connect to MongoDB with Kerberos Authentication


Winnie Lin

Jan 21, 2014, 6:24:24 PM
to mongod...@googlegroups.com
Hi,
I am trying to authenticate to a MongoDB cluster using Kerberos with the Java driver. There are only a couple of lines of instruction on this topic in the MongoDB documentation: http://docs.mongodb.org/ecosystem/tutorial/authenticate-with-java-driver/#kerberos-authentication

So it looks like it requires a manual step to first do a kinit to get a Kerberos ticket before you can run the Java client program. Without the manual kinit step, it will prompt you for your Kerberos userName and password while you are running your program, even though the MongoDB documentation says "With Kerberos you specify neither the password nor the database name."

Does anyone know how I can pass in the Kerberos credentials to connect to MongoDB in the code without having to do the manual kinit step or manually type in the Kerberos userName and password when prompted?

Any help will be appreciated! Thanks!

Here is my sample code:

import java.util.Arrays;

import com.mongodb.DB;
import com.mongodb.DBCollection;
import com.mongodb.MongoClient;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;

public class Kerberos {

    public static void main(String[] args) throws Exception {
        // Kerberos system properties: allow JGSS to obtain credentials itself
        // (not only from the current Subject), and name the realm and KDC
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.krb5.realm", "MONGODB.COM");
        System.setProperty("java.security.krb5.kdc", "mdb04.guard.swg.usma.ibm.com");

        String server = "mdb07.guard.swg.usma.ibm.com";
        String user = "win...@MONGODB.COM";
        String databaseName = "test";

        System.out.println("javax.security.auth.useSubjectCredsOnly: " + System.getProperty("javax.security.auth.useSubjectCredsOnly"));
        System.out.println("java.security.krb5.realm: " + System.getProperty("java.security.krb5.realm"));
        System.out.println("java.security.krb5.kdc: " + System.getProperty("java.security.krb5.kdc"));

        // GSSAPI (Kerberos) credential: only the principal is given, no password
        MongoCredential credential = MongoCredential.createGSSAPICredential(user);

        MongoClient mongoClient = new MongoClient(new ServerAddress(server, 27017), Arrays.asList(credential));

        DB testDB = mongoClient.getDB(databaseName);
        DBCollection c = testDB.getCollection("gender");

        System.out.println("hello!!!");

        // First operation that contacts the server, so authentication happens here
        System.out.println(c.findOne());
    }
}


Here's the output with the Kerberos username and password prompts:

[root@dbrh6u0x64 tmp]# /tmp/jdk1.7.0_51/bin/java -cp ./mongo-java-driver-2.11.3.jar:. Kerberos
javax.security.auth.useSubjectCredsOnly: false
java.security.krb5.realm: MONGODB.COM
java.security.krb5.kdc: mdb04.guard.swg.usma.ibm.com

hello!!!
Kerberos username [root]: win...@MONGODB.COM
Kerberos password for win...@MONGODB.COM:
{ "_id" : { "gender" : "f"} , "value" : { "count" : 6.0}}

Jeff Yemin

Jan 21, 2014, 7:04:31 PM
to mongod...@googlegroups.com
There are a couple of ways you can do this:

1. Specify a CallbackHandler to be used via the auth.login.defaultCallbackHandler security property, as documented here.
2. Use a keytab file. In order to use a keytab file, you need to create a login configuration file, as described here. Here's an example:

com.sun.security.jgss.krb5.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
           doNotPrompt=true useKeyTab=true principal=uname1;
};

and then you need to reference the location of this file via a property. There are multiple ways of doing this, as described in the tutorial referenced above, but the simplest is to use the java.security.auth.login.config property, e.g.

-Djava.security.auth.login.config=file:///path/to/login.config

This particular configuration will look for a keytab file first in whatever is specified in the krb5.conf file, if that exists, or else the home directory of the user that owns the Java process, but you can override that default with the keyTab option in the login.config. All the available options are described here.
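
One way to implement option 1 from the reply above, as an added example that is not part of the original thread or of the MongoDB driver: a CallbackHandler that answers the Krb5LoginModule name and password prompts from two environment variables instead of the console. The class name EnvCallbackHandler, the install() helper and the variable names KRB5_PRINCIPAL and KRB5_PASSWORD are assumptions made for this example.

```java
import java.io.IOException;
import java.security.Security;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Added example: supplies the Kerberos principal and password to JAAS
 * without a console prompt. KRB5_PRINCIPAL and KRB5_PASSWORD are
 * hypothetical variable names chosen for this example.
 */
public class EnvCallbackHandler implements CallbackHandler {

    // JAAS instantiates the handler by reflection: public no-arg constructor required.
    public EnvCallbackHandler() { }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(require("KRB5_PRINCIPAL"));
            } else if (cb instanceof PasswordCallback) {
                char[] pw = require("KRB5_PASSWORD").toCharArray();
                ((PasswordCallback) cb).setPassword(pw); // setPassword keeps its own copy
                Arrays.fill(pw, '\0');                   // wipe our temporary copy
            } else {
                // Refuse unknown callbacks rather than silently skipping them.
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    // Fail the login with a clear error if a variable is missing.
    private static String require(String var) throws IOException {
        String value = System.getenv(var);
        if (value == null || value.isEmpty()) {
            throw new IOException("environment variable " + var + " is not set");
        }
        return value;
    }

    /** Registers this class under the security property named in option 1. */
    public static void install() {
        Security.setProperty("auth.login.defaultCallbackHandler", EnvCallbackHandler.class.getName());
    }
}
```

Call EnvCallbackHandler.install() before the first MongoClient is created, and keep the class on the application classpath so JAAS can load it by name.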




Winnie Lin

Jan 22, 2014, 4:05:21 AM
to mongod...@googlegroups.com
Solution #1 works!! Thanks a lot Jeff! 

Sharan Kumar

Jul 1, 2015, 9:48:14 AM
to mongod...@googlegroups.com
@Winnie Lin

I am facing issues trying both the solutions. Please suggest how you have implemented Solution #1.

Thanks.