GSSException:未提供有效凭据(机制级别:找不到任何 Kerberos tgt)

我对MOngoDB + Java Configuration非常陌生。我正在尝试从Java应用程序实现来自远程mongodb服务器的连接。我想使用GSSAPI机制来连接mongotemplate。以下代码已成功执行。下面的代码来自我的配置文件。

List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
    ServerAddress address = new ServerAddress(host, port);
    serverAddresses.add(address);
    List<MongoCredential> credentials = new ArrayList<MongoCredential>();

    MongoCredential credential = MongoCredential.createGSSAPICredential(userName);

    credential.withMechanismProperty("SERVICE_NAME", gssapiServiceName);
    credential.withMechanismProperty("CANONICALIZE_HOST_NAME", true);
    credentials.add(credential);

    return new MongoClient(serverAddresses, credentials);

但是当我尝试执行下面的代码时,我得到异常

DB db = mongoTemplate.getDb();
Set<String> dbCollections1 = db.getCollectionNames();

例外:

GSSException: 未提供有效凭据(机制级别:未能找到任何 Kerberos tgt) at sun.security.jgss.krb5InitCredential.getInstance(Krb5InitCredential.java:147) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193) at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427) at sun.security.jgss.GSSCredentialImpl.(GSSCredentialImpl.java:62) at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154) at com.mongodb.DBPort$GSSAPIAuthenticator.getGSSCredential(DBPort.java:622) at com.mongodb.DBPort$GSSAPIAuthenticator.createSaslClient(DBPort.java:593) at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:895) at com.mongodb.DBPort.authenticate(DBPort.java:432) at com.mongodb.DBPort.checkAuth(DBPort.java:443) atcom.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:289) at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:269) at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:84) at com.mongodb.DB.command(DB.java:320) at com.mongodb.DB.command(DB.java:299) at com.mongodb.DB.command(DB.java:388) at com.mongodb.DBApiLayer.getCollectionNames(DBApiLayer.java:152)


答案 1

非常感谢所有回复的人,看看我的问题。

在添加一些系统属性和一个新的conf文件后,终于能够与MongoDB服务器连接了。特此附上更新后的代码 -

try {
        System.setProperty("java.security.krb5.conf","C:/mongodb/UnixKeytab/krb5.conf");
        System.setProperty("java.security.krb5.realm","EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc","example.com");
        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
        System.setProperty("java.security.auth.login.config","C:/mongodb/UnixKeytab/gss-jaas.conf");


        List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
        ServerAddress address = new ServerAddress(host, port);
        serverAddresses.add(address);
        List<MongoCredential> credentials = new ArrayList<MongoCredential>();
        MongoCredential credential = MongoCredential.createGSSAPICredential(username);
        credentials.add(credential);
        MongoClient mongoClient1 = new MongoClient(serverAddresses, credentials);
        DB db = mongoClient1.getDB(database);

    } catch (UnknownHostException e) {
        e.printStackTrace();
    }

我的 krb5.conf 文件如下所示 -

[libdefaults]
     default_realm = EXAMPLE.COM
     default_tkt_enctypes = des-cbc-md5 rc4-hmac
     default_tgs_enctypes = des-cbc-md5 rc4-hmac
     default_keytab_name = <keytab file path>
[realms]
EXAMPLE.COM = {
    kdc = example.com
    master_kdc = example.com
    default_domain = EXAMPLE.COM
}
INTRANET = {
    kdc = example.com
    master_kdc = example.com
    default_domain = example.com
}

我的 gss-jaas.conf 如下所示 -

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
principal="my-account@MY_REALM"
doNotPrompt=true
keyTab="path-to-my-keytab-file"
debug=true;};

我发布的代码正在为我工作。希望这对其他人有用。


答案 2

在这篇文章中添加一些信息,因为它已经非常有用。

如果未在从 中检索到的方法中运行 ,则不会从文件中获取凭据。即,代码查看通过该方法注册的主体的当前线程的安全管理器,然后使用此主体集中的凭据。这应该是获得的,通过它反过来读取正确的和凭据,但是如果您不在方法中运行和方法,则所有这些都无关紧要。Sasl/createSaslClientSubject:doAsLoginContextkrb5.confGSSSubject:doAsSubjectjaasjaaskrb5.confsaslsaslclientSubject:doAs

您可以通过设置来绕过它,这意味着如果找不到凭据,则将搜索jaas文件中的一些默认名称,请参阅LoginConfigImpl.java#92,一个是。javax.security.auth.useSubjectCredsOnly=falsecom.sun.security.jgss.initiate

例如

com.sun.security.jgss.initiate{
   com.sun.security.auth.module.Krb5LoginModule required
   doNotPrompt=true
   useTicketCache=true
   useKeyTab=true
   keyTab="mykeytab"
   principal="service/host@REALM";
 };