You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@calcite.apache.org by F21 <f2...@gmail.com> on 2017/07/10 05:57:35 UTC
Kerberos Authentication and Avatica
Recently, I came across a maintained pure-go kerberos client and server [0].
I am now in the process of adding SPNEGO authentication to the Go
avatica client [1].
For the implementation, the plan is to make it as close to the official
(java) client's implementation as possible. For SPNEGO, to Java client
uses these 2 parameters: principal and keytab.
The keytab parameter is easy to understand: a path to a keytab file.
I'd like to confirm what a valid string for the principal looks like.
- Is it a Service Principal Name?
- What are the valid formats for the principal? A valid SPN looks like
User1/User2@realm.
- For the above example, I am assuming user2 can be optional.
- Can the realm be optional?
Cheers,
Francis
[0] https://github.com/jcmturner/gokrb5
[1] https://github.com/Boostport/avatica
Re: Kerberos Authentication and Avatica
Posted by F21 <f2...@gmail.com>.
Thanks for the pointers, Josh :)
I'll post back to the list when a release has been tagged.
On 11/07/2017 11:38 AM, Josh Elser wrote:
> On Jul 10, 2017 20:18, "F21" <f2...@gmail.com> wrote:
>
> Hey Josh,
>
> Thanks for clearing things up. In Go, it is not idiomatic for a database
> driver to reach out to environment variables. I think I will add an
> additional parameter called `krb5Conf` for users to point the driver to the
> location of `krb5.conf`. In the event that it is not provided, I plan to
> search common locations listed here: https://www.ibm.com/support/kn
> owledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rs
> ec_SPNEGO_config_krb5.html and https://docs.oracle.com/javase
> /8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
>
>
> Sounds reasonable to me!
>
> Regarding the use-case where the user performs authentication and passes
> the ticket to Avatica, what does the driver configuration look like? In
> particular, if I were using the Java driver, is it correct to assume that
> I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as
> blank? In that case, I am assuming the Java Kerberos library would find the
> cached ticket and set up the appropriate HTTP requests.
>
>
> Exactly right. The user does nothing special, and then the underlying Java
> security code provides it when the HTTP client library asks for the ticket.
>
> Cheers,
> Francis
>
> On 11/07/2017 12:49 AM, Josh Elser wrote:
>
>> Hey Francis,
>>
>> On 7/10/17 7:09 AM, F21 wrote:
>>
>>> Follow up questions:
>>> - According to the client reference for the principal parameter [0], the
>>> Java client is able to perform a Kerberos login before contacting the
>>> Avatica server. There appears to be no way to set the KDC address into the
>>> client. How does the Java client perform Kerberos logins?
>>>
>> This is convention for Java. There are expected locations at which a file,
>> krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf.
>>
>> - There is also an option for the user to perform the login themselves. In
>>> this case, how does the Java client pass the Kerberos ticket to the Avatica
>>> server?
>>>
>> Again, convention. On Linux, the location of a user's ticket cache is
>> defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
>> overriden by the environment variable KRB5CCNAME. All of this is handled by
>> Java itself.
>>
>> This is definitely the common case for interactive users.
>>
>> [0] https://calcite.apache.org/avatica/docs/client_reference.htm
>>> l#principal
>>>
>>> On 10/07/2017 3:57 PM, F21 wrote:
>>>
>>>> Recently, I came across a maintained pure-go kerberos client and server
>>>> [0].
>>>>
>>>> I am now in the process of adding SPNEGO authentication to the Go
>>>> avatica client [1].
>>>>
>>>> For the implementation, the plan is to make it as close to the official
>>>> (java) client's implementation as possible. For SPNEGO, to Java client uses
>>>> these 2 parameters: principal and keytab.
>>>>
>>>> The keytab parameter is easy to understand: a path to a keytab file.
>>>>
>>>> I'd like to confirm what a valid string for the principal looks like.
>>>> - Is it a Service Principal Name?
>>>> - What are the valid formats for the principal? A valid SPN looks like
>>>> User1/User2@realm.
>>>> - For the above example, I am assuming user2 can be optional.
>>>> - Can the realm be optional?
>>>>
>> See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-use
>> r/What-is-a-Kerberos-Principal_003f.html. This page does a very good job
>> at concisely expressing what a Kerberos principal is and what can be
>> implied (based on krb5.conf).
>>
>> Let me know if you still have questions.
>>
>> Cheers,
>>>> Francis
>>>>
>>>> [0] https://github.com/jcmturner/gokrb5
>>>> [1] https://github.com/Boostport/avatica
>>>>
>>>
>>>
Re: Kerberos Authentication and Avatica
Posted by Josh Elser <el...@apache.org>.
