I am trying to run the Flask-Kerberos example with a valid keytab file (it works with WSGI-Kerberos).
Here is the content of my ‘example.py’ file
JavaScript
x
18
18
1
from flask import Flask2
from flask import render_template3
from flask_kerberos import init_kerberos4
from flask_kerberos import requires_authentication5
from config import Config6
7
app = Flask(__name__)8
app.config.from_object(Config)9
10
@app.route("/")11
@requires_authentication12
def index(user):13
return render_template('index.html', user=user)14
15
if __name__ == '__main__':16
init_kerberos(app)17
app.run()18
here is a ‘config.py’
JavaScript
1
15
15
1
import os2
import base643
from dotenv import load_dotenv4
5
basedir = os.path.abspath(os.path.dirname(__file__))6
load_dotenv(os.path.join(basedir, '.flaskenv'))7
8
class Config(object):9
10
# Setup Secret Key for Application11
SECRET_KEY = os.environ.get('SECRET_KEY') or str(base64.b64encode('you-will-never-guess'.encode("utf-8")))12
13
# Location of the keytab file14
KRB5_KTNAME = "K000007.keytab"15
and here is a ‘.flaskenv’
JavaScript
1
5
1
FLASK_APP=example.py2
FLASK_RUN_HOST="0.0.0.0"3
FLASK_RUN_PORT=50004
FLASK_ENV=development5
However, when start the Flask via flask run I am getting the following error in CMD:
JavaScript
1
42
42
1
(venv) Server@User:~/.../flask_kerberos_example$ flask run2
* Serving Flask app "example.py" (lazy loading)3
* Environment: development4
* Debug mode: on5
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)6
* Restarting with stat7
* Debugger is active!8
* Debugger PIN: 603-674-9169
a.b.c.d - - [23/Jun/2021 08:47:51] "GET / HTTP/1.1" 401 -10
a.b.c.d - - [23/Jun/2021 08:47:51] "GET / HTTP/1.1" 500 -11
Traceback (most recent call last):12
File "/venv/lib/python3.7/site-packages/flask/app.py", line 2464, in __call__13
return self.wsgi_app(environ, start_response)14
File "/venv/lib/python3.7/site-packages/flask/app.py", line 2450, in wsgi_app15
response = self.handle_exception(e)16
File "/venv/lib/python3.7/site-packages/flask/app.py", line 1867, in handle_exception17
reraise(exc_type, exc_value, tb)18
File "/venv/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise19
raise value20
File "/venv/lib/python3.7/site-packages/flask/app.py", line 2447, in wsgi_app21
response = self.full_dispatch_request()22
File "/venv/lib/python3.7/site-packages/flask/app.py", line 1952, in full_dispatch_request23
rv = self.handle_user_exception(e)24
File "/venv/lib/python3.7/site-packages/flask/app.py", line 1821, in handle_user_exception25
reraise(exc_type, exc_value, tb)26
File "/venv/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise27
raise value28
File "/venv/lib/python3.7/site-packages/flask/app.py", line 1950, in full_dispatch_request29
rv = self.dispatch_request()30
File "/venv/lib/python3.7/site-packages/flask/app.py", line 1936, in dispatch_request31
return self.view_functions[rule.endpoint](**req.view_args)32
File "/venv/lib/python3.7/site-packages/flask_kerberos.py", line 106, in decorated33
rc = _gssapi_authenticate(token)34
File "/venv/lib/python3.7/site-packages/flask_kerberos.py", line 70, in _gssapi_authenticate35
rc, state = kerberos.authGSSServerInit(_SERVICE_NAME)36
TypeError: argument 1 must be str, not None37
a.b.c.d - - [23/Jun/2021 08:47:51] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 -38
a.b.c.d - - [23/Jun/2021 08:47:51] "GET /?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 200 -39
a.b.c.d - - [23/Jun/2021 08:47:51] "GET /?__debugger__=yes&cmd=resource&f=jquery.js HTTP/1.1" 200 -40
a.b.c.d - - [23/Jun/2021 08:47:51] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 200 -41
a.b.c.d - - [23/Jun/2021 08:47:51] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 200 -42
And I have seen some related topics (were not helpful):
Advertisement
Answer
I started with brutally integrating the Flask-Kerberos code directly into my ‘example.py’ file and using some print()s:
JavaScript
1
139
139
1
"""HERE GOES THE CONTENT OF flask_kerberos.py"""2
3
import kerberos4
from flask import Response5
