go-zookeeper / zk

Native ZooKeeper client for Go
BSD 3-Clause "New" or "Revised" License

support krb5 #77

Open zhuliquan opened 2 years ago

zhuliquan commented 2 years ago

Usage:

package main

import (
    "fmt"
    "time"

    "github.com/go-zookeeper/zk"
)

func main() {

    zkConn, _, err := zk.Connect([]string{"localhost"}, time.Second*10, zk.WithSASLConfig(
        &zk.SASLConfig{
            SASLType: zk.KERBEROS,
            KerberosConfig: &zk.KerberosConfig{
                KeytabPath:  "./test.keytab",
                KrbCfgPath:  "./test.config",
                Realm:       "test.com",
                Username:    "test",
                ServiceName: "zookeeper",
            },
        },
    ))
    if err != nil {
        panic(err)
    }
    // Check the error before using the result: a nil error means the read succeeded.
    if res, _, err := zkConn.Get("/test/test_krb5"); err == nil {
        fmt.Printf("get %v from zookeeper\n", res)
    } else {
        panic(err)
    }
}
kirbyzhou commented 2 years ago

It does not seem to work for me.

  1. The SASL handshake seems to have failed.
  2. No error is returned by zk.Get on auth failure.

kirbyzhou@Kirby-WorkBook gozktest % go test

2022/03/15 16:06:17 connected to 10.120.238.27:2181
2022/03/15 16:06:17 authenticated: id=75472220670704181, timeout=10000
2022/03/15 16:06:17 failed to init session context while performing kerberos authentication, err: wrong Token ID. Expected 0504, was 6030
2022/03/15 16:06:17 failed to authorize with kerberos, err: wrong Token ID. Expected 0504, was 6030, zookeeper server: kb01.sa:2181
2022/03/15 16:06:17 error in resending auth creds: wrong Token ID. Expected 0504, was 6030
2022/03/15 16:06:17 recv loop terminated: failed to read from connection: read tcp 172.20.9.129:56321->10.120.238.27:2181: use of closed network connection
get [] from zookeeper
PASS
ok      gitlab.sensorsdata.cn/kirbyzhou/gozktest    0.555s

kirbyzhou@Kirby-WorkBook gozktest % cat basic_test.go

package example

import (
    "fmt"
    "time"
    "testing"
    "github.com/go-zookeeper/zk"
)

func TestBasic(t *testing.T) {
    host := "kb01.sa"
    zkConn, _, err := zk.Connect([]string{host}, time.Second*10, zk.WithSASLConfig(
        &zk.SASLConfig{
            SASLType: zk.KERBEROS,
            KerberosConfig: &zk.KerberosConfig{
                KeytabPath:  "./debugresetreset35323.keytab",
                KrbCfgPath:  "/etc/krb5.conf",
                Realm:       "SA",
                Username:    "debugresetreset35323",
                ServiceName: "zookeeper",
            },
        },
    ))
    if err != nil {
        panic(err)
    }
    // Check the error before using the result: a nil error means the read succeeded.
    if res, _, err := zkConn.Get("/debugresetreset35323_sa"); err == nil {
        fmt.Printf("get %+v from zookeeper\n", res)
    } else {
        panic(err)
    }
}
The standard Java client works.

% cat conf/jaas.conf

Client {
   com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       storeKey=false
       keyTab="file:/Users/kirbyzhou/Develop/go-zookeeper/zookeeper/conf/debugresetreset35323.keytab"
       principal="debugresetreset35323@SA"
       useTicketCache=false
       debug=true;
};

% bin/zkCli.sh -server kb01.sa ls /debugresetreset35323_sa

....
2022-03-15 16:10:45,502 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2022-03-15 16:10:45,511 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):ClientCnxn$SendThread@1112] - Opening socket connection to server kb01.sa/10.120.238.27:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2022-03-15 16:10:45,528 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /172.20.9.129:56923, server: kb01.sa/10.120.238.27:2181
2022-03-15 16:10:45,576 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):ClientCnxn$SendThread@1394] - Session establishment complete on server kb01.sa/10.120.238.27:2181, sessionid = 0x10c2195b77cc380, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null

WATCHER::

WatchedEvent state:SaslAuthenticated type:None path:null
[advertising, applications, backpack, cluster_hosts, deploy_topo, discovery, external, global_conf, monitor, resource, scheduler, sea_area, sensors_node_type, sensors_role_group, service_topology, sp]
kirbyzhou commented 2 years ago

Sorry, it is a bug in gokrb5, which does not support the old WrapToken format used with RC4.

https://github.com/jcmturner/gokrb5/issues/460
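As an added diagnostic example (not code from go-zookeeper, gokrb5 or either commenter), the Go function below classifies a GSSAPI wrap token by its leading bytes, which is what the "Expected 0504, was 6030" message above is about: 0x05 0x04 is the RFC 4121 token ID used with AES enctypes, while 0x60 is the RFC 2743 framing byte that wraps the older RFC 1964 token format used by DES and RC4-HMAC (the 0x30 that follows is the DER length). Both sample tokens are constructed; their algorithm identifiers follow RFC 4757.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// DER-encoded Kerberos V5 GSS-API mech OID 1.2.840.113554.1.2.2 (RFC 1964 section 1.1).
var krb5MechOID = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}
// Constructed sample of the token kind behind "was 6030": 0x60 framing, DER length
// 0x30 (48), mech OID, then an RFC 1964 wrap token with the RC4-HMAC identifiers
// SGN_ALG 11 00 / SEAL_ALG 10 00 (RFC 4757 section 7.3); trailing bytes are zeroed.
var SampleRC4Token = append(append([]byte{0x60, 0x30}, krb5MechOID...),
	append([]byte{0x02, 0x01, 0x11, 0x00, 0x10, 0x00, 0xff, 0xff}, make([]byte, 29)...)...)

// Constructed sample of what gokrb5 expected: an unframed RFC 4121 (AES) wrap token.
var SampleAESToken = append([]byte{0x05, 0x04, 0x06, 0xff, 0x00, 0x00}, make([]byte, 26)...)

// ClassifyWrapToken names the wrap-token format in tok (RFC 2743 0x60 framing with a
// short-form DER length is peeled first), so a failed handshake can be traced to the enctype.
func ClassifyWrapToken(tok []byte) (string, error) {
	if len(tok) < 2 {
		return "", errors.New("token shorter than TOK_ID")
	}
	if tok[0] == 0x05 && tok[1] == 0x04 {
		return "rfc4121/aes", nil
	}
	if tok[0] != 0x60 || tok[1]&0x80 != 0 {
		return "", fmt.Errorf("unrecognised TOK_ID %02x%02x", tok[0], tok[1])
	}
	body := tok[2:]
	if int(tok[1]) != len(body) || !bytes.HasPrefix(body, krb5MechOID) {
		return "", errors.New("framing length mismatch or non-Kerberos mech OID")
	}
	inner := body[len(krb5MechOID):]
	if len(inner) < 6 || inner[0] != 0x02 || inner[1] != 0x01 {
		return "", errors.New("framed token is not an RFC 1964 wrap token")
	}
	if inner[4] == 0x10 && inner[5] == 0x00 {
		return "rfc1964/rc4-hmac", nil // the legacy format gokrb5 could not parse
	}
	return "rfc1964/des-or-unsealed", nil // SEAL_ALG 00 00 (DES) or ff ff (none)
}

func main() {
	kind, err := ClassifyWrapToken(SampleRC4Token)
	fmt.Println(kind, err) // rfc1964/rc4-hmac <nil>
}
```

Seeing rfc1964/rc4-hmac on a live handshake means the ZooKeeper service principal was issued an RC4-HMAC session key; fixing that on the KDC side (AES enctypes for the principal) removes both the weak cipher and this client failure.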