Kerberos 5 Configuration

Since the SPNEGO mechanism will call JGSS, which in turns calls the Kerberos V5 login module to do real works. Kerberos 5 configurations are needed. which includes:

  • Some way to provide Kerberos configurations. This can be achieved with the Java system property java.security.krb5.conf. For example:
            java -Djava.security.krb5.conf=krb5.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName
  • A JAAS config file denoting what login module to use. HTTP SPNEGO codes will look for the standard entry named com.sun.security.jgss.krb5.initiate.

For example, you can provide a file spnegoLogin.conf:

          com.sun.security.jgss.krb5.initiate {

              com.sun.security.auth.module.Krb5LoginModule

                  required useTicketCache=true;

          };

and run java with:

            java -Djava.security.krb5.conf=krb5.conf \

                 -Djava.security.auth.login.config=spnegoLogin.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName

JAAS:https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzaha/rzahajaas10.htm

ZooKeeperSaslClient

在使用带Kerberos的zookeeper时,连接前需要进行认证,但是需要通过jaas机制去登陆Kerberos,这时候需要给JVM设置jaas.conf配置文件,zookeeper源码种等登陆模块如下:

public ZooKeeperSaslClient(String serverPrincipal, ZKClientConfig clientConfig) throws LoginException {

        this.saslState = ZooKeeperSaslClient.SaslState.INITIAL;

        this.gotLastPacket = false;

        String clientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client");

        this.clientConfig = clientConfig;

        AppConfigurationEntry[] entries = null;

        Object runtimeException = null;

        try {

            entries = Configuration.getConfiguration().getAppConfigurationEntry(clientSection);

        } catch (SecurityException var8) {

            runtimeException = var8;

        } catch (IllegalArgumentException var9) {

            runtimeException = var9;

        }

        if (entries != null) {

            this.configStatus = "Will attempt to SASL-authenticate using Login Context section '" + clientSection + "'";

            this.saslClient = this.createSaslClient(serverPrincipal, clientSection);

        } else {

            this.saslState = ZooKeeperSaslClient.SaslState.FAILED;

            String explicitClientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig");

            if (explicitClientSection != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the " + explicitClientSection + " section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("Client cannot SASL-authenticate because the specified JAAS configuration section '" + explicitClientSection + "' could not be found.");

            }

            String msg = "Will not attempt to authenticate using SASL ";

            if (runtimeException != null) {

                msg = msg + "(" + runtimeException + ")";

            } else {

                msg = msg + "(unknown error)";

            }

            this.configStatus = msg;

            this.isSASLConfigured = false;

            if (clientConfig.getJaasConfKey() != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("No JAAS configuration section named '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' was found in specified JAAS configuration file: '" + clientConfig.getJaasConfKey() + "'.");

            }

        }

    }

可以看处,默认读取的时Client模块下的配置,也会从zookeeper.sasl.clientconfig种读取。其登陆代码如下:

private SaslClient createSaslClient(String servicePrincipal, String loginContext) throws LoginException {

        try {

            if (!this.initializedLogin) {

                synchronized(this) {

                    if (this.login == null) {

                        if (LOG.isDebugEnabled()) {

                            LOG.debug("JAAS loginContext is: " + loginContext);

                        }

                        this.login = new Login(loginContext, new ZooKeeperSaslClient.ClientCallbackHandler((String)null), this.clientConfig);

                        this.login.startThreadIfNeeded();

                        this.initializedLogin = true;

                    }

                }

            }

            Subject subject = this.login.getSubject();

            SaslClient saslClient;

            if (subject.getPrincipals().isEmpty()) {

                LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");

                String[] mechs = new String[]{"DIGEST-MD5"};

                String username = (String)((String)subject.getPublicCredentials().toArray()[0]);

                String password = (String)((String)subject.getPrivateCredentials().toArray()[0]);

                saslClient = Sasl.createSaslClient(mechs, username, "zookeeper", "zk-sasl-md5", (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler(password));

                return saslClient;

