Reputation: 704
I'm setting up an application in Python that connects to HBase with Thrift. This Thrift connection uses Kerberos for authentication with a service account; I need the Python application to connect impersonating the user, because my company uses Kerberos with AD groups to restrict access to the tables in HBase.
This is a Python 2.7 Flask application running on Linux.
I was taking a look at the default Kerberos library https://github.com/apple/ccs-pykerberos/blob/master/pysrc/kerberos.py
and at line 159 I found this:
@param delegated: Optional server context containing delegated credentials
But I'm not familiar with how to use these credentials.
I just want to be able to connect to HBase using impersonation. Thanks.
P.S.: I don't have much familiarity with Kerberos, so sorry for any misconceptions.
Upvotes: 0
Views: 1993
Reputation: 3591
First you need to familiarize yourself with the concepts of delegation and constrained delegation. These are two different ways that Kerberos supports "impersonation".
Short version: I recommend constrained delegation because it's more restricted. The only Python library that I've been able to find that definitely supports constrained delegation is python-gssapi. I use this to impersonate users using constrained delegation and it works nicely.
Long version: There isn't a way to use Kerberos successfully without having a pretty good understanding of how it works at a high level. It isn't like anything else. You must first familiarize yourself with the essential concepts of Kerberos: tickets, principals, the KDC, etc. Then, when you understand the language of Kerberos, you need to get familiar with the elements of the GSSAPI and how they map to the Kerberos concepts you've learned. AFAIK, any Python library you find out there for Kerberos is probably going to be a wrapper around the MIT krb5 libraries, which implement the GSSAPI spec. This is why I like the python-gssapi library: because it maps fairly closely to the underlying MIT libraries. That means I can usually figure out how to do stuff using the MIT documentation, and I can usually get help from the MIT mailing list if necessary.
Upvotes: 2
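The constrained-delegation flow the answer recommends, as an added example that is not from the post or from python-gssapi's own documentation: the service account acquires its own credentials from a keytab, asks the KDC for credentials on behalf of the AD user (S4U2Self), and uses those to build the first GSSAPI token for the HBase Thrift SPN (S4U2Proxy). The keytab path, the host hbase01.example.com, the realm EXAMPLE.COM and the `hbase/<host>` SPN form are assumptions; the KDC must already trust the service account for constrained delegation to that SPN.

```python
# Added example, not the post's code. Assumed: python-gssapi installed and a
# KDC/AD that allows the service account constrained delegation to HBase.
try:
    import gssapi  # python-gssapi, a thin wrapper over MIT krb5's GSSAPI
except ImportError:  # not installed: the pure-string helpers below still work
    gssapi = None


def hbase_thrift_spn(host, realm):
    """Service principal of the HBase Thrift server (assumed form hbase/<host>)."""
    return "hbase/%s@%s" % (host.lower(), realm.upper())


def user_principal(user, realm):
    """Turn a bare AD username into the Kerberos principal to impersonate."""
    if "@" in user:  # already a full principal; keep the realm it carries
        return user
    return "%s@%s" % (user, realm.upper())


def service_credentials(service_principal, keytab):
    """Acquire the service account's own initiator credentials from its keytab."""
    name = gssapi.Name(service_principal, gssapi.NameType.kerberos_principal)
    # 'client_keytab' is the MIT krb5 credential-store key for a client keytab
    return gssapi.Credentials(name=name, usage="initiate",
                              store={"client_keytab": keytab})


def impersonated_credentials(svc_creds, user, realm):
    """S4U2Self: ask the KDC for credentials on behalf of `user`.

    The KDC only grants this if the service account is marked as trusted for
    constrained delegation in AD; otherwise the call raises a GSSError.
    """
    target = gssapi.Name(user_principal(user, realm),
                         gssapi.NameType.kerberos_principal)
    return svc_creds.impersonate(target, usage="initiate")


def initial_token(user_creds, host, realm):
    """S4U2Proxy happens here: the first context token for hbase/<host>."""
    spn = gssapi.Name(hbase_thrift_spn(host, realm),
                      gssapi.NameType.kerberos_principal)
    ctx = gssapi.SecurityContext(name=spn, creds=user_creds, usage="initiate")
    return ctx.step()  # bytes carried as the client's first SASL/GSSAPI message


if __name__ == "__main__":
    svc = service_credentials("svc_app@EXAMPLE.COM", "/etc/app/svc_app.keytab")
    alice = impersonated_credentials(svc, "alice", "EXAMPLE.COM")
    print(len(initial_token(alice, "hbase01.example.com", "EXAMPLE.COM")))
```

Because the ticket presented to HBase names the user rather than the service account, HBase's AD-group authorization applies to the user, and the service account never learns the user's password.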