The 10gen/MongoDB provided Java Driver only supports Kerberos authentication via kinit. To have the Tomcat instances authenticate with different principals you will not only need to run different instances but those instances will have to be running under different system accounts. This is due to kinit saving the credentials/tickets in a file in the system's temporary directory. This is why you can kinit in one terminal and then log in to servers from a different terminal. The credentials are global for the account and realistically you can only have 1 principal being used for the account at one time. This is one of many reasons we find kinit to be unsatisfactory for running services.
I work on the Asynchronous Java Driver and it supports 3 mechanisms for providing credentials for Kerberos authentication:
- Username and password.
- Key Tab files.
- kinit.
Either the username or key tab file should work for your use case. The details of the Kerberos support are available here. From that page, authentication can be as simple as:
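```java
import java.util.Arrays;
import com.allanbank.mongodb.Credential;
import com.allanbank.mongodb.MongoClientConfiguration;

MongoClientConfiguration config = new MongoClientConfiguration("mongodb://localhost:27017/");
// Hold the password in a char[] so it can be wiped after use.
char[] password = new char[] { 's', 'u', 'p', 'e', 'r',
                               's', 'e', 'c', 'r', 'e', 't' };
config.addCredential(Credential.builder()
                               .userName("<user>@<REALM>")
                               .password(password)
                               .kerberos());
// Overwrite the password so it does not linger in memory.
Arrays.fill( password, ' ' );
```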
A few notes:
- Getting Java to use Kerberos is not hard but it is finicky. Make sure you have read the Java Kerberos Configuration guide and understand what needs to be done on the system and to the JVM to get it to work. There are several ways to get a working setup. Which one you choose is dependent on your needs and system configuration.
- You will need the driver's extensions jar to use Kerberos authentication. Again, contact me via the link at the bottom of the Kerberos help to get a copy.
- We have not actually tested the driver using multiple credentials within a single JVM. It should work but without testing it you never know what you may run into. We will be happy to work with you to get it working if you do run into any issues.
HTH, Rob.
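
The key tab approach mentioned in the answer, shown with the JDK's own JAAS API as an added example (not part of the original answer and not the driver's code): each principal logs in from its own keytab with the shared kinit ticket cache disabled, so two principals can coexist in one JVM. The principals, realm and keytab paths are hypothetical, and a working krb5.conf and reachable KDC are assumed.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KeytabLogin {

    /** In-memory JAAS configuration that logs one principal in from its own keytab. */
    static Configuration keytabConfig(String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");      // fail instead of prompting on stdin
        opts.put("useTicketCache", "false");  // ignore the account-wide kinit cache
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Performs the Kerberos login and returns a Subject holding that principal's tickets. */
    static Subject login(String principal, String keytabPath) throws LoginException {
        LoginContext ctx = new LoginContext("keytab-login", null, null,
                keytabConfig(principal, keytabPath));
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Hypothetical principals and keytab paths; each keytab should be
        // readable only by the service account that owns it.
        Subject a = login("svc-app1@EXAMPLE.COM", "/etc/security/keytabs/app1.keytab");
        Subject b = login("svc-app2@EXAMPLE.COM", "/etc/security/keytabs/app2.keytab");
        System.out.println(a.getPrincipals() + " / " + b.getPrincipals());
    }
}
```

Each `Subject` carries its own credentials, so nothing is written to the temporary-directory ticket cache that kinit shares across the account.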