When using --negotiate with curl, is a keytab file required?

Question

The documentation describing how to connect to a Kerberos-secured endpoint shows the following:

curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..."

The -u flag has to be provided but is ignored by curl.

Does the --negotiate option cause curl to look for a keytab that was created beforehand with the kinit command, or will curl prompt for credentials?

If it looks for a keytab file, what filename will the command be looking for?

Answer

As a once-in-a-while contributor to curl in that area, here is what you need to know:

curl(1) itself knows nothing about Kerberos and will interact with neither your credential cache nor your keytab file. It delegates all calls to a GSS-API implementation, which does the magic for you. Which magic depends on the library: Heimdal or MIT Kerberos.

Based on your question, I assume that you have little knowledge about Kerberos and simply want to automate API calls to REST endpoints secured by SPNEGO.

Here is what you need to do:

- Have a Unix-like OS
- Install at least MIT Kerberos 1.11
- Install at least curl 7.38.0 built against MIT Kerberos
- Verify this with curl --version mentioning GSS-API and SPNEGO, and with ldd showing it linked against your MIT Kerberos version
- Create a client keytab for the service principal with ktutil or mskutil
- Try to obtain a TGT with that client keytab by kinit -k -t <path-to-keytab> <principal-from-keytab>
- Verify with klist that you have a ticket cache

Environment is now ready to go:

- Export KRB5CCNAME=<some-non-default-path>
- Export KRB5_CLIENT_KTNAME=<path-to-keytab>
- Invoke curl --negotiate -u : <URL>

MIT Kerberos will detect that both environment variables are set, inspect them, automatically obtain a TGT with your keytab, request a service ticket and pass it to curl. You are done.

Note: this will not work with Heimdal.
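The preflight checks and the keytab-driven call from the answer above, as an added shell example that is not part of the original answer. The function names, the constructed curl --version and ldd strings in the comments, and the use of libgssapi_krb5 as the marker for an MIT Kerberos build are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes MIT Kerberos (the answer
# notes that the KRB5_CLIENT_KTNAME mechanism does not work with Heimdal).

# Returns 0 when `curl --version` output (passed as $1) lists both GSS-API and SPNEGO.
curl_supports_spnego() {
  case "$1" in
    *GSS-API*SPNEGO*|*SPNEGO*GSS-API*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when `ldd "$(command -v curl)"` output (passed as $1) shows MIT Kerberos'
# GSS-API library. Assumption: libgssapi_krb5 is MIT's name; Heimdal ships libgssapi.
curl_links_mit_krb5() {
  case "$1" in
    *libgssapi_krb5*) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs the answer's procedure end to end. Arguments: keytab path, principal from
# that keytab, URL, and an optional non-default credential-cache path.
spnego_curl() {
  keytab=$1 principal=$2 url=$3
  ccache=${4:-/tmp/krb5cc_spnego_$$}

  curl_supports_spnego "$(curl --version)" || { echo "curl lacks GSS-API/SPNEGO" >&2; return 1; }
  curl_links_mit_krb5 "$(ldd "$(command -v curl)")" || { echo "curl not linked against MIT Kerberos" >&2; return 1; }

  # Non-default cache so the automatic TGT does not clobber an interactive login.
  export KRB5CCNAME="$ccache"
  export KRB5_CLIENT_KTNAME="$keytab"

  # Prove the keytab works before relying on the library's automatic acquisition.
  kinit -k -t "$keytab" "$principal" || return 1
  klist -s || return 1   # -s: no output, exit status says whether valid tickets exist

  # "-u :" keeps curl from prompting; the GSS-API library supplies the SPNEGO token.
  curl -sS --fail --negotiate -u : "$url"
}

# Usage, with constructed placeholders (no real host):
#   sh spnego_curl.sh /etc/krb5/client.keytab svc@EXAMPLE.COM \
#      "http://<HOST>:<PORT>/webhdfs/v1/tmp?op=LISTSTATUS"
if [ $# -eq 3 ]; then
  spnego_curl "$@"
fi
```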