requests Kerberos/GSSAPI authentication library
===============================================

.. image:: https://travis-ci.org/requests/requests-kerberos.svg?branch=master
    :target: https://travis-ci.org/requests/requests-kerberos

.. image:: https://coveralls.io/repos/github/requests/requests-kerberos/badge.svg?branch=master
    :target: https://coveralls.io/github/requests/requests-kerberos?branch=master

Requests is an HTTP library, written in Python, for human beings. This library
adds optional Kerberos/GSSAPI authentication support and supports mutual
authentication. Basic GET usage:


.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth
    >>> r = requests.get("http://example.org", auth=HTTPKerberosAuth())
    ...

The entire ``requests.api`` should be supported.

Authentication Failures
-----------------------

Client authentication failures will be communicated to the caller by returning
the 401 response.

Mutual Authentication
---------------------

REQUIRED
^^^^^^^^

By default, ``HTTPKerberosAuth`` will require mutual authentication from the
server, and if a server emits a non-error response which cannot be
authenticated, a ``requests_kerberos.errors.MutualAuthenticationError`` will
be raised. If a server emits an error which cannot be authenticated, it will
be returned to the user but with its contents and headers stripped. If the
response content is more important than the need for mutual auth on errors
(e.g., for certain WinRM calls), the stripping behavior can be suppressed by
setting ``sanitize_mutual_error_response=False``:

.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth, REQUIRED
    >>> kerberos_auth = HTTPKerberosAuth(mutual_authentication=REQUIRED, sanitize_mutual_error_response=False)
    >>> r = requests.get("https://windows.example.org/wsman", auth=kerberos_auth)
    ...


OPTIONAL
^^^^^^^^

If you'd prefer to not require mutual authentication, you can set your
preference when constructing your ``HTTPKerberosAuth`` object:

.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth, OPTIONAL
    >>> kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
    >>> r = requests.get("http://example.org", auth=kerberos_auth)
    ...

This will cause ``requests_kerberos`` to attempt mutual authentication if the
server advertises that it supports it, and cause a failure if authentication
fails, but not if the server does not support it at all.

DISABLED
^^^^^^^^

While we don't recommend it, if you'd prefer to never attempt mutual
authentication, you can do that as well:

.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth, DISABLED
    >>> kerberos_auth = HTTPKerberosAuth(mutual_authentication=DISABLED)
    >>> r = requests.get("http://example.org", auth=kerberos_auth)
    ...

Preemptive Authentication
-------------------------

``HTTPKerberosAuth`` can be forced to preemptively initiate the Kerberos
GSS exchange and present a Kerberos ticket on the initial request (and all
subsequent requests). By default, authentication only occurs after a
``401 Unauthorized`` response containing a Kerberos or Negotiate challenge
is received from the origin server. This can cause mutual authentication
failures for hosts that use a persistent connection (e.g., Windows/WinRM), as
no Kerberos challenges are sent after the initial auth handshake. This
behavior can be altered by setting ``force_preemptive=True``:

.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth, REQUIRED
    >>> kerberos_auth = HTTPKerberosAuth(mutual_authentication=REQUIRED, force_preemptive=True)
    >>> r = requests.get("https://windows.example.org/wsman", auth=kerberos_auth)
    ...

Hostname Override
-----------------

If communicating with a host whose DNS name doesn't match its
Kerberos hostname (e.g., behind a content switch or load balancer),
the hostname used for the Kerberos GSS exchange can be overridden by
setting the ``hostname_override`` arg:

.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth, REQUIRED
    >>> kerberos_auth = HTTPKerberosAuth(hostname_override="internalhost.local")
    >>> r = requests.get("https://externalhost.example.org/", auth=kerberos_auth)
    ...

Explicit Principal
------------------

``HTTPKerberosAuth`` normally uses the default principal (i.e., the user for
whom you last ran ``kinit`` or ``kswitch``, or an SSO credential if
applicable). However, an explicit principal can be specified, which will
cause Kerberos to look for a matching credential cache for the named user.
This feature depends on OS support for collection-type credential caches,
as well as working principal support in PyKerberos (it is broken in many
builds). An explicit principal can be specified with the ``principal`` arg:

.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth, REQUIRED
    >>> kerberos_auth = HTTPKerberosAuth(principal="user@REALM")
    >>> r = requests.get("http://example.org", auth=kerberos_auth)
    ...

On Windows, WinKerberos is used instead of PyKerberos. WinKerberos allows the
use of arbitrary principals instead of a credential cache. Passwords can be
specified by following the form ``user@realm:password`` for ``principal``.

Delegation
----------

``requests_kerberos`` supports credential delegation (``GSS_C_DELEG_FLAG``).
To enable delegation of credentials to a server that requests delegation, pass
``delegate=True`` to ``HTTPKerberosAuth``:

.. code-block:: python

    >>> import requests
    >>> from requests_kerberos import HTTPKerberosAuth
    >>> r = requests.get("http://example.org", auth=HTTPKerberosAuth(delegate=True))
    ...

Be careful to only allow delegation to servers you trust as they will be able
to impersonate you using the delegated credentials.

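One way to act on the warning above, as an added example that is not part of the requests-kerberos project: turn on ``delegate=True`` only when the host in the request URL is an exact match in an allowlist. ``TRUSTED_DELEGATION_HOSTS``, ``delegation_allowed`` and ``kerberos_auth_for`` are hypothetical names, and the host names are placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the hosts you have decided to trust with delegated credentials.
# Placeholder names, not taken from the requests-kerberos project.
TRUSTED_DELEGATION_HOSTS = frozenset({"intranet.example.org", "wsman.example.org"})


def delegation_allowed(url, trusted_hosts=TRUSTED_DELEGATION_HOSTS):
    """Return True only if the URL's host is exactly one of the trusted hosts."""
    # urlsplit().hostname drops userinfo and port and lowercases the name, so
    # "https://trusted@other.host/" is judged by "other.host", not "trusted".
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Exact match only: no substring or suffix tests, which lookalike names
    # such as "intranet.example.org.attacker.test" would pass.
    return host in trusted_hosts


def kerberos_auth_for(url, trusted_hosts=TRUSTED_DELEGATION_HOSTS):
    """Build an auth object that delegates only to allowlisted hosts."""
    # Imported here so the allowlist check can be used and tested on its own.
    from requests_kerberos import HTTPKerberosAuth, REQUIRED
    return HTTPKerberosAuth(
        mutual_authentication=REQUIRED,
        delegate=delegation_allowed(url, trusted_hosts),
    )
```

The check covers only the URL passed in, so build the auth object per request URL rather than sharing one delegating object across hosts.
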
Logging
-------

This library makes extensive use of Python's logging facilities.

Log messages are logged to the ``requests_kerberos`` and
``requests_kerberos.kerberos_`` named loggers.

If you are having difficulty we suggest you configure logging. Issues with the
underlying kerberos libraries will be made apparent. Additionally, copious debug
information is made available which may assist in troubleshooting if you
increase your log level all the way up to debug.

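A logging setup for the two loggers named above, as an added example that is not part of the requests-kerberos project. It assumes debug records can contain ``Negotiate`` or ``Kerberos`` header values and redacts them before they are written; ``RedactGssTokens``, ``enable_kerberos_debug_logging`` and ``demo`` are hypothetical names, and the token in ``demo`` is constructed.

```python
import io
import logging
import re

# Credential part of a "Negotiate <base64>" or "Kerberos <base64>" header value.
_TOKEN = re.compile(r"\b(Negotiate|Kerberos)\s+[A-Za-z0-9+/=]{16,}")


class RedactGssTokens(logging.Filter):
    """Replace base64 GSS tokens in a record's rendered message."""

    def filter(self, record):
        # Render msg % args first so tokens passed as arguments are covered.
        record.msg = _TOKEN.sub(r"\1 <redacted>", record.getMessage())
        record.args = None
        return True


def enable_kerberos_debug_logging(stream):
    """Send DEBUG output of the ``requests_kerberos`` loggers to ``stream``."""
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(name)s %(levelname)s %(message)s"))
    # A filter on the handler also sees records that propagate up from the
    # child logger ``requests_kerberos.kerberos_``; a logger filter would not.
    handler.addFilter(RedactGssTokens())
    logger = logging.getLogger("requests_kerberos")
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.propagate = False  # only the redacting handler receives these records
    return logger


def demo():
    """Emit one constructed record on the child logger and return the output."""
    buf = io.StringIO()
    enable_kerberos_debug_logging(buf)
    child = logging.getLogger("requests_kerberos.kerberos_")
    child.debug("constructed sample: Authorization header: %s",
                "Negotiate " + "QUJD" * 8)
    return buf.getvalue()
```
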