Rock
Reputation: 500
Datastax Java Driver with kerberos security
Am trying to access kerberos enabled DSE cluster from eclipse.
Sample connection code is
public void connect(String node) {
cluster = Cluster.builder().addContactPoint(node)
.withAuthProvider(new DseAuthProvider()).build();
Metadata metadata = cluster.getMetadata();
Iterator<KeyspaceMetadata> in = metadata.getKeyspaces().iterator();
while (in.hasNext()) {
// System.out.println("Keyspaces");
System.out.println(in.next().getName());
}
My dseclient file looks like this
DseClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/to/file.keytab"
principal="[email protected]";
};
Am getting the below exception when I run the code
Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: Cannot locate default realm
at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:113)
at com.datastax.driver.core.sasl.KerberosAuthenticator.<init>(KerberosAuthenticator.java:94)
at com.datastax.driver.core.sasl.DseAuthProvider.newAuthenticator(DseAuthProvider.java:52)
at com.datastax.driver.core.Connection.initializeTransport(Connection.java:164)
at com.datastax.driver.core.Connection.<init>(Connection.java:132)
at com.datastax.driver.core.Connection.<init>(Connection.java:59)
at com.datastax.driver.core.Connection$Factory.open(Connection.java:442)
at com.datastax.driver.core.ControlConnection.tryConnect(ControlConnection.java:205)
at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:168)
at com.datastax.driver.core.ControlConnection.connect(ControlConnection.java:81)
at com.datastax.driver.core.Cluster$Manager.init(Cluster.java:662)
at com.datastax.driver.core.Cluster$Manager.access$100(Cluster.java:604)
at com.datastax.driver.core.Cluster.<init>(Cluster.java:69)
at com.datastax.driver.core.Cluster.buildFrom(Cluster.java:96)
at com.datastax.driver.core.Cluster$Builder.build(Cluster.java:585)
at AuthenticatedClient.connect(AuthenticatedClient.java:19)
at AuthenticatedClient.main(AuthenticatedClient.java:59)
Caused by: javax.security.auth.login.LoginException: Cannot locate default realm
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:109)
... 16 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
... 30 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
... 35 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
... 36 more
Am using DSE 3.2.3 and java driver 1.0.4
Upvotes: 2
Views: 2692
Answers (1)
beobal
Reputation: 274
Most likely, this points to a missing or misconfigured Kerberos setup on the client. On linux, the relevant file is /etc/krb5.conf and you may want to check the
[libdefaults] and [realms] sections. For the JAAS config you're using, I'd expect to see something like this in your krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.COM
.
.
.
[realms]
MYDOMAIN.COM = {
kdc = <address of your kdc>
admin_server = <address of the domain admin server>
}
You'll also want to ensure that DNS name resolution is properly setup. From the client machine, make sure both forward and backward resolution are working correctly e.g.:
nslookup <hostname> && nslookup <host ip>
I would also validate that you can connect to the cluster using cqlsh, following the instructions here: http://www.datastax.com/docs/datastax_enterprise3.2/security/cqlsh_setup#security-run-cqlsh
If you're running OSX on the client machine, this bug might also be relevant to you : http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7184815
Upvotes: 1
Related Questions
- Connecting Datastax outside Kubernetes to a Cassandra cluster in Kubernetes
- Using Datastax Cassandra Driver from Scala
- Datastax Driver Mapping API
- datastax cassandra java driver PlainTextAuthProvider example
- Cannot connect java client to cassandra with password authentication enabled
- Cassandra java driver connection error
- DataStax Java driver 2.0.0-beta2 with Cassandra 1.2.1: unsupported protocol version
- Connecting to cassandra cluster with kerberos using java driver
- Datastax Java driver can't authenticate against Cassandra PasswordAuthenticator when logging into a cluster
- Cassandra Java Driver With Kerberos Security