Hi,
I am sorry, but this is out of scope for Keycloak. Keycloak's role ends at
the moment you are successfully authenticated in your app and you
have the GSS credential. The exact way to use that credential further to
access another service is specific to that service. So you would need to
consult the Hive Server 2 (or maybe just JDBC protocol or HDFS) documentation
for details.
As you can see, the example itself uses delegated authentication to
Apache Directory Server, which supports authentication through the
GSSAPI SASL mechanism. But that's specific to Apache Directory itself.
BTW, if you still find a way, it would be good if you could reply here
and share. It might be useful as a reference in future for other users
with the same issue.
Marek
On 02/06/17 07:48, Nirmal Kumar wrote:
Hello Keycloak,
I referred to the Keycloak Example - Kerberos Credential Delegation
https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it
end to end.
I even pointed it at our Kerberos environment (Hadoop HDP 2.5) and found it working great.
FLOW:
-------
Hitting the web app URL, I get the challenge response header WWW-Authenticate: Negotiate,
and then the browser uses GSS-API to load the user's Kerberos ticket from the ticket cache
and sends it in the form Authorization: Negotiate YII. This works perfectly fine; I am authenticated
via Kerberos and land in my web app.
// serializedGssCredential is the String value of the "gss_delegation_credential" claim of the Keycloak access token
GSSCredential deserializedGssCredential =
    org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
// Create GSSContext to call other kerberos-secured services
GSSManager gssManager = GSSManager.getInstance();
Oid krb5Oid = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
GSSName serviceName = gssManager.createName("service@host", GSSName.NT_HOSTBASED_SERVICE, krb5Oid); // placeholder: target service
GSSContext context = gssManager.createContext(serviceName,
    krb5Oid, deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call
other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS.
Is there some reference or examples that I can refer and use the GSSCredential object to
access Kerberized services like Hive Server 2 via JDBC and HDFS?
Many Thanks,
-Nirmal
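The following is an added example, written for this page and not code from the thread, from the Keycloak kerberos example or from Keycloak itself. It shows the two ways the delegated GSSCredential that Keycloak stores in the access token can be used from the web app: placing it in a Subject so that a client library using Java's GSSAPI SASL mechanism (JNDI/LDAP here, the kind of call the Keycloak example makes) picks it up under Subject.doAs, and completing the createContext snippet from the question into a full initSecContext token loop for a service that consumes raw GSS tokens. The LDAP URL, the user DN, the "service@host" name and the TokenExchange transport hook are placeholders and assumptions of this example; the claim name comes from Keycloak's KerberosConstants.

```java
// Added example (not from the thread or from Keycloak): using the GSSCredential that
// Keycloak delegated into the access token against another Kerberos-secured service.
// The LDAP URL, user DN and "service@host" name are placeholders to be filled in.
package example;

import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import org.ietf.jgss.*;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;

public final class DelegatedKerberosClient {

    /** Kerberos V5 mechanism OID (RFC 1964). */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /**
     * Step 1: read the delegated credential that Keycloak put into the access token.
     * The serialized value is a forwarded ticket for the logged-in user: treat it as a
     * secret, keep it server-side and never write it to logs.
     */
    public static GSSCredential delegatedCredential(HttpServletRequest req) throws Exception {
        KeycloakPrincipal<?> principal = (KeycloakPrincipal<?>) req.getUserPrincipal();
        Object serialized = principal.getKeycloakSecurityContext().getToken()
                .getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
        if (serialized == null) {
            // Typical causes: the client has no "gss delegation credential" protocol mapper,
            // or the user's TGT was not forwardable, so nothing could be delegated.
            throw new IllegalStateException("access token carries no delegated GSS credential");
        }
        return KerberosSerializationUtils.deserializeCredential((String) serialized);
    }

    /**
     * Step 2a: run a client action with the credential in the Subject's private credentials.
     * Java's GSSAPI SASL client (used by JNDI/LDAP below) looks there for a GSSCredential,
     * so the library authenticates as the delegated user without any keytab or login.
     */
    public static <T> T runAs(GSSCredential cred, PrivilegedExceptionAction<T> action) throws Exception {
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(cred);
        return Subject.doAs(subject, action);
    }

    /** LDAP lookup over SASL GSSAPI, the same kind of call the Keycloak kerberos example makes. */
    public static String ldapDisplayName(GSSCredential cred, String ldapUrl, String userDn) throws Exception {
        return runAs(cred, () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // SASL; credential comes from the Subject
            DirContext dir = new InitialDirContext(env);
            try {
                Attribute a = dir.getAttributes(userDn, new String[] {"displayName"}).get("displayName");
                return a == null ? null : (String) a.get();
            } finally {
                dir.close();
            }
        });
    }

    /** Transport hook (placeholder): deliver a token to the service and return its reply, or null. */
    @FunctionalInterface
    public interface TokenExchange {
        byte[] exchange(byte[] token) throws Exception;
    }

    /**
     * Step 2b: explicit GSS-API handshake for a service that consumes raw Kerberos tokens.
     * This completes the createContext call from the question; how the tokens travel to the
     * service and back is service-specific, which is why the transport is passed in.
     */
    public static GSSContext establishContext(GSSCredential cred, String serviceAtHost,
                                              TokenExchange transport) throws Exception {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);
        GSSName peer = mgr.createName(serviceAtHost, GSSName.NT_HOSTBASED_SERVICE, krb5);
        GSSContext ctx = mgr.createContext(peer, krb5, cred, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // authenticate the service to us as well
        ctx.requestCredDeleg(false);   // do not forward the delegated credential a second hop
        byte[] inToken = new byte[0];
        do {
            byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
            inToken = (outToken == null || outToken.length == 0) ? null : transport.exchange(outToken);
        } while (!ctx.isEstablished() && inToken != null);
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.FAILURE, 0, "service stopped before the context was established");
        }
        return ctx;   // use ctx.wrap()/unwrap() for protected messages, ctx.dispose() when done
    }
}
```

The Subject-based path only works for client libraries that authenticate through the JDK's GSSAPI SASL client and honour the calling Subject instead of performing their own login; whether the Hadoop RPC client and the Hive JDBC driver do so is exactly the service-specific part Marek points to (Hive JDBC documents a kerberosAuthType=fromSubject connection parameter for this case; check the documentation of the driver and Hadoop versions you run before relying on it). Keep requestCredDeleg at false unless the downstream service genuinely needs to act on the user's behalf further on, since every extra hop widens the blast radius of the forwarded ticket.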
________________________________
NOTE: This message may contain information that is confidential, proprietary, privileged
or otherwise protected by law. The message is intended solely for the named addressee. If
received in error, please destroy and notify the sender. Any use of this email is
prohibited when received in error. Impetus does not represent, warrant and/or guarantee,
that the integrity of this communication has been maintained nor that the communication is
free of errors, virus, interception or interference.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user