Kerberos 5 Configuration

Since the SPNEGO mechanism will call JGSS, which in turns calls the Kerberos V5 login module to do real works. Kerberos 5 configurations are needed. which includes:

  • Some way to provide Kerberos configurations. This can be achieved with the Java system property java.security.krb5.conf. For example:
            java -Djava.security.krb5.conf=krb5.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName
  • A JAAS config file denoting what login module to use. HTTP SPNEGO codes will look for the standard entry named com.sun.security.jgss.krb5.initiate.

For example, you can provide a file spnegoLogin.conf:

          com.sun.security.jgss.krb5.initiate {

              com.sun.security.auth.module.Krb5LoginModule

                  required useTicketCache=true;

          };

and run java with:

            java -Djava.security.krb5.conf=krb5.conf \

                 -Djava.security.auth.login.config=spnegoLogin.conf \

                 -Djavax.security.auth.useSubjectCredsOnly=false \

                 ClassName

JAAS:https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzaha/rzahajaas10.htm

ZooKeeperSaslClient

在使用带Kerberos的zookeeper时,连接前需要进行认证,但是需要通过jaas机制去登陆Kerberos,这时候需要给JVM设置jaas.conf配置文件,zookeeper源码种等登陆模块如下:

public ZooKeeperSaslClient(String serverPrincipal, ZKClientConfig clientConfig) throws LoginException {

        this.saslState = ZooKeeperSaslClient.SaslState.INITIAL;

        this.gotLastPacket = false;

        String clientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client");

        this.clientConfig = clientConfig;

        AppConfigurationEntry[] entries = null;

        Object runtimeException = null;

        try {

            entries = Configuration.getConfiguration().getAppConfigurationEntry(clientSection);

        } catch (SecurityException var8) {

            runtimeException = var8;

        } catch (IllegalArgumentException var9) {

            runtimeException = var9;

        }

        if (entries != null) {

            this.configStatus = "Will attempt to SASL-authenticate using Login Context section '" + clientSection + "'";

            this.saslClient = this.createSaslClient(serverPrincipal, clientSection);

        } else {

            this.saslState = ZooKeeperSaslClient.SaslState.FAILED;

            String explicitClientSection = clientConfig.getProperty("zookeeper.sasl.clientconfig");

            if (explicitClientSection != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the " + explicitClientSection + " section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("Client cannot SASL-authenticate because the specified JAAS configuration section '" + explicitClientSection + "' could not be found.");

            }

            String msg = "Will not attempt to authenticate using SASL ";

            if (runtimeException != null) {

                msg = msg + "(" + runtimeException + ")";

            } else {

                msg = msg + "(unknown error)";

            }

            this.configStatus = msg;

            this.isSASLConfigured = false;

            if (clientConfig.getJaasConfKey() != null) {

                if (runtimeException != null) {

                    throw new LoginException("Zookeeper client cannot authenticate using the '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' section of the supplied JAAS configuration: '" + clientConfig.getJaasConfKey() + "' because of a RuntimeException: " + runtimeException);

                }

                throw new LoginException("No JAAS configuration section named '" + clientConfig.getProperty("zookeeper.sasl.clientconfig", "Client") + "' was found in specified JAAS configuration file: '" + clientConfig.getJaasConfKey() + "'.");

            }

        }

    }

可以看处,默认读取的时Client模块下的配置,也会从zookeeper.sasl.clientconfig种读取。其登陆代码如下:

private SaslClient createSaslClient(String servicePrincipal, String loginContext) throws LoginException {

        try {

            if (!this.initializedLogin) {

                synchronized(this) {

                    if (this.login == null) {

                        if (LOG.isDebugEnabled()) {

                            LOG.debug("JAAS loginContext is: " + loginContext);

                        }

                        this.login = new Login(loginContext, new ZooKeeperSaslClient.ClientCallbackHandler((String)null), this.clientConfig);

                        this.login.startThreadIfNeeded();

                        this.initializedLogin = true;

                    }

                }

            }

            Subject subject = this.login.getSubject();

            SaslClient saslClient;

            if (subject.getPrincipals().isEmpty()) {

                LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");

                String[] mechs = new String[]{"DIGEST-MD5"};

