@mmmunafo, I guess your workaround should be OK. The only other two option I could see would be to wrap the pam.authenticate() call with an unset and set of KRB5CCNAME. Assuming authentication takes milliseconds, it would be unlikely that Hue is attempting to retrieve cache information at that moment, but I don't know that it is any better than what you are up to. for instance, in desktop/core/src/desktop/auth/backend.py wrap: if pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get()): With del os.environ['KRB5CCNAME'] and then after auth: os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get() NOTE: we would need to import os in backend.py to do that. So possibly, something like this would work: class PamBackend(DesktopBackendBase):
"""
Authentication backend that uses PAM to authenticate logins. The first user to
login will become the superuser.
"""
@metrics.pam_authentication_time
def authenticate(self, request=None, username=None, password=None):
username = force_username_case(username)
del os.environ['KRB5CCNAME']
if pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get()):
os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get()
is_super = False
if User.objects.count() == 0:
is_super = True
try:
if desktop.conf.AUTH.IGNORE_USERNAME_CASE.get():
user = User.objects.get(username__iexact=username)
else:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = find_or_create_user(username, None)
if user is not None and user.is_active:
profile = get_profile(user)
profile.creation_method = UserProfile.CreationMethod.EXTERNAL.name
profile.save()
user.is_superuser = is_super
ensure_has_a_group(user)
user.save()
user = rewrite_user(user)
return user
os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get()
return None
@classmethod
def manages_passwords_externally(cls):
return True Might not be worth it, though
... View more
