
We are developing a web application that interacts with hadoop components such as HDFS, HBase and Impala. The cluster is kerberized, we are authenticating with JAAS config. We are configuring JAAS in VM arguments as below

-Djava.security.auth.login.config=/user/gss-jaas.conf
-Djava.security.krb5.conf=/user/krb5.ini
-Djavax.security.auth.useSubjectCredsOnly=false 

Our JAAS config is as below

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="dummy@SOME.REALM"
  debug=false;
};

It works fine when connecting to HBase and HDFS. But while connecting with Impala, we are facing problems. We can connect with Impala when we change `com.sun.security.jgss.initiate` to `Client`, but we don't want to change or switch between JAAS configs.

Is there any way we can use the same JAAS config file for all services? We don't want to use System.setProperties to do this, and also, when switching between JAAS configs, we are getting exceptions. So using the same config file would be better.

Any help?

Mathivanan

2 Answers


You don't have to switch. Just use both!

Did you wonder why there are two mandatory ; -- one after the last parameter, and one after the brace? That's because you can have multiple mechanisms defined inside the section (tried from 1st to last), and multiple sections (with different names) in the same config file.

Look into the Kafka documentation, for example, to see how they set the JAAS configuration for both the broker and the client apps in the same file: http://docs.confluent.io/current/kafka/sasl.html

And in case you are curious about the multiple mechanisms, look into the Java documentation (but be careful, that stuff is a nightmare to tweak and debug...) https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Samson Scharfrichter
  • By the way, `com.sun.security.jgss.initiate` is still supported but it's deprecated, you should use explicitly `com.sun.security.jgss.krb5.initiate` instead – Samson Scharfrichter Aug 19 '17 at 22:12
  • And if you are curious about the way JAAS loads your configuration (or if you need to debug your configuration, because syntax errors and FileNotFound are not reported by default): `-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext` – Samson Scharfrichter Aug 19 '17 at 22:21

Just to give an example of Samson Scharfrichter's answer,

I had the same issue with MongoDB connections.

We can do this for your use case:

com.sun.security.jgss.initiate {
  // first connection details
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="dummy@SOME.REALM"
  debug=false;

  // second connection details
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy2.keytab"
  principal="dummy2@SOME.REALM"
  debug=false;
};

If you want to mix multiple different services:

// First component details: HBase / Impala / MongoDB with two different Kerberos connection details
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="dummy@SOME.REALM"
  debug=false;

  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy2.keytab"
  principal="dummy2@SOME.REALM"
  debug=false;
};

// Kafka with two different Kerberos connection details
SimpleClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="dummy@SOME.REALM"
  debug=false;

  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy2.keytab"
  principal="dummy2@SOME.REALM"
  debug=false;
};
JBaba
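Both answers rely on the same two facts about the JAAS file format: a file may hold several named entries, and each entry may hold several LoginModule stanzas, with one `;` closing every stanza and a second `;` closing the entry. Samson's comment adds the practical trap: the JVM does not report a syntax error or a missing file unless `-Djava.security.debug=configfile,...` is set, so a broken file silently leaves a service with no entry. The following is an added example, not code from the question, from either answer, or from any Hadoop or Impala project: a small Python parser for that grammar plus a pre-flight check that confirms the entries your services will ask for are present and that every keytab referenced actually exists on disk. The sample configuration is constructed for the example: it merges the asker's entry, under the `com.sun.security.jgss.krb5.initiate` name the comment recommends, with a `Client` entry, the name the asker reports Impala needs; the keytab path and principal are placeholders, and the `file:` prefix handling only mirrors the `keyTab="file:C:/..."` form used in the question.

```python
"""Offline pre-flight check for a JAAS login configuration file: every LoginModule
stanza ends with ';' and every entry with '};'. The JVM stays silent about a missing
file or a syntax error unless -Djava.security.debug=configfile is set."""
import os
import re

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
# comment | "quoted value" | punctuation | bare word | stray char (syntax error)
_TOKEN_RE = re.compile(r'//[^\n]*|/\*.*?\*/|"([^"]*)"|([{};=])|([^\s{};="]+)|(\S)', re.S)


def tokenize(text):
    tokens = []
    for m in _TOKEN_RE.finditer(text):
        if m.group(0).startswith(("//", "/*")):
            continue                                  # both JAAS comment styles
        if m.group(4) is not None:
            raise ValueError(f"unexpected character {m.group(4)!r}")
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        else:
            tokens.append(("sym" if m.group(2) else "word", m.group(2) or m.group(3)))
    return tokens


def parse_jaas(text):
    """Return {entry_name: [{"class", "flag", "options"}, ...]}; raise ValueError on bad syntax."""
    toks, pos = tokenize(text), 0

    def take(kind, value=None):
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of configuration")
        k, v = toks[pos]
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind!r}, got {v!r}")
        pos += 1
        return v

    def at(kind, value=None):
        return pos < len(toks) and toks[pos][0] == kind and value in (None, toks[pos][1])

    entries = {}
    while pos < len(toks):
        name, modules = take("word"), []
        take("sym", "{")
        while not at("sym", "}"):                     # one stanza per LoginModule
            module = {"class": take("word"), "flag": take("word").lower(), "options": {}}
            if module["flag"] not in CONTROL_FLAGS:
                raise ValueError(f"{name}: bad control flag {module['flag']!r}")
            while not at("sym", ";"):
                key = take("word")
                take("sym", "=")
                module["options"][key] = take("str" if at("str") else "word")
            take("sym", ";")                          # first ';': ends the stanza
            modules.append(module)
        take("sym", "}")
        take("sym", ";")                              # second ';': ends the entry
        entries[name] = modules
    return entries


def check_config(entries, required_entries, keytab_exists=os.path.isfile):
    problems = [f"missing entry {n!r}" for n in required_entries if n not in entries]
    for name, modules in entries.items():
        for i, mod in enumerate(modules, 1):
            if not mod["class"].endswith("Krb5LoginModule"):
                continue
            o, where = mod["options"], f"{name} module {i}"
            if o.get("useKeyTab") == "true":
                # strip the "file:" prefix used in the question so the path can be checked
                path = re.sub(r"(?i)^file:", "", o.get("keyTab", ""))
                if not path or not keytab_exists(path):
                    problems.append(f"{where}: keytab {path!r} not found")
            if o.get("debug") == "true":
                problems.append(f"{where}: debug=true prints login internals to stdout")
    return problems


def preflight(text, required_entries, keytab_exists=os.path.isfile):
    try:
        return check_config(parse_jaas(text), required_entries, keytab_exists)
    except ValueError as e:
        return [f"syntax error: {e}"]

# Constructed sample: asker's entry under the recommended name plus the 'Client'
# entry the asker reports Impala needs; path and principal are placeholders.
SAMPLE_CONFIG = """
// entry JGSS uses when -Djavax.security.auth.useSubjectCredsOnly=false
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false
  doNotPrompt=true useKeyTab=true keyTab="/etc/security/keytabs/webapp.keytab"
  principal="webapp@EXAMPLE.COM" debug=false;
};
/* entry the Impala driver looks up by name */
Client {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false
  doNotPrompt=true useKeyTab=true keyTab="/etc/security/keytabs/webapp.keytab"
  principal="webapp@EXAMPLE.COM" debug=false;
};
"""
```

Run `preflight(open(path).read(), ["com.sun.security.jgss.krb5.initiate", "Client"])` against the file named in `-Djava.security.auth.login.config` as part of deployment; an empty list means every entry the services will look up is present and every keytab is readable, while a missing second `;` comes back as a single `syntax error: expected ';'` problem instead of the silent fall-through the JVM gives you by default. `keytab_exists` is injectable so the check can run on a build host that does not hold the keytabs.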