Kerberos 5 Configuration

Since the SPNEGO mechanism will call JGSS, which in turns calls the Kerberos V5 login module to do real works. Kerberos 5 configurations are needed. which includes:

  • Some way to provide Kerberos configurations. This can be achieved with the Java system property java.security.krb5.conf. For example:
            java -Djava.security.krb5.conf=krb5.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName
  • A JAAS config file denoting what login module to use. HTTP SPNEGO codes will look for the standard entry named com.sun.security.jgss.krb5.initiate.

For example, you can provide a file spnegoLogin.conf:

          com.sun.security.jgss.krb5.initiate {

              com.sun.security.auth.module.Krb5LoginModule

                  required useTicketCache=true;

          };

and run java with:

            java -Djava.security.krb5.conf=krb5.conf \

                 -Djava.security.auth.login.config=spnegoLogin.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName

JAAS:https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzaha/rzahajaas10.htm

ZooKeeperSaslClient

在使用带Kerberos的zookeeper时,连接前需要进行认证,但是需要通过jaas机制去登陆Kerberos,这时候需要给JVM设置jaas.conf配置文件,zookeeper源码种等登陆模块如下:

public ZooKeeperSaslClient(String serverPrincipal, ZKClientConfig clientConfig) throws LoginException {

        this.saslState = ZooKeeperSaslClient.SaslState.INITIAL;

        this.gotLastPacket = false;

        String clientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client");

        this.clientConfig = clientConfig;

        AppConfigurationEntry[] entries = null;

        Object runtimeException = null;

        try {

            entries = Configuration.getConfiguration().getAppConfigurationEntry(clientSection);

        } catch (SecurityException var8) {

            runtimeException = var8;

        } catch (IllegalArgumentException var9) {

            runtimeException = var9;

        }

        if (entries != null) {

            this.configStatus = "Will attempt to SASL-authenticate using Login Context section '" + clientSection + "'";

            this.saslClient = this.createSaslClient(serverPrincipal, clientSection);

        } else {

            this.saslState = ZooKeeperSaslClient.SaslState.FAILED;

            String explicitClientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig");

            if (explicitClientSection != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the " + explicitClientSection + " section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("Client cannot SASL-authenticate because the specified JAAS configuration section '" + explicitClientSection + "' could not be found.");

            }

            String msg = "Will not attempt to authenticate using SASL ";

            if (runtimeException != null) {

                msg = msg + "(" + runtimeException + ")";

            } else {

                msg = msg + "(unknown error)";

            }

            this.configStatus = msg;

            this.isSASLConfigured = false;

            if (clientConfig.getJaasConfKey() != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("No JAAS configuration section named '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' was found in specified JAAS configuration file: '" + clientConfig.getJaasConfKey() + "'.");

            }

        }

    }

可以看处,默认读取的时Client模块下的配置,也会从zookeeper.sasl.clientconfig种读取。其登陆代码如下:

private SaslClient createSaslClient(String servicePrincipal, String loginContext) throws LoginException {

        try {

            if (!this.initializedLogin) {

                synchronized(this) {

                    if (this.login == null) {

                        if (LOG.isDebugEnabled()) {

                            LOG.debug("JAAS loginContext is: " + loginContext);

                        }

                        this.login = new Login(loginContext, new ZooKeeperSaslClient.ClientCallbackHandler((String)null), this.clientConfig);

                        this.login.startThreadIfNeeded();

                        this.initializedLogin = true;

                    }

                }

            }

            Subject subject = this.login.getSubject();

            SaslClient saslClient;

            if (subject.getPrincipals().isEmpty()) {

                LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");

                String[] mechs = new String[]{"DIGEST-MD5"};

                String username = (String)((String)subject.getPublicCredentials().toArray()[0]);

                String password = (String)((String)subject.getPrivateCredentials().toArray()[0]);

                saslClient = Sasl.createSaslClient(mechs, username, "zookeeper", "zk-sasl-md5", (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler(password));

                return saslClient;

