Resolve authentication issues with Kerberos logic

1 parent 8996eec commit 4d91e44808ee67e17f034bc4a7d5f6b77bbda235 @patricioe patricioe committed Oct 27, 2011
@@ -26,15 +26,17 @@
private static Logger log = LoggerFactory.getLogger(HKerberosThriftClient.class);
private Subject kerberosTicket;
+ private String servicePrincipalName;
/**
* Constructor
* @param kerberosTicket
* @param cassandraHost
*/
- public HKerberosThriftClient(Subject kerberosTicket, CassandraHost cassandraHost) {
+ public HKerberosThriftClient(Subject kerberosTicket, CassandraHost cassandraHost, String servicePrincipalName) {
super(cassandraHost);
this.kerberosTicket = kerberosTicket;
+ this.servicePrincipalName = servicePrincipalName;
}
/**
@@ -57,14 +59,6 @@ public HKerberosThriftClient open() {
}
}
- // Kerberos authentication
- Socket internalSocket = socket.getSocket();
-
- final GSSContext clientContext = KerberosHelper.authenticateClient(internalSocket, kerberosTicket);
-
- if (clientContext == null)
- throw new HectorTransportException("Kerberos context couldn't be established with client.");
-
// TODO (patricioe) What should I do with it ?
// KerberosHelper.getSourcePrinciple(clientContext));
@@ -84,6 +78,17 @@ public HKerberosThriftClient open() {
throw new HectorTransportException("Unable to open transport to " + cassandraHost.getName() +" , " +
e.getLocalizedMessage(), e);
}
+
+ // Kerberos authentication
+ Socket internalSocket = socket.getSocket();
+
+ final GSSContext clientContext = KerberosHelper.authenticateClient(internalSocket, kerberosTicket, servicePrincipalName);
+
+ if (clientContext == null) {
+ close();
+ throw new HectorTransportException("Kerberos context couldn't be established with client.");
+ }
+
return this;
}
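Review bot: The established `clientContext` is discarded when `open()` returns (the `return this;` right after the null check) without `dispose()`, so the GSS context's resources are never released; either keep it in a field and release it from `close()`, or call `clientContext.dispose()` immediately after the handshake if the handshake is all that is needed. Only the bare `servicePrincipalName` is handed to the helper, so nothing in this method ties the Kerberos target to `cassandraHost`; passing the host name as well (the class already uses `cassandraHost.getName()` for messages — whether that is the DNS name the ticket should name, I cannot tell from here) would let the helper ask for a ticket for the server it actually connects to. The new `close()` call on failure runs against a transport that was just opened but never authenticated; its body is outside this hunk, so please confirm it tolerates that state.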
@@ -24,6 +24,7 @@
* <li><code>sun.security.krb5.debug</code>. Set to <code>TRUE</code> for debug. Default is <code>FALSE</code>.
* <li><code>kerberos.client.reference.name</code> Kerberos client reference name specified in <code>jaas.conf</code>.
* Default: "Client".
+ * <li><code>kerberos.service.principal.name</code> Kerberos Service principal name without the domain. Default: "cassandra".
* <li><code>kerberos.client.principal.name</code> Username for when .keytab file is not specified.
* <li><code>kerberos.client.password</code> Password for then .keytab file is not specified.
* </ul>
@@ -57,6 +58,9 @@
* };
* </pre>
*
+ * <code>useKeyTab</code> and <code>keytab</code> can be omitted if <code>kerberos.client.principal.name</code>
+ * and <code>kerberos.client.password</code> are specified.
+ *
* @see HKerberosThriftClient
*
* @author patricioe (Patricio Echague - patricioe@gmail.com)
@@ -66,10 +70,11 @@
private static final Logger log = LoggerFactory.getLogger(HKerberosSecuredThriftClientFactoryImpl.class);
- public static final String JAAS_CONFIG = "./jaas.conf";
- public static final String KRB5_CONFIG = "./krb5.conf";
+ public static final String JAAS_CONFIG = "jaas.conf";
+ public static final String KRB5_CONFIG = "krb5.conf";
private final Subject kerberosTicket;
+ private String krbServicePrincipalName;
public HKerberosSecuredThriftClientFactoryImpl() {
String jaasConf = System.getProperty("java.security.auth.login.config");
@@ -78,6 +83,7 @@ public HKerberosSecuredThriftClientFactoryImpl() {
String krbClientReferenceName = System.getProperty("kerberos.client.reference.name");
String krbClientUsername = System.getProperty("kerberos.client.principal.name");
String krbClientPassword = System.getProperty("kerberos.client.password");
+ krbServicePrincipalName = System.getProperty("kerberos.service.principal.name");
if (krbDebug == null)
System.setProperty("sun.security.krb5.debug", "false");
@@ -90,6 +96,9 @@ public HKerberosSecuredThriftClientFactoryImpl() {
if (krbClientReferenceName == null)
krbClientReferenceName = "Client";
+
+ if (krbServicePrincipalName == null)
+ krbServicePrincipalName = "cassandra";
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
@@ -98,7 +107,8 @@ public HKerberosSecuredThriftClientFactoryImpl() {
log.info(" sun.security.krb5.debug = {}", System.getProperty("sun.security.krb5.debug"));
log.info(" java.security.auth.login.config = {}", System.getProperty("java.security.auth.login.config"));
log.info(" java.security.krb5.conf = {}", System.getProperty("java.security.krb5.conf"));
- log.info(" kerberos.client.reference.name = {}", System.getProperty("kerberos.client.reference.name"));
+ log.info(" kerberos.client.reference.name = {}", System.getProperty("kerberos.client.reference.name", krbClientReferenceName));
+ log.info(" kerberos.service.principal.name = {}", System.getProperty("kerberos.service.principal.name", krbServicePrincipalName));
log.info(" kerberos.client.principal.name = {}", System.getProperty("kerberos.client.principal.name"));
log.info(" kerberos.client.password = {}", System.getProperty("kerberos.client.password"));
log.info(" javax.security.auth.useSubjectCredsOnly = true");
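Review bot: The `log.info(" kerberos.client.password = {}", ...)` line writes the Kerberos password in clear text to the application log at INFO level, where it ends up in log files, aggregators and crash reports. Replace it with a redacted marker, e.g. `log.info(" kerberos.client.password = {}", krbClientPassword == null ? "(not set)" : "********");`, and treat the same property with care elsewhere, since a password passed as a JVM system property is also visible to anyone who can list the process's command line. The new `kerberos.service.principal.name` line is fine; note that reading the properties a second time via `System.getProperty(..., default)` duplicates the defaulting logic above — logging the already-resolved locals (`krbClientReferenceName`, `krbServicePrincipalName`) would be simpler and cannot drift.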
@@ -124,7 +134,7 @@ public HClient createClient(CassandraHost ch) {
if (log.isDebugEnabled()) {
log.debug("Creation of new client");
}
- return new HKerberosThriftClient(kerberosTicket, ch);
+ return new HKerberosThriftClient(kerberosTicket, ch, krbServicePrincipalName);
}
}
@@ -17,6 +17,7 @@
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -64,18 +65,23 @@ public static Subject loginService(String serviceName, String username, String p
* The socket used for communication
* @param subject
* The Kerberos service subject
+ * @param servicePrincipalName
+ * Service principal name
*
* @return context if authorized or null
*/
- public static GSSContext authenticateClient(final Socket socket, Subject subject) {
+ public static GSSContext authenticateClient(final Socket socket, Subject subject, final String servicePrincipalName) {
return Subject.doAs(subject, new PrivilegedAction<GSSContext>() {
public GSSContext run() {
try {
GSSManager manager = GSSManager.getInstance();
- GSSContext context = manager.createContext((GSSCredential) null);
+ GSSName peerName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
+ GSSContext context = manager.createContext(peerName, null, null, GSSContext.DEFAULT_LIFETIME);
- while (!context.isEstablished())
- context.acceptSecContext(socket.getInputStream(), socket.getOutputStream());
+ // Loop while the context is still not established
+ while (!context.isEstablished()) {
+ context.initSecContext(socket.getInputStream(), socket.getOutputStream());
+ }
return context;
} catch (Exception e) {
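Review bot: `manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE)` is built from the bare service name ("cassandra" by default) with no `@host` part; as far as I recall, the JDK's Kerberos provider fills a host-less host-based name with the local host name, so the client would request a ticket for `cassandra/<client-host>` rather than for the Cassandra node it is talking to, and the service name is never bound to the peer. The loop also relies on the mechanism's default for mutual authentication: without an explicit `context.requestMutualAuth(true)` and a check of `context.getMutualAuthState()` after establishment, a context can become established after the client's first token alone, which lets any endpoint that swallows the token pass as the server. I would take the target host as a parameter and make mutual authentication explicit, as sketched below; the `catch` body that presumably logs and returns `null` lies outside this hunk.
```java
public static GSSContext authenticateClient(final Socket socket, Subject subject,
        final String servicePrincipalName, final String serviceHost) {
    // … unchanged: Subject.doAs / PrivilegedAction wrapper, try …
    GSSManager manager = GSSManager.getInstance();
    // Name the server we intend to reach; a host-less name is not bound to the peer.
    GSSName peerName = manager.createName(servicePrincipalName + "@" + serviceHost,
            GSSName.NT_HOSTBASED_SERVICE);
    GSSContext context = manager.createContext(peerName, null, null, GSSContext.DEFAULT_LIFETIME);
    context.requestMutualAuth(true);
    while (!context.isEstablished()) {
        context.initSecContext(socket.getInputStream(), socket.getOutputStream());
    }
    // Refuse a context on which the server never proved its identity.
    if (!context.getMutualAuthState()) {
        context.dispose();
        return null;
    }
    return context;
```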
@@ -1,18 +1,17 @@
Client {
com.sun.security.auth.module.Krb5LoginModule required
- useKeyTab=true
- keyTab="./hector-kerberos.keytab"
+ useKeyTab=false
useTicketCache=true
renewTGT=true
storeKey=true
- principal="<user_name>@your_realm";
+ principal="pato@SOMEDOMAIN.COM";
};
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
storeKey=true
useTicketCache=false
- principal="service_principal@your_realm";
+ principal="cassandra/HOST@SOMEDOMAIN.COM";
};
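Review bot: `storeKey=true` on the Client entry keeps the principal's long-term key in the Subject's private credentials; with `useKeyTab=false` the client only needs a TGT, so the stored key adds nothing and widens what a compromised client process can leak — drop it from the Client entry (it belongs on the Server entry). The sample also now carries a concrete user principal, `pato@SOMEDOMAIN.COM`; a placeholder such as `principal="<user>@YOUR.REALM";` makes it obvious that the value must be replaced rather than copied. As far as this file alone shows, the Server entry has `useKeyTab=false` and `useTicketCache=false`, which leaves it no non-interactive credential source; a service entry normally points at a keytab.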
@@ -1,9 +1,14 @@
[libdefaults]
- default_realm = DATASTAX.COM
- default_checksum = rsa-md5
+ default_realm = SOMEDOMAIN.COM
+ default_checksum = rsa-md5
[realms]
- DATASTAX.COM = {
- kdc = 50.18.24.96
- }
+ SOMEDOMAIN.COM = {
+ kdc = somadomain.com
+ admin_server = somedomain.com
+ }
+
+[domain_realm]
+ somedomain.com = SOMEDOMAIN.COM
+}
