Docker Kerberos WebHDFS AuthenticationException: Unauthorized
I have a Spring application that reads a file from HDFS using WebHDFS. When I test it in IDEA, it works. But after I build the project and deploy the Docker image on a virtual machine locally or on a server connected to HDFS, I get:

AuthenticationException: Unauthorized

On my local machine I have to regularly initialize the token with kinit for authentication. If I don't, I get the same error. I tested the app without Docker on a server, and it also works. I think the Docker image does not see the token. But I don't know what to do about it.

Kerberos is used for security.

Any advice?

Kanchenjunga answered 30/8, 2017 at 11:57

Okay. I did it. There were a few problems, but this is how the final variant looks.

My Dockerfile. krb5.conf and the keytab are in the same folder as my Dockerfile. When I build the project they are added to the container, and in the entrypoint I use -Djava.security.krb5.conf to provide the krb5 location. There are also a few options for debugging + I connect to mongo.

FROM java:8
ADD report.jar report.jar
# Kerberos client config and keytab copied from the build context into the image
ADD krb5.conf /etc/krb5.conf
ADD evkuzmin.keytab /etc/evkuzmin.keytab
RUN sh -c 'touch report.jar'
# javax.net.debug / spnego.debug / krb5.debug print the SPNEGO and ticket exchange; krb5.conf points the JVM at the config added above
ENTRYPOINT ["java","-Dspring.data.mongodb.uri=mongodb://audpro_mongo/report","-Djavax.net.debug=all","-Dsun.security.spnego.debug=true","-Dsun.security.krb5.debug=true","-Djava.security.krb5.conf=/etc/krb5.conf","-jar","/report.jar"]

Then I use KerberosRestTemplate to connect to WebHDFS.

import java.net.URI;
import java.net.URISyntaxException;
import org.springframework.security.kerberos.client.KerberosRestTemplate;

// Keytab path and principal match the paths set up in the Dockerfile above.
public String getReportJSON() throws URISyntaxException {
    KerberosRestTemplate restTemplate =
            new KerberosRestTemplate("/etc/evkuzmin.keytab", "EvKuzmin@DOMAIN");
    // WebHDFS REST call: op=OPEN returns the file content
    URI uri = new URI("http://" + host + ":" + port + "/webhdfs/v1" + path + "?op=OPEN");
    String json = restTemplate.getForObject(uri, String.class);
    return json;
}

If you want to run the app without Docker, just build it and add the keytab to the same directory as the jar. Then change /etc/evkuzmin.keytab so it points to the new location.

Kanchenjunga answered 5/9, 2017 at 13:17

Adding keys which are supposed to remain secrets into the build of an image should be avoided. The runtime platform (e.g. Kubernetes) should inject them in a secure way (i.e. volumes). - Juryrig
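One way to do what the comment suggests, as an added example that is not part of the original thread: keep the keytab and krb5.conf out of the image and let Kubernetes mount them at runtime. The image name report:1.0, the Secret and ConfigMap names, the KDC host, and the KERBEROS_KEYTAB / KERBEROS_PRINCIPAL variables the app would read are assumptions; the realm and principal are the ones from the answer.

```yaml
# Added example, not from the thread: keytab and krb5.conf are injected at runtime,
# not copied into the image. Create the Secret out of band so the keytab bytes
# never appear in a manifest or an image layer:
#   kubectl create secret generic hdfs-keytab --from-file=evkuzmin.keytab=./evkuzmin.keytab
apiVersion: v1
kind: ConfigMap
metadata:
  name: krb5-conf
data:                # realm and KDC below are placeholders based on the answer's principal, not real hosts
  krb5.conf: |
    [libdefaults]
      default_realm = DOMAIN
    [realms]
      DOMAIN = {
        kdc = kdc.example.invalid
      }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: report
spec:
  replicas: 1
  selector:
    matchLabels: { app: report }
  template:
    metadata:
      labels: { app: report }
    spec:
      containers:
        - name: report
          image: report:1.0      # assumed image: the Dockerfile from the answer minus the ADD keytab/krb5.conf lines
          command: ["java", "-Djava.security.krb5.conf=/etc/krb5/krb5.conf", "-jar", "/report.jar"]
          env:                   # assumed: the app reads these instead of hard-coding /etc/evkuzmin.keytab
            - { name: KERBEROS_KEYTAB, value: /etc/keytab/evkuzmin.keytab }
            - { name: KERBEROS_PRINCIPAL, value: EvKuzmin@DOMAIN }
          volumeMounts:
            - { name: keytab, mountPath: /etc/keytab, readOnly: true }
            - { name: krb5, mountPath: /etc/krb5, readOnly: true }
      volumes:
        - name: keytab
          secret:
            secretName: hdfs-keytab
            defaultMode: 0400    # owner-read only, tmpfs-backed; a non-root container also needs securityContext.fsGroup
        - name: krb5
          configMap:
            name: krb5-conf
```

Rotating the keytab then means updating the Secret and restarting the pod, with no image rebuild and nothing to scrub from registry history.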
