Keytab based kerberos authentication failing while making API calls with Atlas


Hi All,

I am trying to call Apache Atlas from Java code, passing my username and password as credentials, as shown below:

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import org.apache.atlas.AtlasBaseClient;

Client client = Client.create(config);
// basic-auth filter; the credentials come from the properties file
client.addFilter(new HTTPBasicAuthFilter(prop.getProperty("user"), prop.getProperty("password")));

WebResource service = client.resource(prop.getProperty("rest_uri"));

WebResource addService = service.path(AtlasBaseClient.LOGIN); // overwritten by the next assignment

addService = service.path(AtlasBaseClient.ATLAS_API).path(AtlasBaseClient.ENTITIES)
        .queryParam(AtlasBaseClient.TYPE, "hive_process");

processOut.write(getOutputAsJSON(addService).getBytes());

The above code snippet is working fine.

But when I tried keytab-based authentication using the principal name and keytab file, I get authorized but am not able to read the response from Atlas. I have programmed this approach in 3 steps, as shown below:

Step 1: set config properties

// imports used by all three steps
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;

String genericId = "peaXXXXX";
String genericId_principalName = "peaXXXX@xyz.XXX.XXX";
String keytabPath = "/home/peaXXXXX/peaXXXXX.keytab";

// Hadoop configuration from which UserGroupInformation reads the security mode
Configuration configuration = new Configuration();
configuration.set("fs.defaultFS", "http://XXXX.XXX.XX:21000");
configuration.set("hbase.master.kerberos.principal", genericId_principalName);
configuration.set("hadoop.security.authentication", "kerberos");
configuration.set("atlas.authentication.method.kerberos", "true");
configuration.set("atlas.http.authentication.enabled", "true");
configuration.set("atlas.http.authentication.type", "kerberos");
configuration.set("hadoop.security.authorization", "true");

Step 2: user authorization using keytab file and principal name

UserGroupInformation.setConfiguration(configuration);
// logs in with the short name; the commented-out line uses the full principal name instead
//UserGroupInformation.loginUserFromKeytab(genericId_principalName, keytabPath);
UserGroupInformation.loginUserFromKeytab(genericId, keytabPath);

Step 3: call the Atlas URL using doAs()

final URL url = new URL("http://XXXX.XXXXX.XXX:21000/api/atlas/entities?type=hive_table");

// open the HTTP connection as the keytab-authenticated login user
HttpURLConnection connection = UserGroupInformation.getLoginUser().doAs(
    new PrivilegedExceptionAction<HttpURLConnection>() {
        public HttpURLConnection run() throws Exception {
            // the token starts empty; AuthenticatedURL fills it during the SPNEGO handshake
            AuthenticatedURL.Token token = new AuthenticatedURL.Token();
            return new AuthenticatedURL().openConnection(url, token);
        }
    });

System.out.println("KeyTabTest.main()--> connection " + connection);

// reading the response from the URL call
connection.addRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0");
connection.connect();

BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null) {
    System.out.println(inputLine);
}
in.close();

We get the 403 Forbidden error below when trying to read the response from the URL call.

Exception in thread "main" java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://XXXXX.XXX.XXX:21000/api/atlas/entities?type=hive_table
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
        at atlas.KeyTabTest.main(KeyTabTest.java:107)
        ... 5 more

Kindly help me with the questions below:

1.) Can someone please help me overcome this 403 Forbidden error?

2.) Also, I have a doubt here: we are passing the url and token values to the HttpConnection, but where do we assign the value of the token variable? Will it be read by default?

3.) If the UserGroupInformation from step 2 is not being passed to step 3 for the Atlas URL call, please suggest how I can pass the UGI credentials to the HttpConnection.

Kindly respond. Thank you.

1 ACCEPTED SOLUTION

Master Mentor

@Srikanth Gorripati

In the above jaas.conf, the principal="atlas/td2XXXXX.XXXX.XXX@ADMIN.XXXX.XXX"; should match the output of the command

# klist -kt /etc/security/keytabs/atlas.service.keytab

Keytab name: FILE:/etc/security/keytabs/atlas.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM

e.g. atlas/xxxx.xxxx.xxxx@REALM.COM


11 REPLIES

Master Mentor

@Srikanth Gorripati

What are the contents of your /etc/atlas/2.6.1.0-129/0/atlas_jaas.conf?

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   storeKey=true
   doNotPrompt=false
   keyTab="/etc/security/keytabs/atlas.service.keytab"
   principal="atlas/FQDN@REALM";
}

Revert

Hi Geoffrey,

Thanks for your quick response. Please find the atlas_jaas.conf content in my environment below:

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   storeKey=true
   doNotPrompt=false
   keyTab="/etc/security/keytabs/atlas.service.keytab"
   principal="atlas/XXXXX.XXXX.XXX@ADMIN.XXXX.XXX";
};

Is there anything missing here? Do I need to change any configurations?

Master Mentor

@Srikanth Gorripati

Great, can you accept and close the thread!


Thank you Nixon and Geoffrey for your responses.

Master Mentor

@Srikanth Gorripati

Have you corrected the entries in the Atlas jaas.conf? Please revert if the problem persists.

To grab a valid Kerberos ticket you need to run this command, replacing the values appropriately:

# kinit -kt /etc/security/keytabs/atlas.service.keytab atlas/xxxx.xxxx.xxxx@REALM.COM

Revert
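As an added illustration of the check in the accepted solution above and in this reply (the principal named in jaas.conf must appear in the `klist -kt` listing of the keytab, after which `kinit -kt` with that keytab and principal obtains the ticket), here is a small POSIX shell script; it is not code from the thread, from Atlas or from the Hadoop project. The `klist -kt` output and the jaas.conf text it reads are constructed samples embedded in the script, and the host, realm and keytab path in them are placeholders; the script only prints the `kinit` command it would run next, it does not run it.

```shell
#!/bin/sh
# Added example: confirm that the principal in a JAAS config is present in the
# keytab listing, and print the kinit command to validate it. All inputs are
# constructed samples; real use would feed `klist -kt <keytab>` and the real
# jaas.conf into the same functions.

# Constructed sample of `klist -kt` output (host and realm are placeholders).
KLIST_OUTPUT='Keytab name: FILE:/etc/security/keytabs/atlas.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 atlas/host1.example.com@EXAMPLE.COM
   1 08/24/2017 15:42:23 atlas/host1.example.com@EXAMPLE.COM'

# Constructed jaas.conf text in the same shape as the one in the thread.
JAAS_CONF='Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   storeKey=true
   doNotPrompt=false
   keyTab="/etc/security/keytabs/atlas.service.keytab"
   principal="atlas/host1.example.com@EXAMPLE.COM";
};'

# Print the value of principal="..." from JAAS config text read on stdin.
jaas_principal() {
    sed -n 's/.*principal="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the value of keyTab="..." from JAAS config text read on stdin
# (useKeyTab=true has no quoted value, so it does not match).
jaas_keytab() {
    sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the distinct principals in klist -kt output read on stdin.
# Entry lines start with a numeric KVNO; the last field is the principal.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Exit 0 if the principal given as $1 is listed in the klist output on stdin.
principal_in_keytab() {
    keytab_principals | grep -qxF "$1"
}

# Compare a JAAS config text ($1) with klist output ($2): print a verdict and
# the kinit command to run next; exit 0 on match, 1 on mismatch.
check_jaas_against_keytab() {
    principal=$(printf '%s\n' "$1" | jaas_principal)
    keytab=$(printf '%s\n' "$1" | jaas_keytab)
    if [ -z "$principal" ]; then
        echo "no principal= entry found in JAAS config"
        return 1
    fi
    if printf '%s\n' "$2" | principal_in_keytab "$principal"; then
        echo "OK: $principal is present in $keytab"
        echo "next: kinit -kt $keytab $principal"
        return 0
    fi
    echo "MISMATCH: $principal not found in $keytab; the keytab contains:"
    printf '%s\n' "$2" | keytab_principals | sed 's/^/  /'
    return 1
}

check_jaas_against_keytab "$JAAS_CONF" "$KLIST_OUTPUT"
```

The comparison is exact and case-sensitive, which is what Kerberos requires: a differing realm or a short name such as the `peaXXXXX` used in the question's `loginUserFromKeytab` call would be reported as a mismatch rather than silently accepted.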


Hi Geoffrey, it's working now. Thank you very much. I request you to mask the host details as xxxxx in your previous responses for security reasons, or else please delete your responses.

Master Mentor

@Srikanth Gorripati

Entries obscured. I am happy it worked, please can you accept the best answer!

Master Mentor

@Srikanth Gorripati

Done. Accept an answer and close the thread.