On Jul 10, 2017 20:18, "F21" <f2...@gmail.com> wrote:
Hey Josh,
Thanks for clearing things up. In Go, it is not idiomatic for a database
driver to reach out to environment variables. I think I will add an
additional parameter called `krb5Conf` for users to point the driver to the
location of `krb5.conf`. In the event that it is not provided, I plan to
search common locations listed here: https://www.ibm.com/support/kn
owledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rs
ec_SPNEGO_config_krb5.html and https://docs.oracle.com/javase
/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
Sounds reasonable to me!
Regarding the use-case where the user performs authentication and passes
the ticket to Avatica, what does the driver configuration look like? In
particular, if I were using the Java driver, is it correct to assume that
I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as
blank? In that case, I am assuming the Java Kerberos library would find the
cached ticket and set up the appropriate HTTP requests.
Exactly right. The user does nothing special, and then the underlying Java
security code provides it when the HTTP client library asks for the ticket.
Cheers,
Francis
On 11/07/2017 12:49 AM, Josh Elser wrote:
> Hey Francis,
>
> On 7/10/17 7:09 AM, F21 wrote:
>
>> Follow up questions:
>> - According to the client reference for the principal parameter [0], the
>> Java client is able to perform a Kerberos login before contacting the
>> Avatica server. There appears to be no way to set the KDC address into the
>> client. How does the Java client perform Kerberos logins?
>>
>
> This is convention for Java. There are expected locations at which a file,
> krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf.
>
> - There is also an option for the user to perform the login themselves. In
>> this case, how does the Java client pass the Kerberos ticket to the Avatica
>> server?
>>
>
> Again, convention. On Linux, the location of a user's ticket cache is
> defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
> overriden by the environment variable KRB5CCNAME. All of this is handled by
> Java itself.
>
> This is definitely the common case for interactive users.
>
> [0] https://calcite.apache.org/avatica/docs/client_reference.htm
>> l#principal
>>
>> On 10/07/2017 3:57 PM, F21 wrote:
>>
>>> Recently, I came across a maintained pure-go kerberos client and server
>>> [0].
>>>
>>> I am now in the process of adding SPNEGO authentication to the Go
>>> avatica client [1].
>>>
>>> For the implementation, the plan is to make it as close to the official
>>> (java) client's implementation as possible. For SPNEGO, to Java client uses
>>> these 2 parameters: principal and keytab.
>>>
>>> The keytab parameter is easy to understand: a path to a keytab file.
>>>
>>> I'd like to confirm what a valid string for the principal looks like.
>>> - Is it a Service Principal Name?
>>> - What are the valid formats for the principal? A valid SPN looks like
>>> User1/User2@realm.
>>> - For the above example, I am assuming user2 can be optional.
>>> - Can the realm be optional?
>>>
>>
> See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-use
> r/What-is-a-Kerberos-Principal_003f.html. This page does a very good job
> at concisely expressing what a Kerberos principal is and what can be
> implied (based on krb5.conf).
>
> Let me know if you still have questions.
>
> Cheers,
>>> Francis
>>>
>>> [0] https://github.com/jcmturner/gokrb5
>>> [1] https://github.com/Boostport/avatica
>>>
>>
>>
>>
Re: Kerberos Authentication and Avatica
Posted by F21 <f2...@gmail.com>.
Hey Josh,
Thanks for clearing things up. In Go, it is not idiomatic for a database
driver to reach out to environment variables. I think I will add an
additional parameter called `krb5Conf` for users to point the driver to
the location of `krb5.conf`. In the event that it is not provided, I
plan to search common locations listed here:
https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rsec_SPNEGO_config_krb5.html
and
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
Regarding the use-case where the user performs authentication and passes
the ticket to Avatica, what does the driver configuration look like? In
particular, if I were using the Java driver, is it correct to assume
that I'd set `authentication` to `SPNEGO` and leave `keytab` and
`principal` as blank? In that case, I am assuming the Java Kerberos
library would find the cached ticket and set up the appropriate HTTP
requests.
Cheers,
Francis
On 11/07/2017 12:49 AM, Josh Elser wrote:
> Hey Francis,
>
> On 7/10/17 7:09 AM, F21 wrote:
>> Follow up questions:
>> - According to the client reference for the principal parameter [0],
>> the Java client is able to perform a Kerberos login before contacting
>> the Avatica server. There appears to be no way to set the KDC address
>> into the client. How does the Java client perform Kerberos logins?
>
> This is convention for Java. There are expected locations at which a
> file, krb5.conf, is located on platforms. For Linux, this is
> /etc/krb5.conf.
>
>> - There is also an option for the user to perform the login
>> themselves. In this case, how does the Java client pass the Kerberos
>> ticket to the Avatica server?
>
> Again, convention. On Linux, the location of a user's ticket cache is
> defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
> overriden by the environment variable KRB5CCNAME. All of this is
> handled by Java itself.
