JAAS: Connecting to different Kerberised Hadoop services with different principals?


In the middleware (REST API using Spring Boot) we are developing, we need to connect to several Kerberised services (Oozie, Solr, Hive Server, etc.) using their Java clients (Oozie Java client, SolrJ client, Kerberos-enabled JDBC, etc.).

I managed to connect to Solr and Hive Server separately (by having separate jaas.conf files and keytabs). But now we need to connect to these different services within the same JVM process. Different REST endpoints can access all these services in parallel.

1) Is it possible to connect to different Kerberised services with different principals (same realm)?

2) Is this supported by JAAS?

My jaas.conf for connecting to Solr looks like this:

    SolrJClient {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="./ambari-infra-solr.service.keytab"
      storeKey=true
      useTicketCache=true
      debug=true
      doNotPrompt=true
      principal="infra-solr/server-yy-hdp-stg001.stg.xxx.zzz.local@C6KHDPSTG.LOCAL";
    };

Re: JAAS: Connecting to different Kerberised Hadoop services with different principals?

@Ashika Umagiliya

Your client should use a single user principal to connect to each service. I am not sure why you would need to use different identities to connect to different services. The service should then have authorization rules to allow your user identity to perform operations. This assumes that you are accessing each service as a user of the service and not some administrator.

That said, I have never built a client to communicate with these services, so I am not sure what the requirements are for connecting to them. However, the fact that you are able to use a service's Kerberos identity as a client application seems to be insecure.
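As an added illustration (not code from either poster), this shows the mechanism the question asks about: JAAS allows several named entries in one jaas.conf, and each can be logged in with its own LoginContext in the same JVM, with each client call run under its Subject. Following the reply's point, the entries use dedicated application principals rather than the services' own keytabs; all principals, keytab paths and the jaas.conf location are hypothetical, and a reachable KDC with a valid krb5.conf is assumed.

```java
// Added example, not code from the original thread. Two named entries in one
// jaas.conf, each logged in through its own LoginContext in the same JVM; the
// client call then runs under that Subject via Subject.doAs. Principals, keytab
// paths and the jaas.conf location are hypothetical; a reachable KDC is assumed.
//
// /etc/app/jaas.conf (application identities, not the services' own keytabs):
//   SolrJClient {
//     com.sun.security.auth.module.Krb5LoginModule required
//     useKeyTab=true storeKey=true doNotPrompt=true
//     keyTab="/etc/security/keytabs/app-solr.keytab"
//     principal="app-solr@EXAMPLE.COM";
//   };
//   HiveClient {
//     com.sun.security.auth.module.Krb5LoginModule required
//     useKeyTab=true storeKey=true doNotPrompt=true
//     keyTab="/etc/security/keytabs/app-hive.keytab"
//     principal="app-hive@EXAMPLE.COM";
//   };
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class MultiPrincipalJaas {
    // One authenticated Subject per JAAS entry name, logged in once and reused.
    private final Map<String, Subject> subjects = new ConcurrentHashMap<>();

    public MultiPrincipalJaas(String jaasConfPath) {
        System.setProperty("java.security.auth.login.config", jaasConfPath);
    }

    /** Log in with the named jaas.conf entry (e.g. "SolrJClient") and cache its Subject. */
    public synchronized Subject login(String entryName) throws LoginException {
        Subject cached = subjects.get(entryName);
        if (cached != null) return cached;
        LoginContext lc = new LoginContext(entryName);
        lc.login();                      // obtains a TGT for that entry's principal
        subjects.put(entryName, lc.getSubject());
        return lc.getSubject();
    }

    /** Run a client call (SolrJ, JDBC, ...) as the principal bound to entryName. */
    public <T> T runAs(String entryName, PrivilegedExceptionAction<T> action) throws Exception {
        return Subject.doAs(login(entryName), action);
    }
}
```

Cached tickets expire, so a long-running process must re-login (LoginContext.logout() then login()) before the TGT lifetime ends. Hadoop-based clients that authenticate through UserGroupInformation need a per-identity UGI from UserGroupInformation.loginUserFromKeytabAndReturnUGI and its doAs rather than the static login.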
