hansken.auth — Authentication

Any Hansken deployment other than a local development instance will require users to authenticate themselves before answering the requests made by hansken.py. Due to the way this works inside Hansken, authenticating oneself can seem rather complicated. hansken.py hides a great deal of this complexity, but will still require some configuration in order to authenticate you. hansken.auth provides a few ways to make this work, the choice of which depending on either configuration using environment variables or user choice. hansken.py defines the following authentication mechanisms:

No authentication

Self-explanatory, don’t use authentication at all, obviously only useful when the REST endpoint doesn’t need it.

Username and password

By supplying a username and a password (hansken.py will prompt you for what’s missing), hansken.py can authenticate you when needed.

Kerberos-based single sign-on

Using a Kerberos token on your local machine, hansken.py can authenticate you based on credentials you provided when logging in to your local machine. No username and password are needed at runtime, hansken.py will use GSS-API calls to authenticate you when needed.

Note

Kerberos-based authentication requires an additional python package named requests-kerberos to be installed.

When a Hansken installation has only one identity provider, hansken.py will automatically use it. When the Hansken REST API is configured to support multiple backends (allowing a user to choose between supplying a username and password or using single-sign-on, for example), we’ll need to inform hansken.py of the ‘name’ of the identity provider (this is not the same as the REST endpoint), regardless of the actual authentication mechanism used. This is done with the --idp command line argument to any of the builtin command line commands or any script using hansken.tool.run. Using one of the connect functions, the idp argument controls the identity provider to be used. Telling hansken.py which identity provider to use is required in this case, a verbose error will be generated that includes the choices.