feat(security): init kerberos

[levy5307]

If the config of enable_auth is true, we should init kerberos.
Here is the detail procedure:

1. set envs which are used in kerberos, like KRB5CCNAME, KRB5_CONFIG and so on.
2. create a kerberos context.
3. convert a string principal name to a krb5_principal structure. principal and username that logged in as, this determines "who I am"
4. get a handle for a key table. key table is the file to store principals and it's correponding key.
5. acquire credential cache handle and initialize credential cache. The credential cache is used for storing credentials.
6. allocate a new initial credential options structure, the options are used for getting credentials.
7. get and schedule to renew credentials from KDC and store it into _ccache

New configuration added

[security]
+ krb5_keytab =
+ krb5_config =
+ krb5_principal =

[acelyc111]

So don't forget to update docs

[levy5307]

Which docs do you mean?

[neverchanje]

http://pegasus.apache.org/overview/compilation & https://github.com/XiaoMi/pegasus/blob/master/docs/installation.md

[acelyc111]

Will you try to find credential in krb5_ccache in other PRs?

[vagetablechicken]

It's not internal
https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

[levy5307]

I have read some docs of kerberos. It says
The credential cache file holds Kerberos protocol credentials (for example, tickets, session keys, and other identifying information) in semipermanent storage. The Kerberos protocol reads credentials from the cache as they are required and stores new credentials in the cache as they are obtained. This relieves the application of the responsibility for managing the credentials itself. in https://www.ibm.com/support/knowledgecenter/en/SSGSMK_7.1.0/management_sym/sym_kerberos_configuring_credential_cache_file.html

And I have read the corresponding code in kudu, there are no code trying to find credentials in krb5_ccache. It only put credentials into krb5_ccache.

[vagetablechicken]

so you mean krb5_cc_ funcs are useless? You should read more. It's not for internal. I didn't say we need to use it.

[levy5307]

The Kerberos protocol reads credentials from the cache as they are required and stores new credentials in the cache as they are obtained. I didn't say they are useless

[levy5307]

So what the credential cache is used for in your opinion? @vagetablechicken

[vagetablechicken]

What I said is the basic conceptive problem. krb5_ccache is not for krb internal. The owner can use it to avoid unnecessary connections.
There's no need to optimize prematurely.

[acelyc111]

Take a look at https://github.com/apache/kudu/blob/master/src/kudu/security/init.cc may help.

[neverchanje]

Suggested change

	bool init(bool is_server);
	extern bool init_server();
	extern bool init_client();

[levy5307]

I think there is no need to split the function into two functions. Because they are almost same