>
> This is definitely the common case for interactive users.
>
>> [0]
>> https://calcite.apache.org/avatica/docs/client_reference.html#principal
>>
>> On 10/07/2017 3:57 PM, F21 wrote:
>>> Recently, I came across a maintained pure-go kerberos client and
>>> server [0].
>>>
>>> I am now in the process of adding SPNEGO authentication to the Go
>>> avatica client [1].
>>>
>>> For the implementation, the plan is to make it as close to the
>>> official (java) client's implementation as possible. For SPNEGO, to
>>> Java client uses these 2 parameters: principal and keytab.
>>>
>>> The keytab parameter is easy to understand: a path to a keytab file.
>>>
>>> I'd like to confirm what a valid string for the principal looks like.
>>> - Is it a Service Principal Name?
>>> - What are the valid formats for the principal? A valid SPN looks
>>> like User1/User2@realm.
>>> - For the above example, I am assuming user2 can be optional.
>>> - Can the realm be optional?
>
> See
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html.
> This page does a very good job at concisely expressing what a Kerberos
> principal is and what can be implied (based on krb5.conf).
>
> Let me know if you still have questions.
>
>>> Cheers,
>>> Francis
>>>
>>> [0] https://github.com/jcmturner/gokrb5
>>> [1] https://github.com/Boostport/avatica
>>
>>
Re: Kerberos Authentication and Avatica
Posted by Josh Elser <el...@apache.org>.
Hey Francis,
On 7/10/17 7:09 AM, F21 wrote:
> Follow up questions:
> - According to the client reference for the principal parameter [0], the
> Java client is able to perform a Kerberos login before contacting the
> Avatica server. There appears to be no way to set the KDC address into
> the client. How does the Java client perform Kerberos logins?
This is convention for Java. There are expected locations at which a
file, krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf.
> - There is also an option for the user to perform the login themselves.
> In this case, how does the Java client pass the Kerberos ticket to the
> Avatica server?
Again, convention. On Linux, the location of a user's ticket cache is
defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
overriden by the environment variable KRB5CCNAME. All of this is handled
by Java itself.
This is definitely the common case for interactive users.
> [0] https://calcite.apache.org/avatica/docs/client_reference.html#principal
>
> On 10/07/2017 3:57 PM, F21 wrote:
>> Recently, I came across a maintained pure-go kerberos client and
>> server [0].
>>
>> I am now in the process of adding SPNEGO authentication to the Go
>> avatica client [1].
>>
>> For the implementation, the plan is to make it as close to the
>> official (java) client's implementation as possible. For SPNEGO, to
>> Java client uses these 2 parameters: principal and keytab.
>>
>> The keytab parameter is easy to understand: a path to a keytab file.
>>
>> I'd like to confirm what a valid string for the principal looks like.
>> - Is it a Service Principal Name?
>> - What are the valid formats for the principal? A valid SPN looks like
>> User1/User2@realm.
>> - For the above example, I am assuming user2 can be optional.
>> - Can the realm be optional?
See
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html.
This page does a very good job at concisely expressing what a Kerberos
principal is and what can be implied (based on krb5.conf).
Let me know if you still have questions.
>> Cheers,
>> Francis
>>
>> [0] https://github.com/jcmturner/gokrb5
>> [1] https://github.com/Boostport/avatica
>
>
Re: Kerberos Authentication and Avatica
Posted by F21 <f2...@gmail.com>.
Follow up questions:
- According to the client reference for the principal parameter [0], the
Java client is able to perform a Kerberos login before contacting the
Avatica server. There appears to be no way to set the KDC address into
the client. How does the Java client perform Kerberos logins?
- There is also an option for the user to perform the login themselves.
In this case, how does the Java client pass the Kerberos ticket to the
Avatica server?
[0] https://calcite.apache.org/avatica/docs/client_reference.html#principal
On 10/07/2017 3:57 PM, F21 wrote:
> Recently, I came across a maintained pure-go kerberos client and
> server [0].
>
> I am now in the process of adding SPNEGO authentication to the Go
> avatica client [1].
>
> For the implementation, the plan is to make it as close to the
> official (java) client's implementation as possible. For SPNEGO, to
> Java client uses these 2 parameters: principal and keytab.
>
> The keytab parameter is easy to understand: a path to a keytab file.
>
> I'd like to confirm what a valid string for the principal looks like.
> - Is it a Service Principal Name?
> - What are the valid formats for the principal? A valid SPN looks like
> User1/User2@realm.
> - For the above example, I am assuming user2 can be optional.
> - Can the realm be optional?
>
> Cheers,
> Francis
>
> [0] https://github.com/jcmturner/gokrb5
> [1] https://github.com/Boostport/avatica