Posted to dev@calcite.apache.org by F21 <f2...@gmail.com> on 2017/07/10 05:57:35 UTC

Kerberos Authentication and Avatica

Recently, I came across a maintained pure-go kerberos client and server [0].

I am now in the process of adding SPNEGO authentication to the Go 
avatica client [1].

For the implementation, the plan is to make it as close to the official 
(java) client's implementation as possible. For SPNEGO, the Java client 
uses these 2 parameters: principal and keytab.

The keytab parameter is easy to understand: a path to a keytab file.

I'd like to confirm what a valid string for the principal looks like.
- Is it a Service Principal Name?
- What are the valid formats for the principal? A valid SPN looks like 
User1/User2@realm.
- For the above example, I am assuming user2 can be optional.
- Can the realm be optional?

Cheers,
Francis

[0] https://github.com/jcmturner/gokrb5
[1] https://github.com/Boostport/avatica

Re: Kerberos Authentication and Avatica

Posted by F21 <f2...@gmail.com>.
Thanks for the pointers, Josh :)

I'll post back to the list when a release has been tagged.

On 11/07/2017 11:38 AM, Josh Elser wrote:
> On Jul 10, 2017 20:18, "F21" <f2...@gmail.com> wrote:
>
> Hey Josh,
>
> Thanks for clearing things up. In Go, it is not idiomatic for a database
> driver to reach out to environment variables. I think I will add an
> additional parameter called `krb5Conf` for users to point the driver to the
> location of `krb5.conf`. In the event that it is not provided, I plan to
> search common locations listed here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rsec_SPNEGO_config_krb5.html
> and https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
>
>
> Sounds reasonable to me!
>
> Regarding the use-case where the user performs authentication and passes
> the ticket to Avatica, what does the driver configuration look like? In
> particular, if I were using the Java driver, is it correct to assume that
> I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as
> blank? In that case, I am assuming the Java Kerberos library would find the
> cached ticket and set up the appropriate HTTP requests.
>
>
> Exactly right. The user does nothing special, and then the underlying Java
> security code provides it when the HTTP client library asks for the ticket.
>
> Cheers,
> Francis
>
> On 11/07/2017 12:49 AM, Josh Elser wrote:
>
>> Hey Francis,
>>
>> On 7/10/17 7:09 AM, F21 wrote:
>>
>>> Follow up questions:
>>> - According to the client reference for the principal parameter [0], the
>>> Java client is able to perform a Kerberos login before contacting the
>>> Avatica server. There appears to be no way to set the KDC address into the
>>> client. How does the Java client perform Kerberos logins?
>>>
>> This is convention for Java. There are expected locations at which a file,
>> krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf.
>>
>>> - There is also an option for the user to perform the login themselves. In
>>> this case, how does the Java client pass the Kerberos ticket to the Avatica
>>> server?
>>>
>> Again, convention. On Linux, the location of a user's ticket cache is
>> defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
>> overridden by the environment variable KRB5CCNAME. All of this is handled by
>> Java itself.
>>
>> This is definitely the common case for interactive users.
>>
>>> [0] https://calcite.apache.org/avatica/docs/client_reference.html#principal
>>>
>>> On 10/07/2017 3:57 PM, F21 wrote:
>>>
>>>> Recently, I came across a maintained pure-go kerberos client and server
>>>> [0].
>>>>
>>>> I am now in the process of adding SPNEGO authentication to the Go
>>>> avatica client [1].
>>>>
>>>> For the implementation, the plan is to make it as close to the official
>>>> (java) client's implementation as possible. For SPNEGO, the Java client uses
>>>> these 2 parameters: principal and keytab.
>>>>
>>>> The keytab parameter is easy to understand: a path to a keytab file.
>>>>
>>>> I'd like to confirm what a valid string for the principal looks like.
>>>> - Is it a Service Principal Name?
>>>> - What are the valid formats for the principal? A valid SPN looks like
>>>> User1/User2@realm.
>>>> - For the above example, I am assuming user2 can be optional.
>>>> - Can the realm be optional?
>>>>
>> See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html.
>> This page does a very good job
>> at concisely expressing what a Kerberos principal is and what can be
>> implied (based on krb5.conf).
>>
>> Let me know if you still have questions.
>>
>>>> Cheers,
>>>> Francis
>>>>
>>>> [0] https://github.com/jcmturner/gokrb5
>>>> [1] https://github.com/Boostport/avatica
>>>>
>>>
>>>


Re: Kerberos Authentication and Avatica

Posted by Josh Elser <el...@apache.org>.
On Jul 10, 2017 20:18, "F21" <f2...@gmail.com> wrote:

Hey Josh,

Thanks for clearing things up. In Go, it is not idiomatic for a database
driver to reach out to environment variables. I think I will add an
additional parameter called `krb5Conf` for users to point the driver to the
location of `krb5.conf`. In the event that it is not provided, I plan to
search common locations listed here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rsec_SPNEGO_config_krb5.html
and https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html


Sounds reasonable to me!

Regarding the use-case where the user performs authentication and passes
the ticket to Avatica, what does the driver configuration look like? In
particular, if I were using the Java driver, is it correct to assume that
I'd set `authentication` to `SPNEGO` and leave `keytab` and `principal` as
blank? In that case, I am assuming the Java Kerberos library would find the
cached ticket and set up the appropriate HTTP requests.


Exactly right. The user does nothing special, and then the underlying Java
security code provides it when the HTTP client library asks for the ticket.

Cheers,
Francis

On 11/07/2017 12:49 AM, Josh Elser wrote:

> Hey Francis,
>
> On 7/10/17 7:09 AM, F21 wrote:
>
>> Follow up questions:
>> - According to the client reference for the principal parameter [0], the
>> Java client is able to perform a Kerberos login before contacting the
>> Avatica server. There appears to be no way to set the KDC address into the
>> client. How does the Java client perform Kerberos logins?
>>
>
> This is convention for Java. There are expected locations at which a file,
> krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf.
>
>> - There is also an option for the user to perform the login themselves. In
>> this case, how does the Java client pass the Kerberos ticket to the Avatica
>> server?
>>
>
> Again, convention. On Linux, the location of a user's ticket cache is
> defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be
> overridden by the environment variable KRB5CCNAME. All of this is handled by
> Java itself.
>
> This is definitely the common case for interactive users.
>
>> [0] https://calcite.apache.org/avatica/docs/client_reference.html#principal
>>
>> On 10/07/2017 3:57 PM, F21 wrote:
>>
>>> Recently, I came across a maintained pure-go kerberos client and server
>>> [0].
>>>
>>> I am now in the process of adding SPNEGO authentication to the Go
>>> avatica client [1].
>>>
>>> For the implementation, the plan is to make it as close to the official
>>> (java) client's implementation as possible. For SPNEGO, the Java client uses
>>> these 2 parameters: principal and keytab.
>>>
>>> The keytab parameter is easy to understand: a path to a keytab file.
>>>
>>> I'd like to confirm what a valid string for the principal looks like.
>>> - Is it a Service Principal Name?
>>> - What are the valid formats for the principal? A valid SPN looks like
>>> User1/User2@realm.
>>> - For the above example, I am assuming user2 can be optional.
>>> - Can the realm be optional?
>>>
>>
> See http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html.
> This page does a very good job
> at concisely expressing what a Kerberos principal is and what can be
> implied (based on krb5.conf).
>
> Let me know if you still have questions.
>
>>> Cheers,
>>> Francis
>>>
>>> [0] https://github.com/jcmturner/gokrb5
>>> [1] https://github.com/Boostport/avatica
>>>
>>
>>
>>
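
Added example (not code from the thread, from gokrb5 or from either Avatica driver): the parameter check and the file lookups that the last two messages describe, written in Go since that is the driver in question. Krb5Conf stands for the hypothetical krb5Conf parameter proposed above and is not an option of the Java or Go driver; the Env type, the candidate list of krb5.conf locations and the ticket-cache rules are constructed for the example. It adds two checks the messages leave implicit: a principal without a keytab (or a keytab without a principal) is rejected instead of silently falling back to the ticket cache, and a KRB5CCNAME that names a non-file cache type is reported rather than being opened as if it were a path.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Config holds the SPNEGO-related driver parameters discussed in the thread.
// Krb5Conf is the hypothetical parameter proposed there, not a real option.
type Config struct {
	Authentication string // "SPNEGO" enables Kerberos
	Principal      string
	Keytab         string
	Krb5Conf       string
}

type AuthMode int
const (
	ModeNone   AuthMode = iota
	ModeKeytab                 // driver logs in itself from principal + keytab
	ModeCCache                 // user already ran kinit; reuse the ticket cache
)

// Mode validates the parameter combination: with SPNEGO either both principal
// and keytab are set or both are empty; a lone one is an error, not a fallback.
func (c Config) Mode() (AuthMode, error) {
	if !strings.EqualFold(c.Authentication, "SPNEGO") {
		return ModeNone, nil
	}
	switch {
	case c.Principal != "" && c.Keytab != "":
		return ModeKeytab, nil
	case c.Principal == "" && c.Keytab == "":
		return ModeCCache, nil
	}
	return ModeNone, fmt.Errorf("SPNEGO: principal and keytab must be set together or both left empty")
}

// Env abstracts the environment and file system so the lookups are testable.
type Env struct {
	Getenv func(string) string
	Exists func(string) bool
	UID    int
}

// Constructed list of conventional krb5.conf locations for the example
// (Linux first, then the Solaris location; a real driver would add Windows/macOS).
var krb5ConfCandidates = []string{"/etc/krb5.conf", "/etc/krb5/krb5.conf"}

// ResolveKrb5Conf picks the krb5.conf: an explicit parameter wins and must
// exist; else MIT's KRB5_CONFIG override; else the first existing candidate.
// A driver that refuses to read the environment can drop the middle step.
func ResolveKrb5Conf(explicit string, env Env) (string, error) {
	if explicit != "" {
		if !env.Exists(explicit) {
			return "", fmt.Errorf("krb5Conf %q does not exist", explicit)
		}
		return explicit, nil
	}
	if p := env.Getenv("KRB5_CONFIG"); p != "" && env.Exists(p) {
		return p, nil
	}
	for _, p := range krb5ConfCandidates {
		if env.Exists(p) {
			return p, nil
		}
	}
	return "", fmt.Errorf("no krb5.conf found; set the krb5Conf parameter")
}

// ResolveCCache returns the ticket cache file for ModeCCache: KRB5CCNAME if
// set, else /tmp/krb5cc_<uid>. A FILE: prefix is stripped; other cache types
// (DIR:, KEYRING:, KCM:, API:) are not a single cache file, so they are
// reported rather than misread as paths. A missing cache means no kinit yet.
func ResolveCCache(env Env) (string, error) {
	path := env.Getenv("KRB5CCNAME")
	switch {
	case path == "":
		path = "/tmp/krb5cc_" + strconv.Itoa(env.UID)
	case strings.HasPrefix(strings.ToUpper(path), "FILE:"):
		path = path[len("FILE:"):]
	case strings.Contains(path, ":"):
		return "", fmt.Errorf("KRB5CCNAME %q is not a FILE: cache", path)
	}
	if !env.Exists(path) {
		return "", fmt.Errorf("ticket cache %q not found; run kinit first", path)
	}
	return path, nil
}

func main() {
	env := Env{Getenv: os.Getenv, UID: os.Getuid(),
		Exists: func(p string) bool { _, err := os.Stat(p); return err == nil }}
	mode, err := Config{Authentication: "SPNEGO"}.Mode() // no principal/keytab: cache mode
	conf, cerr := ResolveKrb5Conf("", env)
	cc, ccerr := ResolveCCache(env)
	fmt.Printf("mode=%v (%v)\nkrb5.conf=%q (%v)\nccache=%q (%v)\n", mode, err, conf, cerr, cc, ccerr)
}
```

Run as is, main uses the real environment, so on a machine without Kerberos it prints the errors for a missing krb5.conf and a missing /tmp/krb5cc_<uid>, which is the same failure an interactive user hits before running kinit. The KRB5_CONFIG step is MIT's own override variable; a driver that, as proposed above, does not read environment variables can delete that one branch and everything else is unchanged.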

Re: Kerberos Authentication and Avatica

Posted by F21 <f2...@gmail.com>.
Hey Josh,

Thanks for clearing things up. In Go, it is not idiomatic for a database 
driver to reach out to environment variables. I think I will add an 
additional parameter called `krb5Conf` for users to point the driver to 
the location of `krb5.conf`. In the event that it is not provided, I 
plan to search common locations listed here: 
https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rsec_SPNEGO_config_krb5.html 
and 
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html 


Regarding the use-case where the user performs authentication and passes 
the ticket to Avatica, what does the driver configuration look like? In 
particular, if I were using the Java driver, is it correct to assume 
that I'd set `authentication` to `SPNEGO` and leave `keytab` and 
`principal` as blank? In that case, I am assuming the Java Kerberos 
library would find the cached ticket and set up the appropriate HTTP 
requests.

Cheers,
Francis

On 11/07/2017 12:49 AM, Josh Elser wrote:
> Hey Francis,
>
> On 7/10/17 7:09 AM, F21 wrote:
>> Follow up questions:
>> - According to the client reference for the principal parameter [0], 
>> the Java client is able to perform a Kerberos login before contacting 
>> the Avatica server. There appears to be no way to set the KDC address 
>> into the client. How does the Java client perform Kerberos logins?
>
> This is convention for Java. There are expected locations at which a 
> file, krb5.conf, is located on platforms. For Linux, this is 
> /etc/krb5.conf.
>
>> - There is also an option for the user to perform the login 
>> themselves. In this case, how does the Java client pass the Kerberos 
>> ticket to the Avatica server?
>
> Again, convention. On Linux, the location of a user's ticket cache is 
> defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be 
> overridden by the environment variable KRB5CCNAME. All of this is 
> handled by Java itself.
>
> This is definitely the common case for interactive users.
>
>> [0] 
>> https://calcite.apache.org/avatica/docs/client_reference.html#principal
>>
>> On 10/07/2017 3:57 PM, F21 wrote:
>>> Recently, I came across a maintained pure-go kerberos client and 
>>> server [0].
>>>
>>> I am now in the process of adding SPNEGO authentication to the Go 
>>> avatica client [1].
>>>
>>> For the implementation, the plan is to make it as close to the 
>>> official (java) client's implementation as possible. For SPNEGO, the 
>>> Java client uses these 2 parameters: principal and keytab.
>>>
>>> The keytab parameter is easy to understand: a path to a keytab file.
>>>
>>> I'd like to confirm what a valid string for the principal looks like.
>>> - Is it a Service Principal Name?
>>> - What are the valid formats for the principal? A valid SPN looks 
>>> like User1/User2@realm.
>>> - For the above example, I am assuming user2 can be optional.
>>> - Can the realm be optional?
>
> See 
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html. 
> This page does a very good job at concisely expressing what a Kerberos 
> principal is and what can be implied (based on krb5.conf).
>
> Let me know if you still have questions.
>
>>> Cheers,
>>> Francis
>>>
>>> [0] https://github.com/jcmturner/gokrb5
>>> [1] https://github.com/Boostport/avatica
>>
>>


Re: Kerberos Authentication and Avatica

Posted by Josh Elser <el...@apache.org>.
Hey Francis,

On 7/10/17 7:09 AM, F21 wrote:
> Follow up questions:
> - According to the client reference for the principal parameter [0], the 
> Java client is able to perform a Kerberos login before contacting the 
> Avatica server. There appears to be no way to set the KDC address into 
> the client. How does the Java client perform Kerberos logins?

This is convention for Java. There are expected locations at which a 
file, krb5.conf, is located on platforms. For Linux, this is /etc/krb5.conf.

> - There is also an option for the user to perform the login themselves. 
> In this case, how does the Java client pass the Kerberos ticket to the 
> Avatica server?

Again, convention. On Linux, the location of a user's ticket cache is 
defined to be /tmp/krb5cc_$(id -u $(whoami)). This location can be 
overridden by the environment variable KRB5CCNAME. All of this is handled 
by Java itself.

This is definitely the common case for interactive users.

> [0] https://calcite.apache.org/avatica/docs/client_reference.html#principal
> 
> On 10/07/2017 3:57 PM, F21 wrote:
>> Recently, I came across a maintained pure-go kerberos client and 
>> server [0].
>>
>> I am now in the process of adding SPNEGO authentication to the Go 
>> avatica client [1].
>>
>> For the implementation, the plan is to make it as close to the 
>> official (java) client's implementation as possible. For SPNEGO, the 
>> Java client uses these 2 parameters: principal and keytab.
>>
>> The keytab parameter is easy to understand: a path to a keytab file.
>>
>> I'd like to confirm what a valid string for the principal looks like.
>> - Is it a Service Principal Name?
>> - What are the valid formats for the principal? A valid SPN looks like 
>> User1/User2@realm.
>> - For the above example, I am assuming user2 can be optional.
>> - Can the realm be optional?

See 
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html. 
This page does a very good job at concisely expressing what a Kerberos 
principal is and what can be implied (based on krb5.conf).

Let me know if you still have questions.

>> Cheers,
>> Francis
>>
>> [0] https://github.com/jcmturner/gokrb5
>> [1] https://github.com/Boostport/avatica
> 
> 
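
Added example (not code from the thread, from gokrb5 or from either Avatica driver): a parser for the principal syntax the MIT page linked above describes, "primary[/instance...][@REALM]" with backslash escapes, plus a small reader for default_realm under [libdefaults] in krb5.conf, which is the value that gets implied when a principal is written without a realm. It is in Go because the question is about the Go driver; the names Principal, ParsePrincipal, DefaultRealm and Qualify, the sample principals and the krb5.conf fragment are all constructed for this example. Rejecting empty components, an empty realm after '@' and an unescaped '/' or '@' inside the realm is a choice made here so that a driver never hands such a string on to the Kerberos library.

```go
package main

import (
	"fmt"
	"strings"
)

// Principal is a Kerberos principal: primary plus any instances, and realm.
type Principal struct {
	Components []string
	Realm      string
}

// ParsePrincipal parses "primary[/instance...][@REALM]"; instances and realm
// are optional and a backslash escapes the next byte, MIT style, so
// `user\@corp@EXAMPLE.COM` has primary "user@corp". Empty components, an empty
// realm after '@' and an unescaped '/' or '@' in the realm are rejected here.
func ParsePrincipal(s string) (Principal, error) {
	var p Principal
	var cur strings.Builder
	inRealm := false
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' && i+1 < len(s):
			i++ // escaped byte: keep it literally
			cur.WriteByte(s[i])
		case (c == '/' || c == '@') && inRealm:
			return Principal{}, fmt.Errorf("unescaped %q in realm of %q", c, s)
		case c == '/' || c == '@':
			p.Components = append(p.Components, cur.String())
			cur.Reset()
			inRealm = c == '@'
		default:
			cur.WriteByte(c)
		}
	}
	if !inRealm {
		p.Components = append(p.Components, cur.String())
	} else if p.Realm = cur.String(); p.Realm == "" {
		return Principal{}, fmt.Errorf("empty realm in %q", s)
	}
	for _, comp := range p.Components {
		if comp == "" {
			return Principal{}, fmt.Errorf("empty component in %q", s)
		}
	}
	return p, nil
}

// DefaultRealm returns default_realm from [libdefaults] in krb5.conf text, or
// "" if unset. Only flat "key = value" lines of that section are considered.
func DefaultRealm(conf string) string {
	section := ""
	for _, raw := range strings.Split(conf, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if section == "libdefaults" && len(kv) == 2 && strings.TrimSpace(kv[0]) == "default_realm" {
			return strings.TrimSpace(kv[1])
		}
	}
	return ""
}

// Qualify supplies the realm from krb5.conf when the principal carried none.
func Qualify(p Principal, defaultRealm string) (Principal, error) {
	if p.Realm == "" {
		if defaultRealm == "" {
			return Principal{}, fmt.Errorf("%q has no realm and krb5.conf sets no default_realm", p.Components)
		}
		p.Realm = defaultRealm
	}
	return p, nil
}

// sampleKrb5Conf is constructed for the example; it is not a real site config.
const sampleKrb5Conf = `[libdefaults]
    default_realm = EXAMPLE.COM
`

func main() {
	realm := DefaultRealm(sampleKrb5Conf)
	for _, s := range []string{"francis", "phoenix/host.example.com@EXAMPLE.COM", `user\@corp`, "a//b", "a@"} {
		p, err := ParsePrincipal(s)
		if err == nil {
			p, err = Qualify(p, realm)
		}
		fmt.Printf("%-40q -> %+v err=%v\n", s, p, err)
	}
}
```

With the sample conf, "francis" qualifies to francis in realm EXAMPLE.COM, the two-component service principal is kept as given, and "a//b" and "a@" are rejected. The realm lookup is deliberately only the [libdefaults] key; the [domain_realm] mapping and DNS-based realm discovery that a full krb5 library also applies are out of scope for this example.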

Re: Kerberos Authentication and Avatica

Posted by F21 <f2...@gmail.com>.
Follow up questions:
- According to the client reference for the principal parameter [0], the 
Java client is able to perform a Kerberos login before contacting the 
Avatica server. There appears to be no way to set the KDC address into 
the client. How does the Java client perform Kerberos logins?

- There is also an option for the user to perform the login themselves. 
In this case, how does the Java client pass the Kerberos ticket to the 
Avatica server?

[0] https://calcite.apache.org/avatica/docs/client_reference.html#principal

On 10/07/2017 3:57 PM, F21 wrote:
> Recently, I came across a maintained pure-go kerberos client and 
> server [0].
>
> I am now in the process of adding SPNEGO authentication to the Go 
> avatica client [1].
>
> For the implementation, the plan is to make it as close to the 
> official (java) client's implementation as possible. For SPNEGO, the 
> Java client uses these 2 parameters: principal and keytab.
>
> The keytab parameter is easy to understand: a path to a keytab file.
>
> I'd like to confirm what a valid string for the principal looks like.
> - Is it a Service Principal Name?
> - What are the valid formats for the principal? A valid SPN looks like 
> User1/User2@realm.
> - For the above example, I am assuming user2 can be optional.
> - Can the realm be optional?
>
> Cheers,
> Francis
>
> [0] https://github.com/jcmturner/gokrb5
> [1] https://github.com/Boostport/avatica