Articles in this section

See more

Setup Kerberos authentication for Datameer REST API (SPNEGO)

Konsta Danyliuk
  • Updated
Follow

Goal

Leverage Kerberos authentication for REST API calls in Datameer.

 

Set up instructions

  • Create a service principal for Datameer Jetty.
    • This principal's name should be in <Name>/<Datameer host>.<Realm> format.
    • Principal's keytab should be owned by the Datameer service user with 700 permission level. It is a good idea to store it in the Datameer installation folder.
  • Configure Datameer to use SPNEGO.

/<Datameer installation folder>/conf/default.properties file.

# Configuration for Kerberos SPNEGO Authentication
# enable kerberos / spnego authentication, default is off
datameer.kerberos.authentication=true
# enable debug logging for kerberos, default is off 
datameer.kerberos.debug=false
# service principal for datameer service, this can be something like 'HTTP/hostname@realm.com'
datameer.kerberos.principal=<Service principal for Datameer Jetty>
# keytab of the service principal
datameer.kerberos.keytab.path=<Absolute path to the keytab>
# kerberos configuration file which should be used for datameers kerberos configuration, default is '/etc/krb5.conf'
datameer.kerberos.krb5.location=/etc/krb5.conf
# optional: if users authenticate with their domain in kerberos, but datameer only knows their usernames
# example: you login to kerberos with 'user@realm.com', but to datameer the user is known as 'user'. 
# then you need to set the domain to 'realm.com' (without @)
datameer.kerberos.domain=<REALM>

/<Datameer installation folder>/etc/spnego.conf file.

com.sun.security.jgss.initiate {
 com.sun.security.auth.module.Krb5LoginModule required
 principal="<Service principal for Datameer Jetty>" 
 keyTab="<Absolute path to the keytab>" 
 useKeyTab=true
 storeKey=true 
 debug=true 
 isInitiator=false;
};

com.sun.security.jgss.accept {
 com.sun.security.auth.module.Krb5LoginModule required
 principal="<Service principal for Datameer Jetty>" 
 useKeyTab=true
 keyTab="<Absolute path to the keytab>" 
 storeKey=true 
 debug=true 
 isInitiator=false;
};

/<Datameer installation folder>/etc/spnego.properties file.

targetName = <Service principal's name>/<Service principal's host>

/<Datameer installation folder>/start.ini file (add below lines).

##SPNEGO
-Djava.security.auth.login.config=etc/spnego.conf
-Djavax.security.auth.useSubjectCredsOnly=false
  • Restart Datameer.
  • Login into cli under existing Datameer user and get the Kerberos ticket.
  • Try to execute a REST API call.

The curl command syntax is the following. Note that the property --service-name has been introduced in the curl version 7.43, thereby you need to upgrade if the version is older than this. Please refer to Curl man page for more details.

curl --negotiate -u : -X <Operation> 'http://<Datamer hostname like it mentioned at the service principal>:<port>/<rest API>' --service-name <name part of the service principal>

 

Example

  • Service principal - datameer_spnego/192.168.0.95.local.lab@EC2.INTERNAL.
  • Keytab location.
[root@192.168.0.95 datameer]# ls -la /opt/datameer/
...
-rwx------. 1 datameer datameer 374 Nov 19 14:04 datameer_spnego.keytab
  • default.properties file.
...
# Configuration for Kerberos SPNEGO Authentication
# enable kerberos / spnego authentication, default is off
datameer.kerberos.authentication=true
# enable debug logging for kerberos, default is off 
datameer.kerberos.debug=false
# service principal for datameer service, this can be something like 'HTTP/hostname@realm.com'
datameer.kerberos.principal=datameer_spnego/192.168.0.95.local.lab@EC2.INTERNAL
# keytab of the service principal
datameer.kerberos.keytab.path=/opt/datameer/datameer_spnego.keytab
# kerberos configuration file which should be used for datameers kerberos configuration, default is '/etc/krb5.conf'
datameer.kerberos.krb5.location=/etc/krb5.conf
# optional: if users authenticate with their domain in kerberos, but datameer only knows their usernames
# example: you login to kerberos with 'user@realm.com', but to datameer the user is known as 'user'. 
# then you need to set the domain to 'realm.com' (without @)
datameer.kerberos.domain=EC2.INTERNAL
  • spnego.conf file.
com.sun.security.jgss.initiate {
 com.sun.security.auth.module.Krb5LoginModule required
 principal="datameer_spnego/192.168.0.95.local.lab@EC2.INTERNAL" 
 keyTab="/opt/datameer/datameer_spnego.keytab" 
 useKeyTab=true
 storeKey=true 
 debug=true 
 isInitiator=false;
};
 
