【Question title】: Datastax Java Driver with kerberos security
【Posted】: 2014-02-20 16:35:34
【Question description】:

I am trying to access a Kerberos-enabled DSE cluster from Eclipse.

The sample connection code is

public void connect(String node) {
  // Build the cluster with the DSE (Kerberos/SASL) auth provider
  cluster = Cluster.builder().addContactPoint(node)
    .withAuthProvider(new DseAuthProvider()).build();
  Metadata metadata = cluster.getMetadata();
  // List the keyspaces to confirm the connection works
  Iterator<KeyspaceMetadata> in = metadata.getKeyspaces().iterator();
  while (in.hasNext()) {
    // System.out.println("Keyspaces");
    System.out.println(in.next().getName());
  }
}

My dseclient file looks like this

  DseClient {
        com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          keyTab="/path/to/file.keytab"
          principal="user@MYDOMAIN.COM";
    };

I get the following exception when running the code

Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: Cannot locate default realm
 at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:113)
 at com.datastax.driver.core.sasl.KerberosAuthenticator.<init>(KerberosAuthenticator.java:94)
 at com.datastax.driver.core.sasl.DseAuthProvider.newAuthenticator(DseAuthProvider.java:52)
 at com.datastax.driver.core.Connection.initializeTransport(Connection.java:164)
 at com.datastax.driver.core.Connection.<init>(Connection.java:132)
 at com.datastax.driver.core.Connection.<init>(Connection.java:59)
 at com.datastax.driver.core.Connection$Factory.open(Connection.java:442)
 at com.datastax.driver.core.ControlConnection.tryConnect(ControlConnection.java:205)
 at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:168)
 at com.datastax.driver.core.ControlConnection.connect(ControlConnection.java:81)
 at com.datastax.driver.core.Cluster$Manager.init(Cluster.java:662)
 at com.datastax.driver.core.Cluster$Manager.access$100(Cluster.java:604)
 at com.datastax.driver.core.Cluster.<init>(Cluster.java:69)
 at com.datastax.driver.core.Cluster.buildFrom(Cluster.java:96)
 at com.datastax.driver.core.Cluster$Builder.build(Cluster.java:585)
 at AuthenticatedClient.connect(AuthenticatedClient.java:19)
 at AuthenticatedClient.main(AuthenticatedClient.java:59)
Caused by: javax.security.auth.login.LoginException: Cannot locate default realm
 at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
 at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at javax.security.auth.login.LoginContext.invoke(Unknown Source)
 at javax.security.auth.login.LoginContext.access$000(Unknown Source)
 at javax.security.auth.login.LoginContext$4.run(Unknown Source)
 at javax.security.auth.login.LoginContext$4.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
 at javax.security.auth.login.LoginContext.login(Unknown Source)
 at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:109)
 ... 16 more
Caused by: KrbException: Cannot locate default realm
 at sun.security.krb5.PrincipalName.<init>(Unknown Source)
 at sun.security.krb5.KrbAsReq.<init>(Unknown Source)
 at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
 at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
 at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
 ... 30 more
Caused by: KrbException: Cannot locate default realm
 at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
 ... 35 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
 at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
 ... 36 more

I am using DSE 3.2.3 and Java driver 1.0.4

【Question discussion】:

    Tags: cassandra datastax-enterprise datastax-java-driver datastax


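    【Solution 1】:

    This most likely indicates a missing or misconfigured Kerberos setup on the client. On Linux, the relevant file is /etc/krb5.conf, and you probably want to check the [libdefaults] and [realms] sections. For the JAAS configuration you are using, I would expect to see something like this in your krb5.conf: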

    [libdefaults]
    default_realm = MYDOMAIN.COM
    .
    .
    .
    [realms]
    MYDOMAIN.COM = {
        kdc = <address of your kdc>
        admin_server = <address of the domain admin server>
    }
    

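    You also need to make sure that DNS name resolution is set up correctly. On the client machine, make sure that both forward and reverse resolution work, for example: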

    nslookup <hostname> && nslookup <host ip>
    

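    I would also verify that you can connect to the cluster using cqlsh, following the instructions here: http://www.datastax.com/docs/datastax_enterprise3.2/security/cqlsh_setup#security-run-cqlsh

    If you are running OSX on the client machine, this bug may also be relevant to you: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7184815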

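    【Comments】:

    • I can log in to cqlsh and run queries. Krb5 looks the same as shown above. I am running my Java program from my Windows machine (Eclipse). Do I also need to install Kerberos on my Windows machine?
    • Yes, the client machine needs the Kerberos libraries installed for its operating system. The krb5.conf snippet I posted is actually from a client machine (in most cases it is the same as the one on the server).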
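
A preflight check for the client-side krb5.conf layout described in the answer above, as an added example that is not part of the original post or of the DataStax driver. The function names, the host `kdc.example.test` and both sample files are constructed for illustration; the check assumes the KDC is listed in [realms] rather than discovered through DNS.

```python
import re

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value or {subkey: [values]}}}."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stanza = sections.setdefault(header.group(1), {}), None
        elif line.startswith("}"):
            stanza = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":  # opens a per-realm stanza
                stanza = section.setdefault(key, {})
            elif stanza is not None:
                stanza.setdefault(key, []).append(value)
            else:
                section[key] = value
    return sections

def check_realm_config(krb5_text, principal):
    """List what is missing for a keytab login as the given JAAS principal."""
    conf = parse_krb5_conf(krb5_text)
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        problems.append("no default_realm in [libdefaults]")
    # A principal without "@REALM" relies on the default realm.
    realm = principal.rpartition("@")[2] if "@" in principal else default_realm
    if realm:
        stanza = conf.get("realms", {}).get(realm)  # realm names are case-sensitive
        if not isinstance(stanza, dict):
            problems.append(f"no [realms] stanza for {realm}")
        elif not stanza.get("kdc"):
            problems.append(f"[realms] {realm} has no kdc entry")
    return problems

# Constructed sample files (not taken from a real deployment).
GOOD_CONF = ("[libdefaults]\ndefault_realm = MYDOMAIN.COM\n"
             "[realms]\nMYDOMAIN.COM = {\n  kdc = kdc.example.test\n}\n")
BAD_CONF = ("[libdefaults]\nticket_lifetime = 24h\n"
            "[realms]\nmydomain.com = {\n  admin_server = kdc.example.test\n}\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_realm_config(text, "user@MYDOMAIN.COM"))
```
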