Part of the article series: Big Data Security in Practice https://www.jianshu.com/p/76627fd8399c
Scenario:
Generate keytab files automatically on request from a service.
Functions:
1. Create the principal
2. Generate the keytab file
3. Return the principal and the keytab through an API
The Kerberos-related code below was read and extracted from the Ambari source.
Approach:
- Find the relevant unit test and use it to verify the functionality.
- Extract the test code into a new project and get it running. Getting it to run means adding the various dependencies and the source files it pulls in; the package structure of the extracted code is best kept identical to the original project's.
Ambari's entry point for creating a Kerberos keytab file (the relevant Ambari unit test reduced to a `main` method; the `Assert` calls are kept as comments to show what the test checks):
```java
package kbds.auth.keytab;

import org.apache.ambari.server.security.credential.PrincipalKeyCredential;
import org.apache.ambari.server.serveraction.kerberos.KerberosOperationException;
import org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;

import java.io.File;
import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AuthMain {
    public static void main(String[] args) throws KerberosOperationException, IOException {
        KerberosOperationHandler handler = createHandler();
        File file = new File("D:\\am.keytab");
        final String principal1 = "[email protected]";
        final String principal2 = "[email protected]";
        Set<String> seenEntries = new HashSet<String>();

        // Each call derives keys from the password (one per supported encryption type)
        // and merges them into the file; no KDC is contacted.
        handler.createKeytabFile(principal1, "some password", 0, file);
        handler.createKeytabFile(principal2, "some password", 0, file);
        // Attempt to add duplicate entries
        handler.createKeytabFile(principal2, "some password", 0, file);

        // Read the file back and check that principal|etype pairs are unique
        Keytab keytab = Keytab.read(file);
        // Assert.assertNotNull(keytab);
        List<KeytabEntry> entries = keytab.getEntries();
        // Assert.assertNotNull(entries);
        // Assert.assertFalse(entries.isEmpty());
        for (KeytabEntry entry : entries) {
            String seenEntry = String.format("%s|%s", entry.getPrincipalName(), entry.getKey().getKeyType().toString());
            // Assert.assertFalse(seenEntries.contains(seenEntry));
            seenEntries.add(seenEntry);
        }
    }

    /**
     * Anonymous handler whose KDC-admin methods are stubs: only the inherited
     * createKeytabFile() is exercised, which is exactly the part that works without a KDC.
     */
    public static KerberosOperationHandler createHandler() throws KerberosOperationException {
        KerberosOperationHandler handler = new KerberosOperationHandler() {
            @Override
            public void open(PrincipalKeyCredential administratorCredentials, String defaultRealm,
                             Map<String, String> kerberosConfiguration) throws KerberosOperationException {
                setAdministratorCredential(administratorCredentials);
                setDefaultRealm(defaultRealm);
                setExecutableSearchPaths("/usr/bin, /usr/kerberos/bin, /usr/sbin");
            }

            @Override
            public void close() throws KerberosOperationException {
            }

            @Override
            public boolean principalExists(String principal) throws KerberosOperationException {
                return false;
            }

            @Override
            public Integer createPrincipal(String principal, String password, boolean service) throws KerberosOperationException {
                return 0;
            }

            @Override
            public Integer setPrincipalPassword(String principal, String password) throws KerberosOperationException {
                return 0;
            }

            @Override
            public boolean removePrincipal(String principal) throws KerberosOperationException {
                return false;
            }
        };
        // Admin credential and default realm; a principal without "@REALM" gets this realm appended
        handler.open(new PrincipalKeyCredential("me/admin", "me"), "TT.COM", null);
        return handler;
    }
}
```
- The new project's pom file. There is no ambari-server dependency: the Ambari classes the code uses (KerberosOperationHandler, PrincipalKeyCredential, KerberosOperationException and what they pull in) are copied into the project as source files, which is why the package structure is kept the same as in Ambari.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>kbds</groupId>
  <artifactId>auth-keytab</artifactId>
  <version>1.0</version>

  <dependencies>
    <dependency>
      <groupId>com.google.code.gson</groupId>
      <artifactId>gson</artifactId>
      <version>2.2.2</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.6</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>1.7.5</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.easymock</groupId>
      <artifactId>easymock</artifactId>
      <version>3.4</version>
      <scope>test</scope>
    </dependency>
    <!-- Keytab reading/writing and string-to-key: the library Ambari uses underneath -->
    <dependency>
      <groupId>org.apache.directory.server</groupId>
      <artifactId>apacheds-kerberos-codec</artifactId>
      <version>2.0.0-M19</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.kerberos</groupId>
      <artifactId>spring-security-kerberos-core</artifactId>
      <version>1.0.1.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.kerberos</groupId>
      <artifactId>spring-security-kerberos-web</artifactId>
      <version>1.0.1.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.kerberos</groupId>
      <artifactId>spring-security-kerberos-client</artifactId>
      <version>1.0.1.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>com.google.code.findbugs</groupId>
      <artifactId>jsr305</artifactId>
      <version>1.3.9</version>
    </dependency>
    <dependency>
      <groupId>com.google.inject</groupId>
      <artifactId>guice</artifactId>
      <version>3.0</version>
    </dependency>
    <dependency>
      <groupId>com.google.inject.extensions</groupId>
      <artifactId>guice-persist</artifactId>
      <version>3.0</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.3</version>
    </dependency>
  </dependencies>
</project>
```
Verifying the generated keytab file
- Upload the keytab file to a host that has the Kerberos client tools and can reach the KDC.
- Show the file contents (`-k` keytab, `-e` encryption types, `-t` timestamps):

```
klist -ket [email protected]
Keytab name: FILE:[email protected]
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   0 04/17/18 17:08:30 [email protected] (des-cbc-md5)
   0 04/17/18 17:08:30 [email protected] (des3-cbc-sha1)
   0 04/17/18 17:08:30 [email protected] (aes128-cts-hmac-sha1-96)
   0 04/17/18 17:08:30 [email protected] (arcfour-hmac)
```

Two things are worth noticing here. There is no aes256-cts-hmac-sha1-96 entry even though Ambari requests it: on JDKs before 8u161 that usually means the JCE unlimited-strength policy is not installed, and the apacheds key factory silently skips the types it cannot generate. And the des-cbc-md5 and arcfour-hmac entries are weak; DES is disabled by default in current MIT krb5 and RC4 is deprecated, so a keytab service should not mint them.

- First attempt to obtain credentials:

```
# Destroy any existing credentials first
kdestroy
kinit -kt [email protected] xf
kinit: Client not found in Kerberos database while getting initial credentials
```

Error: the principal has not been created on the KDC. The keytab is only the client's copy of the key; the KDC must hold a principal with a matching key before it can authenticate anyone.

- Create the principal on the KDC:

```
kadmin.local: addprinc xf
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
```

The password typed here has to be the same one the keytab was generated from ("some password" in the code above); the KDC derives its copy of the keys from that password in the same way, so with a different password the two sides would hold different keys and kinit would fail with a preauthentication error.

- Try again to obtain credentials:

```
kinit -kt [email protected] xf
```

- Verify:

```
klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email protected]

Valid starting     Expires            Service principal
04/17/18 17:13:35  04/18/18 17:13:35  krbtgt/[email protected]
	renew until 04/24/18 17:13:35, Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
```

Finding: keytab generation can be decoupled from the KDC. A keytab generated outside the KDC is accepted by the KDC. The reason is that a keytab contains nothing issued by the KDC: each entry is just the key that the standard string-to-key function derives from the password and the salt (realm plus principal name), so as long as the principal exists on the KDC with the same name and the same password, both sides hold identical keys. The KVNO 0 in the file versus kvno 1 on the KDC did not matter for kinit because the AS exchange carries no kvno; a service keytab that has to decrypt tickets must carry the KDC's current kvno. For the keytab service in the scenario above this means that the service (or a KDC admin) must still create the principal on the KDC with the same password, and that anyone who knows the password can regenerate the keytab, so the password should be a random one generated per principal and not stored next to the keytab.
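As an added example written for this page (not code from the original post or from Ambari), the following shows what `createKeytabFile` does underneath, using the same apacheds-kerberos-codec library the pom above already pulls in: derive keys with `KerberosKeyFactory` and write the MIT keytab layout with `Keytab`. The class name, the principal `svc-demo/host1.tt.com@TT.COM` (realm TT.COM as on this page), the password and the kvno are assumptions. It restricts itself to AES, includes a small JDK-only reader for the on-disk layout so the entries can be inspected without `klist`, and demonstrates the point of the experiment above and its limit: the same name and password give the same key, while the same password with a different principal name gives a different AES key, because the name is part of the salt.

```java
package kbds.auth.keytab;

import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;

import java.io.DataInputStream;
import java.io.EOFException;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class KeytabDemo {
    // Assumed demo inputs: realm TT.COM as on this page; principal and password are placeholders.
    static final String PRINCIPAL = "svc-demo/host1.tt.com@TT.COM";
    static final String PASSWORD = "some password";
    // AES only: the des-cbc-md5 and arcfour-hmac entries seen in klist above are deprecated.
    static final Set<EncryptionType> CIPHERS = EnumSet.of(
            EncryptionType.AES128_CTS_HMAC_SHA1_96, EncryptionType.AES256_CTS_HMAC_SHA1_96);

    /** string-to-key per etype (salt = realm + name components, the MIT default), one keytab entry per key. */
    static Keytab buildKeytab(String principal, String password, int kvno) {
        Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory.getKerberosKeys(principal, password, CIPHERS);
        List<KeytabEntry> entries = new ArrayList<KeytabEntry>();
        KerberosTime now = new KerberosTime();
        for (EncryptionKey key : keys.values()) {
            entries.add(new KeytabEntry(principal, 1 /* KRB5_NT_PRINCIPAL */, now, (byte) kvno, key));
        }
        Keytab keytab = Keytab.getInstance();
        keytab.setEntries(entries);
        return keytab;
    }

    static byte[] keyOf(Keytab keytab, EncryptionType etype) {
        for (KeytabEntry e : keytab.getEntries()) {
            if (e.getKey().getKeyType() == etype) return e.getKey().getKeyValue();
        }
        return null;
    }

    private static String counted(ByteBuffer bb) {              // uint16 length followed by the bytes
        byte[] b = new byte[bb.getShort() & 0xffff];
        bb.get(b);
        return new String(b, StandardCharsets.UTF_8);
    }

    /** JDK-only reader for the MIT keytab layout (version 0x0502, big-endian); key bytes are skipped, never printed. */
    static List<String> describe(File file) throws IOException {
        List<String> lines = new ArrayList<String>();
        DataInputStream in = new DataInputStream(new FileInputStream(file));
        try {
            int version = in.readUnsignedShort();
            if (version != 0x0502) throw new IOException("unsupported keytab version 0x" + Integer.toHexString(version));
            while (true) {
                int size;
                try { size = in.readInt(); } catch (EOFException eof) { break; }
                if (size < 0) { in.skipBytes(-size); continue; }     // negative size marks a deleted slot
                if (size == 0) break;
                byte[] raw = new byte[size];
                in.readFully(raw);
                ByteBuffer bb = ByteBuffer.wrap(raw);                 // big-endian by default
                int numComponents = bb.getShort() & 0xffff;           // in v2 the realm is not counted
                String realm = counted(bb);
                StringBuilder name = new StringBuilder();
                for (int i = 0; i < numComponents; i++) {
                    if (i > 0) name.append('/');
                    name.append(counted(bb));
                }
                bb.getInt();                                          // name type
                long ts = bb.getInt() & 0xffffffffL;
                int vno = bb.get() & 0xff;
                int etype = bb.getShort() & 0xffff;
                int keyLen = bb.getShort() & 0xffff;
                bb.position(bb.position() + keyLen);
                if (bb.remaining() >= 4) {                            // optional 32-bit kvno (MIT tools write it)
                    int vno32 = bb.getInt();
                    if (vno32 != 0) vno = vno32;
                }
                lines.add(String.format("%4d %s %s@%s etype=%d keylen=%d", vno, new Date(ts * 1000L), name, realm, etype, keyLen));
            }
        } finally {
            in.close();
        }
        return lines;
    }

    public static void main(String[] args) throws IOException {
        File file = File.createTempFile("demo", ".keytab");
        Keytab first = buildKeytab(PRINCIPAL, PASSWORD, 1);
        first.write(file);
        for (String line : describe(file)) System.out.println(line);

        EncryptionType aes = EncryptionType.AES128_CTS_HMAC_SHA1_96;
        // Same principal and password -> same key: this is why the off-KDC keytab above was accepted.
        Keytab again = buildKeytab(PRINCIPAL, PASSWORD, 1);
        System.out.println("same inputs, same key: " + Arrays.equals(keyOf(first, aes), keyOf(again, aes)));
        // Same password, different principal -> different AES key, because the name is part of the salt.
        Keytab other = buildKeytab("svc-demo/host2.tt.com@TT.COM", PASSWORD, 1);
        System.out.println("other name, same key:  " + Arrays.equals(keyOf(first, aes), keyOf(other, aes)));
        file.delete();
    }
}
```

Run it on the classpath of the pom above. On JDKs before 8u161 without the JCE unlimited-strength policy the AES256 entry is skipped silently, exactly as in the `klist -ket` output on this page; for a service principal pass the kvno the KDC reports (`kadmin getprinc`) instead of a fixed 1, since the service uses the keytab to decrypt tickets and a kvno mismatch is fatal there.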