Discussion:
connect to MongoDB with Kerberos Authentication
Winnie Lin
2014-01-21 23:24:24 UTC
Hi,
I am trying to authenticate to a MongoDB cluster using Kerberos with the
Java driver. There are only a couple of lines of instruction on this topic in
the MongoDB documentation
http://docs.mongodb.org/ecosystem/tutorial/authenticate-with-java-driver/#kerberos-authentication

So it looks like it requires a manual step to first do a kinit to get a
Kerberos ticket before you can run the Java client program. Without the
manual kinit step, it will prompt you for your Kerberos userName and
Password while you are running your program, even though the MongoDB
documentation says "With Kerberos you specify neither the password nor the
database name."

Does anyone know how I can pass in the Kerberos credentials to connect to
MongoDB in the code without having to do the manual kinit step or to
manually type in the Kerberos userName and password when prompted?

Any help will be appreciated! Thanks!

Here is my sample code:

    import java.util.Arrays;

    import com.mongodb.DB;
    import com.mongodb.DBCollection;
    import com.mongodb.MongoClient;
    import com.mongodb.MongoCredential;
    import com.mongodb.ServerAddress;

    public class Kerberos {

        public static void main(String[] args) throws Exception {
            // Allow JGSS to obtain Kerberos credentials itself rather than
            // requiring them to be present in a JAAS Subject
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
            // Realm and KDC, set here instead of in a krb5.conf file
            System.setProperty("java.security.krb5.realm", "MONGODB.COM");
            System.setProperty("java.security.krb5.kdc", "mdb04.guard.swg.usma.ibm.com");

            String server = "mdb07.guard.swg.usma.ibm.com";
            String user = "winnie-Iq64pNzLL+***@public.gmane.org";
            String databaseName = "test";

            System.out.println("javax.security.auth.useSubjectCredsOnly: "
                    + System.getProperty("javax.security.auth.useSubjectCredsOnly"));
            System.out.println("java.security.krb5.realm: "
                    + System.getProperty("java.security.krb5.realm"));
            System.out.println("java.security.krb5.kdc: "
                    + System.getProperty("java.security.krb5.kdc"));

            // GSSAPI (Kerberos) credential: only the principal name is given
            MongoCredential credential = MongoCredential.createGSSAPICredential(user);

            MongoClient mongoClient = new MongoClient(
                    new ServerAddress(server, 27017), Arrays.asList(credential));

            DB testDB = mongoClient.getDB(databaseName);
            DBCollection c = testDB.getCollection("gender");

            System.out.println("hello!!!");

            // The Kerberos prompt appears at this first query
            // (after "hello!!!" in the output below)
            System.out.println(c.findOne());
        }
    }


Here's the output with the Kerberos username and password prompts:

    [***@dbrh6u0x64 tmp]# /tmp/jdk1.7.0_51/bin/java -cp ./mongo-java-driver-2.11.3.jar:. Kerberos
    javax.security.auth.useSubjectCredsOnly: false
    java.security.krb5.realm: MONGODB.COM
    java.security.krb5.kdc: mdb04.guard.swg.usma.ibm.com

    hello!!!
    Kerberos username [root]: winnie-Iq64pNzLL+***@public.gmane.org
    Kerberos password for winnie-Iq64pNzLL+***@public.gmane.org:
    { "_id" : { "gender" : "f"} , "value" : { "count" : 6.0}}
--
--
You received this message because you are subscribed to the Google
Groups "mongodb-user" group.
To post to this group, send email to mongodb-user-/***@public.gmane.org
To unsubscribe from this group, send email to
mongodb-user+unsubscribe-/***@public.gmane.org
See also the IRC channel -- freenode.net#mongodb

---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/***@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.
Jeff Yemin
2014-01-22 00:04:31 UTC
There are a couple of ways you can do this:

1. Specify a CallbackHandler to be used via the
   auth.login.defaultCallbackHandler security property, as documented here:
   http://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/LoginContext.html
2. Use a keytab file. In order to use a keytab file, you need to create a
   login configuration file, as described here:
   http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html
   Here's an example:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true useKeyTab=true principal=uname1;
    };

and then you need to reference the location of this file via a property.
There are multiple ways of doing this, as described in the tutorial
referenced above, but the simplest is to use the
java.security.auth.login.config property, e.g.

    -Djava.security.auth.login.config=file:///path/to/login.config

This particular configuration will look for a keytab file first in whatever
is specified in the krb5.conf file, if that exists, or else the home
directory of the user that owns the Java process, but you can override that
default with the keyTab option in the login.config. All the available
options are described here:
http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
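Option 1 from the reply above, sketched as an added example that is not part of the original posts: a CallbackHandler registered through the auth.login.defaultCallbackHandler security property, so the Krb5LoginModule name and password prompts are answered without a console. The class name, the two example.krb5.* system properties and the owner-only password file are assumptions made for this sketch, and the permission check requires a POSIX file system.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.Security;
import java.util.*;
import javax.security.auth.callback.*;

// Added example; the class name and the two property names are hypothetical.
public class KerberosCallbackHandler implements CallbackHandler {
    static final String PRINCIPAL_PROP = "example.krb5.principal";
    static final String PASSWORD_FILE_PROP = "example.krb5.passwordFile";

    // LoginContext loads the handler by class name, so the class must stay public
    // and keep its implicit public no-argument constructor.
    public static void install() {
        Security.setProperty("auth.login.defaultCallbackHandler", KerberosCallbackHandler.class.getName());
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(setting(PRINCIPAL_PROP));
            } else if (cb instanceof PasswordCallback) {
                char[] pw = readSecret(Paths.get(setting(PASSWORD_FILE_PROP)));
                ((PasswordCallback) cb).setPassword(pw); // the callback stores its own copy
                Arrays.fill(pw, '\0');                   // so this one can be wiped now
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
    private static String setting(String key) {
        return Objects.requireNonNull(System.getProperty(key), key + " is not set");
    }

    // Reads the password, refusing a file that group or others can access.
    static char[] readSecret(Path file) throws IOException {
        if (!EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)
                .containsAll(Files.getPosixFilePermissions(file))) {
            throw new IOException(file + " must be accessible by its owner only (mode 0600 or 0400)");
        }
        byte[] raw = Files.readAllBytes(file);
        int end = raw.length;
        while (end > 0 && (raw[end - 1] == '\n' || raw[end - 1] == '\r')) end--; // drop trailing newline
        CharBuffer chars = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw, 0, end));
        Arrays.fill(raw, (byte) 0);
        char[] pw = Arrays.copyOf(chars.array(), chars.limit());
        Arrays.fill(chars.array(), '\0');
        return pw;
    }
}
```

Call KerberosCallbackHandler.install() before constructing the MongoClient and keep javax.security.auth.useSubjectCredsOnly set to false as in the original program. The password file carries the same exposure as a keytab, so it needs the same owner-only protection on disk.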
Winnie Lin
2014-01-22 09:05:21 UTC
Solution #1 works!! Thanks a lot Jeff!
Sharan Kumar
2015-07-01 13:48:14 UTC
@Winnie Lin

I am facing issues trying both the solutions. Please suggest how you have
implemented Solution #1.

Thanks.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/59c0c55e-4cab-4fa4-824e-6598dd9e04a4%40googlegroups.com.