Deprecated kerberos auth removed (apache#41693)

* deprecatd kerberos auth airflow.api.auth.backend.kerberos_auth and airflow.auth.managers.fab.api.auth.backend.kerberos_aut removed

* news fragment added

* deprecatd kerberos auth airflow.api.auth.backend.kerberos_auth and airflow.auth.managers.fab.api.auth.backend.kerberos_aut removed

Author: dirrao

airflow/api/auth/backend/kerberos_auth.py

@@ -18,27 +18,125 @@
 from __future__ import annotations
 
 import logging
-from functools import partial
-from typing import Any, cast
+import os
+from functools import wraps
+from typing import TYPE_CHECKING, Any, Callable, NamedTuple, TypeVar, cast
 
+import kerberos
+from flask import Response, g, make_response, request
 from requests_kerberos import HTTPKerberosAuth
 
-from airflow.api.auth.backend.kerberos_auth import (
-    init_app as base_init_app,
-    requires_authentication as base_requires_authentication,
-)
+from airflow.configuration import conf
 from airflow.providers.fab.auth_manager.security_manager.override import FabAirflowSecurityManagerOverride
+from airflow.utils.net import getfqdn
 from airflow.www.extensions.init_auth_manager import get_auth_manager
 
+if TYPE_CHECKING:
+    from airflow.auth.managers.models.base_user import BaseUser
+
 log = logging.getLogger(__name__)
 
 CLIENT_AUTH: tuple[str, str] | Any | None = HTTPKerberosAuth(service="airflow")
 
 
+class KerberosService:
+    """Class to keep information about the Kerberos Service initialized."""
+
+    def __init__(self):
+        self.service_name = None
+
+
+class _KerberosAuth(NamedTuple):
+    return_code: int | None
+    user: str = ""
+    token: str | None = None
+
+
+# Stores currently initialized Kerberos Service
+_KERBEROS_SERVICE = KerberosService()
+
+
+def init_app(app):
+    """Initialize application with kerberos."""
+    hostname = app.config.get("SERVER_NAME")
+    if not hostname:
+        hostname = getfqdn()
+    log.info("Kerberos: hostname %s", hostname)
+
+    service = "airflow"
+
+    _KERBEROS_SERVICE.service_name = f"{service}@{hostname}"
+
+    if "KRB5_KTNAME" not in os.environ:
+        os.environ["KRB5_KTNAME"] = conf.get("kerberos", "keytab")
+
+    try:
+        log.info("Kerberos init: %s %s", service, hostname)
+        principal = kerberos.getServerPrincipalDetails(service, hostname)
+    except kerberos.KrbError as err:
+        log.warning("Kerberos: %s", err)
+    else:
+        log.info("Kerberos API: server is %s", principal)
+
+
+def _unauthorized():
+    """Indicate that authorization is required."""
+    return Response("Unauthorized", 401, {"WWW-Authenticate": "Negotiate"})
+
+
+def _forbidden():
+    return Response("Forbidden", 403)
+
+
+def _gssapi_authenticate(token) -> _KerberosAuth | None:
+    state = None
+    try:
+        return_code, state = kerberos.authGSSServerInit(_KERBEROS_SERVICE.service_name)
+        if return_code != kerberos.AUTH_GSS_COMPLETE:
+            return _KerberosAuth(return_code=None)
+
+        if (return_code := kerberos.authGSSServerStep(state, token)) == kerberos.AUTH_GSS_COMPLETE:
+            return _KerberosAuth(
+                return_code=return_code,
+                user=kerberos.authGSSServerUserName(state),
+                token=kerberos.authGSSServerResponse(state),
+            )
+        elif return_code == kerberos.AUTH_GSS_CONTINUE:
+            return _KerberosAuth(return_code=return_code)
+        return _KerberosAuth(return_code=return_code)
+    except kerberos.GSSError:
+        return _KerberosAuth(return_code=None)
+    finally:
+        if state:
+            kerberos.authGSSServerClean(state)
+
+
+T = TypeVar("T", bound=Callable)
+
+
 def find_user(username=None, email=None):
     security_manager = cast(FabAirflowSecurityManagerOverride, get_auth_manager().security_manager)
     return security_manager.find_user(username=username, email=email)
 
 
-init_app = base_init_app
-requires_authentication = partial(base_requires_authentication, find_user=find_user)
+def requires_authentication(function: T, find_user: Callable[[str], BaseUser] | None = find_user):
+    """Decorate functions that require authentication with Kerberos."""
+
+    @wraps(function)
+    def decorated(*args, **kwargs):
+        header = request.headers.get("Authorization")
+        if header:
+            token = "".join(header.split()[1:])
+            auth = _gssapi_authenticate(token)
+            if auth.return_code == kerberos.AUTH_GSS_COMPLETE:
+                g.user = find_user(auth.user)
+                response = function(*args, **kwargs)
+                response = make_response(response)
+                if auth.token is not None:
+                    response.headers["WWW-Authenticate"] = f"negotiate {auth.token}"
+                return response
+            elif auth.return_code != kerberos.AUTH_GSS_CONTINUE:
+                return _forbidden()
+        return _unauthorized()
+
+    return cast(T, decorated)

airflow/auth/managers/fab/api/auth/backend/kerberos_auth.py

@@ -55,7 +55,7 @@ To enable Kerberos authentication, set the following in the configuration:
 .. code-block:: ini
 
     [api]
-    auth_backends = airflow.api.auth.backend.kerberos_auth
+    auth_backends = airflow.providers.fab.auth_manager.api.auth.backend.kerberos_auth
 
     [kerberos]
     keytab = <KEYTAB>

airflow/providers/fab/auth_manager/api/auth/backend/kerberos_auth.py

@@ -0,0 +1 @@
+Removed deprecated auth ``airflow.api.auth.backend.kerberos_auth`` and ``airflow.auth.managers.fab.api.auth.backend.kerberos_auth`` from ``auth_backends``. Please use ``airflow.providers.fab.auth_manager.api.auth.backend.kerberos_auth`` instead.

docs/apache-airflow-providers-fab/auth-manager/api-authentication.rst

@@ -16,9 +16,6 @@
 # under the License.
 from __future__ import annotations
 
-from airflow.api.auth.backend.kerberos_auth import (
-    init_app as base_init_app,
-)
 from tests.test_utils.compat import ignore_provider_compatibility_error
 
 with ignore_provider_compatibility_error("2.9.0+", __file__):
@@ -27,4 +24,4 @@
 
 class TestKerberosAuth:
     def test_init_app(self):
-        assert init_app == base_init_app
+        init_app