            } else {

                boolean usingNativeJgss = this.clientConfig.getBoolean("sun.security.jgss.native");

                if (usingNativeJgss) {

                    try {

                        GSSManager manager = GSSManager.getInstance();

                        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");

                        GSSCredential cred = manager.createCredential((GSSName)null, 0, krb5Mechanism, 1);

                        subject.getPrivateCredentials().add(cred);

                    } catch (GSSException var16) {

                        LOG.warn("Cannot add private credential to subject; authentication at the server may fail", var16);

                    }

                }

                Object[] principals = subject.getPrincipals().toArray();

                Principal clientPrincipal = (Principal)principals[0];

                KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());

                String serverRealm = this.clientConfig.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());

                KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);

                final String serviceName = serviceKerberosName.getServiceName();

                final String serviceHostname = serviceKerberosName.getHostName();

                final String clientPrincipalName = clientKerberosName.toString();

                try {

                    saslClient = (SaslClient)Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {

                        public SaslClient run() throws SaslException {

                            ZooKeeperSaslClient.LOG.info("Client will use GSSAPI as SASL mechanism.");

                            String[] mechs = new String[]{"GSSAPI"};

                            ZooKeeperSaslClient.LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);

                            SaslClient saslClient = Sasl.createSaslClient(mechs, clientPrincipalName, serviceName, serviceHostname, (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler((String)null));

                            return saslClient;

                        }

                    });

                    return saslClient;

                } catch (Exception var15) {

                    LOG.error("Exception while trying to create SASL client", var15);

                    var15.printStackTrace();

                    return null;

                }

            }

        } catch (LoginException var18) {

            throw var18;

        } catch (Exception var19) {

            LOG.error("Exception while trying to create SASL client: " + var19);

            return null;

        }

    }

This is jaas.conf:

Client {

      com.sun.security.auth.module.Krb5LoginModule required

      useKeyTab=true

      doNotPrompt=true

      useTicketCache=true

      principal="test"

      keyTab="/home/keytab/user.keytab";

   };

Then set Java Options like :

--Djava.security.auth.login.config=/data/disk1/conf/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false

其他情况下,会使用com.sun.security.jgss.krb5.initiate来登陆,所以jaas.conf的配置如下:

com.sun.security.jgss.krb5.initiate {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/data/disk1/conf/test.keytab"

  principal="test"

  doNotPrompt=true;

};

使用JAAS文件登陆kerberos(zookeeper)的更多相关文章

  1. 关于hadoop登陆kerberos时设置环境变量问题的思考

    中心思想,设置kerberos环境变量时,发现JDK源码当中的一个问题,故描述如下. 在平时的使用中,如果hadoop集群配置kerberos认证的话,使用java访问hdfs或者hive时,需要先进 ...

  2. Kafka启用SASL_PLAINTEXT动态配置JAAS文件的几种方式

    Kafka是广泛使用消息服务,很多情况下关于认证部分我都是默认的配置,也就是不需要用户名/密码,也不配置证书.在内网或者在项目组内部可以,但是设计的跨部门时一般处于安全考虑都需要加上认证,防止kafk ...

  3. ssh通过pem文件登陆服务器

    一些为了安全操作,推荐使用私钥进行登录服务器,拿jenkins来说,默认的验证方式就是私钥 实现方式 先在本机通过ssh-keygen直接生成公私钥 如下在当前文件夹下生成my.pem(私钥)和my. ...

  4. paramiko 基于密钥文件登陆

    首先密钥登陆远程的原理 client 端 将公钥放在远程机器authorized_keys: 使用 ssh-copy-id  app@ip 接着在client机器生成密钥 使用ssh-keygen - ...

  5. 权限过大 ssh协议通过pem文件登陆

    root@oneweek:~# ssh -i uat.pem root@110.5.15.6@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ...

