Big data security management -- user authentication and authorization 1

1. Introduction to JaaS

The Java Security Framework initially focused on protecting users from running potentially untrustworthy code by authorizing mobile code based on where the code came from (URL) and who created the code (certificate). Java 2 SDK 1.3 introduced JAAS (Java Authentication and Authorization Service), adding user-based access control capabilities, that is, authorizing based on who is running the code.

The above is Baidu Encyclopedia's explanation of JaaS. If we regard the KDC as a database, then JaaS plays a role similar to JDBC: JDBC gives us a set of template-like code for connecting to a database, and if we need to connect to MySQL we simply apply it. JaaS is the same. It provides a set of template code that we can apply directly to complete Kerberos user authentication (JaaS is not limited to Kerberos). Let's take a look at how JaaS is used.

2. Use of JaaS

The JDK already provides a complete JAAS implementation. Let's look at a complete JAAS login program and its configuration.

2.1 JaaS login sample

The following code is what a client needs to perform Kerberos authentication; only two lines of it do the real work (creating the LoginContext and calling login()):

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class JaasTest {
    public static void main(String[] args) {
        try {
            // "JaaSSampleTest" must match the entry name in the JAAS configuration file;
            // TextCallbackHandler prompts for the user name and password on the console
            LoginContext lc = new LoginContext("JaaSSampleTest", new TextCallbackHandler());
            lc.login();                     // runs Krb5LoginModule and obtains the TGT
            Subject sub = lc.getSubject();  // holds the Kerberos principal and tickets
        } catch (LoginException le) {
            System.err.println("Authentication failed: " + le.getMessage());
            System.exit(-1);
        }
        System.out.println("Authentication succeeded!");
    }
}

The configuration file jaas_test.conf is:

JaaSSampleTest {
 com.sun.security.auth.module.Krb5LoginModule required;
};

The running virtual machine parameters are:
-Djava.security.auth.login.config=f:\kerberos\jaas.conf -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=freeipa56.example.com
The running results are as follows:
[screenshot of the run output not preserved]

2.2 JaaS configuration file

In the above example, Kerberos authentication was performed with a user name and password. In practice, however, we often use a keytab file rather than this interactive method, and which one is used depends on the parameters in jaas.conf. The following client.conf configuration file is the one used by HMaster; it contains the parameters we use most often.

[root@ysbdh03 0]# cat /usr/hdp/current/hbase-master/conf/hbase_master_jaas.conf

Client {   # this value "Client" is set in code: it is the first argument to new LoginContext()
com.sun.security.auth.module.Krb5LoginModule required # the default Krb5LoginModule is normally used
useKeyTab=true  # whether to use a keytab file for authentication
storeKey=true   # keep the principal's key in the Subject (needed by services that accept tickets)
debug=true  # whether to print debug logs
useTicketCache=false # whether to use the ticket cache created by kinit
keyTab="/etc/security/keytabs/hbase.service.keytab" # location of the keytab
principal="hbase/[email protected]";   # the principal that the keytab corresponds to
};

Note that these parameters are defined by Krb5LoginModule, which also accepts a number of others; the ones above are the ones we find most useful.
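To show how the keytab parameters above map onto the login code from 2.1, here is an added example (not from the original post or from HBase) that builds the same Krb5LoginModule entry in code instead of a jaas.conf file, logs in without any prompt, and checks which principal was obtained; the keytab path and principal "hbase/host.example.com@EXAMPLE.COM" are placeholders.

```java
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KeytabJaasLogin {
    /** The same options as the hbase_master_jaas.conf entry above, as a Configuration object. */
    static Configuration keytabConfig(final String keyTab, final String principal) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");       // take the key from the keytab, no password prompt
                opts.put("storeKey", "true");        // keep the key in the Subject (services need it to accept tickets)
                opts.put("useTicketCache", "false"); // ignore any ticket cache left by kinit
                opts.put("keyTab", keyTab);
                opts.put("principal", principal);
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Placeholder values: point these at your own keytab and principal.
        String keyTab = args.length > 0 ? args[0] : "/etc/security/keytabs/hbase.service.keytab";
        String principal = args.length > 1 ? args[1] : "hbase/host.example.com@EXAMPLE.COM";
        // "Client" is the entry name, the same string the page passes to new LoginContext().
        // No CallbackHandler is needed because with useKeyTab=true the module never prompts.
        LoginContext lc = new LoginContext("Client", null, null, keytabConfig(keyTab, principal));
        lc.login();
        Subject subject = lc.getSubject();
        // Check which principal was actually obtained rather than assuming it is the one requested.
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("Authenticated as " + p.getName());
        }
        // Run work as the authenticated subject, which is how HMaster uses its keytab login.
        int tickets = Subject.doAs(subject, (PrivilegedAction<Integer>) () ->
                subject.getPrivateCredentials(KerberosTicket.class).size());
        System.out.println("TGTs held by the subject: " + tickets);
        lc.logout(); // release the credentials when done
    }
}
```

Because the configuration is supplied as an object, the -Djava.security.auth.login.config parameter is not needed; the krb5 realm and KDC settings (or a krb5.conf) still are.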


Origin blog.csdn.net/eyoulc123/article/details/78781226