diff --git a/projects/vdk-plugins/vdk-kerberos-auth/README.md b/projects/vdk-plugins/vdk-kerberos-auth/README.md
index 7d81f33ce7..9561bd06ab 100644
--- a/projects/vdk-plugins/vdk-kerberos-auth/README.md
+++ b/projects/vdk-plugins/vdk-kerberos-auth/README.md
@@ -6,3 +6,13 @@ Run
 ```bash
 pip install vdk-kerberos-auth
 ```
+
+The following environment variables can be used to configure this plugin:
+
+| name | description |
+|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `VDK_KRB_AUTH` | Specifies the Kerberos authentication type to use. Possible values are 'minikerberos' and 'kinit'. If left empty, the authentication is disabled. |
+| `VDK_KEYTAB_FILENAME` | Specifies the name of the keytab file. If left empty, the name of the keytab file is assumed to be the same as the name of the data job with '.keytab' suffix. |
+| `VDK_KEYTAB_PRINCIPAL` | Specifies the Kerberos principal. If left empty, the principal will be the job name prepended with 'pa__view_'. |
+| `VDK_KEYTAB_REALM` | Specifies the Kerberos realm. This value is used only with the 'minikerberos' authentication type. The default value is 'default_realm'. |
+| `VDK_KERBEROS_KDC_HOST` | Specifies the name of the Kerberos KDC (Key Distribution Center) host. This value is used only with the 'minikerberos' authentication type. |
diff --git a/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/authenticator_factory.py b/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/authenticator_factory.py
index 996f5f56bd..9c8395c669 100644
--- a/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/authenticator_factory.py
+++ b/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/authenticator_factory.py
@@ -36,13 +36,13 @@ def create_authenticator(
 elif authentication_type is None:
 log.debug("No Kerberos authentication specified")
 return None
- else:
- errors.log_and_throw(
- to_be_fixed_by=errors.ResolvableBy.CONFIG_ERROR,
- log=log,
- what_happened=f"Provided environment variable {'VDK_KRB_AUTH'} has invalid value.",
- why_it_happened=f"VDK was run with environment variable {'VDK_KRB_AUTH'}={authentication_type}, "
- f"however '{authentication_type}' is invalid value for this variable.",
- consequences=errors.MSG_CONSEQUENCE_DELEGATING_TO_CALLER__LIKELY_EXECUTION_FAILURE,
- countermeasures=f"Provide either 'minikerberos' or 'kinit' for environment variable {'VDK_KRB_AUTH'}.",
- )
+
+ errors.log_and_throw(
+ to_be_fixed_by=errors.ResolvableBy.CONFIG_ERROR,
+ log=log,
+ what_happened="Provided environment variable VDK_KRB_AUTH has invalid value.",
+ why_it_happened=f"VDK was run with environment variable VDK_KRB_AUTH={authentication_type}, "
+ f"however '{authentication_type}' is invalid value for this variable.",
+ consequences=errors.MSG_CONSEQUENCE_DELEGATING_TO_CALLER__LIKELY_EXECUTION_FAILURE,
+ countermeasures="Provide either 'minikerberos' or 'kinit' for environment variable VDK_KRB_AUTH.",
+ )
diff --git a/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/kinit_authenticator.py b/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/kinit_authenticator.py
index 03bd9ff243..eaf3debbcd 100644
--- a/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/kinit_authenticator.py
+++ b/projects/vdk-plugins/vdk-kerberos-auth/src/vdk/plugin/kerberos/kinit_authenticator.py
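Review bot: With the `else:` removed, the trailing `errors.log_and_throw(...)` is only correct if every earlier branch of `create_authenticator` returns, and those branches start above this hunk, so that cannot be confirmed from here. A one-line comment above the call would make the invariant explicit, e.g. `# Reached only when authentication_type matched none of the supported values above.` It would also help operators to format the rejected value as `{authentication_type!r}` in `why_it_happened`, so stray whitespace or control characters in the environment variable show up in the log instead of being rendered invisibly.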
@@ -14,6 +14,8 @@ class KinitGSSAPIAuthenticator(BaseAuthenticator): """ A Kerberos authenticator that uses a 'kinit' call to obtain its ticket-granting ticket (TGT). + As this class operates by invoking 'kinit' directly, the Kerberos should be already installed + on the machine and the 'kinit' command should be working correctly. """ def __init__(self, keytab_pathname: str, kerberos_principal: str):
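Review bot: The added docstring sentence states the prerequisite loosely ('the Kerberos should be already installed') and does not say what the caller sees when `kinit` is missing or fails. Suggested wording: `Requires a Kerberos client installation that provides a working 'kinit' executable on the machine running the job.` If the class resolves `kinit` through PATH (not visible in this hunk), the docstring should say so, since that determines which binary ends up handling the keytab. The class body continues outside the hunk.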