When using --negotiate with curl, is a keytab file required?

再見小時候 2020-12-02 09:16

The documentation describing how to connect to a Kerberos-secured endpoint shows the following:

curl -i --negotiate -u : \"http://:/w         


        
3 Answers
  • 2020-12-02 10:05

    Answer is:

    [
      {
        "operation": "shift",
        "spec": {
          "scheduler": {
            "schedulerInfo": {
              "usedCapacity": "root",
              "queues": {
                "queue": {
                  "*": {
                    "@usedCapacity": "@queueName"
                  }
                }
              }
            }
          }
        }
      },
      {
        "operation": "shift",
        "spec": {
          "*": "&UsedCapacity"
        }
      }
    ]
    
  • 2020-12-02 10:08

    Being a once-in-a-while contributor to curl in that area, here is what you need to know:

    curl(1) itself knows nothing about Kerberos and will interact neither with your credential cache nor with your keytab file. It will delegate all calls to a GSS-API implementation which will do the magic for you. What magic depends on the library, Heimdal and MIT Kerberos.

    Based on your question, I assume that you have little knowledge about Kerberos and simply want to automate API calls to REST endpoints secured by SPNEGO.

    Here is what you need to do:

    1. Have a Unix-like OS
    2. Install at least MIT Kerberos 1.11
    3. Install at least curl 7.38.0 against MIT Kerberos
    4. Verify this with curl --version mentioning GSS-API and SPNEGO and with ldd linked against your MIT Kerberos version.
    5. Create a client keytab for the service principal with ktutil or mskutil
    6. Try to obtain a TGT with that client keytab by kinit -k -t <path-to-keytab> <principal-from-keytab>
    7. Verify with klist that you have a ticket cache

    Environment is now ready to go:

    1. Export KRB5CCNAME=<some-non-default-path>
    2. Export KRB5_CLIENT_KTNAME=<path-to-keytab>
    3. Invoke curl --negotiate -u : <URL>

    MIT Kerberos will detect that both environment variables are set, inspect them, automatically obtain a TGT with your keytab, request a service ticket and pass it to curl. You are done.

    Note: this will not work with Heimdal.

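The steps in the answer above (check curl's features, point MIT Kerberos at a client keytab and a non-default cache, then call curl), wrapped in a script with two preflight checks. This is an added example, not code from the answer or from curl; the keytab mode check, the throwaway cache directory and the values in the usage line are assumptions of this example.

```shell
#!/bin/sh
# Added example. The keytab path and URL in the usage line are hypothetical.

# Constructed sample of `curl --version` output, for trying the check offline.
SAMPLE_CURL_VERSION='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1
Features: alt-svc AsynchDNS GSS-API HTTPS-proxy IPv6 Kerberos SPNEGO SSL'

# Step 4 of the answer: the Features line must list both GSS-API and SPNEGO.
# $1 is `curl --version` text; defaults to the curl found on PATH.
curl_supports_spnego() {
    ver=${1:-$(curl --version 2>/dev/null)}
    feats=$(printf '%s\n' "$ver" | sed -n 's/^Features: *//p')
    case " $feats " in *" GSS-API "*) ;; *) return 1 ;; esac
    case " $feats " in *" SPNEGO "*) ;; *) return 1 ;; esac
}

# A keytab holds long-term keys, so treat it like a password file:
# accept only a regular file with mode 600 or 400.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# $1: client keytab, $2: URL. Runs the three "ready to go" steps with a
# throwaway credential cache so no TGT is left behind on disk.
negotiate_get() {
    curl_supports_spnego || { echo "curl lacks GSS-API/SPNEGO" >&2; return 2; }
    keytab_is_private "$1" || { echo "keytab missing or not private" >&2; return 3; }
    ccdir=$(mktemp -d) || return 4      # created with mode 0700
    rc=0
    (   # subshell: the exports do not leak into the caller's environment
        export KRB5CCNAME="FILE:$ccdir/cc"
        export KRB5_CLIENT_KTNAME="$1"
        curl --silent --show-error --fail --negotiate -u : "$2"
    ) || rc=$?
    rm -rf "$ccdir"
    return "$rc"
}

# Usage (hypothetical values):
#   negotiate_get /etc/krb5/svc-client.keytab https://api.example.test/v1/status
```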
  • 2020-12-02 10:15
    1. Check curl version

      $ curl -V

      It should support the feature "GSS-Negotiate".

    2. Login using kinit

      $ kinit <user-id>

    3. Use curl

      $ curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:14000/webhdfs/v1/?op=liststatus

      "--negotiate" option enables SPNEGO

      "-u" option is required but ignored (the principal specified during kinit is used)

      "-b" & "-c" options are used to store and send http cookies.
