Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Warn rather than raise on opportunistic auth failure. #31

Conversation

twosigmajab
Copy link
Contributor

@twosigmajab twosigmajab commented Feb 18, 2021

When opportunistic_auth is enabled but an Authorization header could not be generated opportunistically, log a warning rather than raising an exception. (If the request results in a 401 and we fail to generate an Authorization header in that (no-
longer-opportunistic) case, an exception is still raised.)

Motivation: We'd like to enable opportunistic auth by default for requests to internal services within our network, but would not be able to easily flip that switch without these changes for $REASONS. (There are a number of existing integration tests that run under network isolation where the client makes a request to a server running locally that doesn't actually require auth. Making opportunistic auth no longer a hard failure would allow us to default all clients to opportunistic auth without such tests failing.)

This behavior also matches a reasonable interpretation of the word "opportunistic": try early, but if that fails, don't just give up.


UPDATE: The following changes will be split out from this PR into a separate PR

While I was making the above changes, I also noticed some issues with the logging in this code, so I fixed them while I was in here:

  • Never log Authorization header values to prevent unintentional leaking of credentials.
  • Consistently use logging's built-in string interpolation everywhere, rather than using wasteful str.format() in some places. Using str.format() in logging calls is an anti-pattern, because when the log message would be filtered out anyway (e.g. when the level is too low), it wastes time on string interpolation results that are never used.
  • Don't make two different logging calls, one after another, for the same event. Combining them into a single logging call is more efficient and interoperable with non-line-based logging formatters and aggregators (e.g. JSON and Datadog, etc.).

@twosigmajab twosigmajab force-pushed the only-warn-on-opportunistic-fail branch 2 times, most recently from 68fb6f6 to ba3154c Compare February 18, 2021 22:02
Copy link
Member

@frozencemetery frozencemetery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please refer to https://chris.beams.io/posts/git-commit/ for how to style commit messages. Additionally, each proposed change should be its own commit. I am happy to re-review when you have something more presentable.

HISTORY.rst Outdated
Comment on lines 4 to 15
Unreleased
----------

- When opportunistic_auth is enabled but an Authorization header
could not be generated opportunistically, log a warning rather
than raising an exception. (If the request results in a 401
and we fail to generate an Authorization header in that (no-
longer-opportunistic) case, an exception is still raised.)

- Never log Authorization header values to prevent unintentional
leaking of credentials.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not how this file is used. Please refer to git history, or look at the previous entries.

@twosigmajab
Copy link
Contributor Author

twosigmajab commented Feb 19, 2021

Thanks for your response. I am happy to make the requested changes.

But in the meantime, the bottom 20 lines of this patch already include the isolated changes for "warn rather than raise on opportunistic auth failure". Here is a link with just those 20 lines highlighted:

https://github.com/pythongssapi/requests-gssapi/pull/31/files#diff-b6ed09d14ac055cc2aa676d962e97e5b63bd057b3f25a688b31c1b1b7cbc6d8eL309-R319

Would it be possible to say whether you would consider accepting a patch that accomplished what is proposed in the title of this PR based solely on the rationale given in its description? And if it would help to have a reference implementation, you can look at only the 20 lines I've highlighted?

@frozencemetery
Copy link
Member

I am willing to consider many things :)

Concretely, I'm not opposed to the fallback-type behavior. I'm undecided on whether hijacking the existing opportunistic=True behavior is the right way to go on that: while I agree it's unfortunately named, adding a fallback path may result in a second request in the failure case. I see three possibilities for that:

  1. It's fine; no one will care about an error log message when it's not going to work anyway.
  2. requests-kerberos strict compatibility is important, so make the semantic change only when we're not shimming.
  3. Turn the boolean into a three-state: true, false, and "fallback" (or so).

It seems like you're more inclined to (1), right? That's probably okay but we need to take some care that we only retry when the server wasn't prepared, not for general auth failures.

@twosigmajab twosigmajab force-pushed the only-warn-on-opportunistic-fail branch 2 times, most recently from 2823ec0 to c6a2420 Compare February 23, 2021 14:52
@twosigmajab
Copy link
Contributor Author

Thank you, great to know you're open to this!

Yes, I'm more inclined to (1).

Regarding compatibility with requests-kerberos, @geofft and I recently became maintainers of it, and would be interested in making similar changes there if there are no concerns from the community. So far it sounds like we can coordinate a convergent path for this, which is great to hear.

I've removed the unrelated changes in the latest revision and updated the commit message to conform to the style guide you're using.

we need to take some care that we only retry when the server wasn't prepared, not for general auth failures.

Yes, as the updated commit message hopefully now makes clearer, that is the intended effect of these changes.

Please let me know if this looks good to merge now, or if any other changes are in order.

Thanks again for your consideration.

If the request results in a 401, this reduces to the non-opportunistic
case, whose behavior remains the same as before.

This allows callers for whom enabling opportunistic auth is a more
appropriate default to do so, without needing to write additional
exception handling code to ensure they recover in the case that
opportunistic auth failed.  In other words, take "opportunistic" to mean
"try early, but if that fails, don't just give up right away".

Signed-off-by: Joshua Bronson <[email protected]>
[[email protected]: restore debug message, fussy style things]
@frozencemetery
Copy link
Member

Regarding compatibility with requests-kerberos, @geofft and I recently became maintainers of it, and would be interested in making similar changes there if there are no concerns from the community. So far it sounds like we can coordinate a convergent path for this, which is great to hear.

Very intriguing! At some point we should talk about how to fix #8 :)

Please let me know if this looks good to merge now, or if any other changes are in order.

I fixed a couple nits. If it still looks good to you, I'm ready to merge it.

@twosigmajab
Copy link
Contributor Author

Fantastic!

Looks like the latest revision introduces logging calls that exhibit some of the problems I originally flagged (still listed in the description above). But happy to get this merged as-is and take the logging concerns to a separate issue.

I'd have to catch up on #8 (and related discussion in requests/requests-kerberos#133 etc.), but @geofft may have more context on that. In any case, I'm sure we'd love to see that addressed in both projects, and would be happy to coordinate further on that whenever we can.

Thanks for merging this!

@frozencemetery
Copy link
Member

Okay. Please do follow up on the logging concerns if you're still interested in them - I think we'll need a bit more discussion but I'm sure we can make something work :)

@frozencemetery frozencemetery merged commit e56466f into pythongssapi:main Mar 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants