The documentation describing how to connect to a Kerberos-secured endpoint shows the following:

curl -i --negotiate -u : "http://<host>:<port>/webhdfs/v1/<path>?op=..."

The -u flag has to be provided but is ignored by curl.

Does the --negotiate option cause curl to look for a keytab that was created beforehand with the kinit command, or will curl prompt for credentials?

If it looks for a keytab file, what filename will the command be looking for?

Being a once-in-a-while contributor to curl in that area, here is what you need to know:

curl(1) itself knows nothing about Kerberos and will interact with neither your credential cache nor your keytab file. It will delegate all calls to a GSS-API implementation, which will do the magic for you. What magic depends on the library (Heimdal or MIT Kerberos).

Based on your question, I assume that you have little knowledge of Kerberos and want to automate API calls to REST endpoints secured by SPNEGO.

Here is what you need to do:

- Have a Unix-like OS
- Install at least MIT Kerberos 1.11
- Install at least curl 7.38.0 built against MIT Kerberos
- Verify with curl --version that it mentions GSS-API and SPNEGO, and with ldd that it is linked against your MIT Kerberos version
- Create a client keytab for the service principal with ktutil or mskutil
- Try to obtain a TGT with that client keytab: kinit -k -t <path-to-keytab> <principal-from-keytab>
- Verify with klist that you have a ticket cache

The environment is ready to go:

- export KRB5CCNAME=<some-non-default-path>
- export KRB5_CLIENT_KTNAME=<path-to-keytab>
- Invoke curl --negotiate -u : <url>

MIT Kerberos will detect that both environment variables are set, inspect them, automatically obtain a TGT with your keytab, request a service ticket, and pass it to curl. You are done.

Note: this will not work with Heimdal.
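
A preflight for the two checklists in the answer above, added here as an example and not part of the original answer or of curl: it checks curl --version output for 7.38.0 or later with the GSS-API and SPNEGO features, and that both environment variables are set. The function names, the embedded sample output and the keytab permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks for the keytab-driven SPNEGO setup.
# Constructed sample of `curl --version` output, not captured from a real host.
SAMPLE_CURL_VERSION='curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8
Protocols: file ftp http https
Features: AsynchDNS GSS-API IPv6 Largefile NTLM SPNEGO SSL libz'

fail() { echo "preflight: $*" >&2; return 1; }

# version_ge A B: succeed when dotted version A >= B (numeric, so 7.9 < 7.38).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_curl_build TEXT: TEXT is `curl --version` output; require >= 7.38.0
# and both the GSS-API and SPNEGO features.
check_curl_build() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    feats=$(printf '%s\n' "$1" | grep '^Features:' || true)
    version_ge "$ver" 7.38.0 || fail "curl $ver is older than 7.38.0" || return 1
    for f in GSS-API SPNEGO; do
        case " $feats " in
            *" $f "*) ;;
            *) fail "curl was built without $f" || return 1 ;;
        esac
    done
}

# check_krb_env: both variables must be set; the keytab (optional FILE: prefix)
# must be readable and closed to group/other, since it holds long-term keys.
check_krb_env() {
    [ -n "${KRB5CCNAME:-}" ] || fail "KRB5CCNAME is not set" || return 1
    [ -n "${KRB5_CLIENT_KTNAME:-}" ] || fail "KRB5_CLIENT_KTNAME is not set" || return 1
    kt=${KRB5_CLIENT_KTNAME#FILE:}
    [ -r "$kt" ] || fail "keytab $kt is not readable" || return 1
    [ "$(ls -lLd "$kt" | cut -c5-10)" = "------" ] ||
        fail "keytab $kt is accessible to group/other" || return 1
}

# Demo on the constructed sample; on a real host pass "$(curl --version)".
check_curl_build "$SAMPLE_CURL_VERSION" && echo "curl build looks usable"
```

On a real host, run check_curl_build "$(curl --version)" and check_krb_env before the curl --negotiate call; the ldd linkage check from the list is not covered here.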