Follow-up questions:
- According to the client reference for the principal parameter [0], the
Java client is able to perform a Kerberos login before contacting the
Avatica server. There appears to be no way to set the KDC address into
the client. How does the Java client perform Kerberos logins?
- There is also an option for the user to perform the login themselves.
In this case, how does the Java client pass the Kerberos ticket to the
Avatica server?
[0] https://calcite.apache.org/avatica/docs/client_reference.html#principal
On 10/07/2017 3:57 PM, F21 wrote:
Recently, I came across a maintained pure-Go Kerberos client and
server [0].
I am now in the process of adding SPNEGO authentication to the Go
avatica client [1].
For the implementation, the plan is to make it as close to the
official (Java) client's implementation as possible. For SPNEGO, the
Java client uses these 2 parameters: principal and keytab.
The keytab parameter is easy to understand: a path to a keytab file.
I'd like to confirm what a valid string for the principal looks like.
- Is it a Service Principal Name?
- What are the valid formats for the principal? A valid SPN looks like
User1/User2@realm.
- For the above example, I am assuming user2 can be optional.
- Can the realm be optional?
Cheers,
Francis
[0] https://github.com/jcmturner/gokrb5
[1] https://github.com/Boostport/avatica