Thanks Marek for the reply.
I am currently delving into Hive Server 2 to find ways to access it and will surely share
my findings here.
-Nirmal
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Friday, June 2, 2017 8:27 PM
To: Nirmal Kumar <nirmal.kumar(a)impetus.co.in>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Kerberos Credential Delegation : Using GSSCredential to call
other kerberos-secured services
Hi,
I am sorry, but this is out of scope for Keycloak. Keycloak's role ends the moment
you are successfully authenticated in your app and you have the GSS Credential. The exact way
to use that credential further to access another service is specific to that service. So
you would need to check the Hive Server 2 (or maybe just JDBC protocol or HDFS) documentation
for details.
As you can see, the example itself uses delegated authentication to Apache Directory
server, which supports authentication through the GSSAPI SASL mechanism. But that's
specific to Apache Directory itself.
Btw., if you still find a way, it would be good if you could reply here and share it. It might be
useful as a future reference for other users with the same issue.
Marek
On 02/06/17 07:48, Nirmal Kumar wrote:
Hello Keycloak,
I referred to the Keycloak Example - Kerberos Credential Delegation
https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it
end to end.
I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.
FLOW:
-------
Hitting the web app URL, I get the challenge response header WWW-Authenticate: Negotiate
and then the browser uses GSS-API to load the user's Kerberos ticket from the ticket cache,
in the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated
via Kerberos and land in my web app.
GSSCredential deserializedGssCredential =
    org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
// Create GSSContext to call other kerberos-secured services
GSSContext context = gssManager.createContext(serviceName, krb5Oid,
    deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
As I am a bit of a newcomer to the GSS API, I cannot figure out how to use the GSSCredential to call
other kerberos-secured services, which in my case are Hive Server 2 via JDBC and HDFS.
Is there some reference or example that I can refer to and use the GSSCredential object to
access Kerberized services like Hive Server 2 via JDBC and HDFS?
Many Thanks,
-Nirmal
________________________________
NOTE: This message may contain information that is confidential, proprietary, privileged
or otherwise protected by law. The message is intended solely for the named addressee. If
received in error, please destroy and notify the sender. Any use of this email is
prohibited when received in error. Impetus does not represent, warrant and/or guarantee,
that the integrity of this communication has been maintained nor that the communication is
free of errors, virus, interception or interference.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
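An added example, not part of the thread and not Keycloak or Hive code: the generic JGSS initiator loop that continues from the createContext call in the original question, using the delegated credential toward one target service. The TokenTransport interface and the class and method names are hypothetical; how tokens actually travel (SASL, HTTP Negotiate, etc.) is specific to the target service, as the reply above says.

```java
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class DelegatedContextExample {

    /** Hypothetical carrier: sends our token to the service, returns its reply (or null). */
    public interface TokenTransport {
        byte[] exchange(byte[] outToken) throws IOException;
    }

    /**
     * Establishes a Kerberos security context with the given service using the
     * delegated credential. hostBasedService has the form "service@host".
     * The caller must dispose() the returned context when finished.
     */
    public static GSSContext establish(GSSCredential delegated, String hostBasedService,
                                       TokenTransport transport)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5Oid = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
        GSSName serviceName =
                manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext context = manager.createContext(
                serviceName, krb5Oid, delegated, GSSContext.DEFAULT_LIFETIME);
        try {
            context.requestMutualAuth(true);  // the service must prove its identity too
            context.requestCredDeleg(false);  // do not forward the user's ticket any further
            byte[] in = new byte[0];
            while (!context.isEstablished()) {
                byte[] out = context.initSecContext(in, 0, in.length);
                if (out != null) {
                    byte[] reply = transport.exchange(out);
                    in = (reply != null) ? reply : new byte[0];
                }
            }
            if (!context.getMutualAuthState()) {
                throw new SecurityException("service did not complete mutual authentication");
            }
            return context;
        } catch (GSSException | IOException | RuntimeException e) {
            context.dispose(); // release the partial context on any failure
            throw e;
        }
    }
}
```

The delegated credential carries the end user's identity, so the web app should dispose of it and of the context as soon as the downstream call is done.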