Hey Josh,
Thanks for clearing things up. In Go, it is not idiomatic for a database
driver to reach out to environment variables. I think I will add an
additional parameter called `krb5Conf` for users to point the driver to
the location of `krb5.conf`. In the event that it is not provided, I
plan to search common locations listed here:
https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rsec_SPNEGO_config_krb5.html
and
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
Regarding the use-case where the user performs authentication and passes
the ticket to Avatica, what does the driver configuration look like? In
particular, if I were using the Java driver, is it correct to assume
that I'd set `authentication` to `SPNEGO` and leave `keytab` and
`principal` as blank? In that case, I am assuming the Java Kerberos
library would find the cached ticket and set up the appropriate HTTP
requests.
Cheers,
Francis
On 11/07/2017 12:49 AM, Josh Elser wrote:
Hey Francis,
On 7/10/17 7:09 AM, F21 wrote:
Follow up questions:
- According to the client reference for the principal parameter [0],
the Java client is able to perform a Kerberos login before contacting
the Avatica server. There appears to be no way to set the KDC address
into the client. How does the Java client perform Kerberos logins?
This is convention for Java. There are expected locations at which a
file, krb5.conf, is located on platforms. For Linux, this is
/etc/krb5.conf.
- There is also an option for the user to perform the login
themselves. In this case, how does the Java client pass the Kerberos
ticket to the Avatica server?
Again, convention. On Linux, the location of a user's ticket cache is
defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
overridden by the environment variable KRB5CCNAME. All of this is
handled by Java itself.
This is definitely the common case for interactive users.
[0] https://calcite.apache.org/avatica/docs/client_reference.html#principal
On 10/07/2017 3:57 PM, F21 wrote:
Recently, I came across a maintained pure-go kerberos client and
server [0].
I am now in the process of adding SPNEGO authentication to the Go
avatica client [1].
For the implementation, the plan is to make it as close to the
official (Java) client's implementation as possible. For SPNEGO, the
Java client uses these 2 parameters: principal and keytab.
The keytab parameter is easy to understand: a path to a keytab file.
I'd like to confirm what a valid string for the principal looks like.
- Is it a Service Principal Name?
- What are the valid formats for the principal? A valid SPN looks
like User1/User2@realm.
- For the above example, I am assuming user2 can be optional.
- Can the realm be optional?
See
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html.
This page does a very good job at concisely expressing what a Kerberos
principal is and what can be implied (based on krb5.conf).
Let me know if you still have questions.
Cheers,
Francis
[0] https://github.com/jcmturner/gokrb5
[1] https://github.com/Boostport/avatica
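As an added example (not code from this thread or from the Boostport/avatica driver), here is a Go sketch of the two conventions discussed above: the `primary/instance@REALM` principal format with optional instance and realm, and the lookup Francis proposes, where an explicit `krb5Conf` parameter wins and conventional per-platform locations are probed only as a fallback. The function names are hypothetical, the candidate paths are taken from the IBM/Oracle pages linked above, and the `exists` callback is injected so the lookup can be exercised offline.

```go
package main

import (
	"errors"
	"strings"
)

// Principal is the split form of "primary/instance@REALM". Instance and realm
// may be empty; an empty realm means krb5.conf's default_realm is implied.
type Principal struct{ Primary, Instance, Realm string }

// parsePrincipal accepts "user", "user@REALM", "svc/host" and "svc/host@REALM".
// It rejects a trailing "@" with no realm and a missing primary component.
func parsePrincipal(s string) (Principal, error) {
	var p Principal
	rest := s
	if at := strings.LastIndex(rest, "@"); at >= 0 {
		p.Realm, rest = rest[at+1:], rest[:at]
		if p.Realm == "" {
			return p, errors.New("principal has an '@' but no realm: " + s)
		}
	}
	if slash := strings.Index(rest, "/"); slash >= 0 {
		p.Instance, rest = rest[slash+1:], rest[:slash]
	}
	p.Primary = rest
	if p.Primary == "" {
		return p, errors.New("principal has no primary component: " + s)
	}
	return p, nil
}

// krb5ConfCandidates lists the conventional krb5.conf locations per platform,
// as documented for the Java Kerberos implementation (assumed list).
func krb5ConfCandidates(goos string) []string {
	switch goos {
	case "windows":
		return []string{`c:\winnt\krb5.ini`}
	case "solaris", "aix":
		return []string{"/etc/krb5/krb5.conf"}
	default: // Linux and others
		return []string{"/etc/krb5.conf"}
	}
}

// resolveKrb5Conf honours the explicit krb5Conf driver parameter first and
// only then probes the conventional locations; no environment variables are read.
func resolveKrb5Conf(krb5Conf, goos string, exists func(string) bool) (string, error) {
	if krb5Conf != "" {
		return krb5Conf, nil
	}
	for _, c := range krb5ConfCandidates(goos) {
		if exists(c) {
			return c, nil
		}
	}
	return "", errors.New("krb5.conf not found; set the krb5Conf parameter")
}
```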