WildFly 10x Configure Datasource Impala Db with kerberos keytab

Discussion in 'StackOverflow' started by Stack, February 19, 2021.

  1. Stack

    Stack Participating Member

    I have a problem setting up integrated authentication with Kerberos to connect to Impala DB through a datasource on JBoss WildFly 10. Here is my datasource configuration:

    <subsystem xmlns="urn:jboss:domain:datasources:4.0">
        <datasources>
            <datasource jta="false" jndi-name="java:jboss/datasources/impalaDS" pool-name="impalaDS">
                <connection-url>
                    jdbc:impala://hostname:21050/;AuthMech=1;KrbRealm=principal;KrbHostFQDN=hostname;KrbServiceName=impala
                </connection-url>
                <driver>impala</driver>
                <pool>
                    <min-pool-size>1</min-pool-size>
                    <max-pool-size>10</max-pool-size>
                </pool>
                <security>
                    <security-domain>kerbconf</security-domain>
                </security>
                <validation>
                    <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
                    <validate-on-match>false</validate-on-match>
                    <background-validation>true</background-validation>
                    <background-validation-millis>120000</background-validation-millis>
                </validation>
                <timeout>
                    <blocking-timeout-millis>300000</blocking-timeout-millis>
                </timeout>
            </datasource>

            <drivers>
                <driver name="impala" module="com.cloudera.impala">
                    <driver-class>com.cloudera.impala.jdbc41.Driver</driver-class>
                </driver>
            </drivers>
        </datasources>
    </subsystem>


    My security domain kerbconf is:

    <security-domain name="kerbconf" cache-type="default">
        <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required" module="org.jboss.security.negotiation">
                <module-option name="storeKey" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="keyTab" value="C:/Server/wildfly-10.0.0.Final/standalone/deployments/kerberos_conf/sptool/myPrincipal.keytab"/>
                <module-option name="principal" value="principal@principal"/>
                <module-option name="useTicketCache" value="true"/>
                <module-option name="debug" value="true"/>
            </login-module>
        </authentication>
    </security-domain>


    Starting the server with the previous configuration, I get this error:

    18:44:22,639 INFO [stdout] (MSC service thread 1-6) Principal is principal@principal.com

    18:44:22,639 INFO [stdout] (MSC service thread 1-6) null credentials from Ticket Cache

    18:44:22,813 INFO [stdout] (MSC service thread 1-6) [Krb5LoginModule] authentication failed
    18:44:22,813 INFO [stdout] (MSC service thread 1-6) ICMP Port Unreachable

    18:44:22,824 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-6) Exception during createSubject()PBOX00016: Access denied: authentication failed: java.lang.SecurityException: PBOX00016: Access denied: authentication failed
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
    at org.jboss.jca.core.security.picketbox.PicketBoxSubjectFactory.createSubject(PicketBoxSubjectFactory.java:66)
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1451)
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1446)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1445)
    at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:766)
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:312)
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:364)
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:145)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

    18:44:22,826 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-6) WFLYJCA0001: Bound data source [java:jboss/datasources/impalaDS]


    I have a successful connection from Java code:

    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public synchronized static void loginUserFromKeytab(String user, String path)
            throws IOException {
        if (!isSecurityEnabled())
            return;

        keytabFile = path;
        keytabPrincipal = user;
        Subject subject = new Subject();
        LoginContext login;
        long start = 0;
        try {
            login = newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
                    subject, new HadoopConfiguration());
            start = Time.now();
            login.login();
            metrics.loginSuccess.add(Time.now() - start);
            loginUser = new UserGroupInformation(subject);
            loginUser.setLogin(login);
            loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
        } catch (LoginException le) {
            if (start > 0) {
                metrics.loginFailure.add(Time.now() - start);
            }
            throw new IOException("Login failure for " + user + " from keytab " +
                    path + ": " + le, le);
        }
        LOG.info("Login successful for user " + keytabPrincipal
                + " using keytab file " + keytabFile);
    }


    How can I configure the same Java authentication with JBoss WildFly?

