Kerberos authentication with HTTP/SPNEGO

  • 26 November 2021

Environment:

  • Java 8
  • Kerberos
  • HTTP/SPNEGO

Issue:

  • The Java client fails with an error stating that no Kerberos ticket (TGT) was found.
  • HTTP/SPNEGO authentication with Kerberos is required.

    Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:360)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:204)
        ... 63 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:162)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:336)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:310)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:310)
        ... 64 more

Resolution:

  • Create a block in the JAAS configuration file with the entry name com.sun.security.jgss.krb5.initiate:

    com.sun.security.jgss.krb5.initiate {
        // Obtain the client's Kerberos credentials from the keytab
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/security/keytabs/spnego_client.keytab"
        principal="spnego_client/node-01.cluster@EXAMPLE.COM";
    };

  • The location of the JAAS configuration file varies with how Data Collector is set up.
  • It is the same file used to configure LDAP and Kafka security.
  • Examples of where the JAAS configuration file could be:
    • Specified via Java options: -Djava.security.auth.login.config=<JAAS config path>/client_jaas.conf
    • $SDC_CONF/ldap-login.conf
    • Cloudera Manager: Data Collector Advanced Configuration Snippet (Safety Valve) for generated-ldap-login-append.conf
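
A preflight check for the entry above, added here as an example (not Data Collector or Hadoop code): it reads keyTab and principal from the com.sun.security.jgss.krb5.initiate entry, confirms the entry is terminated with "};", and checks that the keytab is readable by the current user but closed to group and other. The function names are hypothetical, and the parser assumes one option per line, as in the entry shown.

```shell
#!/bin/sh
# Added example (not Data Collector code): preflight check for the SPNEGO client JAAS entry.
# Assumption: one option per line inside the entry, as in the block shown on this page.
ENTRY='com.sun.security.jgss.krb5.initiate'

# jaas_option FILE OPTION: print OPTION's value from the entry, without quotes or ';'.
jaas_option() {
  awk -v name="$ENTRY" -v opt="$2" '
    $1 == name             { inside = 1; next }
    inside && /^[ \t]*[}]/ { exit }
    inside && $0 ~ ("^[ \t]*" opt "=") {
      sub(/^[^=]*=/, ""); gsub(/[";]/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# check_spnego_jaas FILE: report problems; the exit status is the number found.
check_spnego_jaas() {
  local file="$1" problems=0 keytab principal
  keytab=$(jaas_option "$file" keyTab)
  principal=$(jaas_option "$file" principal)
  if [ -z "$keytab" ] || [ -z "$principal" ]; then
    echo "FAIL: $ENTRY entry with keyTab and principal not found in $file"
    return 1
  fi
  # The JAAS parser requires ';' after the closing brace of every entry.
  awk -v name="$ENTRY" '
    $1 == name             { inside = 1; next }
    inside && /^[ \t]*[}]/ { ok = ($0 ~ /[}][ \t]*;/); exit }
    END                    { exit !ok }' "$file" ||
    { echo 'FAIL: entry is not terminated with "};"'; problems=$((problems + 1)); }
  case "$principal" in
    *@?*) ;;
    *) echo "FAIL: principal '$principal' has no realm"; problems=$((problems + 1)) ;;
  esac
  if [ ! -r "$keytab" ]; then
    echo "FAIL: keytab $keytab is missing or unreadable by $(id -un)"
    problems=$((problems + 1))
  # A keytab holds the principal's long-term key: group and other need no access.
  elif [ "$(ls -ldL "$keytab" | cut -c5-10)" != "------" ]; then
    echo "FAIL: keytab $keytab is accessible to group or other (chmod 600)"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ] && echo "OK: $principal via $keytab"
  return "$problems"
}

if [ "$#" -gt 0 ]; then check_spnego_jaas "$1"; fi
```

Run it as the OS user that runs Data Collector, passing the path of the JAAS file. With MIT Kerberos client tools installed, klist -kt <keytab> lists the principals stored in the keytab, and kinit -kt <keytab> <principal> confirms that the KDC issues a TGT for it.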
