Windows上使用JDK1.6.45的MongoDB 3.0.0 / 2/3 Java驱动程序Kerberos身份验证
[英]MongoDB 3.0.0/2/3 Java Driver Kerberos Authentication on Windows using JDK1.6.45
问题描述
My Mongo server should be set up correctly since I can query against it using GSSAPI mechanism with client. 
我的Mongo服务器应正确设置,因为我可以通过客户端使用GSSAPI机制对其进行查询。
According to the documentation, Java Driver's Kerberos Authentication can be as simple as credentialList.add(MongoCredential.createGSSAPICredential("people/myhost.com@EXAMPLE.COM")); 根据文档,Java驱动程序的Kerberos身份验证可以像credentialList.add(MongoCredential.createGSSAPICredential("people/myhost.com@EXAMPLE.COM"));一样简单credentialList.add(MongoCredential.createGSSAPICredential("people/myhost.com@EXAMPLE.COM"));
The principal I used 我用的校长
- I tested with Mongo's enterprise version of client and it works: authenticated against Mongo server with Kerberos and can find() against it. 我使用Mongo的企业版客户端进行了测试,并且可以正常工作:使用Kerberos针对Mongo服务器进行身份验证,并可以针对它进行find()。 (database test, principal "people/myhost.com@EXAMPLE.COM") (数据库测试,主体为“ people/myhost.com@EXAMPLE.COM”)
- kinit performed and the new ticket is showed in the klist, ticket cached stored under KRB5CCNAME=D:\\Kerberos\\tickets.txt (environment variable set) 执行kinit并在klist中显示新票证,该票证缓存在KRB5CCNAME = D:\\ Kerberos \\ tickets.txt下(已设置环境变量)
To make sure krb5.ini/conf is read, I manually set the system property java.security.krb5.conf=C:/Windows/krb5.conf 为了确保读取krb5.ini / conf,我手动设置系统属性java.security.krb5.conf = C:/Windows/krb5.conf
Before I set the property javax.security.auth.useSubjectCredsOnly , GSSAPIAuthenticator.createSaslClient() catched exception of GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) . 在设置属性javax.security.auth.useSubjectCredsOnly之前, GSSAPIAuthenticator.createSaslClient()异常GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 。
After I set the property javax.security.auth.useSubjectCredsOnly=false , InternalStreamConnection.open() catched throwable: java.lang.SecurityException: Unable to locate a login configuration 设置属性javax.security.auth.useSubjectCredsOnly=false ,捕获了InternalStreamConnection.open()抛出: java.lang.SecurityException: Unable to locate a login configuration
I am really confused here. 我真的很困惑。 I thought it is using the ticket cache which is specified under KRB5CCNAME. 我以为它使用的是KRB5CCNAME下指定的票证缓存。 If I use jaas configuration, what name should I assign it to be? 如果我使用jaas配置,应将其分配给哪个名称?
Name {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="D:\\Kerberos\\people.keytab"
useTicketCache=false;
};
I set it with a random name and it started complaining GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)) . 我给它设置了一个随机名称,它开始抱怨GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)) 。
Can you guys help me on this? 你们可以帮我吗? What else I can try here or are there more useful and detailed logs that I can enable in this case? 在这种情况下,我还能尝试什么呢?还是可以使用更有用和详细的日志?
1 个解决方案
解决方案1
1 2015-08-17 15:11:50
Security error messages are cryptic, by design :-/ 安全错误消息是设计隐秘的:-/
But there is a nice " security trace flag " property to help you debug GSSAPI config issues: 但是有一个不错的“ 安全跟踪标志 ”属性可以帮助您调试GSSAPI配置问题:
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.