Re: Kerberos Authentication and Avatica
Thanks for the pointers, Josh :) I'll post back to the list when a release has been tagged. On 11/07/2017 11:38 AM, Josh Elser wrote: On Jul 10, 2017 20:18, "F21"wrote: Hey Josh, Thanks for clearing things up. In Go, it is not idiomatic for a database driver to reach out to environment variables. I think I will add an additional parameter called `krb5Conf` for users to point the driver to the location of `krb5.conf`. In the event that it is not provided, I plan to search common locations listed here: https://www.ibm.com/support/kn owledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rs ec_SPNEGO_config_krb5.html and https://docs.oracle.com/javase /8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html Sounds reasonable to me! Regarding the use-case where the user performs authentication and passes the ticket to Avatica, what does the driver configuration look like? In particular, if I were using the Java driver, is it correct to assume that I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as blank? In that case, I am assuming the Java Kerberos library would find the cached ticket and set up the appropriate HTTP requests. Exactly right. The user does nothing special, and then the underlying Java security code provides it when the HTTP client library asks for the ticket. Cheers, Francis On 11/07/2017 12:49 AM, Josh Elser wrote: Hey Francis, On 7/10/17 7:09 AM, F21 wrote: Follow up questions: - According to the client reference for the principal parameter [0], the Java client is able to perform a Kerberos login before contacting the Avatica server. There appears to be no way to set the KDC address into the client. How does the Java client perform Kerberos logins? This is convention for Java. There are expected locations at which a file, krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf. - There is also an option for the user to perform the login themselves. In this case, how does the Java client pass the Kerberos ticket to the Avatica server? Again, convention. On Linux, the location of a user's ticket cache is defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be overriden by the environment variable KRB5CCNAME. All of this is handled by Java itself. This is definitely the common case for interactive users. [0] https://calcite.apache.org/avatica/docs/client_reference.htm l#principal On 10/07/2017 3:57 PM, F21 wrote: Recently, I came across a maintained pure-go kerberos client and server [0]. I am now in the process of adding SPNEGO authentication to the Go avatica client [1]. For the implementation, the plan is to make it as close to the official (java) client's implementation as possible. For SPNEGO, to Java client uses these 2 parameters: principal and keytab. The keytab parameter is easy to understand: a path to a keytab file. I'd like to confirm what a valid string for the principal looks like. - Is it a Service Principal Name? - What are the valid formats for the principal? A valid SPN looks like User1/User2@realm. - For the above example, I am assuming user2 can be optional. - Can the realm be optional? See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-use r/What-is-a-Kerberos-Principal_003f.html. This page does a very good job at concisely expressing what a Kerberos principal is and what can be implied (based on krb5.conf). Let me know if you still have questions. Cheers, Francis [0] https://github.com/jcmturner/gokrb5 [1] https://github.com/Boostport/avatica
Re: Kerberos Authentication and Avatica
On Jul 10, 2017 20:18, "F21"wrote: Hey Josh, Thanks for clearing things up. In Go, it is not idiomatic for a database driver to reach out to environment variables. I think I will add an additional parameter called `krb5Conf` for users to point the driver to the location of `krb5.conf`. In the event that it is not provided, I plan to search common locations listed here: https://www.ibm.com/support/kn owledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rs ec_SPNEGO_config_krb5.html and https://docs.oracle.com/javase /8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html Sounds reasonable to me! Regarding the use-case where the user performs authentication and passes the ticket to Avatica, what does the driver configuration look like? In particular, if I were using the Java driver, is it correct to assume that I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as blank? In that case, I am assuming the Java Kerberos library would find the cached ticket and set up the appropriate HTTP requests. Exactly right. The user does nothing special, and then the underlying Java security code provides it when the HTTP client library asks for the ticket. Cheers, Francis On 11/07/2017 12:49 AM, Josh Elser wrote: > Hey Francis, > > On 7/10/17 7:09 AM, F21 wrote: > >> Follow up questions: >> - According to the client reference for the principal parameter [0], the >> Java client is able to perform a Kerberos login before contacting the >> Avatica server. There appears to be no way to set the KDC address into the >> client. How does the Java client perform Kerberos logins? >> > > This is convention for Java. There are expected locations at which a file, > krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf. > > - There is also an option for the user to perform the login themselves. In >> this case, how does the Java client pass the Kerberos ticket to the Avatica >> server? >> > > Again, convention. On Linux, the location of a user's ticket cache is > defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be > overriden by the environment variable KRB5CCNAME. All of this is handled by > Java itself. > > This is definitely the common case for interactive users. > > [0] https://calcite.apache.org/avatica/docs/client_reference.htm >> l#principal >> >> On 10/07/2017 3:57 PM, F21 wrote: >> >>> Recently, I came across a maintained pure-go kerberos client and server >>> [0]. >>> >>> I am now in the process of adding SPNEGO authentication to the Go >>> avatica client [1]. >>> >>> For the implementation, the plan is to make it as close to the official >>> (java) client's implementation as possible. For SPNEGO, to Java client uses >>> these 2 parameters: principal and keytab. >>> >>> The keytab parameter is easy to understand: a path to a keytab file. >>> >>> I'd like to confirm what a valid string for the principal looks like. >>> - Is it a Service Principal Name? >>> - What are the valid formats for the principal? A valid SPN looks like >>> User1/User2@realm. >>> - For the above example, I am assuming user2 can be optional. >>> - Can the realm be optional? >>> >> > See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-use > r/What-is-a-Kerberos-Principal_003f.html. This page does a very good job > at concisely expressing what a Kerberos principal is and what can be > implied (based on krb5.conf). > > Let me know if you still have questions. > > Cheers, >>> Francis >>> >>> [0] https://github.com/jcmturner/gokrb5 >>> [1] https://github.com/Boostport/avatica >>> >> >> >>
