Kerberos 5 Configuration

Since the SPNEGO mechanism will call JGSS, which in turns calls the Kerberos V5 login module to do real works. Kerberos 5 configurations are needed. which includes:

  • Some way to provide Kerberos configurations. This can be achieved with the Java system property java.security.krb5.conf. For example:
            java -Djava.security.krb5.conf=krb5.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName
  • A JAAS config file denoting what login module to use. HTTP SPNEGO codes will look for the standard entry named com.sun.security.jgss.krb5.initiate.

For example, you can provide a file spnegoLogin.conf:

          com.sun.security.jgss.krb5.initiate {

              com.sun.security.auth.module.Krb5LoginModule

                  required useTicketCache=true;

          };

and run java with:

            java -Djava.security.krb5.conf=krb5.conf \

                 -Djava.security.auth.login.config=spnegoLogin.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName

JAAS:https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzaha/rzahajaas10.htm

ZooKeeperSaslClient

在使用带Kerberos的zookeeper时,连接前需要进行认证,但是需要通过jaas机制去登陆Kerberos,这时候需要给JVM设置jaas.conf配置文件,zookeeper源码种等登陆模块如下:

public ZooKeeperSaslClient(String serverPrincipal, ZKClientConfig clientConfig) throws LoginException {

        this.saslState = ZooKeeperSaslClient.SaslState.INITIAL;

        this.gotLastPacket = false;

        String clientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client");

        this.clientConfig = clientConfig;

        AppConfigurationEntry[] entries = null;

        Object runtimeException = null;

        try {

            entries = Configuration.getConfiguration().getAppConfigurationEntry(clientSection);

        } catch (SecurityException var8) {

            runtimeException = var8;

        } catch (IllegalArgumentException var9) {

            runtimeException = var9;

        }

        if (entries != null) {

            this.configStatus = "Will attempt to SASL-authenticate using Login Context section '" + clientSection + "'";

            this.saslClient = this.createSaslClient(serverPrincipal, clientSection);

        } else {

            this.saslState = ZooKeeperSaslClient.SaslState.FAILED;

            String explicitClientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig");

            if (explicitClientSection != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the " + explicitClientSection + " section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("Client cannot SASL-authenticate because the specified JAAS configuration section '" + explicitClientSection + "' could not be found.");

            }

            String msg = "Will not attempt to authenticate using SASL ";

            if (runtimeException != null) {

                msg = msg + "(" + runtimeException + ")";

            } else {

                msg = msg + "(unknown error)";

            }

            this.configStatus = msg;

            this.isSASLConfigured = false;

            if (clientConfig.getJaasConfKey() != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("No JAAS configuration section named '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' was found in specified JAAS configuration file: '" + clientConfig.getJaasConfKey() + "'.");

            }

        }

    }

可以看处,默认读取的时Client模块下的配置,也会从zookeeper.sasl.clientconfig种读取。其登陆代码如下:

private SaslClient createSaslClient(String servicePrincipal, String loginContext) throws LoginException {

        try {

            if (!this.initializedLogin) {

                synchronized(this) {

                    if (this.login == null) {

                        if (LOG.isDebugEnabled()) {

                            LOG.debug("JAAS loginContext is: " + loginContext);

                        }

                        this.login = new Login(loginContext, new ZooKeeperSaslClient.ClientCallbackHandler((String)null), this.clientConfig);

                        this.login.startThreadIfNeeded();

                        this.initializedLogin = true;

                    }

                }

            }

            Subject subject = this.login.getSubject();

            SaslClient saslClient;

            if (subject.getPrincipals().isEmpty()) {

                LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");

                String[] mechs = new String[]{"DIGEST-MD5"};

                String username = (String)((String)subject.getPublicCredentials().toArray()[0]);

                String password = (String)((String)subject.getPrivateCredentials().toArray()[0]);

                saslClient = Sasl.createSaslClient(mechs, username, "zookeeper", "zk-sasl-md5", (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler(password));

                return saslClient;

            } else {

                boolean usingNativeJgss = this.clientConfig.getBoolean("sun.security.jgss.native");

                if (usingNativeJgss) {

                    try {

                        GSSManager manager = GSSManager.getInstance();

                        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");

                        GSSCredential cred = manager.createCredential((GSSName)null, 0, krb5Mechanism, 1);

                        subject.getPrivateCredentials().add(cred);

                    } catch (GSSException var16) {

                        LOG.warn("Cannot add private credential to subject; authentication at the server may fail", var16);

                    }

                }

                Object[] principals = subject.getPrincipals().toArray();

                Principal clientPrincipal = (Principal)principals[0];

                KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());

                String serverRealm = this.clientConfig.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());

                KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);

                final String serviceName = serviceKerberosName.getServiceName();

                final String serviceHostname = serviceKerberosName.getHostName();

                final String clientPrincipalName = clientKerberosName.toString();

                try {

                    saslClient = (SaslClient)Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {

                        public SaslClient run() throws SaslException {

                            ZooKeeperSaslClient.LOG.info("Client will use GSSAPI as SASL mechanism.");

                            String[] mechs = new String[]{"GSSAPI"};

                            ZooKeeperSaslClient.LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);

                            SaslClient saslClient = Sasl.createSaslClient(mechs, clientPrincipalName, serviceName, serviceHostname, (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler((String)null));

                            return saslClient;

                        }

                    });

                    return saslClient;

                } catch (Exception var15) {

                    LOG.error("Exception while trying to create SASL client", var15);

                    var15.printStackTrace();

                    return null;

                }

            }

        } catch (LoginException var18) {

            throw var18;

        } catch (Exception var19) {

            LOG.error("Exception while trying to create SASL client: " + var19);

            return null;

