Setting up end-to-end Kerberos authentication in GemFire (Apache Geode)

Question (votes: 0, answers: 1)

I want to secure a gemfire (v9.9) cluster with Kerberos authentication.

I believe I have to:

  1. Authenticate the client and the gemfire server to the KDC (Active Directory in my case) using JAAS and keytabs
  2. On the client, obtain a session ticket as a byte[] using the Subject (a Subject.doAs)
  3. Pass this byte[] to the gemfire server
  4. On the gemfire server, check that the received ticket is correct
  5. I found some sample code here: https://www.programcreek.com/java-api-examples/?code=ampool/monarch/monarch-master/ADS/geode-core/src/main/java/io/ampool/security/KerberosAuthInit.java

    I was successfully able to execute LoginContext.login() and get a Subject on both the client and the gemfire server.

My code:

import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

//--------------------at the client level-------------------
// "Client" is the JAAS configuration entry (Krb5LoginModule); the login obtains the TGT.
LoginContext loginCtx = new LoginContext("Client", new TextCallbackHandler());
loginCtx.login();
Subject subject = loginCtx.getSubject();

// SPN of the gemfire server in host-based form, e.g. "service@server-host";
// placeholder value, it must match a principal registered in the KDC (Active Directory here).
String servicePrincipalName = "<service>@<server-host>";

GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
// 1.2.840.113554.1.2.2 is the Kerberos v5 mechanism OID
final GSSContext context = manager.createContext(serverName, new Oid("1.2.840.113554.1.2.2"), null, GSSContext.DEFAULT_LIFETIME);

byte[] serviceTicket =
        Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            @Override
            public byte[] run() throws Exception {
                byte[] token = new byte[0];
                // This is a one pass context initialisation.
                context.requestMutualAuth(false);
                context.requestCredDeleg(false);
                byte[] ticket = context.initSecContext(token, 0, token.length);  // code fails here
                /* java.security.PrivilegedActionException:
                   GSSException: No valid credentials provided
                       (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
                   Caused by: KrbException: Identifier doesn't match expected value (906)
                */
                return ticket;
            }
        });

// send this serviceTicket to gemfire server and then do

//--------------------at the gemfire server level-------------------
// serverSubject comes from the server's own LoginContext (keytab login);
// serviceTicket is the byte[] received from the client.
String clientContext =
        Subject.doAs(serverSubject, new PrivilegedAction<String>() {
            public String run() {
                try {
                    GSSManager manager = GSSManager.getInstance();
                    // Accept with the default (server) credentials held in serverSubject.
                    GSSContext context = manager.createContext((GSSCredential) null);
                    context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
                    return context.getSrcName().toString();  // the authenticated client principal
                } catch (Exception e) {
                    e.printStackTrace();
                    return null;
                }
            }
        });

Links I have been through so far:

https://github.com/ekoontz/jaas_and_kerberos
https://cwiki.apache.org/confluence/display/GEODE/Geode+Security+Framework

My questions:

  • Is my approach correct?
  • How do I obtain the byte[] session ticket?
  • How do I verify at the gemfire server level that the ticket is correct?

java kerberos gemfire java-security geode
1 answer

0 votes

In Gemfire 9.9 you should start using the integrated security framework. The "https://cwiki.apache.org/confluence/display/GEODE/Geode+Security+Framework" link you are using is for the deprecated "Authenticator" interface. Here are some pointers to the new integrated security in Gemfire:

https://cwiki.apache.org/confluence/display/GEODE/Geode+Integrated+Security
https://cwiki.apache.org/confluence/display/GEODE/Using+Custom+SecurityManager
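As an added illustration (not code from the question, the answer or the Geode project) of how the server half of the question's GSS exchange fits the integrated SecurityManager hook the answer points to: the client's AuthInitialize is assumed to send the Base64-encoded one-pass token from initSecContext under the property key security-gss-token, and a JAAS entry named "GemFireServer" is assumed to log the server in from its keytab.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.SecurityManager;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

// Server half of the question's GSS exchange, plugged into Geode's integrated SecurityManager hook.
public class KerberosSecurityManager implements SecurityManager {
  // Assumed property key: the client's AuthInitialize sends the Base64-encoded GSS token under it.
  public static final String TOKEN_PROP = "security-gss-token";
  private Subject serverSubject;
  @Override
  public void init(Properties securityProps) {
    try {
      LoginContext lc = new LoginContext("GemFireServer"); // assumed JAAS entry: Krb5LoginModule + keytab
      lc.login();
      serverSubject = lc.getSubject(); // holds the service principal's credentials for acceptSecContext
    } catch (Exception e) {
      throw new AuthenticationFailedException("server keytab login failed", e);
    }
  }

  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String encoded = credentials.getProperty(TOKEN_PROP);
    if (encoded == null) throw new AuthenticationFailedException("no Kerberos token supplied");
    byte[] token = Base64.getDecoder().decode(encoded);
    try {
      return Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        try {
          ctx.acceptSecContext(token, 0, token.length);
          if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE); // one-pass: must be complete now
          return ctx.getSrcName().toString(); // authenticated client principal, e.g. alice@EXAMPLE.COM
        } finally {
          ctx.dispose();
        }
      });
    } catch (Exception e) {
      // Expired/forged ticket, clock skew or a wrong SPN all land here and reject the client.
      throw new AuthenticationFailedException("Kerberos token rejected: " + e.getMessage(), e);
    }
  }
}
```

The returned principal is what Geode later hands to authorize(), so the same name the question's getSrcName() call yields becomes the identity for authorization decisions.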
