curl-library
Fw: Kerberos Directory Cache Multiple Users same realm issue
Date: 10 Jul 2014 08:39:46 -0000
Hi,
Resending after removing links.....
We are facing an issue with multiple credentials present in the cache: when other users try to connect, curl fails, expecting only the user from the primary cache. How does the curl library work in the case of a Kerberos directory cache that is updated with multiple credentials, as shown below?
We have 2 different principals, each attached to the same realm, and when trying to connect using curl, it always loads the primary cache, does not search for other credentials in the cache, and fails.
klist -A output snippet showing 2 different credentials:
Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktSQ8abu
Default principal: gpadmin_at_EXAMPLE.COM
Valid starting     Expires            Service principal
07/09/14 18:31:12  07/10/14 18:22:55  krbtgt/EXAMPLE.COM_at_EXAMPLE.COM
        renew until 07/09/14 18:31:12
Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktEJgnPE
Default principal: hdfs/pivhdsne.krbnet_at_EXAMPLE.COM
Valid starting     Expires            Service principal
07/09/14 18:30:54  07/10/14 18:22:38  krbtgt/EXAMPLE.COM_at_EXAMPLE.COM
        renew until 07/09/14 18:30:54
Here our cache has 2 users, gpadmin and hdfs. When the user tries to connect as the gpadmin user, curl works fine, and when the user switches to hdfs, curl fails with an error. Is there any way to provide the username parameter in curl negotiate? Even though we are providing the user with -u hdfs:, it does not consider the curl user and authentication fails.
curl -i --negotiate -u hdfs: "http://10.31.251.254:50070/webhdfs/v1/?user.name=hdfs&op=LISTSTATUS"
HTTP/1.1 401
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1358
Server: Jetty(7.6.10.v20130312)

HTTP/1.1 401 Unauthorized
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Cache-Control: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=gpadmin&p=gpadmin_at_EXAMPLE.COM&t=kerberos&e=1404947996223&s=KfBg3KDnhd5dxYvHMUYmDPqdEy4=";Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(7.6.10.v20130312)

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=hdfs != expected=gpadmin"}}
Can anyone suggest how to make the curl library scan the Kerberos directory cache and load the proper principal for the particular user?
Regards,
Sathish Valluri
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-10
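
Added example, not part of the original message and not code from curl: curl's Negotiate support authenticates with the default GSS-API credentials rather than the name given to -u, so one way to choose a principal is to point KRB5CCNAME at the matching cache of the DIR: collection for a single curl process. It assumes MIT krb5, where a name of the form DIR::/path/tktXXXXXX refers to one cache in the collection; the function names and the sample klist text are constructed for illustration.

```shell
# Constructed sample in the layout `klist -A` prints for a DIR: collection.
SAMPLE_KLIST='Ticket cache: DIR::/tmp/example_ccdir/tktAAAAAA
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:31:12  07/10/14 18:22:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: DIR::/tmp/example_ccdir/tktBBBBBB
Default principal: svc/host.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:30:54  07/10/14 18:22:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Read `klist -A` text on stdin and print the "Ticket cache:" name whose
# "Default principal:" equals $1 exactly. Returns 1 when no cache matches,
# so a caller never falls back silently to the primary cache.
ccache_for_principal() {
  awk -v want="$1" '
    /^Ticket cache: /      { cache = substr($0, 15) }
    /^Default principal: / { if (substr($0, 20) == want) { print cache; found = 1; exit } }
    END { exit !found }
  '
}

# Hypothetical wrapper: run curl with KRB5CCNAME pinned to the cache that
# holds principal $1. Remaining arguments are passed to curl unchanged.
# The variable is set for this one process only; the collection's primary
# cache and other users of the directory are not changed.
curl_as_principal() {
  _principal="$1"
  shift
  _cache="$(klist -A 2>/dev/null | ccache_for_principal "$_principal")" || {
    echo "no ticket cache for $_principal" >&2
    return 1
  }
  KRB5CCNAME="$_cache" curl --negotiate -u : "$@"
}
```

Called as curl_as_principal 'svc/host.example.com@EXAMPLE.COM' -i "$url", the wrapper refuses to run curl when the requested principal has no cache instead of authenticating as whichever principal is primary.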