  6. Zookeeper集群安装(开启kerberos)

    安装规划 zookeeper集群模式,安装到如下三台机器 10.43.159.237 zdh-237 10.43.159.238 zdh-238 10.43.159.239 zdh-239 Kerbe ...

  7. centos7配置kerberos服务,并使用JAAS登录

    准备两个虚拟机:192.168.1.101.192.168.1.102,101作为kerberos的server端,102作为kerberos的client端.开启88端口. 1.安装kerberos ...

  8. ZooKeeper日志与快照文件简单分析

    有用过Zookeeper的都知道zoo.cfg配置文件中有dataDir配置项用于存储数据,不过可能有些人不太清楚这个目录具体存储的是那些数据,默认情况下这个目录是用于存储Log(事务日志)与Snap ...

  9. 为CDH 5.7集群添加Kerberos身份验证及Sentry权限控制

    转载请注明出处:http://www.cnblogs.com/xiaodf/ 4. 为CDH 5集群添加Kerberos身份验证 4.1 安装sentry1.点击“操作”,“添加服务”:2.选择sen ...

  10. kafka集群安全化之启用kerberos与acl

    一.背景 在我们部署完kafka之后,虽然我们已经可以“肆意”的用kafka了,但是在一个大公司的实际生产环境中,kafka集群往往十分庞大,每个使用者都应该只关心自己所负责的Topic,并且对其他人 ...

随机推荐

  1. 打破虚拟边界的视频交互新方式,AR隔空书写的应用理念和探索实践

    AR隔空书写演示 随着技术的发展和超视频化的时代驱动,交互的形式日渐丰富.从屏幕点触,到语音交互,人脸.指纹.声纹,再到近年流行的AR和VR--人类早在语言出现之前便习惯使用肢体和手势这种近乎本能的沟 ...

  2. 【JAVA基础】Swagger使用

    Swagger使用 刷新权限 自定标签名称

  3. Educational Codeforces Round 6 620E. New Year Tree(DFS序+线段树)

    题目链接:点击打开链接 题意:给你一棵树,编号1~n,告诉你根结点是1. 每次有两个操作: 1,将以v为根的子树的结点全部染成颜色c 2,问以v为根的紫书的结点的颜色种类. 思路:如果这是一条线段的话 ...

  4. Maven项目手动配置依赖项

    1.问题 很多时候,我们依靠其本身的识别功能,并不能很好的识别依赖项(尤其是指定版本),且对于一些位于 <\build>不能自动去下载,这时候我们就要去手动配置依赖项 2.解决 2.1 首 ...

  5. css - 伪元素清除浮动

    .clearfix:after{ content:""; /*设置内容为空*/ height:0; /*高度为0*/ line-height:0; /*行高为0*/ display ...

  6. [转帖]LVS入门篇(五)之LVS+Keepalived实战

    LVS入门篇(五)之LVS+Keepalived实战 https://www.cnblogs.com/linuxk/p/9365189.html 一.实验架构和环境说明 (1)本次基于VMware W ...

  7. ebpf 单行程序学习

    ebpf 单行程序学习 背景 公司方神借给我一本: <BPF之巅:洞悉linux系统和应用性能>纸质书 拿回家晚上在沙发上看了几天. 感觉书很厚看的不是很系统. 仅能凭自己的感觉总结一下这 ...

  8. [转帖]Linux磁盘I/O(一):Cache,Buffer和sync

    Cache和Buffer的区别 磁盘是一个块设备,可以划分为不同的分区:在分区之上再创建文件系统,挂载到某个目录,之后才可以在这个目录中读写文件.Linux 中"一切皆文件",我们 ...

  9. [转帖]Cgroups资源限制

    https://cloud.tencent.com/developer/article/2108816?areaSource=105001.13&traceId=QzVtWN5jGl8zeYZ ...

  10. [转帖]Redis命令详解:Keys

    https://jackeyzhe.github.io/2018/09/22/Redis%E5%91%BD%E4%BB%A4%E8%AF%A6%E8%A7%A3%EF%BC%9AKeys/ 介绍完Re ...