I want to secure a GemFire (v9.9) cluster with Kerberos authentication.

I believe I have to:

  1. authenticate the client and the GemFire server to the KDC (Active Directory in my case), using JAAS and a keytab
  2. at the client, get the session ticket (a byte[]) from the Subject, using Subject.doAs
  3. pass this byte[] to the GemFire server
  4. on the GemFire server, check that the received ticket is correct

I found some sample code here: https://www.programcreek.com/java-api-examples/?code=ampool/monarch/monarch-master/ADS/geode-core/src/main/java/io/ampool/security/KerberosAuthInit.java

I am successfully able to do LoginContext.login() and get the Subject at both the client and the GemFire server.

My code:

import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.auth.callback.TextCallbackHandler;

//--------------------at the client level-------------------
// JAAS login against the "Client" entry of the JAAS config (keytab and principal come from that entry)
LoginContext loginCtx = new LoginContext("Client", new TextCallbackHandler());
loginCtx.login();
Subject subject = loginCtx.getSubject();

// Host-based service name of the gemfire server, in "service@host" form (actual value not shown here)
String servicePrincipalName = "<service>@<server-host>";

GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
// 1.2.840.113554.1.2.2 is the Kerberos V5 GSS-API mechanism OID
final GSSContext context = manager.createContext(serverName, new Oid("1.2.840.113554.1.2.2"), null, GSSContext.DEFAULT_LIFETIME);

// Run initSecContext as the logged-in client Subject so its TGT is used to obtain the service ticket
final byte[] serviceTicket =
        Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            @Override
            public byte[] run() throws Exception {
                byte[] token = new byte[0];
                // This is a one pass context initialisation.
                context.requestMutualAuth(false);
                context.requestCredDeleg(false);
                return context.initSecContext(token, 0, token.length);  // code fails here with:
                // java.security.PrivilegedActionException:
                //   GSSException: No valid credentials provided
                //     (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
                // Caused by: KrbException: Identifier doesn't match expected value (906)
            }
        });

//send this serviceTicket to gemfire server and then do

//--------------------at the gemfire server level-------------------
// The server has done its own LoginContext.login() (JAAS entry name "Server" assumed here)
LoginContext serverLoginCtx = new LoginContext("Server", new TextCallbackHandler());
serverLoginCtx.login();
Subject serverSubject = serverLoginCtx.getSubject();

// Accept the token as the server Subject; the keytab key held in that Subject decrypts the ticket
String clientContext =
        Subject.doAs(serverSubject, new PrivilegedAction<String>() {
              public String run() {
                try {
                    GSSManager manager = GSSManager.getInstance();
                    // null credential: use the default acceptor credential of the current Subject
                    GSSContext context = manager.createContext((GSSCredential) null);
                    context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
                    // Authenticated client principal, e.g. user@REALM
                    return context.getSrcName().toString();
                }
                catch (Exception e) {
                    e.printStackTrace();
                    return null;
                }
              }
        });

Links I used to get this far:

https://github.com/ekoontz/jaas_and_kerberos
https://cwiki.apache.org/confluence/display/GEODE/Geode+Security+Framework

My questions:

  • Is my approach correct?
  • How do I get the byte[] session ticket?
  • At the GemFire server level, how do I verify that the ticket is correct?
Saurabh

1 Answer

In GemFire 9.9, you should start using the integrated security framework. The link you used, "https://cwiki.apache.org/confluence/display/GEODE/Geode+Security+Framework", points to the deprecated "Authenticator" interface. Here are a few pointers to the new integrated security in GemFire:

https://cwiki.apache.org/confluence/display/GEODE/Geode+Integrated+Security
https://cwiki.apache.org/confluence/display/GEODE/Using+Custom+SecurityManager

Basically, the AuthInitialize interface allows the client code to send credentials (in whatever form they are) to the server, and the SecurityManager on the server side will authenticate the credentials provided by the client.

jliao
  • How do I use Kerberos as the auth mechanism? Any guide or links on how to implement a SecurityManager which checks a Kerberos ticket? – Saurabh Feb 02 '20 at 16:48
  • That's outside the realm of Geode. I suggest you look into the Kerberos documentation for that. – jliao Feb 03 '20 at 17:04
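As an added example, not code from the question, the answer or the Geode project: one way to wire the question's GSS-API exchange into the two interfaces the answer names, with the client AuthInitialize shipping the one-pass AP-REQ token as a base64 credential property and the server SecurityManager accepting it under its keytab Subject. It assumes the Geode 1.x interfaces that GemFire 9.9 exposes, a JAAS config with keytab entries named "Client" and "Server", and placeholder values for the property key and the service principal name.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import org.apache.geode.security.*;
import org.apache.geode.security.SecurityManager; // single-type import wins over java.lang.SecurityManager
import org.ietf.jgss.*;
public class KerberosGeodeSecurity {
  static final String TOKEN_PROP = "security-krb5-token";          // property name chosen for this example
  static final String SERVICE_SPN = "gemfire@server.example.com";  // placeholder host-based service name
  static Subject login(String jaasEntry) { // keytab-based JAAS login against a jaas.conf entry, as in the question
    try { LoginContext lc = new LoginContext(jaasEntry); lc.login(); return lc.getSubject(); }
    catch (LoginException e) { throw new AuthenticationFailedException("Kerberos login failed", e); }
  }
  // Client side (security-client-auth-init): send a one-pass Kerberos AP-REQ token as the credential.
  public static class KerberosAuthInit implements AuthInitialize {
    private final Subject clientSubject = login("Client");
    @Override public Properties getCredentials(Properties securityProps) {
      try {
        byte[] token = Subject.doAs(clientSubject, (PrivilegedExceptionAction<byte[]>) () -> {
          GSSManager m = GSSManager.getInstance();
          GSSContext ctx = m.createContext(m.createName(SERVICE_SPN, GSSName.NT_HOSTBASED_SERVICE),
              new Oid("1.2.840.113554.1.2.2"), null, GSSContext.DEFAULT_LIFETIME); // Kerberos V5 mech
          ctx.requestMutualAuth(false);                  // one pass: no reply token expected from the server
          try { return ctx.initSecContext(new byte[0], 0, 0); } finally { ctx.dispose(); }
        });
        Properties creds = new Properties();             // Geode carries String values, so base64 the bytes
        creds.setProperty(TOKEN_PROP, Base64.getEncoder().encodeToString(token));
        return creds;
      } catch (PrivilegedActionException e) { throw new AuthenticationFailedException("no Kerberos token", e); }
    }
  }
  // Server side (security-manager): verify the token under the server's keytab identity.
  public static class KerberosSecurityManager implements SecurityManager {
    private final Subject serverSubject = login("Server");
    @Override public Object authenticate(Properties credentials) throws AuthenticationFailedException {
      String b64 = credentials.getProperty(TOKEN_PROP);
      if (b64 == null) throw new AuthenticationFailedException("no Kerberos token supplied");
      byte[] token = Base64.getDecoder().decode(b64);
      try {
        return Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
          GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
          ctx.acceptSecContext(token, 0, token.length);  // GSSException on a forged, expired or replayed ticket
          if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE);
          try { return ctx.getSrcName().toString(); } finally { ctx.dispose(); } // e.g. user@REALM
        });
      } catch (PrivilegedActionException e) { throw new AuthenticationFailedException("ticket rejected", e); }
    }
  }
}
```

The client is configured with security-client-auth-init=KerberosGeodeSecurity$KerberosAuthInit and the server with security-manager=KerberosGeodeSecurity$KerberosSecurityManager; authorize() is not overridden here, so the authorization policy for the returned principal still has to be written.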