HTTPClient login from keytab to access hadoop jobhistory service
Posted: 2015-09-20 19:51:46
Question: I am writing a Java program to access the hadoop jobhistory service to retrieve some information.
I am using HTTPClient to make the HttpGet call. I need to log in from a keytab file (which I have in my ~/.ssh/ folder) instead of entering a username and password.
My question is: how do I log in from a keytab in HTTPClient?
Here is how I set up the HTTPClient:
System.setProperty("java.security.krb5.conf", "krb5.conf");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("java.security.krb5.realm", prop.getProperty("krb5.realm"));
System.setProperty("java.security.krb5.kdc", prop.getProperty("krb5.kdc"));
PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
cm.setMaxTotal(200);
cm.setDefaultMaxPerRoute(100);
//TODO login from keytab ?
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("DUMMY", null));
Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create()
        .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
        .build();
httpClient = HttpClients.custom().setDefaultCredentialsProvider(credsProvider)
        .setDefaultAuthSchemeRegistry(authRegistry)
        .setConnectionManager(cm)
        .build();
HttpResponse response = httpClient.execute(request);
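Interestingly, this code runs successfully in my IntelliJ. But after I build it and run it from the command line, it prompts me for my username and password.
I am new to authentication and hope someone can help. Thank you very much.
Comments: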
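Take a look at ***.com/questions/21375372/… -- no HTTP is involved in that case, but the GSSAPI configuration for obtaining the Kerberos ticket is the same. And that trace flag may prove helpful: ***.com/questions/31824149/…
Answer 1:
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import com.sun.security.auth.module.Krb5LoginModule;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;
HttpClientBuilder builder = HttpClientBuilder.create();
// Register SPNEGO; the "true" argument strips the port from the service principal name
Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create()
        .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
builder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
// Placeholder credentials: the Kerberos credentials come from the Subject below
BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(new AuthScope(null, -1, null), new Credentials() {
    @Override
    public Principal getUserPrincipal() {
        return null;
    }
    @Override
    public String getPassword() {
        return null;
    }
});
builder.setDefaultCredentialsProvider(credentialsProvider);
final HttpClient httpClient = builder.build();
// Log in from the keytab and store the resulting credentials in the Subject
final Subject subj = new Subject();
Krb5LoginModule krb5 = new Krb5LoginModule();
Map<String, String> options = new HashMap<>();
options.put("doNotPrompt", "true");
options.put("storeKey", "true");
options.put("useKeyTab", "true");
options.put("useTicketCache", "true");
options.put("keyTab", keytabFilePath); //Path to keytab file
options.put("principal", principal); //Principal name
options.put("debug", "true");
krb5.initialize(subj, null, null, options);
krb5.login();
krb5.commit();
// Execute the request as the logged-in Subject so SPNEGO can use its credentials
HttpResponse response = Subject.doAs(subj, new PrivilegedExceptionAction<HttpResponse>() {
    @Override
    public HttpResponse run() throws Exception {
        return httpClient.execute(request);
    }
});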
Comments:
Adding some details might be good for others.
What do you mean?
It's just a bunch of code; add some reasoning/comments to your code.
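A variant of the keytab login in the answer above, as an added example that is not part of the original thread: it builds the JAAS configuration in memory and goes through LoginContext, so the login does not depend on a JAAS config file or an existing ticket cache, and it refuses a keytab that anyone other than its owner can access. The class name KeytabLogin, its method names and the entry name "keytab-client" are hypothetical; a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.login.*;

// Added example: class, method and entry names are hypothetical, not from the original post.
public final class KeytabLogin {
    // In-memory JAAS configuration: no jaas.conf file or login.config system property needed.
    static Configuration keytabConfig(String principal, Path keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab.toString());
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");      // fail instead of asking for a password
        opts.put("useTicketCache", "false");  // do not depend on a prior kinit
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // A keytab holds long-term keys: reject one that group or others can access (POSIX only).
    static void requireOwnerOnly(Path keytab) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(keytab)) {
            if (!p.name().startsWith("OWNER_")) {
                throw new SecurityException(keytab + " is accessible beyond its owner: " + p);
            }
        }
    }

    // Logs in from the keytab, runs the action as the resulting Subject, then logs out.
    static <T> T runAs(String principal, Path keytab, PrivilegedExceptionAction<T> action)
            throws Exception {
        requireOwnerOnly(keytab);
        LoginContext lc = new LoginContext("keytab-client", new Subject(), null,
                keytabConfig(principal, keytab));
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), action);
        } finally {
            lc.logout(); // remove the Kerberos keys and tickets from the Subject
        }
    }
}
```

With the httpClient built as in the answer, the request becomes `KeytabLogin.runAs(principal, Paths.get(keytabFilePath), () -> httpClient.execute(request))`.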