Java – Kerberos for thrift?

I have a simple Java application based on Thrift. It is very simple, just using Thrift's "Hello World" message transmission in Java. I was told that I needed to add Kerberos support for my messages. I did some Google searches and was surprised that Thrift doesn't have some form of Kerberos support (or if so, I can't find it). I thought about writing my own wrapper using GSSAPI, but I can't open / unpack my Thrift message because that would destroy the Thrift message format.

Has anyone ever kerberized Thrift, or know what to do?

Thank you in advance

Solution

Therefore, I think there is a method that can be implemented through the SASL / GSSAPI. What puzzles me is why I don't see any good examples on the Internet. However, I am releasing an example I created in the hope that it can help others... or someone can correct the illusion that I am doing something useful here.

// Imports added so the posted snippet compiles (they were not in the original post).
import java.util.HashMap;
import java.util.Map;
import javax.security.sasl.Sasl;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.thrift.server.TServer;
import org.apache.thrift.server.TThreadPoolServer;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TServerSocket;

TServerSocket serverTransport = new TServerSocket(7911);  // new server on port 7911 (throws TTransportException)
HelloWorldService.Processor<Iface> processor = new HelloWorldService.Processor<Iface>(new ThriftServerImpl());  // This is my thrift implementation for my server
Map<String,String> saslProperties = new HashMap<String,String>();  // need a map for properties
saslProperties.put(Sasl.QOP, "auth-conf");  // authentication plus confidentiality (integrity and encryption of the payload)

TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();     // Creating the server definition
saslTransportFactory.addServerDefinition(
            "GSSAPI",                // tell SASL to use GSSAPI, which supports Kerberos
            "myserviceprincipal",    // base kerberos principal name - myprincipal/my.server.com@MY.REALM
            "my.server.com",         // kerberos principal server - myprincipal/my.server.com@MY.REALM
            saslProperties,          // Properties set above
            new SaslRpcServer.SaslGssCallbackHandler());  // I don't know what this really does... but I stole it from Hadoop and it works.. so there.

TServer server = new TThreadPoolServer(new TThreadPoolServer.Args(serverTransport).transportFactory(saslTransportFactory).processor(processor));

server.serve();   // Thrift server start

Client code example

// Imports added so the posted snippet compiles (they were not in the original post).
import java.util.HashMap;
import java.util.Map;
import javax.security.sasl.Sasl;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;

TTransport transport = new TSocket("my.server.com", 7911);   // client to connect to server and port
Map<String,String> saslProperties = new HashMap<String,String>();  // the map was never declared in the original client snippet
saslProperties.put(Sasl.QOP, "auth-conf");  // authentication plus confidentiality

TTransport saslTransport = new TSaslClientTransport(   // TSaslTransport is abstract; the client side is TSaslClientTransport
            "GSSAPI",                // tell SASL to use GSSAPI, which supports Kerberos
            null,                    // authorizationid - null
            "myserviceprincipal",    // base kerberos principal name - myprincipal/my.client.com@MY.REALM
            "my.server.com",         // kerberos principal server - myprincipal/my.server.com@MY.REALM
            saslProperties,          // Properties set above
            null,                    // callback handler - null
            transport);              // underlying transport

TProtocol protocol = new TBinaryProtocol(saslTransport);    // set up our new Thrift protocol

HelloWorldService.Client client = new HelloWorldService.Client(protocol);   // Setup our thrift client
saslTransport.open();   // runs the SASL/Kerberos handshake before any Thrift message is sent

String response = client.hello("Hi There");   // send message

System.out.println("response = " + response);

saslTransport.close();   // closes the SASL layer and the underlying socket

Other notes:

* I set several Java system properties on both the client and the server:
  – java.security.krb5.realm=MY.REALM  // domain name
  – java.security.krb5.kdc=my.kdc.com  // KDC server
  – javax.security.auth.useSubjectCredsOnly=false  // allow JAAS to obtain the TGT
  – java.security.auth.login.config=/etc/myapp/conf/jaas.conf  // required JAAS file
  – sun.security.krb5.debug=true  // helps diagnose problems
* The JAAS conf file specified above needs to have two entries (there may be only one...) for each server. I don't remember where I collected this information, but this is my file:

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/myapp/conf/myapp.keytab"
    useTicketCache=true
    principal="myuserprincipal"
    debug=true;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/myapp/conf/myapp.keytab"
    useTicketCache=false
    principal="myserviceprincipal/my.server.com"
    debug=true;
};

(back to the notes...)

* Despite the SASL QOP being "auth-conf", the first transmission (?) of the message is not encrypted. Maybe it's just a handshake or something. The rest of the messages seem to be encrypted, but the first message will output an ugly message to the console, "No encryption was performed by peer". If you don't get that message, good, because it leads to sadness (warranted or not).

Anyway, I hope this can help some people... or inspire some improvements that will help me. It's hard to believe that it took me 2-3 days to do this and only a small amount of code came out, but when I started I knew neither Kerberos nor Thrift.

Thank you for reading.
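As an added example (not part of the answer above, and not Hadoop's code), here is what the borrowed `SaslRpcServer.SaslGssCallbackHandler` essentially has to do: the GSSAPI mechanism hands the server an `AuthorizeCallback`, and the handler decides whether the Kerberos-authenticated principal may act as the requested authorization id. The class name `GssAuthorizeHandler` and the `assertConfidential` helper are assumptions; the helper checks the QOP the peer actually negotiated, which is the check to make given the note above about the first message not being encrypted.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServer;

/** Hypothetical server-side SASL callback handler for the GSSAPI mechanism. */
public class GssAuthorizeHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof AuthorizeCallback)) {
                // GSSAPI never asks for a name or password; anything else means a misconfigured mechanism.
                throw new UnsupportedCallbackException(cb, "Only AuthorizeCallback is expected for GSSAPI");
            }
            AuthorizeCallback ac = (AuthorizeCallback) cb;
            String authn = ac.getAuthenticationID();  // principal proven by the Kerberos ticket
            String authz = ac.getAuthorizationID();   // identity the client asked to act as (its own when it passed null)
            // Policy: a client may only act as itself; any impersonation rule would have to be added explicitly.
            boolean ok = authn != null && authn.equals(authz);
            ac.setAuthorized(ok);
            if (ok) {
                ac.setAuthorizedID(authz);  // this is the name the server should use for access decisions
            }
        }
    }

    /** After the handshake, verify the QOP that was actually negotiated, not merely the one requested. */
    public static void assertConfidential(SaslServer server) {
        if (!server.isComplete()) {
            throw new IllegalStateException("SASL handshake has not completed");
        }
        Object qop = server.getNegotiatedProperty(Sasl.QOP);
        if (!"auth-conf".equals(qop)) {
            throw new SecurityException("Expected auth-conf but negotiated QOP is " + qop);
        }
    }
}
```

Wiring it in means passing `new GssAuthorizeHandler()` to `addServerDefinition` instead of the Hadoop handler; the QOP check belongs right after the SASL transport is opened, so that a downgrade to "auth" or "auth-int" is rejected before any payload is exchanged.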
