当系统用户!=主要用户时,通过JAAS上下文的Kerberos身份验证失败

时间:2017-01-17 07:59:04

标签: java authentication kerberos jaas principal

我需要使用用户test对Kerberos领域进行身份验证。我想通过相应的jaas.conf配置文件创建安全的JAAS上下文来实现这一目的:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  principal="test@MYREALM.DE"
  useKeyTab=true
  keyTab="/home/ubuntu/kerberos_test/test.keytab"
  storeKey=true;
};

krb5.ini文件包含有关Realm和Kerberos服务器的信息:

[libdefaults]
  default_realm = MYREALM.DE

[realms]
  MYREALM.DE = {
    admin_server = my.server.de
    kdc = my.server.de
  }

这里是我的应用程序的Java代码,它针对Kerberos领域进行身份验证并在我的HDFS的/中打印目录:

public class KerberosAuthentication {
  public static void main(String[] args) {
    try {
        String webHdfsUrl = "webhdfs://my.server:50070";
        Configuration conf = new Configuration();
        conf.set("fs.defaultFS", webHdfsUrl);
        conf.set("hadoop.security.authentication", "kerberos");

        FileSystem fs = FileSystem.get(conf);
        FileStatus[] fsStatus = fs.listStatus(new Path("/"));

        for(FileStatus status : fsStatus) {
            System.out.println(status.getPath().toString());
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
  }
}

当我使用以下参数运行代码时(在Eclipse中或作为java -cp ...jar):

-Djava.security.krb5.conf=/home/ubuntu/kerberos_test/krb5.ini 
-Djava.security.auth.login.config=/home/ubuntu/kerberos_test/jaas.conf 
-Djavax.security.auth.useSubjectCredsOnly=true

我得到以下结果:

  • 系统用户名==主要用户名(test):一切正常,我得到了我的HDFS根目录的输出
  • 系统用户名(例如ubuntu)!=主要用户名(test),我收到以下异常:

异常输出:

java.io.IOException: Usernames not matched: name=ubuntu != expected=test
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:106)
    at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:95)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.toIOException(WebHdfsFileSystem.java:399)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$600(WebHdfsFileSystem.java:98)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.shouldRetry(WebHdfsFileSystem.java:686)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:652)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:472)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:502)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1698)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:498)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.listStatus(WebHdfsFileSystem.java:1330)
    at kerberos.KerberosAuthentication.main(KerberosAuthentication.java:31)
Caused by: org.apache.hadoop.ipc.RemoteException(java.io.IOException): Usernames not matched: name=ubuntu != expected=test
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:374)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:98)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:623)
    ... 8 more

如果我的系统用户是另一个用户,如何使用test进行身份验证?是否有可能在jaas.conf或Java代码中添加一些设置?

0 个答案:

没有答案
相关问题
最新问题