Skip to content

Commit d6e994a

Browse files
psaizharshavamsi
andauthored
Example of authenticating with kerberos (opensearch-project#214)
Signed-off-by: Pablo Saiz <pablo.saiz@cern.ch> Signed-off-by: Pablo Saiz <pablo.saiz@cern.ch> Co-authored-by: Pablo Saiz <pablo.saiz@cern.ch> Co-authored-by: Harsha Vamsi Kalluri <harshavamsi096@gmail.com>
1 parent 0aeb8a0 commit d6e994a

File tree

3 files changed

+39
-11
lines changed

3 files changed

+39
-11
lines changed

CHANGELOG.md

+2-1
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
66
- Added Point in time API rest API([#191](https://github.com/opensearch-project/opensearch-py/pull/191))
77
- Github workflow for changelog verification ([#218](https://github.com/opensearch-project/opensearch-py/pull/218))
88
- Added overload decorators to helpers-actions.pyi-"bulk" ([#239](https://github.com/opensearch-project/opensearch-py/pull/239))
9+
- Document Keberos authenticaion ([214](https://github.com/opensearch-project/opensearch-py/pull/214))
910
- Add release workflows ([#240](https://github.com/opensearch-project/opensearch-py/pull/240))
1011
### Changed
1112
- Updated getting started to user guide ([#233](https://github.com/opensearch-project/opensearch-py/pull/233))
@@ -20,4 +21,4 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
2021
### Security
2122

2223

23-
[Unreleased]: https://github.com/opensearch-project/opensearch-py/compare/2.0...HEAD
24+
[Unreleased]: https://github.com/opensearch-project/opensearch-py/compare/2.0...HEAD

USER_GUIDE.md

+36-10
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
- [Getting Started with the OpenSearch Python Client](#getting-started-with-the-opensearch-python-client)
1+
- [Getting started with the OpenSearch Python client](#getting-started-with-the-opensearch-python-client)
22
- [Setup](#setup)
33
- [Sample code](#sample-code)
44
- [Creating a client](#creating-a-client)
@@ -9,8 +9,8 @@
99
- [Searching for a document](#searching-for-a-document)
1010
- [Deleting a document](#deleting-a-document)
1111
- [Deleting an index](#deleting-an-index)
12-
- [Making API Calls](#making-api-calls)
13-
- [Point in Time API](#point-in-time-api-calls)
12+
- [Making API calls](#making-api-calls)
13+
- [Point in time API](#point-in-time-api-calls)
1414
- [Using plugins](#using-plugins)
1515
- [Alerting plugin](#alerting-plugin)
1616
- [**Searching for monitors**](#searching-for-monitors)
@@ -19,10 +19,12 @@
1919
- [**Creating a destination**](#creating-a-destination)
2020
- [**Getting alerts**](#getting-alerts)
2121
- [**Acknowledge alerts**](#acknowledge-alerts)
22-
- [Using IAM credentials for authentication](#using-iam-credentials-for-authentication)
22+
- [Using different authentication methods](#using-different-authentication-methods)
23+
- [Using IAM credentials](#using-iam-credentials)
2324
- [Pre-requisites to use `AWSV4SignerAuth`](#pre-requisites-to-use-awsv4signerauth)
25+
- [Using Kerberos](#using-kerberos)
2426

25-
# User guide of OpenSearch Python Client
27+
# User guide of OpenSearch Python client
2628

2729
## Setup
2830

@@ -193,9 +195,9 @@ response = client.indices.delete(
193195
print('\nDeleting index:')
194196
print(response)
195197
```
196-
## Making API Calls
198+
## Making API calls
197199

198-
### Point in Time API
200+
### Point in time API
199201

200202
```python
201203
# create a point in time on a index
@@ -378,13 +380,17 @@ query = {
378380
response = client.plugins.alerting.acknowledge_alert(query)
379381
print(response)
380382
```
381-
## Using IAM credentials for authentication
383+
## Using different authentication methods
384+
385+
It is possible to use different methods for the authentication to OpenSearch. The parameters of `connection_class` and `http_auth` can be used for this. The following examples show how to authenticate using IAM credentials and using Kerberos.
386+
387+
### Using IAM credentials
382388

383389
Refer the AWS documentation regarding usage of IAM credentials to sign requests to OpenSearch APIs - [Signing HTTP requests to Amazon OpenSearch Service.](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/request-signing.html#request-signing-python)
384390

385391
Opensearch-py client library also provides an in-house IAM based authentication feature, `AWSV4SignerAuth` that will help users to connect to their opensearch clusters by making use of IAM roles.
386392

387-
#### Pre-requisites to use `AWSV4SignerAuth`
393+
##### Pre-requisites to use `AWSV4SignerAuth`
388394
- Python version 3.6 or above,
389395
- Install [botocore](https://pypi.org/project/botocore/) using pip
390396

@@ -428,4 +434,24 @@ response = client.search(
428434

429435
print('\nSearch results:')
430436
print(response)
431-
```
437+
```
438+
439+
### Using Kerberos
440+
441+
There are several python packages that provide Kerberos support over HTTP connections, such as [requests-kerberos](http://pypi.org/project/requests-kerberos) and [requests-gssapi](https://pypi.org/project/requests-gssapi). The following example shows how to setup the authentication. Note that some of the parameters, such as `mutual_authentication` might depend on the server settings.
442+
443+
```python
444+
445+
from opensearchpy import OpenSearch, RequestsHttpConnection
446+
from requests_kerberos import HTTPKerberosAuth, OPTIONAL
447+
448+
client = OpenSearch(
449+
['htps://...'],
450+
use_ssl=True,
451+
verify_certs=True,
452+
connection_class=RequestsHttpConnection,
453+
http_auth=HTTPKerberosAuth(mutual_authentication=OPTIONAL)
454+
)
455+
456+
health = client.cluster.health()
457+
```

setup.py

+1
Original file line numberDiff line numberDiff line change
@@ -115,5 +115,6 @@
115115
"develop": tests_require + docs_require + generate_require,
116116
"docs": docs_require,
117117
"async": async_require,
118+
"kerberos": ["requests_kerberos"],
118119
},
119120
)

0 commit comments

Comments
 (0)