Hi John,

Login from keytab is mostly expected for services. For end users, yes, they use passwords. In Kerberos (and Hadoop), it's expected for end users to execute a kinit-like tool and generate ticket caches, then some methods like login from ticket cache in UGI will do the rest of the work and help in your case.

Or do you have to use the password directly in your program? If so, you may add the method yourself:

1) let your program prompt the user for the password;
2) if your program has gathered the password by other means, then use some support like below:

In Krb5LoginModule:

    * useFirstPass   if, true, this LoginModule retrieves the
    *                username and password from the module's shared state,
    *                using "javax.security.auth.login.name" and
    *                "javax.security.auth.login.password" as the respective
    *                keys. The retrieved values are used for authentication.
    *                If authentication fails, no attempt for a retry
    *                is made, and the failure is reported back to the
    *                calling application.

Hope this helps.

Regards,
Kai

From: John Lilley [mailto:[email protected]]
Sent: Monday, August 17, 2015 11:28 PM
To: '[email protected]'
Subject: UserGroupInformation and login with password

Greetings,

Our software uses UserGroupInformation to authenticate with Kerberos-secure clusters. We've found that there are obvious methods for logging in via keytab:

    loginUserFromKeytab()
    reloginFromKeytab()

However, there are no obvious analogous methods for password-based login. We've created the equivalent to loginUserFromPassword() using reflection to access private members, but have not yet created the equivalent reloginFromPassword(). It doesn't seem right to be using reflection here, but we cannot find the public API for principal/password login and relogin. It seems like this should be something simple. We do need to support password, because many of our customers do not allow keytabs.

Thanks
John Lilley
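The password login discussed in this thread, sketched with the public JAAS API only, as an added example that is not code from either poster or from Hadoop. It supplies the password through a CallbackHandler rather than through the useFirstPass shared state; the class name, the "password-login" entry name and the command-line principal are assumptions, and it expects an Oracle/OpenJDK runtime with a working krb5.conf.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

public class PasswordKerberosLogin {  // hypothetical class name
    /** Runs a fresh Krb5LoginModule login. Call it again before the TGT expires to "relogin". */
    static Subject login(String principal, char[] password) throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", principal);
        opts.put("useTicketCache", "false"); // do not pick up a kinit cache
        opts.put("useKeyTab", "false");      // password only, no keytab
        opts.put("storeKey", "false");       // do not keep long-term keys in the Subject
        opts.put("doNotPrompt", "false");    // let the module call our handler
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("password-login", new Subject(), handler, conf);
        lc.login(); // throws LoginException on a wrong password or unreachable KDC
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null)
            throw new IllegalStateException("usage: PasswordKerberosLogin <principal> (needs a console)");
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        try {
            Subject subject = login(args[0], pw);
            System.out.println("Authenticated as " + subject.getPrincipals());
            // Assumption: hand the Subject to Hadoop with
            // UserGroupInformation.loginUserFromSubject(subject) if your version has it.
        } finally {
            Arrays.fill(pw, '\0'); // wipe our copy; PasswordCallback holds its own clone
        }
    }
}
```

A long-running client that logs in again this way has to keep the password available in memory for the life of the process, so keep it in a char[] that is wiped on shutdown and never write it to logs or configuration files.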
