[keycloak-user] Kerberos Credential Delegation : Using GSSCredential to call other kerberos-secured services

Nirmal Kumar nirmal.kumar at impetus.co.in
Fri Jun 2 11:27:24 EDT 2017


Thanks Marek for the reply.

I am currently delving into Hive Server 2 to find ways to access it and will surely share my findings here.

-Nirmal

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Friday, June 2, 2017 8:27 PM
To: Nirmal Kumar <nirmal.kumar at impetus.co.in>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kerberos Credential Delegation : Using GSSCredential to call other kerberos-secured services

Hi,

I am sorry, but this is out of scope for Keycloak. Keycloak's role ends the moment you are successfully authenticated in your app and you have the GSS Credential. The exact way to use that credential further to access another service is specific to that service. So you would need to ask the Hive Server 2 (or maybe just JDBC protocol or HDFS) documentation for details.

As you can see, the example itself uses delegated authentication to Apache Directory server, which supports authentication through the GSSAPI SASL mechanism. But that's specific to Apache Directory itself.

Btw. still, if you find a way, it would be good if you can reply here and share. It might be useful as a reference in future for other users with the same issue.

Marek


On 02/06/17 07:48, Nirmal Kumar wrote:
> Hello Keycloak,
>
> I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end.
>
> I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.
>
> FLOW:
> -------
> Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate, and then the browser uses GSS-API to load the user's Kerberos ticket from the ticket cache and sends a header of the form Authorization: Negotiate YII... This works perfectly fine; I am authenticated via Kerberos and land in my web app.
>
> GSSCredential deserializedGssCredential =
>     org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
> // Create GSSContext to call other kerberos-secured services
> GSSContext context = gssManager.createContext(serviceName, krb5Oid, deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
>
> As I am a bit of a newcomer to the GSS API, I cannot figure out how to use the GSSCredential to call other kerberos-secured services, which in my case are Hive Server 2 via JDBC and HDFS.
>
> Is there some reference or example that I can refer to and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS?
>
> Many Thanks,
> -Nirmal
>
>
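The step the thread leaves open, as an added example that is not part of the thread or of Keycloak's own code: taking the deserialized GSSCredential, building a GSSContext against the target service's HTTP/host principal, and using the resulting token to call a SPNEGO-protected HTTP endpoint such as WebHDFS, with mutual authentication enforced so the response is only trusted once the service has proven it holds its own key. The host name, the WebHDFS URL and the assumption that the endpoint accepts a raw Kerberos mechanism token inside the Negotiate header (as Hadoop's SPNEGO handler generally does) are assumptions of this example; Hive JDBC and HDFS RPC clients negotiate their own contexts and are not covered here.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class DelegatedSpnegoClient {
    /**
     * @param delegated   the GSSCredential handed over by Keycloak (deserialised as in the thread)
     * @param serviceHost host part of the target's HTTP/host@REALM service principal (assumed)
     * @param url         protected URL, e.g. http://namenode.example:50070/webhdfs/v1/?op=LISTSTATUS (constructed)
     * @return the HTTP status code, returned only after the server has proven its own identity
     */
    public static int callService(GSSCredential delegated, String serviceHost, URL url)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5Oid = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism, the krb5Oid of the thread's snippet
        // Host-based service name "HTTP@host" resolves to HTTP/host@REALM at the KDC.
        GSSName target = manager.createName("HTTP@" + serviceHost, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(target, krb5Oid, delegated, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);  // require the service to authenticate back to us
            ctx.requestCredDeleg(false);  // do not forward the user's credential any further
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestProperty("Authorization",
                    "Negotiate " + Base64.getEncoder().encodeToString(token));
            int status = conn.getResponseCode();
            // Mutual authentication completes with the token the server returns in WWW-Authenticate.
            String reply = conn.getHeaderField("WWW-Authenticate");
            if (!ctx.isEstablished() && reply != null && reply.startsWith("Negotiate ")) {
                byte[] serverToken = Base64.getDecoder().decode(reply.substring("Negotiate ".length()).trim());
                ctx.initSecContext(serverToken, 0, serverToken.length);
            }
            if (!ctx.isEstablished() || !ctx.getMutualAuthState()) {
                // The peer never proved it holds the HTTP/host key: treat the response as untrusted.
                throw new GSSException(GSSException.FAILURE);
            }
            return status;
        } finally {
            ctx.dispose();
        }
    }
}
```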
