直接上完整的示例(注意事项见后面):
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.ktab.KeyTab;
import java.io.*;
/* // krb5.conf 内容
* [libdefaults]
* default_realm = ${REALM}
* dns_lookup_realm = false
* dns_lookup_kdc = true
* allow_weak_crypto = true
*
* [realms]
* ${REALM} = {
* default_domain = ${DNSDOMAIN}
* }
*
* [domain_realm]
* ${HOSTNAME} = ${REALM}
*/
public class LoginUtil {
static final String KDC = "xxx"; // kdc 地址
public static UserGroupInformation login(String keytabPath, String kdc, String krb5Conf) throws IOException {
String tmpKeytabPath = createTmpKeytabPath(keytabPath);
PrincipalName oneName = KeyTab.getInstance(tmpKeytabPath).getOneName();
// krb5.conf 的地址,低版本jdk不需要,高版本的jdk由于安全机制的变更,需要加这个东西
// 并且需要加这一行 allow_weak_crypto = true
if (StringUtils.isNotBlank(krb5Conf)) {
System.setProperty("java.security.krb5.conf", krb5Conf);
}
System.setProperty("java.security.krb5.realm", oneName.getRealmAsString());
System.setProperty("java.security.krb5.kdc", kdc);
System.setProperty("HADOOP_PROXY_USER", oneName.getNameString());
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
conf.set("debug", "true");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(oneName.getName(), tmpKeytabPath);
return UserGroupInformation.getLoginUser();
}
private static String createTmpKeytabPath(String keytabPath) throws IOException {
PrincipalName oneName = KeyTab.getInstance(keytabPath).getOneName();
String tmpDir = System.getProperty("java.io.tmpdir");
String keytabTmpPath = tmpDir + File.separator + oneName.getNameString();
File file = new File(keytabTmpPath);
if (file.exists()) {
file.delete();
}
file.deleteOnExit();
try (FileInputStream inStream = new FileInputStream(keytabPath);
FileOutputStream outStream = new FileOutputStream(file)) {
IOUtils.copy(inStream, outStream);
}
return keytabTmpPath;
}
public static UserGroupInformation login(String keytabPath) throws IOException {
return login(keytabPath, KDC, "/etc/krb5.conf");
}
public static void main(String[] args) throws Exception {
LoginUtil.loginAs("recsys_infra");
}
public static UserGroupInformation loginAs(String user) throws IOException {
String keytabPath = String.format("/rcp/hadoop/keytab/%s.keytab", user.toLowerCase());
return login(keytabPath);
}
}
题主遇到的问题:
连接Kerberos所有的信息都对,keytab也是合法的,但依旧连不上;报错 javax.security.auth.login.LoginException: Unable to obtain password from user;诡异的是同样的代码,同事的电脑上可以,我的电脑不行;最后定位到是Jdk的问题,低版本jdk的安全策略,跟高版本有差别;比如同事用的1.8.0_291,题主用的1.8.0_401;
解决办法
使用高版本指定krb5.conf路经 System.setProperty("java.security.krb5.conf", krb5Conf); 并在文件中设置 allow_weak_crypto = true;上面完整的例子中已经加了这个(最初题主没有加,踩了这个坑)
Jdk根源在于 sun.security.krb5.internal.crypto.Etype.getBuiltInDefaults 方法的最后一行
public static int[] getBuiltInDefaults() {
int var0 = 0;
try {
var0 = Cipher.getMaxAllowedKeyLength("AES");
} catch (Exception var2) {
}
int[] var1;
if (var0 < 256) {
var1 = BUILTIN_ETYPES_NOAES256;
} else {
var1 = BUILTIN_ETYPES;
}
//
//低版本: return !allowWeakCrypto ? Arrays.copyOfRange(var1, 0, var1.length - 2) : var1;
// 高版本如下,区别在于一个减2,一个减4;所以使用低版本jdk不用配置 allow_weak_crypto = true 也可以连接成功,高版本不行
return !allowWeakCrypto ? Arrays.copyOfRange(var1, 0, var1.length - 4) : var1;
}
参考资料:
20240516-104207.jpg
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
