path: root/swiftkerbauth/
diff options
authorPrashanth Pai <>2013-11-18 15:40:47 +0530
committerLuis Pabon <>2013-11-25 18:40:41 -0800
commit5405fd7927ef68015c25632951a94bcddb60c33d (patch)
treeeb2b6a372df52970d299aff8de62e2e44353ebed /swiftkerbauth/
parent991989bc04178442b2a6b766a67f7a26e60c08f0 (diff)
Feature: Support client outside domain
Until now, all clients had to be part of Kerberos domain as authentication was done by mod_auth_kerb module of httpd by using Kerberos Ticket bundled with the request. To suport clients residing outside domain, we introduce a configurable option called "auth_mode". When auth_mode is set to 'passive', a client residing outside domain can authenticate itself by sending username(X-Auth-User) and password(X-Auth-Key) as request headers. This information is gleaned from the request and kinit is run against it. A successful kinit means the username and password exists on the Kerberos server. Change-Id: I1a165bd56bc3a425b00bcfdbf32150c14b5d9790 Signed-off-by: Prashanth Pai <> Reviewed-on: Reviewed-by: Chetan Risbud <> Tested-by: Chetan Risbud <> Reviewed-by: Luis Pabon <> Tested-by: Luis Pabon <>
Diffstat (limited to 'swiftkerbauth/')
1 files changed, 11 insertions, 2 deletions
diff --git a/swiftkerbauth/ b/swiftkerbauth/
index 507580e..8490d83 100644
--- a/swiftkerbauth/
+++ b/swiftkerbauth/
@@ -16,7 +16,7 @@
import re
import random
import grp
-import subprocess
+from subprocess import Popen, PIPE
from time import time
from swiftkerbauth import TOKEN_LIFE, RESELLER_PREFIX
@@ -87,7 +87,7 @@ def get_groups(username):
# because group names from Active Directory may contain spaces, and
# we wouldn't be able to split the list of group names into its
# elements.
- p = subprocess.Popen(['id', '-G', username], stdout=subprocess.PIPE)
+ p = Popen(['id', '-G', username], stdout=PIPE)
if p.wait() != 0:
raise RuntimeError("Failure running id -G for %s" % username)
(p_stdout, p_stderr) = p.communicate()
@@ -104,3 +104,12 @@ def get_groups(username):
groups = [username] + groups
groups = ','.join(groups)
return groups
+def run_kinit(username, password):
+ """Runs kinit command as a child process and returns the status code."""
+ kinit = Popen(['kinit', username],
+ stdin=PIPE, stdout=PIPE, stderr=PIPE)
+ kinit.stdin.write('%s\n' % password)
+ kinit.wait()
+ return kinit.returncode