Securing MarkLogic Server

Kerberos Authentication Using xdmp:http-* Functions

Kerberos authentication is supported by the xdmp:http-get(), xdmp:http-post(), xdmp:http-put(), and xdmp:http-delete() functions with the negotiate authentication option. When negotiate is specified, the username and password are not used. Instead, the server authenticates with the keytab file identified by an environment variable. The effect is the same as running a kinit operation with the keytab file and then starting MarkLogic Server.

To use this feature, you must set the following environment variables:

| Environment Variable | Value |
|---|---|
| MARKLOGIC_KEYTAB | Path to the Kerberos client keytab file. |
| MARKLOGIC_PRINCIPAL | Kerberos Principal. |

For example, to authenticate xdmp:http-get() for Kerberos, your function would look like the following.

XQuery:

xdmp:http-get("http://atsoi-z620.marklogic.com:8008/ticket.xqy",
<options xmlns="xdmp:http">
    <authentication method="negotiate">
    </authentication>
</options>)

JavaScript:

xdmp.httpGet("http://atsoi-z620.marklogic.com:8008/ticket.xqy",
{ "authentication": { "method" : "negotiate" } })
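
A pre-flight check for the two environment variables the negotiate method depends on, added here as an example (it is not part of the MarkLogic documentation or product). It assumes it is sourced by the OS account, and in the environment, that starts MarkLogic Server; the function names and return codes are made up for the example, and the optional principal check assumes MIT Kerberos klist is installed.

```shell
# Added example, not MarkLogic code. Assumption: sourced by the OS account,
# and in the environment, that starts MarkLogic Server.

# Returns 0 = ok, 1 = variable unset, 2 = keytab missing or unreadable,
# 3 = keytab accessible to group/other (return codes chosen for this example).
check_kerberos_env() {
    if [ -z "${MARKLOGIC_KEYTAB:-}" ] || [ -z "${MARKLOGIC_PRINCIPAL:-}" ]; then
        echo "MARKLOGIC_KEYTAB and MARKLOGIC_PRINCIPAL must both be set" >&2
        return 1
    fi
    if [ ! -f "$MARKLOGIC_KEYTAB" ] || [ ! -r "$MARKLOGIC_KEYTAB" ]; then
        echo "keytab is not a readable regular file: $MARKLOGIC_KEYTAB" >&2
        return 2
    fi
    # A keytab holds long-term keys, so it should be private to its owner.
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldL "$MARKLOGIC_KEYTAB" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "keytab is accessible to group/other; restrict it (chmod 600)" >&2
        return 3
    fi
    return 0
}

# Optional: confirm the keytab contains the configured principal.
# Assumes MIT Kerberos klist; returns 0 = found, 1 = not found, 2 = no klist.
keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$MARKLOGIC_KEYTAB" 2>/dev/null |
        grep -qF -- "$MARKLOGIC_PRINCIPAL" || return 1
}

# Usage after sourcing this file: check_kerberos_env && keytab_has_principal
```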

The xdmp:http-get(), xdmp:http-post(), xdmp:http-put(), and xdmp:http-delete() functions include a kerberos-ticket-forwarding option to enable the use of a user credential instead of MARKLOGIC_PRINCIPAL.

For example, to forward the ticket (if the user ticket is forwardable), do the following.

XQuery:

xdmp:http-get("http://myhost.com:8005/index.xqy",
  <options xmlns="xdmp:http">
    <authentication method="negotiate">
    </authentication>
    <kerberos-ticket-forwarding>{"optional"}
    </kerberos-ticket-forwarding>
  </options>)

JavaScript:

xdmp.httpGet("http://myhost.com:8005/index.xqy",
  {
    "authentication": {"method" : "negotiate"},
    "kerberosTicketForwarding": "optional"
  })

The xdmp:http-get(), xdmp:http-post(), xdmp:http-put(), and xdmp:http-delete() functions also have a proxy option to support proxy and proxy tunneling. When an HTTP or HTTPS request is sent to a proxy server, the proxy server forwards the request to the destination.

For example, to forward requests to a proxy server named http://proxy.marklogic.com:8080, do the following.

XQuery:

xdmp:http-get("http://targethost.marklogic.com/index.html",
  <options xmlns="xdmp:http">
    <proxy>http://proxy.marklogic.com:8080</proxy>
  </options>)

JavaScript:

xdmp.httpGet("http://targethost.marklogic.com/index.html", 
   {proxy:"http://proxy.marklogic.com:8080"})