From 8290f3ae2f6b70f3f1590a246fa19abac4059d4f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 12 Jun 2019 13:07:52 -0400 Subject: [PATCH 1/2] [travis] Don't log on expected installation failure python3-requests-gssapi isn't packaged everywhere, and the Travis logic will fall back to pulling from PyPI. Remove the noise. Signed-off-by: Robbie Harwood --- .travis.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.sh b/.travis.sh index 8a4cafa..9fcf4fa 100644 --- a/.travis.sh +++ b/.travis.sh @@ -11,7 +11,7 @@ if [ -f /etc/debian_version ]; then $PYTHON{,-dev,-requests} lib{socket,nss}-wrapper \ flex bison krb5-{kdc,admin-server,pkinit} - apt-get -y install $PYTHON-requests-gssapi || true + apt-get -y install $PYTHON-requests-gssapi 2>/dev/null || true flake8 elif [ -f /etc/redhat-release ]; then @@ -28,7 +28,7 @@ elif [ -f /etc/redhat-release ]; then autoconf automake libtool which bison make $PYTHON \ flex mod_session redhat-rpm-config /usr/bin/virtualenv - $DY -y install python-requests-gssapi || true + $DY -y install python-requests-gssapi 2>/dev/null || true else echo "Distro not found!" false From 60b9e0afb90d09b57c631f1eafd0507ab986079a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 10 Jun 2019 16:19:53 -0400 Subject: [PATCH 2/2] Adapt and document sweeper.py for gssproxy Resolves: #207 Signed-off-by: Robbie Harwood --- README | 3 ++- contrib/sweeper.py | 26 ++++++++++++++++++++------ 2 files changed, 22 insertions(+), 7 deletions(-) mode change 100644 => 100755 contrib/sweeper.py diff --git a/README b/README index 70f82ce..47c3059 100644 --- a/README +++ b/README @@ -245,7 +245,8 @@ suffix. **Note:** Consuming application must delete the ccache otherwise it will litter the filesystem if sessions are used. An example sweeper can be found -in the contrib directory. +in the contrib directory. If using with gssproxy, see note at the top of that +file. #### Example GssapiDelegCcacheUnique On 
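Review bot: In .travis.sh, the `2>/dev/null` added to the `apt-get -y install $PYTHON-requests-gssapi` line discards every error the package manager prints, not only the expected "package not available" one. The same applies to the `$DY -y install python-requests-gssapi` line in the Red Hat branch. According to the commit message the build then falls back to PyPI, so a repository, network or signature-verification failure would switch the package source with nothing in the log to show why. A marker in place of `true` keeps the log quiet but traceable, e.g. `apt-get -y install $PYTHON-requests-gssapi 2>/dev/null || echo "requests-gssapi not packaged; using PyPI"`. Both `if` branches begin and end outside the hunks shown.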
diff --git a/contrib/sweeper.py b/contrib/sweeper.py old mode 100644 new mode 100755 index 162b260..98ca010 --- a/contrib/sweeper.py +++ b/contrib/sweeper.py @@ -9,9 +9,18 @@ # removing any ccaches that have expired from the filesystem, and serves as an # example of how this cleaning can be performed. +# gssproxy note: in order to sweep credentials, the sweeper needs to connect +# to gssproxy as if it were mod_auth_gssapi. In the configuration provided +# with mod_auth_gssapi (80-httpd.conf), this just consists of matching the +# gssproxy uid - so run it as the appropriate user (i.e., apache). Custom +# configurations require careful consideration of how to match the sweeper +# connection to the correct service in gssproxy; this script is just an +# example. This script will not attempt to contact gssproxy unless -g is +# passed. + +import argparse import os import stat -import sys import time # try importing this first to provide a more useful error message @@ -48,16 +57,21 @@ def should_delete(fname, t): if __name__ == "__main__": - dirs = sys.argv[1:] - if len(dirs) < 1: - print("Usage: %s dir1 [dir2...]" % sys.argv[0]) - exit(1) + parser = argparse.ArgumentParser(description="Sweep expired ccaches") + parser.add_argument("-g", dest="gssproxy", action="store_true", + help="is gssproxy in use (default: no)") + parser.add_argument("dirs", nargs='+') + args = parser.parse_args() + + if args.gssproxy: + os.environ["GSS_USE_PROXY"] = "yes" + os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_FIRST" print("System looks okay; running sweeper...") t = time.time() - for basedir in dirs: + for basedir in args.dirs: os.chdir(basedir) print("Sweeping %s" % basedir)
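Review bot: `os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_FIRST"` under `if args.gssproxy:` selects the mode that, as gssproxy documents it, falls back to the local mechanism when the proxy does not answer, and nothing in the new `__main__` code notices when that happens. `should_delete` lies outside this hunk, so the consequence is inferred: if it treats a ccache it cannot read as expired, a gssproxy outage during a sweep could remove credentials that are still valid. Consider verifying that gssproxy is reachable before the `for basedir in args.dirs:` loop and exiting non-zero if it is not. At minimum, document the fallback above the assignment, e.g. `# REMOTE_FIRST: GSSAPI falls back to the local mechanism if gssproxy is unreachable`.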