                String username = (String)((String)subject.getPublicCredentials().toArray()[0]);

                String password = (String)((String)subject.getPrivateCredentials().toArray()[0]);

                saslClient = Sasl.createSaslClient(mechs, username, "zookeeper", "zk-sasl-md5", (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler(password));

                return saslClient;

            } else {

                boolean usingNativeJgss = this.clientConfig.getBoolean("sun.security.jgss.native");

                if (usingNativeJgss) {

                    try {

                        GSSManager manager = GSSManager.getInstance();

                        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");

                        GSSCredential cred = manager.createCredential((GSSName)null, 0, krb5Mechanism, 1);

                        subject.getPrivateCredentials().add(cred);

                    } catch (GSSException var16) {

                        LOG.warn("Cannot add private credential to subject; authentication at the server may fail", var16);

                    }

                }

                Object[] principals = subject.getPrincipals().toArray();

                Principal clientPrincipal = (Principal)principals[0];

                KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());

                String serverRealm = this.clientConfig.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());

                KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);

                final String serviceName = serviceKerberosName.getServiceName();

                final String serviceHostname = serviceKerberosName.getHostName();

                final String clientPrincipalName = clientKerberosName.toString();

                try {

                    saslClient = (SaslClient)Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {

                        public SaslClient run() throws SaslException {

                            ZooKeeperSaslClient.LOG.info("Client will use GSSAPI as SASL mechanism.");

                            String[] mechs = new String[]{"GSSAPI"};

                            ZooKeeperSaslClient.LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);

                            SaslClient saslClient = Sasl.createSaslClient(mechs, clientPrincipalName, serviceName, serviceHostname, (Map)null, new ZooKeeperSaslClient.ClientCallbackHandler((String)null));

                            return saslClient;

                        }

                    });

                    return saslClient;

                } catch (Exception var15) {

                    LOG.error("Exception while trying to create SASL client", var15);

                    var15.printStackTrace();

                    return null;

                }

            }

        } catch (LoginException var18) {

            throw var18;

        } catch (Exception var19) {

            LOG.error("Exception while trying to create SASL client: " + var19);

            return null;

        }

    }

This is jaas.conf:

Client {

      com.sun.security.auth.module.Krb5LoginModule required

      useKeyTab=true

      doNotPrompt=true

      useTicketCache=true

      principal="test"

      keyTab="/home/keytab/user.keytab";

   };

Then set Java Options like :

--Djava.security.auth.login.config=/data/disk1/conf/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false

其他情况下,会使用com.sun.security.jgss.krb5.initiate来登陆,所以jaas.conf的配置如下:

com.sun.security.jgss.krb5.initiate {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/data/disk1/conf/test.keytab"

  principal="test"

  doNotPrompt=true;

};

使用JAAS文件登陆kerberos(zookeeper)的更多相关文章

  1. 关于hadoop登陆kerberos时设置环境变量问题的思考

    中心思想,设置kerberos环境变量时,发现JDK源码当中的一个问题,故描述如下. 在平时的使用中,如果hadoop集群配置kerberos认证的话,使用java访问hdfs或者hive时,需要先进 ...

  2. Kafka启用SASL_PLAINTEXT动态配置JAAS文件的几种方式

    Kafka是广泛使用消息服务,很多情况下关于认证部分我都是默认的配置,也就是不需要用户名/密码,也不配置证书.在内网或者在项目组内部可以,但是设计的跨部门时一般处于安全考虑都需要加上认证,防止kafk ...

  3. ssh通过pem文件登陆服务器

    一些为了安全操作,推荐使用私钥进行登录服务器,拿jenkins来说,默认的验证方式就是私钥 实现方式 先在本机通过ssh-keygen直接生成公私钥 如下在当前文件夹下生成my.pem(私钥)和my. ...

  4. paramiko 基于密钥文件登陆

    首先密钥登陆远程的原理 client 端 将公钥放在远程机器authorized_keys: 使用 ssh-copy-id  app@ip 接着在client机器生成密钥 使用ssh-keygen - ...

  5. 权限过大 ssh协议通过pem文件登陆

    root@oneweek:~# ssh -i uat.pem root@110.5.15.6@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ...

