The documentation describing how to connect to a kerberos secured endpoint shows the following: <pre class="prettyprint"><code>curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..." </code></pre> The <code>-u</code> flag has to be provided but is ignored by curl. Does the <code>--negotiate</code> option cause curl to look for a keytab that was created beforehand with the <code>kinit</code> command, or will curl prompt for credentials? If it looks for a keytab file, what filename will the command be looking for?

Being a once-in-a-while-contributor to <code>curl</code> in that area. Here is what you need to know: <code>curl(1)</code> itself knows nothing about Kerberos and will not interact neither with your credential cache nor your keytab file. It will delegate all calls to a GSS-API implementation which will do the magic for you. What magic depends on the library, Heimdal and MIT Kerberos. Based on your question, I assume that you have little knowledge about Kerberos and want simply automate API calls to a REST endpoints secured by SPNEGO. Here is what you need to do: <ol> <li>Have a Unix-like OS</li> <li>Install at least MIT Kerberos 1.11</li> <li>Install at least <code>curl</code> 7.38.0 against MIT Kerberos</li> <li>Verify this with <code>curl --version</code> mentioning GSS-API and SPNEGO and with <code>ldd</code> linked against your MIT Kerberos version.</li> <li>Create a client keytab for the service principal with <code>ktutil</code> or <code>mskutil</code> </li> <li>Try to obtain a TGT with that client keytab by <code>kinit -k -t <path-to-keytab> <principal-from-keytab></code> </li> <li>Verify with <code>klist</code> that you have a ticket cache</li> </ol> Environment is now ready to go: <ol start="8"> <li>Export <code>KRB5CCNAME=<some-non-default-path></code> </li> <li>Export <code>KRB5_CLIENT_KTNAME=<path-to-keytab></code> </li> <li>Invoke <code>curl --negotiate -u : <URL></code> </li> </ol> MIT Kerberos will detect that both environment variables are set, inspect them, automatically obtain a TGT with your keytab, request a service ticket and pass to <code>curl</code>. You are done. Note: this will not work with Heimdal.

<ol> <li> Check curl version <code>$ curl -V</code> - It should support the feature "GSS-Negotiate" </li> <li> Login using <code>kinit</code> <code>$ kinit <user-id></code> </li> <li> Use curl <code>$ curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:14000/webhdfs/v1/?op=liststatus</code> "--negotiate" option enables SPNEGO "-u" option is required but ignored (the principle specified during kinit is used) "-b" & "-c" options are used to store and send http cookies. </li> </ol>

When using --negotiate with curl, is a keytab file required?

The documentation describing how to connect to a kerberos secured endpoint shows the following:

curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..."

The -u flag has to be provided but is ignored by curl.

Does the --negotiate option cause curl to look for a keytab that was created beforehand with the kinit command, or will curl prompt for credentials?

If it looks for a keytab file, what filename will the command be looking for?

Does Curl support Kerberos?

Here is what you need to know: curl(1) itself knows nothing about Kerberos and will not interact neither with your credential cache nor your keytab file. It will delegate all calls to a GSS-API implementation which will do the magic for you.

What is Kinit Kerberos?

kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tool that are commonly found in other Kerberos implementations, such as SEAM and MIT Reference implementations.

Being a once-in-a-while-contributor to curl in that area. Here is what you need to know:

curl(1) itself knows nothing about Kerberos and will not interact neither with your credential cache nor your keytab file. It will delegate all calls to a GSS-API implementation which will do the magic for you. What magic depends on the library, Heimdal and MIT Kerberos.

Based on your question, I assume that you have little knowledge about Kerberos and want simply automate API calls to a REST endpoints secured by SPNEGO.

Here is what you need to do:

Have a Unix-like OS
Install at least MIT Kerberos 1.11
Install at least curl 7.38.0 against MIT Kerberos
Verify this with curl --version mentioning GSS-API and SPNEGO and with ldd linked against your MIT Kerberos version.
Create a client keytab for the service principal with ktutil or mskutil
Try to obtain a TGT with that client keytab by kinit -k -t <path-to-keytab> <principal-from-keytab>
Verify with klist that you have a ticket cache

Environment is now ready to go:

Export KRB5CCNAME=<some-non-default-path>
Export KRB5_CLIENT_KTNAME=<path-to-keytab>
Invoke curl --negotiate -u : <URL>

MIT Kerberos will detect that both environment variables are set, inspect them, automatically obtain a TGT with your keytab, request a service ticket and pass to curl. You are done.

Note: this will not work with Heimdal.

Check curl version

$ curl -V - It should support the feature "GSS-Negotiate"
Login using kinit

$ kinit <user-id>
Use curl

$ curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:14000/webhdfs/v1/?op=liststatus

"--negotiate" option enables SPNEGO

"-u" option is required but ignored (the principle specified during kinit is used)

"-b" & "-c" options are used to store and send http cookies.

When using --negotiate with curl, is a keytab file required?

Tags:

curl

hadoop

kerberos

webhdfs

keytab

Chris Snow

People also ask

2 Answers

Michael-O

Avinash Reddy

Recent Activity

Donate For Us

When using --negotiate with curl, is a keytab file required?

Tags:

curl

hadoop

kerberos

webhdfs

keytab

Chris Snow

People also ask

2 Answers

Michael-O

Avinash Reddy

Related questions

Recent Activity

Donate For Us