<p>So, I guess there is a way to do this via the SASL/GSS APIs. It confuses me as to why I don't see any great examples of this on the internet anywhere. However, I post an example of what I have created in the hopes that it will be a help to others... or that someone can correct my delusion of doing something useful here.<br><br> Sample Server code:</p>
<pre><code>import java.util.HashMap;
import java.util.Map;
import javax.security.sasl.Sasl;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.thrift.server.TServer;
import org.apache.thrift.server.TThreadPoolServer;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TServerSocket;

TServerSocket serverTransport = new TServerSocket(7911); // new server on port 7911
HelloWorldService.Processor&lt;Iface&gt; processor =
    new HelloWorldService.Processor&lt;Iface&gt;(new ThriftServerImpl()); // This is my thrift implementation for my server
Map&lt;String, String&gt; saslProperties = new HashMap&lt;String, String&gt;(); // need a map for properties
saslProperties.put(Sasl.SERVER_AUTH, "true"); // the original put "true" under Sasl.QOP, which the next line overwrote; SERVER_AUTH is the property that takes "true"
saslProperties.put(Sasl.QOP, "auth-conf"); // authorization and confidentiality
TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory(); // Creating the server definition
saslTransportFactory.addServerDefinition(
    "GSSAPI", // tell SASL to use GSSAPI, which supports Kerberos
    "myserviceprincipal", // base kerberos principal name - myprincipal/my.server.com@MY.REALM
    "my.server.com", // kerberos principal server - myprincipal/my.server.com@MY.REALM
    saslProperties, // Properties set, above
    new SaslRpcServer.SaslGssCallbackHandler()); // I don't know what this really does... but I stole it from Hadoop and it works.. so there.

TServer server = new TThreadPoolServer(
    new TThreadPoolServer.Args(serverTransport)
        .transportFactory(saslTransportFactory)
        .processor(processor));
server.serve(); // Thrift server start
</code></pre>
<p>Sample Client Code<br><br></p>
<pre><code>import java.util.HashMap;
import java.util.Map;
import javax.security.sasl.Sasl;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;

TTransport transport = new TSocket("my.server.com", 7911); // client to connect to server and port
Map&lt;String, String&gt; saslProperties = new HashMap&lt;String, String&gt;(); // the original used this map without declaring it
saslProperties.put(Sasl.SERVER_AUTH, "true"); // the original put "true" under Sasl.QOP, which the next line overwrote; SERVER_AUTH makes the client require the server to authenticate
saslProperties.put(Sasl.QOP, "auth-conf"); // authorization and confidentiality
TTransport saslTransport = new TSaslClientTransport( // TSaslTransport is abstract; the client side is TSaslClientTransport
    "GSSAPI", // tell SASL to use GSSAPI, which supports Kerberos
    null, // authorizationid - null
    "myserviceprincipal", // base kerberos principal name - myprincipal/my.client.com@MY.REALM
    "my.server.com", // kerberos principal server - myprincipal/my.server.com@MY.REALM
    saslProperties, // Properties set, above
    null, // callback handler - null
    transport); // underlying transport
TProtocol protocol = new TBinaryProtocol(saslTransport); // set up our new Thrift protocol
HelloWorldService.Client client = new HelloWorldService.Client(protocol); // Setup our thrift client
saslTransport.open(); // runs the SASL handshake over the socket
String response = client.hello("Hi There"); // send message
System.out.println("response = " + response);
transport.close();
</code></pre>
<p>Other considerations:<br><br>
* I set several java properties on both the client and the server.<br>
- java.security.krb5.realm = MY.REALM // realm name<br>
- java.security.krb5.kdc = my.kdc.com // kdc server<br>
- javax.security.auth.useSubjectCredsOnly = false // Allow JAAS to get the TGT.<br>
- java.security.auth.login.config = /etc/myapp/conf/jaas.conf - required jaas file<br>
- sun.security.krb5.debug = true // helped with diagnosing problems.<br>
* The jaas.conf file specified, above, needs to have two entries (maybe only one per server...). I cannot remember where I gleaned this information from... but here is my file:</p>
<pre><code>com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/myapp/conf/myapp.keytab"
    useTicketCache=true
    principal="myuserprincipal"
    debug=true;
};

com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/myapp/conf/myapp.keytab"
    useTicketCache=false
    principal="myserviceprincipal/my.server.com"
    debug=true;
};
</code></pre>
<p>(back to considerations....)<br>
* Despite having a Sasl.QOP of "auth-conf".. the first(?) message that gets transmitted is not encrypted. Maybe this is just a handshake, or something. The remaining messages appear to be encrypted, but this first one prints an ugly message to the console of "No encryption was performed by peer". It would be nice to not get that message, as it will cause grief down the road (warranted or not).<br><br></p>
<p>Anyway, I hope this helps someone... or alternatively can provoke some improvements that will help me. :) Hard to believe I spent 2-3 days doing this, and only a small amount of code came out of it, but I knew neither Kerberos nor Thrift very well when I started.</p>
<p>Thanks for reading.</p>
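An added example, not part of the post above: it builds the same javax.security.sasl property map the post uses (Sasl.QOP = "auth-conf", Sasl.SERVER_AUTH = "true"), runs the SASL challenge/response loop that Thrift's TSaslTransport performs on open(), and checks the negotiated QOP before wrapping a message, which is the check to make when confidentiality is required. It substitutes the JDK's built-in DIGEST-MD5 mechanism for GSSAPI so it runs without a KDC; the user name, password, service name and host are made up.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslQopDemo {
    // Constructed demo credentials; a Kerberos deployment gets these from the keytab/KDC instead.
    static final String USER = "alice", PASS = "s3cret", SERVICE = "thrift", HOST = "my.server.com";

    // One handler serves both sides: the client answers name/password/realm,
    // the server answers the password lookup and the authorization decision.
    static void answer(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(USER);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(PASS.toCharArray());
            else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
            else if (cb instanceof AuthorizeCallback) { // only allow a caller to act as itself
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            } else throw new UnsupportedCallbackException(cb);
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, "auth-conf");    // same request the post makes: integrity + confidentiality
        props.put(Sasl.SERVER_AUTH, "true"); // client refuses a server that cannot prove itself
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", SERVICE, HOST, props, SaslQopDemo::answer);
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, SERVICE, HOST, props,
                SaslQopDemo::answer);

        // Challenge/response loop, i.e. what TSaslTransport.open() exchanges over the socket.
        byte[] token = client.hasInitialResponse() ? client.evaluateChallenge(new byte[0]) : new byte[0];
        while (!server.isComplete()) {
            token = server.evaluateResponse(token);
            if (token != null && !client.isComplete()) token = client.evaluateChallenge(token);
        }

        // Verify what was really negotiated before handing the channel any application data.
        String qop = (String) client.getNegotiatedProperty(Sasl.QOP);
        if (!"auth-conf".equals(qop)) throw new IllegalStateException("confidentiality not negotiated: " + qop);

        byte[] plain = "Hi There".getBytes(StandardCharsets.UTF_8);
        byte[] wrapped = client.wrap(plain, 0, plain.length);         // encrypted and integrity-protected
        byte[] unwrapped = server.unwrap(wrapped, 0, wrapped.length); // server recovers the plaintext
        System.out.println("QOP=" + qop + " wire=" + wrapped.length + " bytes, server read="
                + new String(unwrapped, StandardCharsets.UTF_8));
        client.dispose();
        server.dispose();
    }
}
```

In a Thrift client or server the same negotiated-property check can be made after open() through the SaslClient/SaslServer that TSaslTransport exposes via getSaslClient()/getSaslServer().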