com.sun.security.jgss.accept {
 com.sun.security.auth.module.Krb5LoginModule required
 principal="datameer_spnego/192.168.0.95.local.lab@EC2.INTERNAL" 
 useKeyTab=true
 keyTab="/opt/datameer/datameer_spnego.keytab" 
 storeKey=true 
 debug=true 
 isInitiator=false;
};
  • spnego.properties file.
targetName = datameer_spnego/192.168.0.95.local.lab
  • start.ini file
...
##SPNEGO

-Djava.security.auth.login.config=etc/spnego.conf
-Djavax.security.auth.useSubjectCredsOnly=false

Login under Datameer admin user qa and get the ticket.

[qa@192.168.0.95 datameer]$ id
uid=1101(qa) gid=1101(qa)
[qa@192.168.0.95 datameer]$ 
[qa@192.168.0.95 datameer]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1101)
[qa@192.168.0.95 datameer]$ 
[qa@192.168.0.95 datameer]$ kinit -k -t /home/qa/qa.keytab qa@EC2.INTERNAL
[qa@192.168.0.95 datameer]$ 
[qa@192.168.0.95 datameer]$ klist
Ticket cache: FILE:/tmp/krb5cc_1101
Default principal: qa@EC2.INTERNAL

Valid starting Expires Service principal
11/20/2019 09:38:53 11/20/2019 19:38:53 krbtgt/EC2.INTERNAL@EC2.INTERNAL
 renew until 11/21/2019 09:38:53
[qa@192.168.0.95 datameer]$

 Execute REST API calls.

[qa@192.168.0.95 datameer]$ curl --negotiate -u : -X GET 'http://192.168.0.95.local.lab:8080/license/product-id' --service-name datameer_spnego

abcdefxxxx-xxxx-430b-xxxx-123xxxxxxx
[qa@192.168.0.95 conf]$ curl --negotiate -u : -X GET 'http://192.168.0.95.local.lab:8080/rest/data/workbook/3' --service-name datameer_spnego
{
 "path": "/Data/TestWorkbook.wbk",
 "datas": [
 {
 "id": 3,
 "timestamp": "Nov 19, 2019 02:52:53 PM",
 "sheets": [
 {
 "name": "Source",
 "record-count": 100000
 }
 ]
 }
 ]
}
[qa@192.168.0.95 datameer]$ curl --negotiate -u : -X POST 'http://192.168.0.95.local.lab:8080/api/job-execution/28/trigger' --service-name datameer_spnego
{
 "status": "success",
 "job-execution-id": 9,
 "job-execution-user": "qa",
 "job-execution-trigger": "RESTAPI"

One could list tickets for the user qa now and ensure that it got the ticket for the Daatmeer Jetty service - datameer_spnego.

[qa@192.168.0.95 datameer]$ klist
Ticket cache: FILE:/tmp/krb5cc_1101
Default principal: qa@EC2.INTERNAL

Valid starting Expires Service principal
11/20/2019 09:38:53 11/20/2019 19:38:53 krbtgt/EC2.INTERNAL@EC2.INTERNAL
 renew until 11/21/2019 09:38:53
11/20/2019 09:40:03 11/20/2019 19:38:53 datameer_spnego/192.168.0.95.local.lab@EC2.INTERNAL
 renew until 11/21/2019 09:38:53

 

Related articles

Comments

0 comments

Please sign in to leave a comment.