How to impersonate or delegate on kerberos with python? - python

I'm setting up an application in Python that connects to HBase with Thrift. This Thrift connection uses Kerberos for authentication with a service account; I need the Python application to connect impersonating the user, because my company uses Kerberos with AD groups to restrict access to the tables on HBase.
This is a Python 2.7 Flask application running on Linux.
I was taking a look at the default kerberos library
https://github.com/apple/ccs-pykerberos/blob/master/pysrc/kerberos.py
and at line 159 I found this:
#param delegated: Optional server context containing delegated credentials
But I'm not familiar with how to use these credentials.
I just want to be able to connect to HBase using impersonation.
Thanks.
P.S.: I don't have much familiarity with Kerberos, so sorry for any misconceptions.

First you need to familiarize yourself with the concepts of delegation and constrained delegation. These are 2 different ways that Kerberos supports for "impersonation".
Short version: I recommend constrained delegation because it's more restricted. The only python library that I've been able to find that definitely supports constrained delegation is python-gssapi. I use this to impersonate users using constrained delegation and it works nicely.
Long version: There isn't a way to use Kerberos successfully without having a pretty good understanding of how it works at a high level. It isn't like anything else. You must first familiarize yourself with the essential concepts of Kerberos: tickets, principals, the KDC etc. Then, when you understand the language of Kerberos, you need to get familiar with the elements of the GSSAPI, and how they map to the Kerberos concepts you've learned. AFAIK, any python library you find out there for Kerberos is probably going to be a wrapper around the MIT krb5 libraries, which implement the GSSAPI spec. This is why I like the python-gssapi library: because it maps fairly closely to the underlying MIT libraries. That means I can usually figure out how to do stuff using the MIT documentation, and I can usually get help from the MIT mailing list if necessary.
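The constrained-delegation flow the answer recommends, written out with python-gssapi as an added example; this is not code from the question, the answer, or the python-gssapi project. The service principal, the HBase principal, the realm, the keytab path and the ccache directory are assumptions, and `user_principal`, `delegated_credentials`, `ccache_for_user` and `hbase_token_as_user` are names chosen here. The `gssapi` import is guarded so that the pure name-mapping helper can be exercised without a KDC; the delegation functions themselves need the MIT krb5 libraries and a service account that the KDC trusts for constrained delegation to the HBase SPN.

```python
# Added example: constrained delegation (S4U2Self + S4U2Proxy) with
# python-gssapi, so a service reaches HBase as a named user.
# All principals, hostnames, realm and paths below are assumptions.
import re

try:
    import gssapi  # python-gssapi, a thin wrapper over MIT krb5 (assumed installed)
except ImportError:  # lets the pure helper below run where the library is absent
    gssapi = None

SERVICE_PRINCIPAL = "HTTP/app.example.com@EXAMPLE.COM"   # assumption
HBASE_PRINCIPAL = "hbase/hbase.example.com@EXAMPLE.COM"  # assumption
REALM = "EXAMPLE.COM"                                    # assumption

_USER_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def user_principal(identity, realm=REALM):
    """Map an authenticated AD identity to a Kerberos user principal.

    Accepts 'alice', 'alice@example.com' (UPN form) or 'CORP\\alice' and
    returns 'alice@EXAMPLE.COM' (the realm is fixed here by assumption).
    Anything that is not a plain user name, e.g. a value containing '/',
    which would denote a service principal, is rejected so the delegating
    service only ever asks the KDC for tickets on behalf of ordinary users.
    """
    if not identity:
        raise ValueError("empty identity")
    name = identity
    if "\\" in name:                      # DOMAIN\user form
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # user@suffix (UPN) form
        name = name.split("@", 1)[0]
    if not _USER_RE.match(name):
        raise ValueError("refusing to impersonate %r" % (identity,))
    return "%s@%s" % (name, realm.upper())


def delegated_credentials(user, keytab="/etc/app.keytab"):
    """S4U2Self: with only the service's keytab, obtain credentials that
    represent `user`. No user password or forwarded TGT is involved; the KDC
    honours the request only for an account configured for constrained
    delegation, and the later S4U2Proxy step only for the SPNs on its list.
    """
    svc_name = gssapi.Name(SERVICE_PRINCIPAL, gssapi.NameType.kerberos_principal)
    svc_creds = gssapi.Credentials(name=svc_name, usage="initiate",
                                   store={"client_keytab": keytab})
    user_name = gssapi.Name(user_principal(user),
                            gssapi.NameType.kerberos_principal)
    return svc_creds.impersonate(user_name)


def ccache_for_user(user, ccache_dir="/run/app/ccache"):
    """Write the impersonated credentials to a per-user credential cache.

    A client library that only knows about KRB5CCNAME (for instance a Thrift
    SASL/GSSAPI transport) can then authenticate to HBase as that user; the
    S4U2Proxy exchange happens when the cache is first used against HBase.
    """
    creds = delegated_credentials(user)
    short_name = user_principal(user).split("@", 1)[0]
    path = "FILE:%s/%s" % (ccache_dir, short_name)
    creds.store(store={"ccache": path}, usage="initiate",
                overwrite=True, set_default=False)
    return path


def hbase_token_as_user(user):
    """Drive S4U2Proxy directly: initiate a GSSAPI context towards HBase with
    the impersonated credentials and return the first token (the AP-REQ).
    A SASL/GSSAPI client performs this same step internally."""
    creds = delegated_credentials(user)
    target = gssapi.Name(HBASE_PRINCIPAL, gssapi.NameType.kerberos_principal)
    ctx = gssapi.SecurityContext(
        name=target, creds=creds, usage="initiate",
        flags=[gssapi.RequirementFlag.mutual_authentication])
    return ctx.step()
```

In the Flask request handler, take the identity from the already-authenticated request, map it with `user_principal`, and then either call `ccache_for_user` and point the Thrift SASL client's `KRB5CCNAME` at the returned cache, or use `hbase_token_as_user` if you are driving the GSSAPI exchange yourself. The restriction the answer values is enforced by the KDC: the S4U2Proxy ticket is only issued to a service account configured for constrained delegation to the HBase SPN. Setting `KRB5CCNAME` process-wide in a multi-threaded Flask app is racy, so prefer handing the per-request credential object to the client library where it accepts one.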

Related

Creating an IDP/OAuth service in python

I wish to implement a custom OAuth flow/grant which requires me to create my own IDP. I did that before in .NET using IdentityServer but now the requirement is for a Python service.
Is there any Python equivalent for IdentityServer? With regards to extensibility and popularity?
Is there any Python OIDC package that you recommend I use (again it should be extensible enough so I can create my own grant types)?
Thanks!

What is a good alternative to Firebase for user management, more specifically for Python?

What is an alternative to Firebase for user management/auth for Python apps? I know I can use node.js w/ Firebase, but I would rather authenticate users through a managed 3rd party API in Python using HTTPS requests, if possible. Appery.io has this feature, but I do not need all that comes with appery.io.
Check out Amazon Cognito. They offer a quite nice package for small projects. Backendless is also a fantastic service, providing authentication and database with very helpful documentation and also SDKs for different platforms including iOS, Android, JavaScript, REST API, Angular, React and React Native. I have been using Backendless for a couple of months and I highly recommend you use it, too.
If you're looking for a self-hosted solution, Keycloak is a pretty robust option. If you want a service, Auth0 and Okta have quite a lot of features. They also offer a free tier with reasonable limits.
You could try using Auth0 for pure authentication management. The Auth0 python package can be found here.

Python SSO: pysaml2 and python3-saml

I'm new to SSO and I've only tried pysaml2 so far.
I am also aware of the python3-saml library (and its python-saml Python 2 flavour).
I need to use one of those with Shibboleth, if it is relevant.
What are the pros and cons of pysaml2 and python3-saml?
Update:
As of 2019, I still find python3-saml to be the best option if you need to implement an SP. It is not flawless (sorry #smartin, hehe), but it will give you much less headache than pysaml2.
Both projects are compatible with Shibboleth.
pysaml2 is older than python3-saml, right now both support py2 and py3. Both are kinda active and documented.
python3-saml follows the structure of Onelogin's SAML toolkit, so if you used any other toolkit before (php-saml, ruby-saml, java-saml), it will be easy for you to work with it (similar methods, same settings).
Differences
Crypto:
pysaml2 uses pycryptodome as a dependency to handle cryptography and implements its own xmldsig and xmlenc classes (to manipulate signatures and encryption on XMLs).
python3-saml uses python-xmlsec as a dependency and delegates the signing/encryption of XML elements to it.
Functionality:
pysaml2 lets you deploy an Identity Provider or a Service Provider
python3-saml is focused on the Service Provider
Settings:
In my opinion, python3-saml is easier than pysaml2: settings are more precise, and its repo contains code examples on how to integrate a Django or a Flask app and a guide in the docs.
Note: I'm the author of python3-saml

Python3 OpenID-library

I'm searching for an OpenID library that works with Python 3. I need to be an OpenID provider and OpenID consumer. tornado.auth provides only consumer functionality. What can I use to implement provider functionality, or how can it be implemented with tornado?
Does anybody use python3-openid (a fork of python-openid)? How does it work?
python3-openid is the Python 3 version of python-openid, which has been more or less the reference library for OpenID in Python for several years. So it should implement everything you need. (Disclaimer: I ported python3-openid over and am the maintainer of the PyPI package).
However, for Tornado you will need a non-blocking implementation, ideally using Tornado's HTTPClient classes, and currently python3-openid does not provide that -- if you'd like to implement it, though, I'll gladly work on your pull request!
I went with pyoidc because it is listed as a "Certified Relying Party Library" on the official list of "Certified OpenID Connect Implementations" directly on the website for the OpenID standard. It runs on Python 3.5+ and also doubles as a full OAuth2.0 implementation.
I know this is an old post but it is still relevant. One should not screw around when it comes to things like security and authentication, it could very well save your job to stick with officially recommended or certified libraries - if anything goes wrong, at least your choice of authentication library can't be called into question!
Have you tried this? I found it on PyPI:
http://pypi.python.org/pypi/python3-openid/3.0.1

What is the advantage of using Python Virtualbox API?

What is the advantage of using a Python VirtualBox API instead of using XPCOM?
The advantage is that pyvb is a lot easier to work with.
On the contrary the documentation for the python API of XPCOM doesn't exist, and the API is not pythonic at all. You can't do introspection to find methods/attributes of an object, etc. So you have to check the C++ source to find how it works or some python scripts already written (like vboxshell.py and VBoxWebSrv.py).
On the other hand, pyvb is really just a Python wrapper that calls VirtualBoxManager on the command line. I don't know if it's a real disadvantage or not?
I would generally recommend against either one. If you need to use virtualization programmatically, take a look at libvirt, which gives you cross platform and cross hypervisor support; which lets you do kvm/xen/vz/vmware later on.
That said, the SOAP API is using two extra abstraction layers (the client and server side of the HTTP transaction), which is pretty clearly then just calling the XPCOM interface.
If you need local host only support, use XPCOM. The extra indirection of libvirt/SOAP doesn't help you.
If you need to access VirtualBox on various hosts across multiple client machines, use SOAP or libvirt.
If you want cross platform support, or to run your code on Linux, use libvirt.
From Sun's site on VirtualBox Python APIs:
SOAP allows to control remote VMs over HTTP, while XPCOM is much more high-performing and exposes certain functionality not available with SOAP. They use very different technologies (SOAP is procedural, while XPCOM is OOP), but as it is ultimately API to the same functionality of the VirtualBox, we kept in bindings original semantics, so other that connection establishment, code could be written in such a way that people may not care what communication channel with VirtualBox instance is used.
From that article, I'm having trouble seeing the difference between "python virtualbox API" and "XPCOM". Could you provide a link to the API you're thinking of?