        }

    }

This is jaas.conf:

Client {

      com.sun.security.auth.module.Krb5LoginModule required

      useKeyTab=true

      doNotPrompt=true

      useTicketCache=true

      principal="test"

      keyTab="/home/keytab/user.keytab";

   };

Then set Java Options like :

--Djava.security.auth.login.config=/data/disk1/conf/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false

其他情况下,会使用com.sun.security.jgss.krb5.initiate来登陆,所以jaas.conf的配置如下:

com.sun.security.jgss.krb5.initiate {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/data/disk1/conf/test.keytab"

  principal="test"

  doNotPrompt=true;

};

使用JAAS文件登陆kerberos(zookeeper)的更多相关文章

  1. 关于hadoop登陆kerberos时设置环境变量问题的思考

    中心思想,设置kerberos环境变量时,发现JDK源码当中的一个问题,故描述如下. 在平时的使用中,如果hadoop集群配置kerberos认证的话,使用java访问hdfs或者hive时,需要先进 ...

  2. Kafka启用SASL_PLAINTEXT动态配置JAAS文件的几种方式

    Kafka是广泛使用消息服务,很多情况下关于认证部分我都是默认的配置,也就是不需要用户名/密码,也不配置证书.在内网或者在项目组内部可以,但是设计的跨部门时一般处于安全考虑都需要加上认证,防止kafk ...

  3. ssh通过pem文件登陆服务器

    一些为了安全操作,推荐使用私钥进行登录服务器,拿jenkins来说,默认的验证方式就是私钥 实现方式 先在本机通过ssh-keygen直接生成公私钥 如下在当前文件夹下生成my.pem(私钥)和my. ...

  4. paramiko 基于密钥文件登陆

    首先密钥登陆远程的原理 client 端 将公钥放在远程机器authorized_keys: 使用 ssh-copy-id  app@ip 接着在client机器生成密钥 使用ssh-keygen - ...

  5. 权限过大 ssh协议通过pem文件登陆

    root@oneweek:~# ssh -i uat.pem root@110.5.15.6@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ...

  6. Zookeeper集群安装(开启kerberos)

    安装规划 zookeeper集群模式,安装到如下三台机器 10.43.159.237 zdh-237 10.43.159.238 zdh-238 10.43.159.239 zdh-239 Kerbe ...

  7. centos7配置kerberos服务,并使用JAAS登录

    准备两个虚拟机:192.168.1.101.192.168.1.102,101作为kerberos的server端,102作为kerberos的client端.开启88端口. 1.安装kerberos ...

  8. ZooKeeper日志与快照文件简单分析

    有用过Zookeeper的都知道zoo.cfg配置文件中有dataDir配置项用于存储数据,不过可能有些人不太清楚这个目录具体存储的是那些数据,默认情况下这个目录是用于存储Log(事务日志)与Snap ...

  9. 为CDH 5.7集群添加Kerberos身份验证及Sentry权限控制

    转载请注明出处:http://www.cnblogs.com/xiaodf/ 4. 为CDH 5集群添加Kerberos身份验证 4.1 安装sentry1.点击“操作”,“添加服务”:2.选择sen ...

  10. kafka集群安全化之启用kerberos与acl

    一.背景 在我们部署完kafka之后,虽然我们已经可以“肆意”的用kafka了,但是在一个大公司的实际生产环境中,kafka集群往往十分庞大,每个使用者都应该只关心自己所负责的Topic,并且对其他人 ...

随机推荐

  1. 探究Presto SQL引擎(2)-浅析Join

    作者:vivo互联网技术-Shuai Guangying 在<探究Presto SQL引擎(1)-巧用Antlr>中,我们介绍了Antlr的基本用法以及如何使用Antlr4实现解析SQL查 ...

  2. vue中mixin作用

  3. python进阶(5)--函数

    文档目录: 一.函数体二.实参与形参三.返回值四.举例:函数+while循环五.举例:列表/元组/字典传递六.模块与函数的导入 ------------------------------------ ...

  4. Vue第二篇 Vue的常用指令

    01-demo <!DOCTYPE html> <html lang="en"> <head> <meta charset="U ...

  5. linux 查看服务器cpu 与内存配置

    转载请注明出处: 1. 通过 lscpu 命令查看 服务器的cpu 配置 显示格式: Architecture: #架构 CPU(s): #逻辑cpu颗数 Thread(s) per core: #每 ...

  6. 2023年度总结,互联网寒冬是躺平OR寻找风口

    一.前言 又到了年底,这一年过的真的好快,犹如白驹过隙. 身体快跃过去了,灵魂还没有. 拿起键盘却迟迟无法下手,经过三天终于完成了! 这是很颓很丧的一年,很难看到自己的成长,就像登山卡在半山腰,开车堵 ...

  7. 【SHELL】命令补全

    # 指定文件 dodo_path=/home/skull/work/scripts/dodo echo "hello skull" ## COMP_WORDS 是一个 bash 内 ...

  8. 【C】《C专家编程》阅读体会

     [来源]https://mp.weixin.qq.com/s/0kmN5knql4yrOuUcnebwIQ

  9. 如何从零开始实现TDOA技术的 UWB 精确定位系统(5)

    这是一个系列文章<如何从零开始实现TDOA技术的 UWB 精确定位系统>第5部分. 重要提示(劝退说明): Q:做这个定位系统需要基础么? A:文章不是写给小白看的,需要有电子技术和软件编 ...

  10. [转帖]配置 Windows XP 正常上网(TLS HTTPS),连接到 NAS

    https://zhuanlan.zhihu.com/p/208685816# 学习一下. 知乎用户8kqKq9 等 45 人赞同了该文章 Windows XP 是经典的.高效的.可靠的.性能良好的操 ...