
Kerberos error connecting to impala and hbase


We are developing a web application that interacts with Hadoop components such as HDFS, HBase and Impala. The cluster is kerberized, and we are authenticating with a JAAS config. We are configuring JAAS in VM arguments as below:

-Djava.security.auth.login.config=/user/gss-jaas.conf
-Djava.security.krb5.conf=/user/krb5.ini
-Djavax.security.auth.useSubjectCredsOnly=false 

Our JAAS config is as below

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="[email protected]"
  debug=false;
};

It works fine when connecting to HBase and HDFS. But while connecting to Impala, we are facing problems. We can connect to Impala when we change com.sun.security.jgss.initiate to Client. But we don't want to change or switch between JAAS configs.

Is there any way we can use the same JAAS config file for all services? We don't want to use System.setProperties to do this. Also, when switching between JAAS configs we are getting exceptions. So using the same config file would be better.

Any help?


Solution

  • You don't have to switch. Just use both!

    Did you wonder why there are two mandatory ; -- one after the last parameter, and one after the brace? That's because you can have multiple mechanisms defined inside the section (tried from 1st to last), and multiple sections (with different names) in the same config file.

    Look into the Kafka documentation for example, how they set the JAAS configuration for both the broker and the client apps in the same file: http://docs.confluent.io/current/kafka/sasl.html

    And in case you are curious about the multiple mechanisms, look into the Java documentation (but be careful, that stuff is a nightmare to tweak and debug...) https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html