            } else {

                boolean usingNativeJgss = this.clientConfig.getBoolean("sun.security.jgss.native");

                if (usingNativeJgss) {

                    try {

                        GSSManager manager = GSSManager.getInstance();

                        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");

                        GSSCredential cred = manager.createCredential((GSSName)null, 0, krb5Mechanism, 1);

                        subject.getPrivateCredentials().add(cred);

                    } catch (GSSException var16) {

                        LOG.warn("Cannot add private credential to subject; authentication at the server may fail", var16);

                    }

                }

                Object[] principals = subject.getPrincipals().toArray();

                Principal clientPrincipal = (Principal)principals[0];

                KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());

                String serverRealm = this.clientConfig.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());

                KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);

                final String serviceName = serviceKerberosName.getServiceName();

                final String serviceHostname = serviceKerberosName.getHostName();

                final String clientPrincipalName = clientKerberosName.toString();

                try {

                    saslClient = (SaslClient)Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {

                        public SaslClient run() throws SaslException {

                            ZooKeeperSaslClient.LOG.info("Client will use GSSAPI as SASL mechanism.");

                            String[] mechs = new String[]{"GSSAPI"};

                            ZooKeeperSaslClient.LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);

                            SaslClient saslClient = Sasl.createSaslClient(mechs, clientPrincipalName, serviceName, serviceHostname, (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler((String)null));

                            return saslClient;

                        }

                    });

                    return saslClient;

                } catch (Exception var15) {

                    LOG.error("Exception while trying to create SASL client", var15);

                    var15.printStackTrace();

                    return null;

                }

            }

        } catch (LoginException var18) {

            throw var18;

        } catch (Exception var19) {

            LOG.error("Exception while trying to create SASL client: " + var19);

            return null;

        }

    }

This is jaas.conf:

Client {

      com.sun.security.auth.module.Krb5LoginModule required

      useKeyTab=true

      doNotPrompt=true

      useTicketCache=true

      principal="test"

      keyTab="/home/keytab/user.keytab";

   };

Then set Java Options like :

--Djava.security.auth.login.config=/data/disk1/conf/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false

其他情况下,会使用com.sun.security.jgss.krb5.initiate来登陆,所以jaas.conf的配置如下:

com.sun.security.jgss.krb5.initiate {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/data/disk1/conf/test.keytab"

  principal="test"

  doNotPrompt=true;

};

使用JAAS文件登陆kerberos(zookeeper)的更多相关文章

  1. 关于hadoop登陆kerberos时设置环境变量问题的思考

    中心思想,设置kerberos环境变量时,发现JDK源码当中的一个问题,故描述如下. 在平时的使用中,如果hadoop集群配置kerberos认证的话,使用java访问hdfs或者hive时,需要先进 ...

  2. Kafka启用SASL_PLAINTEXT动态配置JAAS文件的几种方式

    Kafka是广泛使用消息服务,很多情况下关于认证部分我都是默认的配置,也就是不需要用户名/密码,也不配置证书.在内网或者在项目组内部可以,但是设计的跨部门时一般处于安全考虑都需要加上认证,防止kafk ...

  3. ssh通过pem文件登陆服务器

    一些为了安全操作,推荐使用私钥进行登录服务器,拿jenkins来说,默认的验证方式就是私钥 实现方式 先在本机通过ssh-keygen直接生成公私钥 如下在当前文件夹下生成my.pem(私钥)和my. ...

  4. paramiko 基于密钥文件登陆

    首先密钥登陆远程的原理 client 端 将公钥放在远程机器authorized_keys: 使用 ssh-copy-id  app@ip 接着在client机器生成密钥 使用ssh-keygen - ...

  5. 权限过大 ssh协议通过pem文件登陆

    root@oneweek:~# ssh -i uat.pem root@110.5.15.6@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ...