  6. Zookeeper集群安装(开启kerberos)

    安装规划 zookeeper集群模式,安装到如下三台机器 10.43.159.237 zdh-237 10.43.159.238 zdh-238 10.43.159.239 zdh-239 Kerbe ...

  7. centos7配置kerberos服务,并使用JAAS登录

    准备两个虚拟机:192.168.1.101.192.168.1.102,101作为kerberos的server端,102作为kerberos的client端.开启88端口. 1.安装kerberos ...

  8. ZooKeeper日志与快照文件简单分析

    有用过Zookeeper的都知道zoo.cfg配置文件中有dataDir配置项用于存储数据,不过可能有些人不太清楚这个目录具体存储的是那些数据,默认情况下这个目录是用于存储Log(事务日志)与Snap ...

  9. 为CDH 5.7集群添加Kerberos身份验证及Sentry权限控制

    转载请注明出处:http://www.cnblogs.com/xiaodf/ 4. 为CDH 5集群添加Kerberos身份验证 4.1 安装sentry1.点击“操作”,“添加服务”:2.选择sen ...

  10. kafka集群安全化之启用kerberos与acl

    一.背景 在我们部署完kafka之后,虽然我们已经可以“肆意”的用kafka了,但是在一个大公司的实际生产环境中,kafka集群往往十分庞大,每个使用者都应该只关心自己所负责的Topic,并且对其他人 ...

随机推荐

  1. #pragma的常用方法

    概述 我们在写代码时,总会遇到头文件多次包含的情况,刚开始时我们使用宏定义进行控制,之后发现有#pragma once这样简单的东西,当时是很兴奋,以为#pragma就这一种用法.唉~,现在想想当时还 ...

  2. 记录一次centost docker 容器 占满磁盘100% 的处理

    备忘 1.查看系统磁盘使用情况 df -h 2.查看docker镜像及容器空间占比 docker system df 3.查找大文件 find / -type f -size +100M -print ...

  3. C++ Lambda 快速上手

    Lambda 听起来非常的牛逼,很容易就会联想到函数式编程或者 Lambda 演算这样的东西.但是在 C++里,没那么复杂,就把它当匿名函数用就好了 HelloWorld 对于降序排序,我们可以这样写 ...

  4. Dubbo 泛化调用在vivo统一配置系统的应用

    作者:vivo 互联网服务器团队- Wang Fei.LinYupan Dubbo泛化调用特性可以在不依赖服务接口API包的场景中发起远程调用, 这种特性特别适合框架集成和网关类应用开发. 本文结合在 ...

  5. Web3初步实践总结

    大家好~Web3是2021年才开始的浪潮,我非常赞同Web3的去中心化的理念,并且最近从Web2全面转向Web3了. 现在与大家分享我的实践的经验,希望对大家有所帮助,谢谢! 目录 为什么要转向Web ...

  6. git或gitee 提交代码到远程仓库

    本文为博主原创,未经允许不得转载: 1. 选中远程仓库,并fork 指定的项目到自己的私仓: fork 之后,打开我的仓库便能看到刚刚fork 的项目. 2. clone 项目代码到自己电脑的本地仓库 ...

  7. Vue之将前端的筛选结果导出为csv文件

    有导入就有导出哈!这里继导入之后记录一下导出的实现过程. 1.按钮部分: <el-button class="filter-item" style="margin- ...

  8. Vue2 - 配置跨域

    在根目录下创建 vue.config.js 文件 . 即可 vue.config.js : // vue.config.js 配置说明 //官方vue.config.js 参考文档 https://c ...

  9. SpringMVC06——数据绑定——2021-05-09

    数据绑定介绍 在执行程序时,SpringMVC会根据客户端请求参数的不同, 将请求信息中的信息以一定的方式转换并绑定到控制器类的方法参数中. 在数据绑定过程中,SpringMVC框架会通过数据绑定组件 ...

  10. Mygin 实现简单Http

    本篇是完全参考gin的功能,自己手动实现一个类似的功能,帮助自己理解和学习gin框架 目的 简单介绍net/http库以及http.Handler接口 实现简单的功能 标准库启动Web服务 impor ...