from flask import _request_ctx_stack as stack6
from flask import make_response7
from flask import request8
from functools import wraps9
from socket import gethostname10
from os import environ11
12
_SERVICE_NAME = None #_SERVICE_NAME = 'HTTP/l.s.d'13
14
def init_kerberos(app, service='HTTP', hostname=gethostname()):15
'''16
Configure the GSSAPI service name, and validate the presence of the17
appropriate principal in the kerberos keytab.18
19
:param app: a flask application20
:type app: flask.Flask21
:param service: GSSAPI service name22
:type service: str23
:param hostname: hostname the service runs under24
:type hostname: str25
'''26
global _SERVICE_NAME27
_SERVICE_NAME = "%s@%s" % (service, hostname)28
print(_SERVICE_NAME) #HTTP@Server.l.s.d29
30
if 'KRB5_KTNAME' not in environ:31
app.logger.warn("Kerberos: set KRB5_KTNAME to your keytab file")32
else:33
try:34
principal = kerberos.getServerPrincipalDetails(service, hostname)35
except kerberos.KrbError as exc:36
app.logger.warn("Kerberos: %s" % exc.message[0])37
else:38
app.logger.info("Kerberos: server is %s" % principal)39
40
41
def _unauthorized():42
'''43
Indicate that authentication is required44
'''45
return Response('Unauthorized', 401, {'WWW-Authenticate': 'Negotiate'})46
47
48
def _forbidden():49
'''50
Indicate a complete authentication failure51
'''52
return Response('Forbidden', 403)53
54
55
def _gssapi_authenticate(token):56
'''57
Performs GSSAPI Negotiate Authentication58
59
On success also stashes the server response token for mutual authentication60
at the top of request context with the name kerberos_token, along with the61
authenticated user principal with the name kerberos_user.62
63
@param token: GSSAPI Authentication Token64
@type token: str65
@returns gssapi return code or None on failure66
@rtype: int or None67
'''68
state = None69
ctx = stack.top70
try:71
rc, state = kerberos.authGSSServerInit(_SERVICE_NAME)72
if rc != kerberos.AUTH_GSS_COMPLETE:73
return None74
rc = kerberos.authGSSServerStep(state, token)75
if rc == kerberos.AUTH_GSS_COMPLETE:76
ctx.kerberos_token = kerberos.authGSSServerResponse(state)77
ctx.kerberos_user = kerberos.authGSSServerUserName(state)78
return rc79
elif rc == kerberos.AUTH_GSS_CONTINUE:80
return kerberos.AUTH_GSS_CONTINUE81
else:82
return None83
except kerberos.GSSError:84
return None85
finally:86
if state:87
kerberos.authGSSServerClean(state)88
89
90
def requires_authentication(function):91
'''92
Require that the wrapped view function only be called by users93
authenticated with Kerberos. The view function will have the authenticated94
users principal passed to it as its first argument.95
96
:param function: flask view function97
:type function: function98
:returns: decorated function99
:rtype: function100
'''101
@wraps(function)102
def decorated(*args, **kwargs):103
header = request.headers.get("Authorization")104
if header:105
ctx = stack.top106
token = ''.join(header.split()[1:])107
rc = _gssapi_authenticate(token)108
if rc == kerberos.AUTH_GSS_COMPLETE:109
response = function(ctx.kerberos_user, *args, **kwargs)110
response = make_response(response)111
if ctx.kerberos_token is not None:112
response.headers['WWW-Authenticate'] = ' '.join(['negotiate',113
ctx.kerberos_token])114
return response115
elif rc != kerberos.AUTH_GSS_CONTINUE:116
return _forbidden()117
return _unauthorized()118
return decorated119
120
"""END OF THE flask_kerberos.py"""121
122
from flask import Flask123
from flask import render_template124
from config import Config125
126
app = Flask(__name__)127
app.config.from_object(Config)128
129
130
@app.route("/")131
@requires_authentication132
def index(user):133
return render_template('index.html', user=user)134
135
136
if __name__ == '__main__':137
init_kerberos(app, hostname='Server.l.s.d')138
app.run()139
As was mentioned in this answer:
The problem is exactly as the error message states – you’ve told the kerberos library to get a service principal from the keytab, but the keytab doesn’t contain an entry for that service principal.
