @@ def get_compose_info(
            if "$HOSTNAME" in cts_keytab:
                cts_keytab = cts_keytab.replace("$HOSTNAME", socket.gethostname())
            os.environ["KRB5_CLIENT_KTNAME"] = cts_keytab
+            os.environ["KRB5CCNAME"] = "DIR:%s" % tempfile.mkdtemp()

        try:
            # Create compose in CTS and get the reserved compose ID.
@ -116,6 +117,7 @@ def get_compose_info(
            rv.raise_for_status()
        finally:
            if cts_keytab:
+                shutil.rmtree(os.environ["KRB5CCNAME"].split(":", 1)[1])
                os.environ.clear()
                os.environ.update(environ_copy)