我正在尝试通过Python request_negotiate身份验证到配置为使用Kerberos SSO的Jenkins实例。身份验证失败,下面报告的堆栈跟踪显示在服务器端。
klist
确认我有有效的票证。我可以使用启用了GSS-API Kerberos SPNEGO功能的内部版本成功使用cURL 7.59.0进行身份验证:
curl --negotiate --user : -k --verbose https://myjenkins.example.com/
我也尝试过requests_gssapi.HTTPSPNEGOAuth()
,但失败的原因与requests_negotiate
相同。
关于调试此问题的任何建议,我们将不胜感激。对我来说这是陌生的领域。
我的Python代码:
import requests
import requests_negotiate
auth = requests_negotiate.HTTPNegotiateAuth()
response = requests.get('https://myjenkins.example.com', auth=auth, verify=False)
print (response.content)
出现在服务器上的堆栈跟踪:
GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.codelibs.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:443)
at org.codelibs.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:281)
at com.sonymobile.jenkins.plugins.kerberossso.ioc.SpnegoKerberosAuthenticationFactory$SpnegoKerberosAuthenticator.authenticate(SpnegoKerberosAuthenticationFactory.java:89)
Caused: java.io.IOException
at com.sonymobile.jenkins.plugins.kerberossso.ioc.SpnegoKerberosAuthenticationFactory$SpnegoKerberosAuthenticator.authenticate(SpnegoKerberosAuthenticationFactory.java:91)
at com.sonymobile.jenkins.plugins.kerberossso.KerberosSSOFilter.doFilter(KerberosSSOFilter.java:182)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:232)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:209)
at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:113)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
詹金斯:2.60.3 要求:2.20.0 请求协商:1.5
答案 0 :(得分:0)
使用npm kerberos软件包时,我遇到了相同的错误,我通过明确要求SPNEGO协议解决了该错误,因为错误消息指出Kerberos票证中缺少该协议的凭据。您说它适用于curl和SPNEGO,但不适用于request_negotiate.HTTPNegotiateAuth()或request_gssapi.HTTPSPNEGOAuth()。我从文档或源代码中看不到requests_negotiate使用哪种机制,因此我现在将坚持使用requests_gssapi,这也大量使用了日志记录。您从那条日志中得到哪些日志消息?
我觉得这更多是评论,但我没有评论的声誉。