kerberos

How to use Hadoop and Kafka keytabs in the same spark-submit command?

拈花ヽ惹草 submitted on 2020-03-21 07:15:26
Question: We have a secure Hadoop server and we are running a Spark Streaming job to consume from a secure Kafka topic. For authentication, I am passing the Hadoop keytab and its principal to the spark-submit command along with the Kafka keytab, but the job is failing. If we remove --keytab and --principal from the command and authenticate the Hadoop keytab using kinit before running the Spark command, it works perfectly fine. spark2-submit --keytab Hadoop.keytab --principal abc@adlov.org --file kafka.keytab My

Adding Kerberos on Ambari

拥有回忆 submitted on 2020-03-18 13:31:26
I. Preparation 1. Download and unpack the JCE policy files. JCE download address: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html [root@manager ~]# ls jce_policy-8.zip [root@manager ~]# unzip -o -j -q jce_policy-8.zip -d /usr/local/jdk/jre/lib/security/ 2. Install krb5 [root@manager ~]# yum install -y krb5-libs krb5-workstation 3. Edit the configuration file [root@manager ~]# cat /etc/krb5.conf # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm =

LDAP/SASL/GSSAPI/Kerberos Programming API (3): LDAP/SASL

独自空忆成欢 submitted on 2020-03-18 13:27:59
I. Install the development libraries. Client machine: vmcln (192.168.1.20) root@vmcln:/# apt-get install libkrb5-dev libldap2-dev libsasl2-dev II. SASL/GSSAPI (without the krb5 library) 1. Source code // source file name: testsasl.c #include <sasl/sasl.h> #include <ldap.h> #include <stdio.h> #include <stdlib.h> // callback function static int _ldap_sasl_interact( ) { return LDAP_SUCCESS; //#1 } int main() { LDAP *ld; int rc; unsigned long version = LDAP_VERSION3; if (( rc = ldap_initialize(&ld,"ldap://192.168.1.11/")) != LDAP_SUCCESS) // LDAP server address { return(1); } rc = ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,(void*)&version); // bind if ((rc=ldap_sasl_interactive_bind_s(ld,NULL, "GSSAPI",/

LDAP/SASL/GSSAPI/Kerberos Programming API (2): krb5 client

僤鯓⒐⒋嵵緔 submitted on 2020-03-18 12:44:58
There are two usable krb5 API libraries, MIT and Heimdal. Their APIs differ, but a client built against one library can generally connect to the other's server without problems, because the wire protocol is the same. The kadmin parts of the two APIs are completely incompatible, as the MIT and Heimdal kadmin tools show: connecting to the other side's kadmin server fails. kadmin exists for remote administration of the Kerberos server; Kerberos application development rarely targets it, since each implementation's own kadmin tool is used directly, so the kadmin incompatibility matters little. Our goal is Kerberos authentication, so either MIT or Heimdal will do. MIT is the mainstream, and this article uses it. I. Test environment Platform: Debian 11. I have already set up a Kerberos server (KDC) with the realm CTP.NET and created the user principal krblinlin@CTP.NET. II. Install the development library on the client root@debian:/# apt-get install libkrb5-dev III. The simplest krb5 authentication, without obtaining a ticket 1. Source code // source file name: krbonlylogin.c #include <stdio.h> #include <krb5.h> int main(void) { krb5_context context = NULL; krb5_error_code krberr; krb5_principal

How do I set up .NET WindowsAuthentication - the name always shows up as “IIS APPPOOL\Classic .NET AppPool” when I want it to use the actual user

烈酒焚心 submitted on 2020-03-13 13:12:45
Question: I'm using the following code to authenticate via Kerberos. IntPtr logonToken = WindowsIdentity.GetCurrent().Token; string authenticationType = "WindowsAuthentication"; WindowsIdentity windowsIdentity = new WindowsIdentity(logonToken, authenticationType); // windowsIdentity.Name equals "IIS APPPOOL\Classic .NET AppPool" when I want it to be the user. This only happens when I try to run my .NET application on the web server. If I run the code locally on my machine for debugging, it shows my

“The token supplied to the function is invalid” error when validating SPNEGO Response Token with SSPI

寵の児 submitted on 2020-03-05 01:27:33
Question: We are reconfiguring a SPNEGO / Kerberos SSO application to use AES128 / AES256 instead of the weak encryption ciphers DES and RC4. Some days ago I posted a preparatory question. Now we have a concrete error: The token supplied to the function is invalid. The components: The Kerberos "back-end" is Windows Active Directory. The application server uses pure Java GSSAPI and runs on Windows Server. The client runs on Windows 10 and is written in Java. It has 2 SPNEGO / SSO implementations:

Kerberos Authentication Flow

有些话、适合烂在心里 submitted on 2020-03-01 11:51:00
Step one: account A and the KDC authenticate each other. 1. Account A derives a key from its password (Kerberos calls this string2key; in the simplest case it is a hash of the password). We call this key Key-Client. 2. Key-Client is used to encrypt the current timestamp, producing a string written here as "{timestamp} Key-Client". 3. That string, account A's identity information, and a random string (a nonce) are sent to the KDC. Together they form the Kerberos authentication request, AS-REQ, which can be written as: AS-REQ = "{timestamp} Key-Client" + "account A's information" + "random string". 4. When the KDC receives the AS-REQ it reads A's information and looks up A's long-term key (the KDC database stores the key derived from the password, not the password itself), so it holds the same Key-Client and can decrypt "{timestamp} Key-Client". If decryption succeeds, the request was produced by account A, since no other account has Key-Client to encrypt with. This encrypted timestamp is Kerberos pre-authentication (PA-ENC-TIMESTAMP). The reason Kerberos encrypts a timestamp rather than a fixed value is that an attacker who captures "{timestamp} Key-Client" on the network could resend it and impersonate account A; this is a replay attack. Mounting such an attack takes time, so the KDC compares the decrypted timestamp with its own clock and, if the two differ by more than the allowed clock skew (5 minutes by default), treats the request as a replay and rejects it. If a time-independent string were encrypted instead, replay attacks could not be avoided
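The AS-REQ exchange described in the post, as an added example (not code from the original article, not a real Kerberos implementation). It models string2key, the "{timestamp} Key-Client" pre-authentication data, the KDC's decryption and clock-skew check, and, as an addition beyond the post, a replay cache that rejects the identical ciphertext when it is resent inside the skew window. The cipher, the principal database, the account name and the error codes' placement are assumptions; the toy XOR-plus-HMAC cipher only stands in for "encrypted with Key-Client" and must not be used for anything real.

```python
import hashlib
import hmac
import os
import struct

# MIT krb5 default clock skew (seconds). Requests outside this window are rejected.
CLOCK_SKEW = 300

# Constructed principal database: name -> password. A real KDC stores the
# derived long-term key rather than the password; we derive it on demand here.
PRINCIPALS = {"accountA@EXAMPLE.COM": "correct horse battery staple"}


def string2key(password: str, principal: str) -> bytes:
    """Derive Key-Client from the password. Stand-in for Kerberos string2key:
    the AES enctypes use PBKDF2 salted with the principal name, which this mimics."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096, 32)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (keystream XOR + HMAC tag). Not a Kerberos
    enctype; it only models 'encrypted with Key-Client' for this example."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    if len(plaintext) > len(stream):
        raise ValueError("plaintext too long for toy cipher")
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered message fails here."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def build_as_req(principal: str, password: str, now: int) -> dict:
    """Client side: AS-REQ = {timestamp}Key-Client + client info + random nonce.
    'now' is passed in (instead of time.time()) so the KDC checks are reproducible."""
    key = string2key(password, principal)
    pa_enc_timestamp = encrypt(key, struct.pack(">Q", now))
    return {"cname": principal, "nonce": os.urandom(4).hex(), "padata": pa_enc_timestamp}


class KDC:
    def __init__(self, db: dict, skew: int = CLOCK_SKEW):
        self.db = db
        self.skew = skew
        # Accepted (cname, timestamp, ciphertext) tuples; entries only matter
        # inside the skew window, since older ones are rejected by the skew check.
        self.replay_cache = set()

    def handle_as_req(self, req: dict, now: int) -> str:
        """Return 'OK' or the Kerberos error name the KDC would send in a KRB-ERROR."""
        password = self.db.get(req["cname"])
        if password is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
        key = string2key(password, req["cname"])  # same derivation as the client
        try:
            (ts,) = struct.unpack(">Q", decrypt(key, req["padata"]))
        except (ValueError, struct.error):
            return "KDC_ERR_PREAUTH_FAILED"  # not encrypted with A's Key-Client
        if abs(now - ts) > self.skew:
            return "KRB_AP_ERR_SKEW"  # stale timestamp: replay or clock drift
        entry = (req["cname"], ts, req["padata"])
        if entry in self.replay_cache:
            return "KRB_AP_ERR_REPEAT"  # identical ciphertext resent inside the window
        self.replay_cache.add(entry)
        return "OK"


if __name__ == "__main__":
    import time

    kdc = KDC(PRINCIPALS)
    t = int(time.time())
    req = build_as_req("accountA@EXAMPLE.COM", PRINCIPALS["accountA@EXAMPLE.COM"], t)
    print("fresh request:", kdc.handle_as_req(req, t))
    print("captured and replayed:", kdc.handle_as_req(req, t + 30))
    print("replayed after 10 minutes:", kdc.handle_as_req(req, t + 600))
```

The order of the checks matters: an attacker who replays a captured AS-REQ long after the fact is stopped by the skew check alone, exactly as the post argues, while a replay within the five-minute window is only caught because the KDC remembers what it has already accepted.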

Configuring Kerberos Authentication for Zookeeper and HDFS

一世执手 submitted on 2020-02-29 15:47:04
I. Configuring Kerberos authentication for Zookeeper 1. Environment. The components are laid out as planned earlier: 172.16.57.74 bd-ops-test-74 kdc zookeeper-client 172.16.57.75 bd-ops-test-75 zookeeper 172.16.57.76 bd-ops-test-76 zookeeper 172.16.57.77 bd-ops-test-77 zookeeper 2. Configure the ZooKeeper server 2.1 Generate keytabs. On node 74, the KDC server node, run the following commands: kadmin.local -q "addprinc -randkey zookeeper/bd-ops-test-75@BIGDATA.COM" kadmin.local -q "addprinc -randkey zookeeper/bd-ops-test-76@BIGDATA.COM" kadmin.local -q "addprinc -randkey zookeeper/bd-ops-test-77@BIGDATA.COM" kadmin.local -q "xst -k zookeeper.keytab zookeeper/bd-ops-test-75@BIGDATA.COM" kadmin.local -q "xst -k

Keycloak + Kerberos authentication: Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

允我心安 submitted on 2020-02-29 06:42:12
Question: I have the following: a Spring web application on JBoss EAP 7.2.2 (CentOS machine), Keycloak 3.3.4 on CentOS, and Active Directory. We run on OpenJDK 8. Users log in from Windows machines using their Active Directory accounts. Keycloak is configured with Kerberos user federation. On the CentOS machines a Kerberos client is installed using yum install krb5-user krb5-doc yum install krb5-pkinit krb5-workstation yum install krb5-libs krb5-devel yum install krb5-server krb5-workstation pam_krb5 In the Keycloak user