Arunodoy18 opened a new pull request, #60998: URL: https://github.com/apache/airflow/pull/60998
This PR implements task-scoped Kerberos authentication for HTTP-based operations in Airflow, addressing issue #60991. Closes: #60991 PR Description Summary Add task-level Kerberos authentication support for HTTP tasks by enabling Kerberos ticket initialization using connection-managed keytabs and principals. Problem Apache Airflow currently provides Kerberos authentication support via airflow.security.kerberos, but this mplementation is designed specifically for webserver authentication and supports only a single global keytab and principal. As a result, DAG authors who need to call Kerberos-protected HTTP services from tasks must manually handle: kinit execution Ticket cache management Ticket renewal and cleanup This leads to duplicated logic in DAGs and increases the risk of misconfigured or long-lived Kerberos credentials. Solution This PR introduces task-scoped Kerberos authentication for HTTP-based tasks by: Allowing Kerberos credentials (keytab and principal) to be configured via Airflow Connections Initializing Kerberos tickets (kinit) at task execution time with a task-local credential cache Integrating the mechanism with HttpHook / HttpOperator so HTTP calls can transparently use Kerberos authentication Ensuring Kerberos tickets are isolated per task and do not affect global or webserver Kerberos behavior The change is intentionally limited to task execution and does not modify existing webserver Kerberos authentication. Scope & Compatibility No breaking changes No changes to existing webserver Kerberos logic Ticket lifecycle is strictly task-scoped (create → use → cleanup) Existing non-Kerberos HTTP behavior remains unchanged Testing Added targeted tests to verify Kerberos initialization is invoked for HTTP tasks when configured Verified task-level ticket isolation Confirmed existing HTTP task behavior is unaffected when Kerberos is not enabled Related Issue Closes #60991 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
