{"library":"thrift-sasl","title":"Thrift SASL Python Client","description":"This is a Python library (version 0.4.3) that provides SASL (Simple Authentication and Security Layer) transport for Apache Thrift clients. It enables secure communication by implementing `TSaslClientTransport`, allowing Thrift applications to use authentication mechanisms like Kerberos. The library has a maintenance release cadence, with the latest update in May 2021.","status":"maintenance","version":"0.4.3","language":"en","source_language":"en","source_url":"https://github.com/cloudera/thrift_sasl","tags":["thrift","sasl","authentication","client","kerberos","security"],"install":[{"cmd":"pip install thrift-sasl","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Core dependency for SASL implementation.","package":"pure-sasl","optional":false},{"reason":"Python 2/3 compatibility layer.","package":"six","optional":false},{"reason":"Apache Thrift library for transport protocols.","package":"thrift","optional":false}],"imports":[{"note":"This is the primary transport class for SASL client authentication.","symbol":"TSaslClientTransport","correct":"from thrift_sasl import TSaslClientTransport"}],"quickstart":{"code":"import os\nfrom thrift.transport import TSocket, TTransport\nfrom thrift.protocol import TBinaryProtocol\nfrom thrift_sasl import TSaslClientTransport\n\n# --- Configuration (replace with your actual values) ---\nSASL_MECHANISM = os.environ.get('SASL_MECHANISM', 'PLAIN') # e.g., 'GSSAPI', 'PLAIN'\nSASL_USERNAME = os.environ.get('SASL_USERNAME', 'user')\nSASL_PASSWORD = os.environ.get('SASL_PASSWORD', 'password') # Only for PLAIN mechanism\nTHRIFT_HOST = os.environ.get('THRIFT_HOST', 'localhost')\nTHRIFT_PORT = int(os.environ.get('THRIFT_PORT', '9090'))\n# For GSSAPI, you might need: SASL_SERVICE_PRINCIPAL = 'thrift/host.example.com@REALM'\n\n# 1. Create a base Thrift socket transport\nsocket = TSocket.TSocket(THRIFT_HOST, THRIFT_PORT)\n\n# 2. Wrap the socket in a buffered transport (often required)\nbuffered_transport = TTransport.TBufferedTransport(socket)\n\n# 3. Create the SASL client transport\n# For PLAIN mechanism:\nsasl_transport = TSaslClientTransport(\n    buffered_transport,\n    SASL_MECHANISM,\n    username=SASL_USERNAME,\n    password=SASL_PASSWORD\n)\n\n# For GSSAPI, you would typically use:\n# sasl_transport = TSaslClientTransport(\n#     buffered_transport,\n#     SASL_MECHANISM,\n#     service_principal=SASL_SERVICE_PRINCIPAL\n# )\n\n# 4. Open the SASL transport (initiates SASL handshake)\ntry:\n    sasl_transport.open()\n    print(f\"Successfully opened SASL transport to {THRIFT_HOST}:{THRIFT_PORT}\")\n\n    # 5. Create a protocol (e.g., TBinaryProtocol) using the SASL transport\n    protocol = TBinaryProtocol.TBinaryProtocol(sasl_transport)\n\n    # At this point, you would typically create a Thrift client\n    # and make remote procedure calls (RPCs).\n    # Example: client = MyThriftService.Client(protocol)\n    #          result = client.my_method()\n    #          print(f\"RPC result: {result}\")\n\nexcept TTransport.TTransportException as e:\n    print(f\"Thrift transport error: {e}\")\nexcept Exception as e:\n    print(f\"An unexpected error occurred: {e}\")\nfinally:\n    # 6. Close the transport\n    if sasl_transport.isOpen():\n        sasl_transport.close()\n        print(\"SASL transport closed.\")","lang":"python","description":"This quickstart demonstrates how to initialize `TSaslClientTransport` using `TSocket` and `TBufferedTransport`, configure it for a SASL mechanism (like PLAIN), and open the connection. This setup is the foundational step before creating a Thrift client and making RPC calls."},"warnings":[{"fix":"Upgrade to `thrift-sasl>=0.4.3`. If using an older version, consider installing `pure-sasl` manually and ensuring your environment is correctly configured, or ideally, upgrade.","message":"Older versions of `thrift-sasl` (prior to 0.4.3) depended on the unmaintained `sasl` package, which had compatibility issues with newer Python versions and required `g++` for compilation. Version `0.4.3` switched to `pure-sasl` to resolve this, making it pure-Python compatible.","severity":"breaking","affected_versions":"<0.4.3"},{"fix":"Consult your Thrift server's SASL configuration documentation. Verify the SASL mechanism, authentication credentials, and any required service principals. Use `os.environ.get` for sensitive data like passwords/principals.","message":"Correct configuration of SASL parameters (e.g., mechanism, username, password, service principal) is crucial and highly dependent on your server's SASL setup. Incorrect parameters will lead to authentication failures. For GSSAPI (Kerberos), ensure you have valid Kerberos tickets (`kinit`) and the correct service principal.","severity":"gotcha","affected_versions":"All"},{"fix":"Always use `TTransport.TBufferedTransport(TSocket.TSocket(...))` when initializing `TSaslClientTransport` to prevent potential data framing or read issues.","message":"It's essential to wrap the underlying Thrift transport (e.g., `TSocket`) with a buffered transport (`TBufferedTransport`) before passing it to `TSaslClientTransport`. The `thrift-sasl` library, particularly in versions 0.4.3a1 and later, includes fixes to ensure frames are fully buffered.","severity":"gotcha","affected_versions":"All"}],"env_vars":null,"last_verified":"2026-04-05T00:00:00.000Z","next_check":"2026-07-04T00:00:00.000Z"}