Thanks for the pointers, Josh :)
I'll post back to the list when a release has been tagged.
On 11/07/2017 11:38 AM, Josh Elser wrote:
On Jul 10, 2017 20:18, "F21" <f21.gro...@gmail.com> wrote:
Hey Josh,
Thanks for clearing things up. In Go, it is not idiomatic for a database
driver to reach out to environment variables. I think I will add an
additional parameter called `krb5Conf` for users to point the driver to the
location of `krb5.conf`. In the event that it is not provided, I plan to
search common locations listed here: https://www.ibm.com/support/kn
owledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rs
ec_SPNEGO_config_krb5.html and https://docs.oracle.com/javase
/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
Sounds reasonable to me!
Regarding the use-case where the user performs authentication and passes
the ticket to Avatica, what does the driver configuration look like? In
particular, if I were using the Java driver, is it correct to assume that
I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as
blank? In that case, I am assuming the Java Kerberos library would find the
cached ticket and set up the appropriate HTTP requests.
Exactly right. The user does nothing special, and then the underlying Java
security code provides it when the HTTP client library asks for the ticket.
Cheers,
Francis
On 11/07/2017 12:49 AM, Josh Elser wrote:
Hey Francis,
On 7/10/17 7:09 AM, F21 wrote:
Follow up questions:
- According to the client reference for the principal parameter [0], the
Java client is able to perform a Kerberos login before contacting the
Avatica server. There appears to be no way to set the KDC address into the
client. How does the Java client perform Kerberos logins?
This is convention for Java. There are expected locations at which a file,
krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf.
- There is also an option for the user to perform the login themselves. In
this case, how does the Java client pass the Kerberos ticket to the Avatica
server?
Again, convention. On Linux, the location of a user's ticket cache is
defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
overriden by the environment variable KRB5CCNAME. All of this is handled by
Java itself.
This is definitely the common case for interactive users.
[0] https://calcite.apache.org/avatica/docs/client_reference.htm
l#principal
On 10/07/2017 3:57 PM, F21 wrote:
Recently, I came across a maintained pure-go kerberos client and server
[0].
I am now in the process of adding SPNEGO authentication to the Go
avatica client [1].
For the implementation, the plan is to make it as close to the official
(java) client's implementation as possible. For SPNEGO, to Java client uses
these 2 parameters: principal and keytab.
The keytab parameter is easy to understand: a path to a keytab file.
I'd like to confirm what a valid string for the principal looks like.
- Is it a Service Principal Name?
- What are the valid formats for the principal? A valid SPN looks like
User1/User2@realm.
- For the above example, I am assuming user2 can be optional.
- Can the realm be optional?
See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-use
r/What-is-a-Kerberos-Principal_003f.html. This page does a very good job
at concisely expressing what a Kerberos principal is and what can be
implied (based on krb5.conf).
Let me know if you still have questions.
Cheers,
Francis
[0] https://github.com/jcmturner/gokrb5
[1] https://github.com/Boostport/avatica
