feat: Add options to mutual authentication (jupyter-server#1320)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
fresende · Sep 14, 2023 · 9570694 · 9570694
1 parent bd78ad5
commit 9570694
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/enterprise_gateway/services/processproxies/yarn.py b/enterprise_gateway/services/processproxies/yarn.py
@@ -35,6 +35,7 @@
 #            whether we verify the server's TLS certificate in yarn-api-client.
 #            Or a string, in which case it must be a path to a CA bundle(.pem file) to use.
 cert_path = os.getenv("EG_YARN_CERT_BUNDLE", True)
+mutual_authentication = os.getenv("EG_YARN_MUTUAL_AUTHENTICATION", "REQUIRED")
 
 
 class YarnClusterProcessProxy(RemoteProcessProxy):
@@ -91,9 +92,15 @@ def _initialize_resource_manager(self, **kwargs: dict[str, Any] | None) -> None:
                 endpoints.append(self.alt_yarn_endpoint)
 
         if self.yarn_endpoint_security_enabled:
-            from requests_kerberos import HTTPKerberosAuth
-
-            auth = HTTPKerberosAuth()
+            from requests_kerberos import DISABLED, OPTIONAL, REQUIRED, HTTPKerberosAuth
+
+            auth = HTTPKerberosAuth(
+                mutual_authentication={
+                    "REQUIRED": REQUIRED,
+                    "OPTIONAL": OPTIONAL,
+                    "DISABLED": DISABLED,
+                }.get(mutual_authentication.upper())
+            )
         else:
             # If we have the appropriate version of yarn-api-client, use its SimpleAuth class.
             # This allows EG to continue to issue requests against the YARN api when anonymous