So, I decided to check several variables and their values, i.e. _SERVICE_NAME and getServerPrincipalDetails(service, hostname).
Firstly I set the _SERVICE_NAME='L.S.D' and after I got the ‘Forbidden’ response in my Browser. And here is an output in the CMD:
JavaScript
1
12
12
1
(venv) Server@User:~/.../flask_kerberos_example$ flask run2
3
* Serving Flask app "example.py" (lazy loading)4
* Environment: development5
* Debug mode: on6
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)7
* Restarting with stat8
* Debugger is active!9
* Debugger PIN: 417-811-79210
a.b.c.d - - [06/Jul/2021 11:01:06] "GET / HTTP/1.1" 401 -11
a.b.c.d - - [06/Jul/2021 11:01:06] "GET / HTTP/1.1" 403 -12
I run the the above code via Vim I received this message:
JavaScript
1
16
16
1
Traceback (most recent call last):2
File "example.py", line 34, in init_kerberos3
principal = kerberos.getServerPrincipalDetails(service, hostname)4
kerberos.KrbError: ('Cannot get sequence cursor from keytab', 2)5
6
During handling of the above exception, another exception occurred:7
8
Traceback (most recent call last):9
File "example.py", line 140, in <module>10
init_kerberos(app)11
File "example.py", line 36, in init_kerberos12
app.logger.warn("Kerberos: %s" % exc.message[0])13
AttributeError: 'KrbError' object has no attribute 'message'14
15
shell returned 116
This issue brought me further to this issue on the GitHub. Where author stated:
Nevermind, regardless of how I interpret the code it works fine with service=”HTTP” and hostname=”my.host.name”.
Therefore, I tried to adjust service and hostname variables of the getServerPrincipalDetails(service, hostname) function. The most convenient way for me to test it was:
JavaScript
1
12
12
1
import kerberos2
3
service = 'HTTP'4
hostname = 'Server.l.s.d'5
6
try:7
principal = kerberos.getServerPrincipalDetails(service, hostname)8
except kerberos.KrbError as exc:9
print("Kerberos: %s" % exc.message[0])10
else:11
print("Kerberos: server is %s" % principal)12
So, I ended up with the following variables and their values
JavaScript
1
4
1
_SERVICE_NAME = None2
service = 'HTTP'3
hostname = 'Server.l.s.d'4
And after I got the response in Browser
Flask Kerberos Example
It worked, I think you are username@L.S.D.
and in CMD correspondingly
JavaScript
1
11
11
1
HTTP@Server.l.s.d2
* Serving Flask app "example" (lazy loading)3
* Environment: production4
WARNING: This is a development server. Do not use it in a production deployment.5
Use a production WSGI server instead.6
* Debug mode: off7
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)8
a.b.c.d - - [08/Jul/2021 13:02:18] "GET / HTTP/1.1" 401 -9
a.b.c.d - - [08/Jul/2021 13:02:18] "GET / HTTP/1.1" 200 -10
a.b.c.d - - [08/Jul/2021 13:02:18] "GET /static/style.css HTTP/1.1" 304 -11
Unfortunatelly it still does not work via flask run. It was asked as a new question here: Flask-Kerberos yields different results when running the code via “flask run” and with Vim