Story #14964

Port arvados-pam to Python 3

Added by Tom Morris 4 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: -

Description

source:sdk/pam provides a PAM module that allows users to authenticate (e.g., to an SSH service on a shell node) using an Arvados token. It checks the same login permissions as source:services/login-sync. It makes it possible to provide a login service like shellinabox that doesn't have SSH private keys or tunnel options.

Currently it requires Python 2.7.


Related issues

Related to Arvados - Story #15348: [pam] PAM module in Go (New)

Blocks Arvados - Story #14532: [Epic] Port to Python 3 to prepare for Python 2 sunsetting in December 2019 (In Progress)

Associated revisions

Revision 6cd211af (diff)
Added by Tom Clegg about 2 months ago

Fix syntax for python3.

refs #14964

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <>

History

#1 Updated by Tom Morris about 2 months ago

  • Parent task deleted (#14532)

#2 Updated by Tom Morris about 2 months ago

  • Target version changed from Arvados Future Sprints to To Be Groomed
  • Tracker changed from Task to Story

#3 Updated by Tom Morris about 2 months ago

  • Blocks Story #14532: [Epic] Port to Python 3 to prepare for Python 2 sunsetting in December 2019 added

#4 Updated by Tom Morris about 2 months ago

  • Description updated (diff)
  • Subject changed from Port PAM to Python 3 to Port arvados-pam to Python 3

#5 Updated by Tom Clegg about 2 months ago

Pam-python is a PAM Module that runs the Python interpreter, thus allowing PAM Modules to be written in Python.

arvados-pam is one such "PAM module written in Python." We have made the arvados_pam module python3-compatible enough to pass its unit tests, but it can't be shown to work in real life (and can't eliminate the python2.7 dependency) until pam-python itself is updated to work with python3. The author hasn't done this yet, but plans to.

Debian ships pam-python as libpam-python. Even in buster, it still requires python2.7. https://packages.debian.org/buster/libpam-python

If we can't wait for an upstream fix (or fork pam-python and do it ourselves) another approach would be to start fresh and implement a PAM module in Go, using someone else's example like https://github.com/uber/pam-ussh. This might be a better long term solution anyway -- it looks like we never even found a way to test the libpam-python solution without hitting segfaults.

#6 Updated by Tom Clegg about 2 months ago

  • Description updated (diff)

#7 Updated by Tom Clegg about 2 months ago

  • Description updated (diff)

#8 Updated by Tom Clegg about 1 month ago

(from discussion offline) having a PAM module is worthwhile (still the best way to enable shell-over-https for CLI/browser use) but the Python solution is looking like a dead end -- it's never been stable and the connector shim isn't even aimed at production use. Porting to Go seems like the least-effort long term solution.

#9 Updated by Tom Clegg about 1 month ago