Re: Kerberos Authentication and Avatica
Hey Josh, Thanks for clearing things up. In Go, it is not idiomatic for a database driver to reach out to environment variables. I think I will add an additional parameter called `krb5Conf` for users to point the driver to the location of `krb5.conf`. In the event that it is not provided, I plan to search common locations listed here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rsec_SPNEGO_config_krb5.html and https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html Regarding the use-case where the user performs authentication and passes the ticket to Avatica, what does the driver configuration look like? In particular, if I were using the Java driver, is it correct to assume that I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as blank? In that case, I am assuming the Java Kerberos library would find the cached ticket and set up the appropriate HTTP requests. Cheers, Francis On 11/07/2017 12:49 AM, Josh Elser wrote: Hey Francis, On 7/10/17 7:09 AM, F21 wrote: Follow up questions: - According to the client reference for the principal parameter [0], the Java client is able to perform a Kerberos login before contacting the Avatica server. There appears to be no way to set the KDC address into the client. How does the Java client perform Kerberos logins? This is convention for Java. There are expected locations at which a file, krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf. - There is also an option for the user to perform the login themselves. In this case, how does the Java client pass the Kerberos ticket to the Avatica server? Again, convention. On Linux, the location of a user's ticket cache is defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be overriden by the environment variable KRB5CCNAME. All of this is handled by Java itself. This is definitely the common case for interactive users. [0] https://calcite.apache.org/avatica/docs/client_reference.html#principal On 10/07/2017 3:57 PM, F21 wrote: Recently, I came across a maintained pure-go kerberos client and server [0]. I am now in the process of adding SPNEGO authentication to the Go avatica client [1]. For the implementation, the plan is to make it as close to the official (java) client's implementation as possible. For SPNEGO, to Java client uses these 2 parameters: principal and keytab. The keytab parameter is easy to understand: a path to a keytab file. I'd like to confirm what a valid string for the principal looks like. - Is it a Service Principal Name? - What are the valid formats for the principal? A valid SPN looks like User1/User2@realm. - For the above example, I am assuming user2 can be optional. - Can the realm be optional? See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html. This page does a very good job at concisely expressing what a Kerberos principal is and what can be implied (based on krb5.conf). Let me know if you still have questions. Cheers, Francis [0] https://github.com/jcmturner/gokrb5 [1] https://github.com/Boostport/avatica
Re: Kerberos Authentication and Avatica
Hey Francis, On 7/10/17 7:09 AM, F21 wrote: Follow up questions: - According to the client reference for the principal parameter [0], the Java client is able to perform a Kerberos login before contacting the Avatica server. There appears to be no way to set the KDC address into the client. How does the Java client perform Kerberos logins? This is convention for Java. There are expected locations at which a file, krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf. - There is also an option for the user to perform the login themselves. In this case, how does the Java client pass the Kerberos ticket to the Avatica server? Again, convention. On Linux, the location of a user's ticket cache is defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be overriden by the environment variable KRB5CCNAME. All of this is handled by Java itself. This is definitely the common case for interactive users. [0] https://calcite.apache.org/avatica/docs/client_reference.html#principal On 10/07/2017 3:57 PM, F21 wrote: Recently, I came across a maintained pure-go kerberos client and server [0]. I am now in the process of adding SPNEGO authentication to the Go avatica client [1]. For the implementation, the plan is to make it as close to the official (java) client's implementation as possible. For SPNEGO, to Java client uses these 2 parameters: principal and keytab. The keytab parameter is easy to understand: a path to a keytab file. I'd like to confirm what a valid string for the principal looks like. - Is it a Service Principal Name? - What are the valid formats for the principal? A valid SPN looks like User1/User2@realm. - For the above example, I am assuming user2 can be optional. - Can the realm be optional? See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html. This page does a very good job at concisely expressing what a Kerberos principal is and what can be implied (based on krb5.conf). Let me know if you still have questions. Cheers, Francis [0] https://github.com/jcmturner/gokrb5 [1] https://github.com/Boostport/avatica
Re: Kerberos Authentication and Avatica
Follow up questions: - According to the client reference for the principal parameter [0], the Java client is able to perform a Kerberos login before contacting the Avatica server. There appears to be no way to set the KDC address into the client. How does the Java client perform Kerberos logins? - There is also an option for the user to perform the login themselves. In this case, how does the Java client pass the Kerberos ticket to the Avatica server? [0] https://calcite.apache.org/avatica/docs/client_reference.html#principal On 10/07/2017 3:57 PM, F21 wrote: Recently, I came across a maintained pure-go kerberos client and server [0]. I am now in the process of adding SPNEGO authentication to the Go avatica client [1]. For the implementation, the plan is to make it as close to the official (java) client's implementation as possible. For SPNEGO, to Java client uses these 2 parameters: principal and keytab. The keytab parameter is easy to understand: a path to a keytab file. I'd like to confirm what a valid string for the principal looks like. - Is it a Service Principal Name? - What are the valid formats for the principal? A valid SPN looks like User1/User2@realm. - For the above example, I am assuming user2 can be optional. - Can the realm be optional? Cheers, Francis [0] https://github.com/jcmturner/gokrb5 [1] https://github.com/Boostport/avatica