Attaching kerberos to apache httpclient in java - httpclient

I have a kerberos token with me and I want to attach it to my HttpClient request in java. I know this is how we attach basic credentials. I want to attach the kerberos token instead:
// HttpClient 3.x style: password credentials for every host/port/realm
client.getState().setCredentials( new AuthScope(AuthScope.ANY),
new UsernamePasswordCredentials("username", "password") );

The entire GSS-API code is currently under a complete rewrite. Meanwhile (not tested), you can pass your GSSCredential with a KerberosCredentials object.

Related

Kubenetes Java client - OpenId auth support

I am trying to use the Kubernetes Java client for a few use cases.
https://github.com/kubernetes-client/java
Our Kubernetes cluster has been set up with OpenId authentication.
Unfortunately, the Java client doesn't support OpenId auth.
Java code:
import io.kubernetes.client.ApiClient;
import io.kubernetes.client.Configuration;
import io.kubernetes.client.apis.CoreV1Api;
import io.kubernetes.client.models.V1Pod;
import io.kubernetes.client.models.V1PodList;
// defaultClient() loads ~/.kube/config, including the auth-provider block of the current context
final ApiClient client = io.kubernetes.client.util.Config.defaultClient();
Configuration.setDefaultApiClient(client);
CoreV1Api api = new CoreV1Api();
V1PodList list = api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null);
for (V1Pod item : list.getItems()) {
System.out.println(item.getMetadata().getName());
}
Error:
13:25:22.549 [main] ERROR io.kubernetes.client.util.KubeConfig - Unknown auth provider: oidc
Exception in thread "main" io.kubernetes.client.ApiException: Forbidden
at io.kubernetes.client.ApiClient.handleResponse(ApiClient.java:882)
at io.kubernetes.client.ApiClient.execute(ApiClient.java:798)
at io.kubernetes.client.apis.CoreV1Api.listPodForAllNamespacesWithHttpInfo(CoreV1Api.java:18462)
at io.kubernetes.client.apis.CoreV1Api.listPodForAllNamespaces(CoreV1Api.java:18440)
Is there any plan to support OpenId auth with the Java client? Or is there any other way?
Apparently not, but by far the larger question is: what would you expect to happen with an oidc auth-provider in a Java setting? Just use the id-token? Be able to use the refresh-token and throw an exception if unable to reacquire an id-token? Some callback system for you to manage that lifecycle on your own?
Trying to do oidc from a library is fraught with peril, since it is almost certain that there is no "user" to interact with.
Is there any plan to support OpenId auth with the Java client
Only the project maintainers could answer that, and it is unlikely they know to prioritize that kind of work when there is no issue describing what you would expect to happen. Feel free to create one.
Or, is there any other way?
In the meantime, you still have Config.fromToken() where you can go fishing in your .kube/config and pull out the existing id-token then deal with any subsequent ApiException which requires using the refresh-token, because you will know more about what tradeoffs your client is willing to make.
Note that ok-http which underlies the api clients supports oauth. Our local cluster uses oidc and I've been able to talk to it as follows.
import io.kubernetes.client.ApiClient;
import io.kubernetes.client.util.ClientBuilder;
import io.kubernetes.client.util.credentials.AccessTokenAuthentication;
// the id-token obtained out of band is sent as a bearer token on every request
ApiClient client = new ClientBuilder()
.setBasePath("https://api.kube.example.com/")
.setAuthentication(new AccessTokenAuthentication(token))
.build();
We have a custom command that logs you in to the system which is where I'm getting the token from.
I haven't tried this yet but it might be possible to implement a io.kubernetes.client.util.authenticators.Authenticator for oidc which you would then register in KubeConfig#registerAuthenticator(Authenticator). If this does what I hope it does, you'd get the same functionality as kubectl command line which seems to know how to obtain a refresh token but can't do the up-front authentication.
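The Authenticator idea from the answer above, worked through as an added example (this is not code from the kubernetes-client/java project, which at the time of the question shipped no oidc authenticator). It assumes the client's Authenticator interface with getName/getToken/isExpired/refresh taking the auth-provider config map, the OIDC keys kubectl writes into ~/.kube/config (id-token, refresh-token, idp-issuer-url, client-id, client-secret), and Gson on the classpath, which the client already depends on. The class name OidcAuthenticator and the 60-second skew are my choices.

```java
// Added example, not part of kubernetes-client/java. Assumes the 1.x/2.x Authenticator
// interface and the OIDC keys in the kubeconfig auth-provider block.
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import io.kubernetes.client.util.authenticators.Authenticator;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class OidcAuthenticator implements Authenticator {
    private static final long SKEW_SECONDS = 60; // refresh a minute before 'exp' to survive clock drift

    @Override
    public String getName() { return "oidc"; } // matches "auth-provider: name: oidc" in kubeconfig

    @Override
    public String getToken(Map<String, Object> config) { return (String) config.get("id-token"); }

    @Override
    public boolean isExpired(Map<String, Object> config) {
        String idToken = (String) config.get("id-token");
        if (idToken == null) return true;
        try {
            // Only 'exp' is read here; the API server verifies the signature, not this client.
            String payload = new String(Base64.getUrlDecoder().decode(idToken.split("\\.")[1]), StandardCharsets.UTF_8);
            long exp = new JsonParser().parse(payload).getAsJsonObject().get("exp").getAsLong();
            return Instant.now().getEpochSecond() + SKEW_SECONDS >= exp;
        } catch (RuntimeException e) {
            return true; // unparsable token: force a refresh rather than send garbage
        }
    }

    @Override
    public Map<String, Object> refresh(Map<String, Object> config) {
        String issuer = (String) config.get("idp-issuer-url");
        String refreshToken = (String) config.get("refresh-token");
        if (issuer == null || refreshToken == null) {
            throw new IllegalStateException("no refresh-token in kubeconfig; re-run your login command");
        }
        if (!issuer.startsWith("https://")) {
            throw new IllegalStateException("refusing to send refresh-token/client-secret over plain http");
        }
        try {
            // Discover the token endpoint instead of guessing "<issuer>/token".
            JsonObject discovery = getJson(issuer.replaceAll("/$", "") + "/.well-known/openid-configuration");
            Map<String, String> form = new HashMap<>();
            form.put("grant_type", "refresh_token");
            form.put("refresh_token", refreshToken);
            form.put("client_id", (String) config.get("client-id"));
            if (config.get("client-secret") != null) form.put("client_secret", (String) config.get("client-secret"));
            JsonObject resp = postForm(discovery.get("token_endpoint").getAsString(), form);

            Map<String, Object> updated = new HashMap<>(config);
            updated.put("id-token", resp.get("id_token").getAsString());
            if (resp.has("refresh_token")) updated.put("refresh-token", resp.get("refresh_token").getAsString());
            return updated; // the client persists this back to kubeconfig when a persister is configured
        } catch (IOException e) {
            throw new RuntimeException("OIDC token refresh failed", e);
        }
    }

    private static JsonObject getJson(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestProperty("Accept", "application/json");
        return readJson(c);
    }

    private static JsonObject postForm(String url, Map<String, String> form) throws IOException {
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : form.entrySet()) {
            if (body.length() > 0) body.append('&');
            body.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=').append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = c.getOutputStream()) { out.write(body.toString().getBytes(StandardCharsets.UTF_8)); }
        return readJson(c);
    }

    private static JsonObject readJson(HttpURLConnection c) throws IOException {
        if (c.getResponseCode() / 100 != 2) throw new IOException("HTTP " + c.getResponseCode() + " from " + c.getURL());
        try (InputStreamReader r = new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8)) {
            return new JsonParser().parse(r).getAsJsonObject();
        }
    }
}
```

Register it once before building the client, e.g. KubeConfig.registerAuthenticator(new OidcAuthenticator()) followed by Config.defaultClient(); the "Unknown auth provider: oidc" error then goes away because the name matches the kubeconfig entry. What this cannot do is the up-front interactive login: when the refresh token is missing or the IdP rejects it, the only sane behaviour for a library is to fail loudly, which is exactly the lifecycle question raised in the answer above.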

JWT and KONG with custom authorizations

I went through this tutorial on KONG
https://getkong.org/plugins/jwt/
I have an understanding of JWT and authorization concepts. I have prototyped JWT with Spring Boot where I could put my own key/value like this: {"authorizations":"role_admin, role_user"}.
It is easy to do that in Spring Boot but I am not able to find information on how to do this with KONG. Does anyone have any info about it?
Kong community edition can handle only the authentication process (give or deny access to a customer).
The authorization process (what a given customer can do in your application) is handled by your application or by the https://getkong.org/plugins/ee-oauth2-introspection/ oauth2 introspection plugin, which is enterprise edition only.
You can write your own authorization server based on the X-Consumer-Username request header if the user passed authentication, or on the original token header proxied by Kong.
Hope this helps.
The kong jwt plugin does not support sending custom payload parameters to the upstream api. It does however seem like you can use this plugin (I have not tested it):
https://github.com/wshirey/kong-plugin-jwt-claims-headers
Update:
If you set Kong to forward all headers you'll get the raw Authorization header with the jwt token. So you could base64 decode the jwt token and pull out the claims/payload parameters you need manually in your service.
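The "decode it yourself in the service" route from the update above, as an added example for the upstream Spring Boot service (not Kong's own code and not the kong-plugin-jwt-claims-headers plugin). It assumes Kong forwards the original Authorization: Bearer header unchanged, that the claim is the comma-separated string from the question ({"authorizations":"role_admin, role_user"}), and that Gson is available; the class name UpstreamJwtClaims is mine.

```java
// Added example: read the "authorizations" claim from the JWT Kong proxied through.
// No signature check happens here, so this is only safe when the service is reachable
// exclusively via Kong's jwt plugin, which has already verified the signature.
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class UpstreamJwtClaims {

    /** Returns the roles listed in the "authorizations" claim, or an empty set if absent/malformed. */
    public static Set<String> authorizations(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return Collections.emptySet();
        }
        String[] parts = authorizationHeader.substring(7).trim().split("\\.");
        if (parts.length != 3) return Collections.emptySet(); // not a JWS compact serialization
        String payload;
        try {
            // JWT segments are base64url without padding; Java's URL decoder accepts that.
            payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Collections.emptySet();
        }
        JsonObject claims = new JsonParser().parse(payload).getAsJsonObject();
        JsonElement authz = claims.get("authorizations");
        Set<String> roles = new HashSet<>();
        if (authz != null && authz.isJsonPrimitive()) {
            for (String r : authz.getAsString().split(",")) { // "role_admin, role_user" as in the question
                String role = r.trim();
                if (!role.isEmpty()) roles.add(role);
            }
        }
        return roles;
    }

    /** Deny-by-default check a controller or filter can call before serving a resource. */
    public static boolean hasRole(String authorizationHeader, String role) {
        return authorizations(authorizationHeader).contains(role);
    }

    public static void main(String[] args) {
        // Constructed, unsigned sample token (header + payload only matter for this decode).
        String header = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"sub\":\"alice\",\"authorizations\":\"role_admin, role_user\"}".getBytes(StandardCharsets.UTF_8));
        String bearer = "Bearer " + header + "." + body + ".signature";
        System.out.println(authorizations(bearer));            // [role_user, role_admin] in some order
        System.out.println(hasRole(bearer, "role_admin"));      // true
        System.out.println(hasRole("Bearer not-a-jwt", "x"));  // false
    }
}
```

The same caution applies to X-Consumer-Username: treat it as trustworthy only when the service cannot be reached without passing through Kong, otherwise a caller can set that header themselves.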

Does Hadoop delegation for WebHDFS REST API has dependency with Kerberos SPNEGO?

According to the documentation for the WebHDFS REST API
https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Delegation_Token_Operations
it is mentioned that when security is on there are 2 mechanisms:
Authentication using Kerberos SPNEGO when security is on
Authentication using Hadoop delegation token when security is on
If I choose to use the second option, i.e. authentication using a Hadoop delegation token when security is on,
does it mean it can run without Kerberos configuration in the hadoop setup?
Do I have to set up Kerberos in my hadoop configuration in this case?
To put things in context: typically, you use SPNEGO when you start your HTTP session, then cache your credentials somehow to avoid the complex rounds of 3-way communication between client, server, and Kerberos KDC.
AFAIK, all the Hadoop UIs and REST APIs use a signed cookie after the initial SPNEGO, and it's completely transparent for you -- with the exception of WebHDFS.
Now, with WebHDFS, you have to manage your "credentials cache" explicitly:
start your session with a GET ?op=GETDELEGATIONTOKEN -- you don't present any credentials, therefore it will trigger a SPNEGO authentication, then generate a Hadoop delegation token server-side
retrieve that delegation token from the JSON result
use that token to present your session credentials explicitly in the following GET / POST / PUT, by appending &delegation=XXXXXX to all URLs
Bottom line: yes, you have to set up your Kerberos configuration on client side. The delegation token only allows you to minimize the authentication overhead.
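Both the first question on this page (attaching Kerberos credentials to Apache HttpClient instead of UsernamePasswordCredentials) and the WebHDFS sequence above are covered by this added example, which is mine and not code from the Apache HttpClient or Hadoop projects. It assumes HttpClient 4.4 or later (KerberosCredentials, SPNegoSchemeFactory), a Kerberos login already available to JGSS (a JAAS krb5 login or -Dsun.security.jgss.native=true with a populated ticket cache), and a WebHDFS base URL such as https://namenode.example.com:50470; the Token.urlString field is pulled out with a regex to keep the example dependency-free, a JSON parser is preferable in real code.

```java
// Added example: HttpClient with Kerberos (SPNEGO) credentials, used once to fetch a
// WebHDFS delegation token that then authenticates the remaining calls.
import java.io.IOException;
import java.net.URLEncoder;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class WebHdfsDelegationClient {
    private static final Pattern URL_STRING = Pattern.compile("\"urlString\"\\s*:\\s*\"([^\"]+)\"");

    /** Kerberos initiator credential from the current JGSS login (assumed to exist). */
    public static GSSCredential kerberosCredential() throws GSSException {
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        return GSSManager.getInstance().createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
    }

    /** The Kerberos counterpart of setCredentials(..., new UsernamePasswordCredentials(...)). */
    public static CloseableHttpClient spnegoClient(GSSCredential gssCred) {
        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(AuthScope.ANY, new KerberosCredentials(gssCred));
        Lookup<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, false)) // strip port, no canonicalisation
                .build();
        return HttpClients.custom().setDefaultAuthSchemeRegistry(schemes).setDefaultCredentialsProvider(creds).build();
    }

    /** Step 1: the unauthenticated GET triggers SPNEGO; the NameNode answers with a delegation token. */
    public static String getDelegationToken(CloseableHttpClient client, String base) throws IOException {
        HttpGet get = new HttpGet(base + "/webhdfs/v1/?op=GETDELEGATIONTOKEN");
        try (CloseableHttpResponse resp = client.execute(get)) {
            String body = EntityUtils.toString(resp.getEntity());
            if (resp.getStatusLine().getStatusCode() != 200) throw new IOException("GETDELEGATIONTOKEN failed: " + body);
            return parseUrlString(body);
        }
    }

    /** Extracts Token.urlString from {"Token":{"urlString":"..."}}. */
    public static String parseUrlString(String json) throws IOException {
        Matcher m = URL_STRING.matcher(json);
        if (!m.find()) throw new IOException("no Token.urlString in response");
        return m.group(1);
    }

    /** Step 2: later calls carry &delegation= and need no Kerberos round trip. */
    public static String listStatus(CloseableHttpClient client, String base, String path, String token) throws IOException {
        HttpGet get = new HttpGet(base + "/webhdfs/v1" + path + "?op=LISTSTATUS&delegation=" + URLEncoder.encode(token, "UTF-8"));
        try (CloseableHttpResponse resp = client.execute(get)) {
            if (resp.getStatusLine().getStatusCode() == 401 || resp.getStatusLine().getStatusCode() == 403) {
                throw new IOException("delegation token rejected (expired or cancelled); repeat step 1");
            }
            return EntityUtils.toString(resp.getEntity());
        }
    }

    /** Cleanup: a delegation token is a bearer credential, so cancel it when the session ends. */
    public static void cancelDelegationToken(CloseableHttpClient client, String base, String token) throws IOException {
        HttpPut put = new HttpPut(base + "/webhdfs/v1/?op=CANCELDELEGATIONTOKEN&token=" + URLEncoder.encode(token, "UTF-8"));
        try (CloseableHttpResponse resp = client.execute(put)) {
            EntityUtils.consume(resp.getEntity());
        }
    }

    public static void main(String[] args) throws Exception {
        String base = "https://namenode.example.com:50470"; // assumed host/port
        try (CloseableHttpClient client = spnegoClient(kerberosCredential())) {
            String token = getDelegationToken(client, base);
            System.out.println(listStatus(client, base, "/user", token));
            cancelDelegationToken(client, base, token);
        }
    }
}
```

Two things the sequence implies but the answer does not spell out: the token rides in the query string, so use the HTTPS endpoint (swebhdfs) and keep request URLs out of access logs; and tokens expire, so a 401/403 on a delegation= call means going back to the SPNEGO step (or op=RENEWDELEGATIONTOKEN before expiry), which is why the Kerberos client configuration can never be dropped entirely.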

Accessing REST service after login within browser using oauth2 and spring security using java config

I have implemented OAuth2 using the sparklr2 app. I am using spring-security as described in the sparklr2 app using java config. I can successfully get an auth token using curl and I can invoke the web service using curl.
My question is:
How can I access my REST service within the same browser after logging into my application? I am not sure what I am missing here.
Let me elaborate my question in more detail. The way the browser keeps the session after login so that we can access any protected resource in the application, what is the best way to implement this so that I can test my REST API from the browser?
Spring Security keeps it in the session. The session id is stored in a browser cookie, so it's passed with each request to your service. Then Spring Security should take it and check whether that specific session (with the user logged in) is allowed to hit this particular url.
I would start with configuring the secure paths in your java config:
http.authorizeRequests().antMatchers().hasAnyRole(...)
or some other method instead of antMatchers.
You probably have to log the user into Spring Security on some OAuth callback, something like:
Authentication auth = new UsernamePasswordAuthenticationToken(user, null, authorities);
SecurityContextHolder.getContext().setAuthentication(auth);
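The two fragments in the answer above, joined into one added example (mine, not the sparklr2 sample's code). It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter, a Servlet 3.1 container for changeSessionId(), and that the OAuth2 callback has already verified the token and hands this code a username plus roles; the paths /oauth/callback and /api/** and the class name are assumptions.

```java
// Added example: protect the REST paths, and establish a browser session from the OAuth callback
// in a way that survives the request (stored under the key the security filter reads back).
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

@Configuration
@EnableWebSecurity
public class BrowserSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/oauth/callback", "/login").permitAll() // assumed callback path
                .antMatchers("/api/**").hasAnyRole("USER", "ADMIN")   // the REST service under test
                .anyRequest().authenticated()
            .and().sessionManagement().sessionFixation().changeSessionId()
            .and().csrf(); // keep CSRF on: the session cookie is what authenticates browser calls
    }

    /** Call from the OAuth2 callback once the token has been verified server-side. */
    public static void establishSession(HttpServletRequest request, String username,
                                        Collection<? extends GrantedAuthority> authorities) {
        // 3-arg constructor marks the token as authenticated (credentials deliberately null)
        Authentication auth = new UsernamePasswordAuthenticationToken(username, null, authorities);
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);

        // Rotate the session id before storing credentials in it (session fixation), then persist
        // the context where SecurityContextPersistenceFilter looks on the next browser request.
        HttpSession session = request.getSession(true);
        request.changeSessionId();
        session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, ctx);
    }
}
```

Setting SecurityContextHolder alone only lasts for the current thread; the session attribute is what makes the next request from the same browser arrive authenticated, and the CSRF token then has to accompany any non-GET call you make from that page.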

How to create SPNEGO token to be sent in HTTP header from Kerberos TKT?

I am developing an application that needs to authenticate with a proxy using negotiate. The user may not have a Kerberos client installed. I am trying to achieve this using the MIT Kerberos library in order to avoid platform dependency. I have successfully got a TKT using krb5_get_init_creds_password and verified it with krb5_verify_init_creds. Now I want to create a SPNEGO token to be sent in an HTTP header using this TKT. Can anyone tell me any API or method to create a SPNEGO token?
You can use gss_init_sec_context for the purpose.
Some background:
SPNEGO is an abstraction on top of kerberos for HTTP-based communication (which does not use the security context for encryption, though).
For this purpose do the following:
Now that you have called krb5_get_init_creds_password and have got the krb5 mech credential, create an in-memory credential cache using krb5_cc_new_unique and then initialize it.
Now use krb5_cc_store_cred to store it into that cache
Use gss_krb5_import_cred to get a GSSAPI token
Now you have all the necessary preauth info. All you need to do is to use gss_init_sec_context to create an input token.
Now here is the good part: the latest MIT Kerberos libraries support SPNEGO natively. There is an OID structure called gss_OID that you need to create. For SPNEGO that is:
static gss_OID_desc _gss_mech_spnego = { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
and then pass this as an argument to gss_init_sec_context.
If you are using an older MIT Kerberos library then I suggest you use fbopenssl for this purpose. You can check out the curl source code to see how it is done.
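The same steps in Java's GSS binding, as an added example to show what the gss_init_sec_context call with the SPNEGO OID produces and how it ends up in the header (this is my code, not from the MIT Kerberos or curl projects, and it uses JGSS rather than the C API). The OID 1.3.6.1.5.5.2 is the one the gss_OID_desc above encodes as 2b 06 01 05 05 02; the service name HTTP@proxy.example.com and the class name are assumptions, and it assumes an initiator credential is already available to JGSS, either from a JAAS krb5 login or, with -Dsun.security.jgss.native=true, from the native library's credential cache, which is the MIT-library route the question is after.

```java
// Added example: produce the token for "Proxy-Authorization: Negotiate <base64>" via JGSS/SPNEGO
// and finish mutual authentication from the proxy's reply.
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoNegotiator {
    private final GSSContext context;

    /** @param hostBasedService e.g. "HTTP@proxy.example.com" (assumed name) */
    public SpnegoNegotiator(String hostBasedService) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2");          // same OID as the C gss_OID_desc above
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");     // underlying mechanism that supplies the ticket
        // Initiator credential from the current Kerberos login (the equivalent of the ccache + gss_krb5_import_cred steps)
        GSSCredential cred = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
        GSSName server = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
        context = manager.createContext(server, spnego, cred, GSSContext.DEFAULT_LIFETIME);
        context.requestMutualAuth(true);  // verify the proxy actually holds the HTTP/ service key
        context.requestCredDeleg(false);  // do not forward the TGT to an HTTP proxy unless it is truly required
    }

    /** First request: the initial SPNEGO token, already base64-encoded for the header. */
    public String initialHeaderValue() throws GSSException {
        byte[] token = context.initSecContext(new byte[0], 0, 0);
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    /**
     * Feed the proxy's "Proxy-Authenticate: Negotiate <b64>" value back in.
     * Returns the next header value to send, or null when no further token is needed.
     */
    public String processServerHeader(String headerValue) throws GSSException {
        String b64 = headerValue.replaceFirst("(?i)^Negotiate\\s*", "");
        if (b64.isEmpty()) return null;
        byte[] in = Base64.getDecoder().decode(b64);
        byte[] out = context.initSecContext(in, 0, in.length);
        return (out == null || out.length == 0) ? null : "Negotiate " + Base64.getEncoder().encodeToString(out);
    }

    /** With mutual auth requested, only trust the proxy's 200 once this is true. */
    public boolean established() {
        return context.isEstablished();
    }

    public void dispose() throws GSSException {
        context.dispose();
    }

    public static void main(String[] args) throws GSSException {
        SpnegoNegotiator n = new SpnegoNegotiator("HTTP@proxy.example.com");
        String header = n.initialHeaderValue(); // send as Proxy-Authorization on the first request
        System.out.println(header.substring(0, Math.min(header.length(), 40)) + "...");
        // On 407 or 200 with a Proxy-Authenticate: Negotiate <token> reply, call n.processServerHeader(reply)
        // and re-send until n.established() is true; then n.dispose().
    }
}
```

Two practical points: the header is Proxy-Authorization / Proxy-Authenticate for a proxy and Authorization / WWW-Authenticate for an origin server, and with mutual authentication the proxy's final token arrives in the response you must still feed through processServerHeader, otherwise a spoofed proxy could accept the ticket without ever proving it holds the service key.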