2 Replies Latest reply on May 25, 2018 12:10 PM by harlemblues

    Datasource Configured with Kerberos

    khoying

      I am having a very difficult time getting a Datasource configured to use Kerberos for authentication.  I am sure I am doing something simple wrong, as I am new to this type of configuration.  Any help would be GREATLY appreciated!!

       

      My Datasource Configuration looks like:

      <datasource jndi-name="java:/tpvHive5" pool-name="tpvHive5" enabled="true" use-java-context="true">
          <connection-url>jdbc:impala://server:25003/;AuthMech=1;KerbRealm=CORP.COMPANY.COM;KrbHostFQDN=server;KrbServiceName=impala</connection-url>
          <driver>hive5</driver>
          <security>
              <security-domain>tpv-hive</security-domain>
          </security>
          <validation>
              <check-valid-connection-sql>show databases</check-valid-connection-sql>
              <background-validation>true</background-validation>
              <background-validation-millis>5000</background-validation-millis>
          </validation>
      </datasource>

      My Security Domain Configuration looks like:

      <security-domain name="tpv-hive" cache-type="default">
          <authentication>
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required" module="org.jboss.security.negotiation">
                  <module-option name="storeKey" value="true"/>
                  <module-option name="userKeyTab" value="true"/>
                  <module-option name="principal" value="user@CORP.COMPANY.COM"/>
                  <module-option name="keyTab" value="/Servers/jboss-eap-6.1/modules/org/apache/hive5/main/user.keytab"/>
                  <module-option name="doNotPrompt" value="true"/>
                  <module-option name="debug" value="true"/>
                  <module-option name="useTicketCache" value="true"/>
                  <module-option name="ticketCache" value="/tmp/krb"/>
                  <module-option name="refreshKrb5Config" value="true"/>
                  <module-option name="isInitiator" value="true"/>
                  <module-option name="delegationCredential" value="USE"/>
                  <module-option name="addGSSCredential" value="true"/>
              </login-module>
          </authentication>
      </security-domain>

      I am getting the following error:

      ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (HttpManagementService-threads - 2) IJ000614: Exception during createSubject() PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
          at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
      

       

      When I debug and set a breakpoint on the next exception, I notice that the principal is null and I suspect that is why the error is occurring.  It is line 84.  Here is the source code: http://grepcode.com/file/repo1.maven.org/maven2/org.picketbox/jbosssx/4.0.17.Final/org/jboss/security/plugins/JBossSecuritySubjectFactory.java?av=f

       

      I suspect that I am doing something silly here that is probably obvious to someone more versed in this.

       

      Thank you!
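
A security domain like the one in the post can be checked offline before it is deployed. The following is an added example, not part of the original post or of JBoss: a small Python linter that compares the module-option names with the options documented for the JDK's Krb5LoginModule and applies that module's keytab and ticket-cache consistency rules. The function name and the sample XML (option names and values taken from the post, keytab path replaced by a placeholder) are constructed for illustration.

```python
import difflib
import xml.etree.ElementTree as ET

# Options documented for the JDK's com.sun.security.auth.module.Krb5LoginModule.
KRB5_OPTIONS = {
    "refreshKrb5Config", "useTicketCache", "ticketCache", "renewTGT",
    "doNotPrompt", "useKeyTab", "keyTab", "storeKey", "principal",
    "isInitiator", "debug", "useFirstPass", "tryFirstPass",
    "storePass", "clearPass",
}

# Constructed sample: option names/values as in the post, placeholder keytab path.
SAMPLE = """
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
  <module-option name="storeKey" value="true"/> <module-option name="userKeyTab" value="true"/>
  <module-option name="principal" value="user@CORP.COMPANY.COM"/> <module-option name="debug" value="true"/>
  <module-option name="keyTab" value="/path/to/user.keytab"/> <module-option name="doNotPrompt" value="true"/>
  <module-option name="useTicketCache" value="true"/> <module-option name="ticketCache" value="/tmp/krb"/>
  <module-option name="refreshKrb5Config" value="true"/> <module-option name="isInitiator" value="true"/>
  <module-option name="delegationCredential" value="USE"/> <module-option name="addGSSCredential" value="true"/>
</login-module>
"""

def lint_krb5_module(xml_text):
    """Return a list of findings for one Krb5LoginModule <login-module> element."""
    opts = {o.get("name"): o.get("value", "")
            for o in ET.fromstring(xml_text.strip()).iter("module-option")}
    def on(name):
        return opts.get(name, "false").strip().lower() == "true"
    findings = []
    for name in sorted(set(opts) - KRB5_OPTIONS):  # names the module does not document
        near = difflib.get_close_matches(name, sorted(KRB5_OPTIONS), n=1, cutoff=0.8)
        hint = f" (did you mean '{near[0]}'?)" if near else ""
        findings.append(f"unknown option '{name}'{hint}")
    if "keyTab" in opts and not on("useKeyTab"):
        findings.append("keyTab is set but useKeyTab is not true")
    if "ticketCache" in opts and not on("useTicketCache"):
        findings.append("ticketCache is set but useTicketCache is not true")
    key_source = on("useKeyTab") or on("tryFirstPass") or on("useFirstPass")
    if on("doNotPrompt") and not (on("useTicketCache") or key_source):
        findings.append("doNotPrompt is true but no credential source is enabled")
    if on("storeKey") and on("doNotPrompt") and not key_source:
        findings.append("storeKey needs useKeyTab, tryFirstPass or useFirstPass")
    return findings

if __name__ == "__main__":
    for finding in lint_krb5_module(SAMPLE):
        print("WARN:", finding)
```

On the sample it reports `userKeyTab` as an unknown option close to `useKeyTab`, and, as a consequence, a `keyTab` path that is set while `useKeyTab` is not enabled.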

        • 1. Re: Datasource Configured with Kerberos
          ke88yun

          By setting "useTicketCache" to false, I am able to pass this failure point.


          However, I encounter the following new failure.

          =============================
          2014-12-08 14:00:46,468 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (MSC service thread 1-3) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: No matching credentials in Subject!
                  at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:1015)
                  at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:211)
                  at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:761)
                  at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:343)
                  at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:397)
                  at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:365)
                  at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:329)
                  at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:368)
                  at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:464)
                  at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:129)
                  at org.hibernate.ejb.connection.InjectedDataSourceConnectionProvider.getConnection(InjectedDataSourceConnectionProvider.java:67) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.engine.jdbc.internal.JdbcServicesImpl$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcServicesImpl.java:253) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:119) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.service.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:75) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:159) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:131) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:71) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.Configuration.buildSettingsInternal(Configuration.java:2270) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2266) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1735) [hibernate-core-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:84) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:904) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:889) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.hibernate.ejb.HibernatePersistence.createContainerEntityManagerFactory(HibernatePersistence.java:73) [hibernate-entitymanager-4.0.1.Final.jar:4.0.1.Final]
                  at org.jboss.as.jpa.service.PersistenceUnitServiceImpl.createContainerEntityManagerFactory(PersistenceUnitServiceImpl.java:162) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.as.jpa.service.PersistenceUnitServiceImpl.start(PersistenceUnitServiceImpl.java:85) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
                  at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
                  at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
                  at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
          =============================

          • 2. Re: Datasource Configured with Kerberos
            harlemblues

            Hi,

             

            Were you able to solve the "No matching credentials in Subject!" error? I am facing the same issue.