KBI0023: Keyring configuration#

authors:

Michał Szczepanik

discussion:

https://github.com/psychoinformatics-de/knowledge-base/pull/89

keywords:

keyring, credentials

software-versions:

datalad_0.18.3, datalad-next_0.6.3

This KBI covers keyring configuration in the context of a problem with credential retrieval observed on a headless system. It also provides a general overview of keyring access.

Problem description and troubleshooting#

DataLad uses the Keyring Python library to communicate with keyring backends available on the given system to store user’s credentials.

If GNOME Keyring is installed on a system, but a D-Bus session is not started after login (the latter is likely to be the case on headless systems), Keyring library sees the SecretService keyring as an available backend and tries to use it, but fails with an error.

The error would appear for any operation requiring credential access (e.g. datalad siblings enable). Here we replicate it with the datalad credentials command (from DataLad-next):

$ datalad --log-level debug credentials
(...)
[DEBUG  ] Assigning credentials into 21 providers
[DEBUG  ] Importing keyring
[ERROR  ] Failed to create the collection: Prompt dismissed.

Keyring information, including the active backends and the location of a keyring configuration file, can always be found in the output of datalad wtf:

$ datalad wtf --section credentials
# WTF
## credentials
- keyring:
  - active_backends:
    - SecretService Keyring
    - PlaintextKeyring with no encryption v.1.0 at /home/jdoe/.local/share/python_keyring/keyring_pass.cfg
  - config_file: /home/jdoe/.config/python_keyring/keyringrc.cfg
  - data_root: /home/jdoe/.local/share/python_keyring

User solution 1: configure preferred keyring#

Users can choose their default keyring backend.

The simplest option is a plaintext keyring, specified as keyrings.alt.file.PlaintextKeyring. We will use it in our examples. Other keyrings are available, but may require installing third-party packages.

A backend can be set through an environment variable (here affecting only a single command call):

$ PYTHON_KEYRING_BACKEND=keyrings.alt.file.PlaintextKeyring datalad credentials

or by adding the following to the configuration file reported by datalad wtf (in our case: ~/.local/share/python_keyring/keyring_pass.cfg), creating the file if needed:

[backend]
default-keyring=keyrings.alt.file.PlaintextKeyring

Note

With PlaintextKeyring, credentials are written, base64-encoded, into a file for which only the owner has read and write permissions (-rw-------), but which is not protected otherwise. This may be sufficient for some setups and use cases, but is not recommended in general.

User solution 2: start a D-bus session#

Keyring library documentation provides another solution for using Keyring on headless Linux systems. It involves starting a D-Bus session, and running gnome-keyring-daemon --unlock, (which reads unlock password via stdin). Follow instructions there.

Administrator solution: remove GNOME Keyring if not needed#

If the GNOME Keyring is not needed on the given system, its removal will prevent Keyring library from trying to use it:

# aptitude purge gnome-keyring

This will likely cause Keyring to use the plaintext keyring as a backup; see note above for security considerations.