直接上完整的示例(注意事項見后面):
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.ktab.KeyTab;
import java.io.*;
/* // krb5.conf 內容
* [libdefaults]
* default_realm = ${REALM}
* dns_lookup_realm = false
* dns_lookup_kdc = true
* allow_weak_crypto = true
*
* [realms]
* ${REALM} = {
* default_domain = ${DNSDOMAIN}
* }
*
* [domain_realm]
* ${HOSTNAME} = ${REALM}
*/
public class LoginUtil {
static final String KDC = "xxx"; // kdc 地址
public static UserGroupInformation login(String keytabPath, String kdc, String krb5Conf) throws IOException {
String tmpKeytabPath = createTmpKeytabPath(keytabPath);
PrincipalName oneName = KeyTab.getInstance(tmpKeytabPath).getOneName();
// krb5.conf 的地址锦针,低版本jdk不需要,高版本的jdk由于安全機制的變更溶其,需要加這個東西
// 并且需要加這一行 allow_weak_crypto = true
if (StringUtils.isNotBlank(krb5Conf)) {
System.setProperty("java.security.krb5.conf", krb5Conf);
}
System.setProperty("java.security.krb5.realm", oneName.getRealmAsString());
System.setProperty("java.security.krb5.kdc", kdc);
System.setProperty("HADOOP_PROXY_USER", oneName.getNameString());
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
conf.set("debug", "true");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(oneName.getName(), tmpKeytabPath);
return UserGroupInformation.getLoginUser();
}
private static String createTmpKeytabPath(String keytabPath) throws IOException {
PrincipalName oneName = KeyTab.getInstance(keytabPath).getOneName();
String tmpDir = System.getProperty("java.io.tmpdir");
String keytabTmpPath = tmpDir + File.separator + oneName.getNameString();
File file = new File(keytabTmpPath);
if (file.exists()) {
file.delete();
}
file.deleteOnExit();
try (FileInputStream inStream = new FileInputStream(keytabPath);
FileOutputStream outStream = new FileOutputStream(file)) {
IOUtils.copy(inStream, outStream);
}
return keytabTmpPath;
}
public static UserGroupInformation login(String keytabPath) throws IOException {
return login(keytabPath, KDC, "/etc/krb5.conf");
}
public static void main(String[] args) throws Exception {
LoginUtil.loginAs("recsys_infra");
}
public static UserGroupInformation loginAs(String user) throws IOException {
String keytabPath = String.format("/rcp/hadoop/keytab/%s.keytab", user.toLowerCase());
return login(keytabPath);
}
}
題主遇到的問題:
連接Kerberos所有的信息都對蚌成,keytab也是合法的,但依舊連不上锚扎;報錯 javax.security.auth.login.LoginException: Unable to obtain password from user;詭異的是同樣的代碼馁启,同事的電腦上可以驾孔,我的電腦不行;最后定位到是Jdk的問題惯疙,低版本jdk的安全策略翠勉,跟高版本有差別;比如同事用的1.8.0_291霉颠,題主用的1.8.0_401对碌;
解決辦法
使用高版本指定krb5.conf路經 System.setProperty("java.security.krb5.conf", krb5Conf); 并在文件中設置 allow_weak_crypto = true;上面完整的例子中已經加了這個(最初題主沒有加蒿偎,踩了這個坑)
Jdk根源在于 sun.security.krb5.internal.crypto.Etype.getBuiltInDefaults 方法的最后一行
public static int[] getBuiltInDefaults() {
int var0 = 0;
try {
var0 = Cipher.getMaxAllowedKeyLength("AES");
} catch (Exception var2) {
}
int[] var1;
if (var0 < 256) {
var1 = BUILTIN_ETYPES_NOAES256;
} else {
var1 = BUILTIN_ETYPES;
}
//
//低版本: return !allowWeakCrypto ? Arrays.copyOfRange(var1, 0, var1.length - 2) : var1;
// 高版本如下朽们,區(qū)別在于一個減2,一個減4诉位;所以使用低版本jdk不用配置 allow_weak_crypto = true 也可以連接成功骑脱,高版本不行
return !allowWeakCrypto ? Arrays.copyOfRange(var1, 0, var1.length - 4) : var1;
}
參考資料:
20240516-104207.jpg
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
