docker spring kerberos LoginException: Unable to obtain password from user

Explorer

I use spring to connect to a cluster secured with kerberos. My code

private KerberosRestTemplate restTemplate = new KerberosRestTemplate("evkuzmin.keytab",
                                                                      "EvKuzmin@REALM");

URI uri = new URI("http" + "://" + host + ":" + port + "/webhdfs/v1" + path + "?op=OPEN");
String json = restTemplate.getForObject(uri, String.class);
return json;

Here I read the file and return a string.

I generated keytab file and checked in CLI. It works.

I checked the app itself, it also works. In fact, when I simply run the app, I don't need kerberos keytab, because I have a ticket that is automatically used for authorization.

The problem starts when I try to run the app in docker. If I don't use keytab, it doesn't see the ticket and I get

AuthenticationException:Unauthorized

But when I use it, it can't obtain the password. What am I doing wrong?

Edit

How I start spring

docker run -d --name audpro --network=aud_pro_net -p 8080:8080 --link audpro_mongo:audpro_mongo beeline/report

How I tried to start kerberos

docker run -d --network=aud_pro_net -v /kerb:/etc/ -v /dev/urandom:/dev/random --name kerberos -e BOOTSTRAP=0 sequenceiq/kerberos

1 ACCEPTED SOLUTION

Master Mentor

@Gjin 733

You need to get a way to copy the krb5.conf; that's the centerpiece.


6 REPLIES

Master Mentor

@Gjin 733

Have a look at this quick start part of Docker kerberos Usage

Tell me if that worked?

Explorer

@Geoffrey Shelton Okot

I followed the instructions, but had to change a few things. The net=host didn't work. Changed to network=aud_pro_net. When I tried moving krb5.conf file directly like so /etc/krb5.conf:/etc/krb5.conf, I got the error that it's not a directory, so I changed it too. The rest was left as is. In the end I initialized the keytab without problem. But the error persisted. Unable to obtain password. I added everything to the post.

Master Mentor

@Gjin 733

You need to get a way to copy the krb5.conf; that's the centerpiece.

Explorer

@Geoffrey Shelton Okot

Why do I need krb5 if I already have keytab? I already pass the principal on Java. What else is there?

Explorer

Okay. I did it. There were a few problems, but this is how the final variant looks.

My docker. krb5.conf and keytab are in the same folder as my docker file. When I build the project they are added to the container and in the entrypoint I use

-Djava.security.krb5.conf

to provide krb5 location. There are also a few options for debugging + I connect mongo.

FROM java:8
ADD report.jar report.jar
ADD krb5.conf /etc/krb5.conf
ADD evkuzmin.keytab /etc/evkuzmin.keytab
RUN sh -c 'touch report.jar'
ENTRYPOINT ["java","-Dspring.data.mongodb.uri=mongodb://audpro_mongo/report","-Djavax.net.debug=all","-Dsun.security.spnego.debug=true","-Dsun.security.krb5.debug=true","-Djava.security.krb5.conf=/etc/krb5.conf","-jar","/report.jar"]

Then I use KerberosRestTemplate to connect to webhdfs

public String getReportJSON() throws URISyntaxException {
    KerberosRestTemplate restTemplate = new KerberosRestTemplate("/etc/evkuzmin.keytab", "EvKuzmin@DOMAIN");
    URI uri = new URI("http" + "://" + host + ":" + port + "/webhdfs/v1" + path + "?op=OPEN");
    String json = restTemplate.getForObject(uri, String.class);
    return json;
}

If you want to run the app without docker, just build it and add the keytab to the same directory as the jar. Then change /etc/evkuzmin.keytab so it points to the new location.
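
A preflight check for the container entrypoint, as an added example that is not part of the original post: "Unable to obtain password from user" commonly means the JVM could not read usable keys from the keytab path it was given, so this verifies the keytab and krb5.conf inside the container before Java starts. The function name and the krb5.conf section heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify the Kerberos files a JVM needs
# before it starts. Both paths are arguments; nothing here is Spring-specific.

check_kerberos_files() {
    keytab=$1
    krb5conf=$2
    rc=0

    for f in "$keytab" "$krb5conf"; do
        if [ -d "$f" ]; then
            # With -v, Docker creates a directory when the host path does not exist.
            echo "FAIL: $f is a directory, not a file" >&2; rc=1
        elif [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or not readable by uid $(id -u)" >&2; rc=1
        elif [ ! -s "$f" ]; then
            echo "FAIL: $f is empty" >&2; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # A keytab starts with byte 0x05 followed by format version 0x01 or 0x02.
    magic=$(od -An -tx1 -N2 "$keytab" | tr -d ' \n')
    case "$magic" in
        0501|0502) ;;
        *) echo "FAIL: $keytab does not start with a keytab header (got '$magic')" >&2
           return 1 ;;
    esac

    # Heuristic (assumption): a usable krb5.conf has [libdefaults] or [realms].
    if ! grep -Eq '^[[:space:]]*\[(libdefaults|realms)\]' "$krb5conf"; then
        echo "FAIL: $krb5conf has no [libdefaults] or [realms] section" >&2
        return 1
    fi
    echo "OK: $keytab and $krb5conf look usable"
}

# Entrypoint usage (paths as in the Dockerfile above):
#   check_kerberos_files /etc/evkuzmin.keytab /etc/krb5.conf && exec java ... -jar /report.jar
```

The check does not confirm that the keytab holds an entry for the principal passed to KerberosRestTemplate; `klist -kt <keytab>` lists the entries where the MIT client tools are installed.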

Master Mentor

@Gjin 733

Good to know and happy ...... everything is working fine. I am not very conversant with Docker but Kerberos and your error were pointing to the krb5.conf.

If you feel my response helped you resolve the issue then you can accept it to reward me. I should build some kafka docker on my cluster and test ..