FW: Kerberos Directory cache

From: Valluri, Sathish <sathish.valluri_at_emc.com>
Date: Thu, 10 Jul 2014 14:57:00 +0000

Resending after disabling HTML text....

-----Original Message-----
From: Valluri, Sathish
Sent: Thursday, July 10, 2014 8:13 PM
To: 'curl-library_at_cool.haxx.se'
Subject: Kerberos Directory cache

Hi,

We are facing an issue with multiple credentials present in the Kerberos credential cache: when other users try to connect, curl fails and throws an error, expecting only the user from the primary cache.
We have 2 different principals, each attached to the same realm, and when trying to connect using curl, it always loads the primary cache, does not search for other credentials in the cache, and fails.

klist -A output snippet showing 2 different credentials:

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktSQ8abu
Default principal: gpadmin_at_EXAMPLE.COM

Valid starting Expires Service principal
07/09/14 18:31:12 07/10/14 18:22:55 krbtgt/EXAMPLE.COM_at_EXAMPLE.COM
            renew until 07/09/14 18:31:12

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktEJgnPE
Default principal: hdfs/pivhdsne.krbnet_at_EXAMPLE.COM

Valid starting Expires Service principal
07/09/14 18:30:54 07/10/14 18:22:38 krbtgt/EXAMPLE.COM_at_EXAMPLE.COM
            renew until 07/09/14 18:30:54

Here our cache has 2 users, gpadmin and hdfs. When the user tries to connect with the gpadmin user, curl works fine, and when the user switches to hdfs, curl fails with an error. Is there any way to provide the username parameter in the curl negotiate? Even though we are providing the user in -u hdfs:, it's not considering the curl user and authentication fails.

curl -i --negotiate -u hdfs: "http://10.31.251.254:50070/webhdfs/v1/?user.name=hdfs&op=LISTSTATUS"
HTTP/1.1 401
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1358
Server: Jetty(7.6.10.v20130312)

HTTP/1.1 401 Unauthorized
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Cache-Control: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=gpadmin&p=gpadmin_at_EXAMPLE.COM&t=kerberos&e=1404947996223&s=KfBg3KDnhd5dxYvHMUYmDPqdEy4=";Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(7.6.10.v20130312)

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=hdfs != expected=gpadmin"}}

Can anyone suggest how to make the curl library scan the Kerberos directory cache and load the proper principal for the particular user?

Regards
Sathish Valluri
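One way to steer curl at the right principal, added here as an example and not part of Sathish's mail or of curl itself: with MIT Kerberos, GSSAPI uses the DIR collection's primary subsidiary cache unless KRB5CCNAME names one specific subsidiary cache (DIR::<file>) or `kswitch -p <principal>` changes the primary. The helper below parses `klist -A` output in the layout shown above; the sample listing, `subcache_for` and `curl_as` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): select the subsidiary cache of a
# DIR: collection that holds tickets for a given principal, so that curl's
# --negotiate uses it instead of the collection's primary cache.
# Assumes MIT Kerberos (DIR: caches) and the "klist -A" layout shown in the mail.

# Constructed sample of "klist -A" output, modelled on the mail (no real tickets).
SAMPLE_KLIST='Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktSQ8abu
Default principal: gpadmin@EXAMPLE.COM

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktEJgnPE
Default principal: hdfs/pivhdsne.krbnet@EXAMPLE.COM
'

# subcache_for PRINCIPAL [KLIST_OUTPUT]
# Prints the "DIR::/path/tktXXXX" cache name whose "Default principal" line
# matches PRINCIPAL exactly; prints nothing and returns 1 if none matches.
# KLIST_OUTPUT defaults to the live "klist -A" listing.
subcache_for() {
    principal=$1
    listing=${2:-"$(klist -A 2>/dev/null)"}
    printf '%s\n' "$listing" | awk -v want="$principal" '
        /^Ticket cache: / { cache = $3 }
        /^Default principal: / && $3 == want { print cache; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# curl_as PRINCIPAL CURL_ARGS...
# Runs curl with KRB5CCNAME pointing at that principal's subsidiary cache only
# for this command, so GSSAPI negotiates with the intended credentials.
curl_as() {
    principal=$1; shift
    cache=$(subcache_for "$principal") || {
        echo "no ticket cache for $principal (run kinit first)" >&2; return 1; }
    KRB5CCNAME=$cache curl --negotiate -u : "$@"
}
```

Typical use is `curl_as 'hdfs/pivhdsne.krbnet@EXAMPLE.COM' -i "http://<namenode>:50070/webhdfs/v1/?op=LISTSTATUS"`, with the host being a placeholder.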

Received on 2014-07-10