adoroszlai commented on PR #6896:
URL: https://github.com/apache/ozone/pull/6896#issuecomment-2208283645

   `curl` sends it when options `--negotiate -u :` are present, and the user has a valid Kerberos ticket, see examples below.
   
   It seems to me the only difference between old and new `curl` is that the new one tries to obtain the credentials before sending the initial request, saving a round-trip.
   
   I don't know if it is caused by an actual code change in `curl`, or only by the difference in build-time features enabled in the versions I tried. This change in S3 Gateway works with both versions/configs.
   
   ----
   
   Without `--negotiate` (or without `-u :`):
   
   ```
   $ curl -vvv -Ss -o /dev/null http://om:9874/
   * Connected to om (172.17.0.8) port 9874 (#0)
   > GET / HTTP/1.1
   > Host: om:9874
   > User-Agent: curl/7.81.0
   ...
   < HTTP/1.1 401 Authentication required
   ...
   < WWW-Authenticate: Negotiate
   ```
   
   Using `--negotiate -u :`, but without having a Kerberos ticket:
   
   ```
   $ curl -vvv -Ss -o /dev/null --negotiate -u : http://om:9874/
   * Connected to om (172.17.0.8) port 9874 (#0)
   * gss_init_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. SPNEGO cannot find mechanisms to negotiate.
   * Server auth using Negotiate with user ''
   > GET / HTTP/1.1
   > Host: om:9874
   > User-Agent: curl/7.81.0
   ...
   < HTTP/1.1 401 Authentication required
   ...
   * gss_init_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. SPNEGO cannot find mechanisms to negotiate.
   < WWW-Authenticate: Negotiate
   ```
   
   After obtaining a Kerberos ticket:
   
   ```
   $ kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/[email protected]
   $ curl -vvv -Ss -o /dev/null --negotiate -u : http://om:9874/
   * Connected to om (172.17.0.8) port 9874 (#0)
   * Server auth using Negotiate with user ''
   > GET / HTTP/1.1
   > Host: om:9874
   > Authorization: Negotiate <redacted>
   > User-Agent: curl/7.81.0
   ...
   < HTTP/1.1 200 OK
   ...
   < WWW-Authenticate: Negotiate <redacted>
   < Set-Cookie: hadoop.auth="u=testuser2&p=testuser2/[email protected]&t=kerberos&e=1720110158188&s=<redacted>"; Path=/; HttpOnly
   ...
   < Content-Length: 2927
   < 
   { [2927 bytes data]
   ```
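
An added example, not part of the original comment or of Ozone or `curl`: a small classifier for `curl -v --negotiate -u :` traces that tells apart the cases discussed above, including whether the `Authorization: Negotiate` token went out with the first request or only after a 401 challenge. The function name, labels and sample traces are constructed for illustration; the traces are modelled on the ones in the comment.

```shell
#!/bin/sh
# Classify a `curl -v` trace read from stdin (hypothetical helper).
classify_spnego_trace() {
    awk '
        { sub(/^[ \t]+/, "") }                      # tolerate indented paste
        /^> [A-Z]+ [^ ]+ HTTP\// { req++; next }    # request line opens request N
        /^> Authorization: Negotiate / { if (!tok) tok = req; next }
        /^< HTTP\/[0-9.]+ 401/         { if (!chal) chal = req; next }
        /gss_init_sec_context[(][)] failed/ { gssfail = 1 }
        END {
            if (tok && chal && chal < tok) print "token-after-challenge"
            else if (tok)                  print "preemptive-token"
            else if (gssfail)              print "no-credentials"
            else if (chal)                 print "challenge-only"
            else                           print "unknown"
        }'
}

# Constructed sample: token sent with the very first request.
trace_preemptive() { cat <<'EOF'
* Server auth using Negotiate with user ''
> GET / HTTP/1.1
> Authorization: Negotiate <redacted>
< HTTP/1.1 200 OK
< WWW-Authenticate: Negotiate <redacted>
EOF
}

# Constructed sample: anonymous request, 401 challenge, then retry with token.
trace_after_challenge() { cat <<'EOF'
> GET / HTTP/1.1
< HTTP/1.1 401 Authentication required
< WWW-Authenticate: Negotiate
> GET / HTTP/1.1
> Authorization: Negotiate <redacted>
< HTTP/1.1 200 OK
EOF
}

# Constructed sample: --negotiate requested but no Kerberos ticket available.
trace_no_credentials() { cat <<'EOF'
* gss_init_sec_context() failed: No credentials were supplied
> GET / HTTP/1.1
< HTTP/1.1 401 Authentication required
< WWW-Authenticate: Negotiate
EOF
}

for t in trace_preemptive trace_after_challenge trace_no_credentials; do
    printf '%s: %s\n' "$t" "$($t | classify_spnego_trace)"
done
```

A server-side handler that has to work with both client behaviours needs to accept a token on the first request as well as after its own 401 challenge, which are the two token cases this classifier separates.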