  6. Zookeeper集群安装(开启kerberos)

    安装规划 zookeeper集群模式,安装到如下三台机器 10.43.159.237 zdh-237 10.43.159.238 zdh-238 10.43.159.239 zdh-239 Kerbe ...

  7. centos7配置kerberos服务,并使用JAAS登录

    准备两个虚拟机:192.168.1.101.192.168.1.102,101作为kerberos的server端,102作为kerberos的client端.开启88端口. 1.安装kerberos ...

  8. ZooKeeper日志与快照文件简单分析

    有用过Zookeeper的都知道zoo.cfg配置文件中有dataDir配置项用于存储数据,不过可能有些人不太清楚这个目录具体存储的是那些数据,默认情况下这个目录是用于存储Log(事务日志)与Snap ...

  9. 为CDH 5.7集群添加Kerberos身份验证及Sentry权限控制

    转载请注明出处:http://www.cnblogs.com/xiaodf/ 4. 为CDH 5集群添加Kerberos身份验证 4.1 安装sentry1.点击“操作”,“添加服务”:2.选择sen ...

  10. kafka集群安全化之启用kerberos与acl

    一.背景 在我们部署完kafka之后,虽然我们已经可以“肆意”的用kafka了,但是在一个大公司的实际生产环境中,kafka集群往往十分庞大,每个使用者都应该只关心自己所负责的Topic,并且对其他人 ...

随机推荐

  1. 【HZERO】安全体系

    安全体系 https://open.hand-china.com/community/detail/521336056218521600#前言前言open&doc-0

  2. 遇到 Request header is too large,你是如何解决的?

    看到群里有小伙伴问,这个异常要怎么解决: java.lang.IllegalArgumentException: Request header is too large 异常原因 根据Exceptio ...

  3. 通过 Homebrew 在 Mac OS X 上安装和配置 Redis

    通过使用 Homebrew,可以大大降低在 Mac OS X 上设置和配置开发环境的成本. 让我们安装 Redis. $ brew install redis 安装后,我们将看到一些有关配置注意事项的 ...

  4. JSP | JavaBean 的基本使用方法与 IDEA 配置

    上一篇重新编写了 IDEA 2021.2 新建JavaWeb项目及Tomcat部署, 接下来的本篇文章才是核心,JavaBean的基本使用方法与 IDEA 配置 JavaBean概述 JavaBean ...

  5. CodeForces-339B-Xenia and Ringroad (循环队列,水题)

    Xenia lives in a city that has n houses built along the main ringroad. The ringroad houses are numbe ...

  6. Codeforces Round #663 (Div. 2) (A~C题,C题 Good)

    比赛链接:Here 1391A. Suborrays 简单构造题, 把 \(n\) 放最前面,接着补 \(1\) ~ \(n - 1\) 即可 1391B. Fix You \((1,1)\) -&g ...

  7. Tomcat 优雅关闭之路

    本文首发于 vivo互联网技术 微信公众号 链接:https://mp.weixin.qq.com/s/ZqkmoAR4JEYr0x0Suoq7QQ作者:马运杰 本文通过阅读Tomcat启动和关闭流程 ...

  8. 创新推出 | Serverless 调试大杀器:端云联调

    背景 说起当前最火一个技术, 不可避免地讨论到一个概念: Serverless.作为一种新型的应用架构,Serverless 让我们摆脱了维护基础设施的繁琐,只需要上传代码包或者镜像, 即可得到一个弹 ...

  9. C#设计模式15——观察者模式的写法

    是什么: 观察者模式是一种设计模式,它定义了对象之间的一种一对多的依赖关系,使得当一个对象状态发生改变时,它的所有依赖者都能够得到相应的通知并作出相应的反应.观察者模式也被称为发布-订阅模式. 为什么 ...

  10. springboot启动流程 (3) 自动装配

    在SpringBoot中,EnableAutoConfiguration注解用于开启自动装配功能. 本文将详细分析该注解的工作流程. EnableAutoConfiguration注解 启用Sprin ...