Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kerberos proof of concept #148

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Kerberos proof of concept #148

wants to merge 1 commit into from

Conversation

josiahg
Copy link

@josiahg josiahg commented Sep 1, 2020

While this code works, this is not yet a fully baked solution. Creating a PR for discussion on the approach and how Kerberos support should best be integrated into gohbase.

Kerberos support has been requested several times on this project - #71 #95 #141 - I needed it as well, so I took a shot at it.

First, what IS here:

  • Basic Kerberos authentication support for GSSAPI applications on a user account that has already been granted a ticket through kinit.
  • A faithful representation of the SASL handshake flow used by HBase, pulled from the Java RPC Client code.

What's NOT here:

  • Support for MD5-DIGEST Kerberos authentication
  • Support for on-going encrypted transport
  • Support for passing custom Keytabs, krb5.conf or other configuration files
  • Tests 😀

What's here, but maybe shouldn't be:

  • Relies on beltran/gosasl - this in turn relies on C libraries to handle the SASL bits. I would prefer to use jcmturner/gokrb5 as this is a pure Go implementation. However, it is missing some of the SASL bits and I will need to reimplement those.
  • Due to the above dependency, you must have some libraries install and run/build with -tags kerberos to make things work

Open questions (not by any means an exhaustive list):

  • Will the gohbase project accept a Kerberos solution that is not pure go? IE: if the above dependency chain with gosasl cannot be avoided
  • What are the minimum additional features beyond what is currently in this PR that must be included for this to be merged?
  • What is the correct mechanism for adding this to the workflow? Currently I've made "SIMPLE" auth the default, and added a config option for setting auth to "KERBEROS"

Would love any feedback or thoughts from the team or community!

Finally, to test it -

Assumptions:

  • This is done on a machine that can kinit to the KDC with a user with HBase permissions)
  • You have followed the install instructions for gosasl:

To add Kerberos support gosasl requires header files to build against the GSSAPI C library. They can be installed with:

Ubuntu: sudo apt-get install libkrb5-dev
MacOS: brew install homebrew/dupes/heimdal --without-x11
Debian: yum install -y krb5-devel

First, pull in the fork's branch so your app can use it:

go get github.com/tsuna/gohbase
cd $GOPATH/src/github.com/tsuna/gohbase
git remote add fork https://github.com/josiahg/gohbase
git fetch fork
git checkout kerb

Everything else is the same as a standard gohbase application, with the addition of the auth option and ensuring the effective user is set to the Kerberos principle you will authenticate as:

...
auth := gohbase.Auth("KERBEROS")
user := gohbase.EffectiveUser("[email protected]")
options := []gohbase.Option{auth, user}
client := gohbase.NewClient(url, options...)
...

Ensure you you have kinit as the EffectiveUser set above before running your application.

Finally, due to the dependencies in gosasl you must currently run with -tags kerberos:

go run -tags kerberos main.go

or

go build -tags kerberos

@microeastcowboy
Copy link

microeastcowboy commented Jan 18, 2021

when zk with kerberos security enabled,it will fail.
do we have any plan support for zk sasl auth ?

@zhuliquan
Copy link

@tsuna We've already verified this code in a real online environment that it's real and valid, and hopefully merge this code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants