From 7f822751144b8ac087f82fc4bc024b4769ec0fbf Mon Sep 17 00:00:00 2001
From: mprahl
Date: Wed, 12 Dec 2018 19:04:00 -0500
Subject: [PATCH] Force the use of a separte Kerberos cache per thread

When using a single Kerberos cache that is shared among threads, Koji logins start failing because the cache gets corrupt. This uses the Linux kernel keyring to store a Kerberos cache per MBS thread. See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
---
 conf/config.py | 1 -
 module_build_service/__init__.py | 4 ++++
 module_build_service/builder/KojiModuleBuilder.py | 15 +++++----------
 module_build_service/config.py | 4 ----
 4 files changed, 9 insertions(+), 15 deletions(-)

diff --git a/conf/config.py b/conf/config.py
index 916989dd..efba28b4 100644
--- a/conf/config.py
+++ b/conf/config.py
@@ -77,7 +77,6 @@ class BaseConfiguration(object):
 # Settings for Kerberos
 KRB_KEYTAB = None
 KRB_PRINCIPAL = None
- KRB_CCACHE = None
 # AMQ prefixed variables are required only while using 'amq' as messaging backend
 # Addresses to listen to
diff --git a/module_build_service/__init__.py b/module_build_service/__init__.py
index cd5016f2..01a5a0fb 100644
--- a/module_build_service/__init__.py
+++ b/module_build_service/__init__.py
@@ -41,6 +41,7 @@ for a number of tasks:
 """
 import pkg_resources
+import os
 from flask import Flask, has_app_context, url_for
 from flask_sqlalchemy import SQLAlchemy
 from sqlalchemy.pool import StaticPool
@@ -69,6 +70,9 @@ app.wsgi_app = ReverseProxy(app.wsgi_app)
 conf = init_config(app)
+# We want to use a separate Kerberos cache per thread to avoid Kerberos cache corruption
+os.environ['KRB5CCNAME'] = 'KEYRING:thread:mbs'
 class MBSSQLAlchemy(SQLAlchemy):
 """
diff --git a/module_build_service/builder/KojiModuleBuilder.py b/module_build_service/builder/KojiModuleBuilder.py
index b28b76a0..38041568 100644
--- a/module_build_service/builder/KojiModuleBuilder.py
+++ b/module_build_service/builder/KojiModuleBuilder.py
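Review bot: The assignment `os.environ['KRB5CCNAME'] = 'KEYRING:thread:mbs'` in the second __init__.py hunk runs unconditionally at import time, so any KRB5CCNAME an operator or test harness exported is silently discarded, and a KEYRING ccache is presumably only usable where libkrb5 was built with Linux kernel keyring support. If the override is meant to be absolute, the comment should say so and name the dependency, e.g. `# Force a per-thread kernel-keyring ccache (Linux only); this deliberately overrides any KRB5CCNAME inherited from the environment`; if an opt-out is acceptable, `os.environ.setdefault('KRB5CCNAME', 'KEYRING:thread:mbs')` keeps it. A thread-scoped keyring is also torn down with its thread, so each worker thread that talks to Koji has to obtain its own credentials; that appears to be the intent here, but it is worth stating in the comment since the old shared file cache did not have that property.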
@@ -463,18 +463,13 @@ chmod 644 %buildroot/etc/rpm/macros.zz-modules
 authtype = koji_config.authtype
 log.info("Authenticate session with %r.", authtype)
 if authtype == "kerberos":
- ccache = getattr(config, "krb_ccache", None)
 keytab = getattr(config, "krb_keytab", None)
 principal = getattr(config, "krb_principal", None)
- log.debug(" ccache: %r, keytab: %r, principal: %r" % (ccache, keytab, principal))
- if keytab and principal:
- koji_session.krb_login(
- principal=principal,
- keytab=keytab,
- ccache=ccache
- )
- else:
- koji_session.krb_login(ccache=ccache)
+ if not keytab and principal:
+ raise ValueError(
+ "The Kerberos keytab and principal aren't set for Koji authentication")
+ log.debug(" keytab: %r, principal: %r" % (keytab, principal))
+ koji_session.krb_login(principal=principal, keytab=keytab)
 elif authtype == "ssl":
 koji_session.ssl_login(
 os.path.expanduser(koji_config.cert),
diff --git a/module_build_service/config.py b/module_build_service/config.py
index 0f1651f4..a2e81437 100644
--- a/module_build_service/config.py
+++ b/module_build_service/config.py
@@ -284,10 +284,6 @@ class Config(object):
 'type': None,
 'default': None,
 'desc': ''},
- 'krb_ccache': {
- 'type': None,
- 'default': '/tmp/krb5cc_module_build_service',
- 'desc': ''},
 'messaging': {
 'type': str,
 'default': 'fedmsg',
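Review bot: The new guard `if not keytab and principal:` parses as `(not keytab) and principal`, so it raises only when the keytab is missing while a principal is set; with a missing principal, or with both unset, execution falls through to `koji_session.krb_login(principal=None, keytab=None)` and the misconfiguration surfaces later, if at all, as an opaque Kerberos failure rather than the ValueError the message on the next lines promises. The message describes the intended condition, so the check should read `if not (keytab and principal):`. Since the `ccache` argument is gone, this login presumably now depends entirely on the process-wide KRB5CCNAME set in module_build_service/__init__.py, which is worth a one-line comment above the `krb_login` call. The enclosing function starts and ends outside this hunk.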