Force the use of a separte Kerberos cache per thread

When using a single Kerberos cache that is shared among threads, Koji logins start failing because the cache gets corrupt. This uses the Linux kernel keyring to store a Kerberos cache per MBS thread. See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
2026-04-03 10:48:03 +08:00 · 2018-12-12 19:04:00 -05:00
parent 654a30129f
commit 7f82275114
4 changed files with 9 additions and 15 deletions
--- a/conf/config.py
+++ b/conf/config.py
@@ -77,7 +77,6 @@ class BaseConfiguration(object):
    # Settings for Kerberos
    KRB_KEYTAB = None
    KRB_PRINCIPAL = None
-    KRB_CCACHE = None

    # AMQ prefixed variables are required only while using 'amq' as messaging backend
    # Addresses to listen to
--- a/module_build_service/init.py
+++ b/module_build_service/init.py
@@ -41,6 +41,7 @@ for a number of tasks:
 """

 import pkg_resources
+import os
 from flask import Flask, has_app_context, url_for
 from flask_sqlalchemy import SQLAlchemy
 from sqlalchemy.pool import StaticPool
@@ -69,6 +70,9 @@ app.wsgi_app = ReverseProxy(app.wsgi_app)

 conf = init_config(app)

+# We want to use a separate Kerberos cache per thread to avoid Kerberos cache corruption
+os.environ['KRB5CCNAME'] = 'KEYRING:thread:mbs'
+

 class MBSSQLAlchemy(SQLAlchemy):
    """
--- a/module_build_service/builder/KojiModuleBuilder.py
+++ b/module_build_service/builder/KojiModuleBuilder.py
@@ -463,18 +463,13 @@ chmod 644 %buildroot/etc/rpm/macros.zz-modules
        authtype = koji_config.authtype
        log.info("Authenticate session with %r.", authtype)
        if authtype == "kerberos":
-            ccache = getattr(config, "krb_ccache", None)
            keytab = getattr(config, "krb_keytab", None)
            principal = getattr(config, "krb_principal", None)
-            log.debug("  ccache: %r, keytab: %r, principal: %r" % (ccache, keytab, principal))
-            if keytab and principal:
-                koji_session.krb_login(
-                    principal=principal,
-                    keytab=keytab,
-                    ccache=ccache
-                )
-            else:
-                koji_session.krb_login(ccache=ccache)
+            if not keytab and principal:
+                raise ValueError(
+                    "The Kerberos keytab and principal aren't set for Koji authentication")
+            log.debug("  keytab: %r, principal: %r" % (keytab, principal))
+            koji_session.krb_login(principal=principal, keytab=keytab)
        elif authtype == "ssl":
            koji_session.ssl_login(
                os.path.expanduser(koji_config.cert),
--- a/module_build_service/config.py
+++ b/module_build_service/config.py
@@ -284,10 +284,6 @@ class Config(object):
            'type': None,
            'default': None,
            'desc': ''},
-        'krb_ccache': {
-            'type': None,
-            'default': '/tmp/krb5cc_module_build_service',
-            'desc': ''},
        'messaging': {
            'type': str,
            'default': 'fedmsg',