Question

I followed the instructions from the following DataStax post - Accessing secure DSE clusters

This is my code snippet -

    public static void main(String[] args) {
        KerberosAuthenticatedClient client = new KerberosAuthenticatedClient();
        // Point the JVM at the Kerberos and JAAS configuration files
        System.setProperty("java.security.krb5.conf", "C:/Users/ADMIN/Desktop/krb5.config");
        System.setProperty("java.security.auth.login.config", "C:/Users/ADMIN/Desktop/DseClient.config");
        // Connect through the DSE Kerberos auth provider
        cluster = Cluster.builder().addContactPoint(node).withAuthProvider(new DseAuthProvider()).build();
        session = cluster.connect();
    }

This is my DseClient File -

DseClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    doNotPrompt=true
    keyTab="C:/Users/ADMIN/Desktop/dse.keytab"
    principal="rock@MY.COM";
};

And this is my krb5.conf -

[libdefaults]
default_realm = MY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
MY.COM = {
kdc = x.x.x.x
admin_server = x.x.x.x
}

[domain_realm]
.my.com = MY.COM
my.com = MY.COM

I have installed Kerberos on my client machine and also on the servers. But when I run it I get the following error:

Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: Unable to obtain password from user

at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:113)
at com.datastax.driver.core.sasl.KerberosAuthenticator.<init>(KerberosAuthenticator.java:94)
at com.datastax.driver.core.sasl.DseAuthProvider.newAuthenticator(DseAuthProvider.java:52)
at com.datastax.driver.core.Connection.initializeTransport(Connection.java:163)
at com.datastax.driver.core.Connection.<init>(Connection.java:131)
at com.datastax.driver.core.Connection.<init>(Connection.java:59)
at com.datastax.driver.core.Connection$Factory.open(Connection.java:444)
at com.datastax.driver.core.ControlConnection.tryConnect(ControlConnection.java:205)
at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:168)
at com.datastax.driver.core.ControlConnection.connect(ControlConnection.java:81)
at com.datastax.driver.core.Cluster$Manager.init(Cluster.java:812)
at com.datastax.driver.core.Cluster$Manager.access$100(Cluster.java:739)
at com.datastax.driver.core.Cluster.<init>(Cluster.java:82)
at com.datastax.driver.core.Cluster.<init>(Cluster.java:67)
at com.datastax.driver.core.Cluster$Builder.build(Cluster.java:708)
at KerberosAuthenticatedClient.connect(KerberosAuthenticatedClient.java:19)
at KerberosAuthenticatedClient.main(KerberosAuthenticatedClient.java:45)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:109)
... 16 more

Solution

The error in the stacktrace is complaining that it is unable to find any credentials for the OS user executing the request. This is usually caused by one of three conditions:

  1. not setting the location of the JAAS config correctly (which causes us to fall back to the default of using the TGT cache & often leading to 2.)
  2. an empty local ticket cache (when not using a keytab)
  3. credentials for the specified principal missing from the keytab

The first thing I'd check is that you have set the java.security.auth.login.config system property to the location of your JAAS config file (the DseClient file) correctly. If you have and are still seeing the error, you can check the contents of the keytab with klist -e -t -k /path/to/keytab

Another useful tip for debugging is to set -Dsun.security.krb5.debug=true which will dump lots of detailed info to stdout.
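
An added example (not part of the original answer and not DataStax code): a standalone preflight that walks the three conditions listed above and then performs the JAAS login directly, so a failure can be separated from the driver. The class name JaasPreflight is hypothetical; it assumes both system properties hold plain file paths and that the JAAS entry is named DseClient, as in the question.

```java
import java.io.File;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

// Added diagnostic; class name is hypothetical.
public class JaasPreflight {
    // Fails fast if a path is unset or points at a file the JVM cannot read.
    static void requireFile(String what, String path) {
        if (path == null || !new File(path).canRead())
            throw new IllegalStateException(what + " is unset or unreadable: " + path);
        System.out.println("OK   " + what + " -> " + path);
    }

    public static void main(String[] args) throws Exception {
        String entryName = args.length > 0 ? args[0] : "DseClient";

        // Condition 1: the JVM must be told where the JAAS and krb5 files are.
        requireFile("java.security.auth.login.config",
                System.getProperty("java.security.auth.login.config"));
        requireFile("java.security.krb5.conf",
                System.getProperty("java.security.krb5.conf"));

        // Read the entry as the JVM parsed it, rather than re-parsing the file.
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        if (entries == null)
            throw new IllegalStateException("No JAAS entry named " + entryName);

        for (AppConfigurationEntry e : entries) {
            Map<String, ?> opts = e.getOptions();
            System.out.println("Module " + e.getLoginModuleName() + " options " + opts);
            // Conditions 2 and 3: a keytab login needs useKeyTab=true and a readable keytab.
            if ("true".equalsIgnoreCase(String.valueOf(opts.get("useKeyTab"))))
                requireFile("keyTab", (String) opts.get("keyTab"));
            else
                System.out.println("WARN useKeyTab is not true; the keytab will not be used");
        }

        // Perform the JAAS login directly, without the driver in the path.
        LoginContext lc = new LoginContext(entryName);
        lc.login();   // throws LoginException on failure
        Subject subject = lc.getSubject();
        System.out.println("Login succeeded as " + subject.getPrincipals());
        lc.logout();
    }
}
```

Run it with the same -Djava.security.auth.login.config and -Djava.security.krb5.conf values the client uses, plus -Dsun.security.krb5.debug=true for the detailed trace.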

OTHER TIPS

I changed the service principal to dse/hostname@REALM from cassandra/hostname@REALM and it worked. I am not sure why the Java program which I ran from my Windows machine was taking the service principal as dse/hostname instead of cassandra/hostname.

Licensed under: CC-BY-SA with attribution