Has anyone ever Kerberized Thrift?.. or know how to do it?
Thanks in advance.
Solution
Example server code:
```java
// Imports the original snippet omitted (assumed from the classes it uses)
import java.util.HashMap;
import java.util.Map;
import javax.security.sasl.Sasl;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.thrift.server.TServer;
import org.apache.thrift.server.TThreadPoolServer;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TServerSocket;

TServerSocket serverTransport = new TServerSocket(7911); // new server on port 7911
HelloWorldService.Processor<HelloWorldService.Iface> processor =
        new HelloWorldService.Processor<HelloWorldService.Iface>(new ThriftServerImpl()); // This is my thrift implementation for my server
Map<String, String> saslProperties = new HashMap<String, String>(); // need a map for properties
// (the original also put "true" under Sasl.QOP; that is not a valid QOP value and was overwritten by the next line)
saslProperties.put(Sasl.QOP, "auth-conf"); // authentication, integrity and confidentiality
TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory(); // Creating the server definition
saslTransportFactory.addServerDefinition(
        "GSSAPI",             // tell SASL to use GSSAPI, which supports Kerberos
        "myserviceprincipal", // base kerberos principal name - myprincipal/my.server.com@MY.REALM
        "my.server.com",      // kerberos principal server - myprincipal/my.server.com@MY.REALM
        saslProperties,       // Properties set, above
        new SaslRpcServer.SaslGssCallbackHandler()); // I don't know what this really does... but I stole it from Hadoop and it works.. so there.
TServer server = new TThreadPoolServer(
        new TThreadPoolServer.Args(serverTransport)
                .transportFactory(saslTransportFactory)
                .processor(processor));
server.serve(); // Thrift server start
```
Example client code:
```java
// Imports the original snippet omitted (assumed from the classes it uses)
import java.util.HashMap;
import java.util.Map;
import javax.security.sasl.Sasl;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;

TTransport transport = new TSocket("my.server.com", 7911); // client to connect to server and port
Map<String, String> saslProperties = new HashMap<String, String>(); // the snippet used this map without declaring it
saslProperties.put(Sasl.QOP, "auth-conf"); // authentication, integrity and confidentiality
TTransport saslTransport = new TSaslClientTransport( // TSaslTransport is abstract; the client side is TSaslClientTransport
        "GSSAPI",             // tell SASL to use GSSAPI, which supports Kerberos
        null,                 // authorizationid - null
        "myserviceprincipal", // base kerberos principal name - myprincipal/my.client.com@MY.REALM
        "my.server.com",      // kerberos principal server - myprincipal/my.server.com@MY.REALM
        saslProperties,       // Properties set, above
        null,                 // callback handler - null
        transport);           // underlying transport
TProtocol protocol = new TBinaryProtocol(saslTransport); // set up our new Thrift protocol
HelloWorldService.Client client = new HelloWorldService.Client(protocol); // Setup our thrift client
saslTransport.open(); // runs the SASL/GSSAPI handshake before any RPC is sent
String response = client.hello("Hi There"); // send message
System.out.println("response = " + response);
transport.close();
```
Other considerations:
* I set several Java properties on both the client and the server.
– java.security.krb5.realm = MY.REALM // realm name
– java.security.krb5.kdc = my.kdc.com // kdc server
– javax.security.auth.useSubjectCredsOnly = false // lets JAAS obtain the TGT.
– java.security.auth.login.config = /etc/myapp/conf/jaas.conf – the required jaas file
– sun.security.krb5.debug = true // helps diagnose problems.
* The jaas.conf file specified above needs two entries (a server alone may only need one...). I don't remember where I gathered this from.. but here is my file:
```
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/myapp/conf/myapp.keytab"
        useTicketCache=true
        principal="myuserprincipal"
        debug=true;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/myapp/conf/myapp.keytab"
        useTicketCache=false
        principal="myserviceprincipal/my.server.com"
        debug=true;
};
```
(back to the considerations...)
* Even though Sasl.QOP is "auth-conf".. the first (?) message on the transport is not encrypted. Maybe that is just the handshake, or something. The remaining messages appear to be encrypted, but that first message prints an ugly line to the console: "No encryption was performed by peer". It would be nice not to get that message, since it causes grief (warranted or not).
Anyway, I hope this helps someone... or prompts some improvements that help me. :) Hard to believe I spent 2-3 days on this with only a small amount of code to show for it, but when I started I knew neither Kerberos nor Thrift.
Thanks for reading.
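As an added illustration (not the answerer's code), this is what the Hadoop callback handler borrowed above actually decides, written as a standalone handler for the same TSaslServerTransport setup: GSSAPI only issues an AuthorizeCallback on the server side, and the handler's job is to decide whether the Kerberos principal proven by the ticket may act as the authorization ID the client requested. HelloWorldService and the principal/host names are the page's own; KerberosThriftServer, StrictGssCallbackHandler and build are assumed names.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import org.apache.thrift.server.TServer;
import org.apache.thrift.server.TThreadPoolServer;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TTransportException;

public final class KerberosThriftServer {
    /** The only callback the GSSAPI SaslServer issues is AuthorizeCallback (assumed handler name). */
    static final class StrictGssCallbackHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(cb, "GSSAPI needs only AuthorizeCallback");
                }
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                String authenticated = ac.getAuthenticationID(); // principal proven by the Kerberos ticket
                String requested = ac.getAuthorizationID();      // identity the client asked to act as
                // Refuse impersonation: a client may only act as the principal it authenticated as.
                boolean allowed = authenticated.equals(requested);
                ac.setAuthorized(allowed);
                if (allowed) {
                    // Readable per connection later via TSaslServerTransport.getSaslServer().getAuthorizationID()
                    ac.setAuthorizedID(authenticated);
                }
            }
        }
    }

    /** Same server wiring as the answer, with the strict handler and no Hadoop dependency. */
    static TServer build(HelloWorldService.Iface impl) throws TTransportException {
        Map<String, String> saslProps = new HashMap<String, String>();
        saslProps.put(Sasl.QOP, "auth-conf"); // offer only auth-conf, so a peer cannot negotiate down to unprotected RPC
        TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
        factory.addServerDefinition("GSSAPI", "myserviceprincipal", "my.server.com",
                saslProps, new StrictGssCallbackHandler());
        HelloWorldService.Processor<HelloWorldService.Iface> processor =
                new HelloWorldService.Processor<HelloWorldService.Iface>(impl);
        return new TThreadPoolServer(new TThreadPoolServer.Args(new TServerSocket(7911))
                .transportFactory(factory).processor(processor));
    }
}
```

The handler runs once per connection during saslTransport.open(), so a client whose requested authorization ID differs from its ticket principal is rejected before the first RPC is read.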