
Keytab based kerberos authentication failing while making API calls with Atlas


Hi All,

I am trying to call Apache Atlas using Java code by passing my username and password as credentials, as shown below:

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import org.apache.atlas.AtlasBaseClient;

// config, prop and processOut are set up elsewhere in the poster's class
Client client = Client.create(config);
// HTTP basic auth: the user/password from the properties file are sent with every request
client.addFilter(new HTTPBasicAuthFilter(prop.getProperty("user"), prop.getProperty("password")));
WebResource service = client.resource(prop.getProperty("rest_uri"));
// path() returns a new WebResource; this value is replaced by the next assignment
WebResource addService = service.path(AtlasBaseClient.LOGIN);
// entities of type hive_process
addService = service.path(AtlasBaseClient.ATLAS_API).path(AtlasBaseClient.ENTITIES)
      .queryParam(AtlasBaseClient.TYPE, "hive_process");
processOut.write(getOutputAsJSON(addService).getBytes());

The above code snippet is working fine.

But when I tried to use keytab-based authentication using a principal name and keytab file, I am getting authorized but I am not able to read the response from Atlas. I have programmed this approach in 3 steps as shown below:

Step 1: set config properties

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;

String genericId = "peaXXXXX";
String genericId_principalName = "peaXXXX@xyz.XXX.XXX";
String keytabPath = "/home/peaXXXXX/peaXXXXX.keytab";

Configuration configuration = new Configuration();
configuration.set("fs.defaultFS", "http://XXXX.XXX.XX:21000");
configuration.set("hbase.master.kerberos.principal", genericId_principalName);
configuration.set("hadoop.security.authentication", "kerberos");
configuration.set("atlas.authentication.method.kerberos", "true");
configuration.set("atlas.http.authentication.enabled", "true");
configuration.set("atlas.http.authentication.type", "kerberos");
configuration.set("hadoop.security.authorization", "true");

Step 2: user login using keytab file and principal name

// UGI must see hadoop.security.authentication=kerberos before the keytab login
UserGroupInformation.setConfiguration(configuration);
//UserGroupInformation.loginUserFromKeytab(genericId_principalName, keytabPath);
UserGroupInformation.loginUserFromKeytab(genericId, keytabPath);

Step 3: call the Atlas URL by using doAs()

final URL url = new URL("http://XXXX.XXXXX.XXX:21000/api/atlas/entities?type=hive_table");
// run the SPNEGO handshake as the keytab-logged-in user
HttpURLConnection connection = UserGroupInformation.getLoginUser().doAs(
   new PrivilegedExceptionAction<HttpURLConnection>() {
      public HttpURLConnection run() throws Exception {
         // token starts empty; openConnection() performs the Kerberos/SPNEGO exchange and
         // stores the resulting hadoop.auth cookie in it, which the returned connection carries
         AuthenticatedURL.Token token = new AuthenticatedURL.Token();
         return new AuthenticatedURL().openConnection(url, token);
      }
   });
System.out.println("KeyTabTest.main()--> connection " + connection);

// reading the response from the URL call
connection.addRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0");
connection.connect();
BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null) {
   System.out.println(inputLine);
}
in.close();

We are getting the below 403 Forbidden error when we try to read the response from the URL call.


Exception in thread "main" java.lang.reflect.InvocationTargetException
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
   at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://XXXXX.XXX.XXX:21000/api/atlas/entities?type=hive_table
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
   at atlas.KeyTabTest.main(KeyTabTest.java:107)
   ... 5 more

Kindly help me with the questions below:

1.) Can someone please help me overcome this 403 Forbidden error?

2.) Also, I have a doubt here: we are passing the URL and token values to the HttpConnection. But where do we assign the value of the token variable? Will it be read by default?

3.) If the UserGroupInformation from step 2 is not being passed to step 3 for the Atlas URL call, please suggest how I can pass the UGI credentials to the HttpConnection.

Kindly respond. Thank you.

1 ACCEPTED SOLUTION

Master Mentor

@Srikanth Gorripati

In the above jaas.conf the principal="atlas/td2XXXXX.XXXX.XXX@ADMIN.XXXX.XXX"; should match the output of the command:

# klist -kt /etc/security/keytabs/atlas.service.keytab

Keytab name: FILE:/etc/security/keytabs/atlas.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM

e.g. atlas/xxxx.xxxx.xxxx@REALM.COM
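The check the accepted answer describes, that the principal in the jaas.conf Client section must be one of the principals `klist -kt` lists for the keytab, written as a small verification script. This is an added example, not code from the thread or from Atlas; the klist output and jaas.conf text are constructed samples modelled on the ones quoted above, and for a real keytab you would feed the output of `klist -kt <keytab>` into keytab_principals instead.

```python
import re

# Constructed sample of `klist -kt` output, shaped like the one quoted in the answer.
SAMPLE_KLIST = """Keytab name: FILE:/etc/security/keytabs/atlas.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
"""

# Constructed jaas.conf modelled on the thread's Client section; its principal (host
# and realm) deliberately differs from the keytab so the check reports a mismatch.
SAMPLE_JAAS = """Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   storeKey=true
   doNotPrompt=false
   keyTab="/etc/security/keytabs/atlas.service.keytab"
   principal="atlas/XXXXX.XXXX.XXX@ADMIN.XXXX.XXX";
};
"""

def jaas_settings(text, section="Client"):
    """Return the key=value options of one JAAS section as a dict (quotes stripped)."""
    m = re.search(r'%s\s*\{(.*?)\}' % re.escape(section), text, re.S)
    if not m:
        raise ValueError("no %s section in jaas.conf" % section)
    return dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', m.group(1)))

def keytab_principals(klist_output):
    """Parse `klist -kt` output into the set of principals stored in the keytab."""
    principals = set()
    for line in klist_output.splitlines():
        # entry lines look like: KVNO date time principal
        m = re.match(r'\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$', line)
        if m:
            principals.add(m.group(1))
    return principals

def check_jaas_against_keytab(jaas_text, klist_output):
    """Return findings; an empty list means the Client section can log in from this keytab."""
    opts = jaas_settings(jaas_text)
    findings = []
    if opts.get("useKeyTab") != "true":
        findings.append("useKeyTab is not true, so keyTab/principal will be ignored")
    principal = opts.get("principal")
    if principal not in keytab_principals(klist_output):
        findings.append("principal %s not found in keytab" % principal)
    return findings
```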


Master Mentor

@Srikanth Gorripati

What are the contents of your /etc/atlas/2.6.1.0-129/0/atlas_jaas.conf?

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   storeKey=true
   doNotPrompt=false
   keyTab="/etc/security/keytabs/atlas.service.keytab"
   principal="atlas/FQDN@REALM";
}

Revert


Hi Geoffrey,

Thanks for your quick response. Please find atlas_jaas.conf content in my environment as mentioned below:

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   useTicketCache=false
   storeKey=true
   doNotPrompt=false
   keyTab="/etc/security/keytabs/atlas.service.keytab"
   principal="atlas/XXXXX.XXXX.XXX@ADMIN.XXXX.XXX";
};

Is there anything missing here? Do I need to change any configurations?

Master Mentor

@Srikanth Gorripati

Great, can you accept and close the thread!


Thank you Nixon and Geoffrey for your responses.

Master Mentor

@Srikanth Gorripati

Have you corrected the entries in the Atlas jaas.conf? Please revert if the problem persists.

To grab a valid Kerberos ticket you need to run this command, replacing the values appropriately:

# kinit -kt /etc/security/keytabs/atlas.service.keytab atlas/xxxx.xxxx.xxxx@REALM.COM

Revert


Hi Geoffrey, it's working now. Thank you very much. I request you to mask the host details as xxxxx in your previous responses for security reasons, or else please delete your responses.

Master Mentor

@Srikanth Gorripati

Entries obscured. I am happy it worked, please can you accept the best answer!

Master Mentor

@Srikanth Gorripati

Done. Accept an answer and close the thread.