Currently, SecurityContext#delegated_creds is just a normal instance attribute of SecurityContext, which means that it can be accidentally overwritten, and it does not show up in the documentation. This should be fixed.
I think it should be possible to drop the delegated credentials, especially if we allow pickling the whole security context and then restoring it.
Someone may want to pass around a security context but not transfer any delegated credentials to a lower-privileged process, as delegated credentials may include a delegated TGT.
Pickling the SecurityContext uses a special pickle process that doesn't actually pickle the object -- it just uses export_sec_context() (so the unpickling process just reconstitutes the SecurityContext using import_sec_context()).
This means delegated credentials get lost in the process.
On the one hand I think this is more secure; OTOH it may come as a surprise to the user and should be carefully documented.
Yeah. The only reason delegated creds are stored as a field is so that the "step" method can return only a token. It should definitely be documented, though.
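The behaviour discussed in this thread, as an added example that is not part of the original issue and is not the project's code: a toy stand-in class (`ModelSecurityContext` and all of its methods are hypothetical names) that exposes `delegated_creds` as a read-only property and pickles only its exported state, so delegated credentials do not follow the context into another process.

```python
import pickle


class ModelSecurityContext:
    """Toy stand-in for a GSSAPI security context (hypothetical, not the library's class)."""

    def __init__(self):
        self._state = b""             # models what export_sec_context() would return
        self._delegated_creds = None  # set only as a side effect of step()

    @property
    def delegated_creds(self):
        # No setter is defined, so `ctx.delegated_creds = x` raises AttributeError.
        return self._delegated_creds

    def step(self, token, delegated=None):
        """Consume a peer token and return only an output token.

        `delegated` models credentials forwarded by the peer; they are kept on
        the instance because the return value carries nothing but the token.
        """
        self._state += token
        if delegated is not None:
            self._delegated_creds = delegated
        return b"reply-to:" + token

    def export(self):
        # Models export_sec_context(): context state only, never credentials.
        return self._state

    @classmethod
    def from_exported(cls, state):
        # Models import_sec_context(): rebuild a context from exported state.
        ctx = cls()
        ctx._state = state
        return ctx

    def __reduce__(self):
        # Pickle records only the exported state, so delegated creds are dropped.
        return (type(self).from_exported, (self.export(),))


if __name__ == "__main__":
    ctx = ModelSecurityContext()
    ctx.step(b"tok1", delegated="constructed-delegated-tgt")  # constructed sample value
    restored = pickle.loads(pickle.dumps(ctx))
    print(ctx.delegated_creds, restored.delegated_creds, restored.export())
```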