Keytab based kerberos authentication failing while making API calls with Atlas
Labels: Apache Atlas
Created 09-11-2017 06:24 PM
Hi All,
I am trying to call Apache Atlas using Java code by passing my username and password as credentials as mentioned below:
Client client = Client.create(config);
client.addFilter(new HTTPBasicAuthFilter(prop.getProperty("user"), prop.getProperty("password")));
service = client.resource(prop.getProperty("rest_uri"));
addService = service.path(AtlasBaseClient.LOGIN);
addService = service.path(AtlasBaseClient.ATLAS_API).path(AtlasBaseClient.ENTITIES)
        .queryParam(AtlasBaseClient.TYPE, "hive_process");
processOut.write(getOutputAsJSON(addService).getBytes());
The above code snippet is working fine.
But when I tried to use keytab based authentication using the principal name and keytab file, I am getting authorized but I am not able to read the response from Atlas. I have programmed this approach in 3 steps as mentioned below:
Step 1 : set Config properties
String genericId = "peaXXXXX";
String genericId_principalName = "peaXXXX@xyz.XXX.XXX";
String keytabPath = "/home/peaXXXXX/peaXXXXX.keytab";
Configuration configuration = new Configuration();
configuration.set("fs.defaultFS", "http://XXXX.XXX.XX:21000");
configuration.set("hbase.master.kerberos.principal", genericId_principalName);
configuration.set("hadoop.security.authentication", "kerberos");
configuration.set("atlas.authentication.method.kerberos", "true");
configuration.set("atlas.http.authentication.enabled","true");
configuration.set("atlas.http.authentication.type","kerberos");
configuration.set("hadoop.security.authorization", "true");
Step 2: User authorization using keytab file and principal name
UserGroupInformation.setConfiguration(configuration);
//UserGroupInformation.loginUserFromKeytab(genericId_principalName, keytabPath);
UserGroupInformation.loginUserFromKeytab(genericId, keytabPath);
Step 3: call the Atlas URL by using doAs()
URL url = new URL("http://XXXX.XXXXX.XXX:21000/api/atlas/entities?type=hive_table");
HttpURLConnection connection = UserGroupInformation.getLoginUser().doAs(
        new PrivilegedExceptionAction<HttpURLConnection>() {
            public HttpURLConnection run() throws Exception {
                AuthenticatedURL.Token token = new AuthenticatedURL.Token();
                return new AuthenticatedURL().openConnection(url, token);
            }
        });
System.out.println("KeyTabTest.main()--> connection "+connection);
// reading the response from the URL call
connection.addRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0");
connection.connect();
BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
    System.out.println(inputLine);
We are getting the below 403 Forbidden error when we try to read the response from the URL call.
Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://XXXXX.XXX.XXX:21000/api/atlas/entities?type=hive_table
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at atlas.KeyTabTest.main(KeyTabTest.java:107)
... 5 more
Kindly help me with the below questions:
1.) Can someone please help me overcome this 403 Forbidden error?
2.) Also, I have a doubt here: we are passing url and token values to the HttpConnection. But where do we assign the value for the token variable? Will it be read by default?
3.) If the UserGroupInformation from step 2 is not being passed to step 3 for the Atlas URL call, please suggest how I can pass the UGI credentials to the HttpConnection.
Kindly respond. Thank you.
Created 09-11-2017 06:24 PM
In the above jaas.conf the principal="atlas/td2XXXXX.XXXX.XXX@ADMIN.XXXX.XXX"; should match the output of the command
# klist -kt /etc/security/keytabs/atlas.service.keytab
Keytab name: FILE:/etc/security/keytabs/atlas.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
e.g. atlas/xxxx.xxxx.xxxx@REALM.COM
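The comparison described in this answer can be scripted; the following is an added example, not part of the original post. The function names and the SAMPLE_* values are constructed for illustration, and the parser assumes the `klist -kt` column layout shown above.

```shell
#!/bin/sh
# Added example: SAMPLE_* values are constructed; function names are hypothetical.

# Print the principal="..." value from JAAS config text read on stdin.
jaas_principal() {
    sed -n 's/.*principal="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the unique principals from `klist -kt` output read on stdin.
# Assumes the layout KVNO, date, time, principal after the dashed rule.
keytab_principals() {
    awk 'seen_rule && NF >= 4 { print $4 } /^-+ / { seen_rule = 1 }' | sort -u
}

# check_principal JAAS_TEXT KLIST_TEXT
# Returns 0 on an exact match, 1 on mismatch, 2 if no principal was found.
check_principal() {
    want=$(printf '%s\n' "$1" | jaas_principal)
    [ -n "$want" ] || { echo "no principal found in JAAS text"; return 2; }
    if printf '%s\n' "$2" | keytab_principals | grep -Fxq -- "$want"; then
        echo "OK: $want"
    else
        echo "MISMATCH: $want is not in the keytab"
        return 1
    fi
}

SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/atlas.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM
   1 08/24/2017 15:42:23 atlas/xxxx.xxxx.xxxx@REALM.COM'

SAMPLE_JAAS_OK='Client {
  com.sun.security.auth.module.Krb5LoginModule required
  keyTab="/etc/security/keytabs/atlas.service.keytab"
  principal="atlas/xxxx.xxxx.xxxx@REALM.COM";
};'

# Same host part, different realm: the kind of mismatch the answer warns about.
SAMPLE_JAAS_BAD='Client { principal="atlas/xxxx.xxxx.xxxx@OTHER.EXAMPLE.COM"; };'

check_principal "$SAMPLE_JAAS_OK" "$SAMPLE_KLIST"
check_principal "$SAMPLE_JAAS_BAD" "$SAMPLE_KLIST" || true
```

On a live host, pass the contents of the atlas_jaas.conf file and the output of `klist -kt /etc/security/keytabs/atlas.service.keytab` as the two arguments.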
Created 09-11-2017 06:24 PM
What are the contents of your /etc/atlas/2.6.1.0-129/0/atlas_jaas.conf?
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
storeKey=true
doNotPrompt=false
keyTab="/etc/security/keytabs/atlas.service.keytab"
principal="atlas/FQDN@REALM";
};
Revert
Created 09-11-2017 06:24 PM
Can you check this implementation? It worked for me in Kerberos mode.
https://github.com/nixonrodrigues/java-samples/commit/f3a75090ef3196874b051d78fe2dff35d69bd9d9
Created 09-11-2017 06:24 PM
Hi Geoffrey,
Thanks for your quick response. Please find atlas_jaas.conf content in my environment as mentioned below:
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
storeKey=true
doNotPrompt=false
keyTab="/etc/security/keytabs/atlas.service.keytab"
principal="atlas/XXXXX.XXXX.XXX@ADMIN.XXXX.XXX";
};
Is there anything missing here? Do I need to change any configurations?
Created 09-11-2017 06:24 PM
Great, can you accept and close the thread!
Created 09-11-2017 06:24 PM
Thank you Nixon and Geoffrey for your responses.
Created 09-11-2017 06:24 PM
Have you corrected the entries in the Atlas jaas.conf? Please revert if the problem persists.
To grab a valid Kerberos ticket you need to run this command, replacing the values appropriately:
# kinit -kt /etc/security/keytabs/atlas.service.keytab atlas/xxxx.xxxx.xxxx@REALM.COM
Revert
Created 09-11-2017 06:24 PM
Hi Geoffrey, it's working now. Thank you very much. I request you to mask the host details as xxxxx in your previous responses for security reasons, or else please delete your responses.
Created 09-11-2017 06:24 PM
Entries obscured. I am happy it worked, please can you accept the best answer!
Created 09-11-2017 06:24 PM
Done accept an answer and close the thread.