Renew Kerberos token from keytab.

:param principal: principal
:param keytab: keytab file
:return: None
(principal: str, keytab: str, exit_on_fail: bool = True)
| 47 | |
| 48 | |
| 49 | def renew_from_kt(principal: str, keytab: str, exit_on_fail: bool = True): |
| 50 | """ |
| 51 | Renew kerberos token from keytab |
| 52 | |
| 53 | :param principal: principal |
| 54 | :param keytab: keytab file |
| 55 | :return: None |
| 56 | """ |
| 57 | # The config is specified in seconds. But we ask for that same amount in |
| 58 | # minutes to give ourselves a large renewal buffer. |
| 59 | renewal_lifetime = f"{conf.getint('kerberos', 'reinit_frequency')}m" |
| 60 | |
| 61 | cmd_principal = principal or conf.get('kerberos', 'principal').replace("_HOST", socket.getfqdn()) |
| 62 | |
| 63 | cmdv = [ |
| 64 | conf.get('kerberos', 'kinit_path'), |
| 65 | "-r", |
| 66 | renewal_lifetime, |
| 67 | "-k", # host ticket |
| 68 | "-t", |
| 69 | keytab, # specify keytab |
| 70 | "-c", |
| 71 | conf.get('kerberos', 'ccache'), # specify credentials cache |
| 72 | cmd_principal, |
| 73 | ] |
| 74 | log.info("Re-initialising kerberos from keytab: %s", " ".join(cmdv)) |
| 75 | |
| 76 | subp = subprocess.Popen( |
| 77 | cmdv, |
| 78 | stdout=subprocess.PIPE, |
| 79 | stderr=subprocess.PIPE, |
| 80 | close_fds=True, |
| 81 | bufsize=-1, |
| 82 | universal_newlines=True, |
| 83 | ) |
| 84 | subp.wait() |
| 85 | if subp.returncode != 0: |
| 86 | log.error( |
| 87 | "Couldn't reinit from keytab! `kinit' exited with %s.\n%s\n%s", |
| 88 | subp.returncode, |
| 89 | "\n".join(subp.stdout.readlines() if subp.stdout else []), |
| 90 | "\n".join(subp.stderr.readlines() if subp.stderr else []), |
| 91 | ) |
| 92 | if exit_on_fail: |
| 93 | sys.exit(subp.returncode) |
| 94 | else: |
| 95 | return subp.returncode |
| 96 | |
| 97 | global NEED_KRB181_WORKAROUND # pylint: disable=global-statement |
| 98 | if NEED_KRB181_WORKAROUND is None: |
| 99 | NEED_KRB181_WORKAROUND = detect_conf_var() |
| 100 | if NEED_KRB181_WORKAROUND: |
| 101 | # (From: HUE-640). Kerberos clock have seconds level granularity. Make sure we |
| 102 | # renew the ticket after the initial valid time. |
| 103 | time.sleep(1.5) |
| 104 | ret = perform_krb181_workaround(principal) |
| 105 | if exit_on_fail and ret != 0: |
| 106 | sys.exit(ret) |