菜单

Kerberos认证过程debug日志

#Kerberos
发布于 2024-05-09 / 62 阅读 / 0 评论 /
sun.security.krb5.debug控制kerberos认证的debug日志

1.kerberos认证debug日志开启

kerberos认证过程比较复杂,而且代码实现过程中存在各种日志信息不明确的情况,这时我们就需要在开发过程中通常需要开启debug日志,来获取更详细的日志信息。

sun.security.krb5.debug控制kerberos认证的debug日志,该参数在sun.security.krb5.internal.Krb5中声明静态常量,被其他类引用。

public static final boolean DEBUG = GetBooleanAction
            .privilegedGetProperty("sun.security.krb5.debug");

使用方法如下:

-Dsun.security.krb5.debug=true

sun.security.krb5.internal.Krb5类中还定义了Kerberos认证过程遇到的各种错误信息,例如下图所示:

共定义了70多种错误类型。

2.典型的debug日志

如下所示:

Found ticket for hadoop/tttt-10-4-4-18@TTTT-C2O588YD to go to krbtgt/TTTT-C2O588YD@TTTT-C2O588YD expiring on Thu May 09 08:23:01 CST 2024
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for hadoop/tttt-10-4-4-18@TTTT-C2O588YD to go to krbtgt/TTTT-C2O588YD@TTTT-C2O588YD expiring on Thu May 09 08:23:01 CST 2024
Service ticket not found in the subject
>>> Credentials serviceCredsSingle: same realm
default etypes for default_tgs_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=2402:4c01:4c01:4c01:4c01:4c01:4c01:e3a0 TCP:8888, timeout=3000, number of retries =3, #bytes=825
>>> KDCCommunication: kdc=2402:4c01:4c01:4c01:4c01:4c01:4c01:e3a0 TCP:8888, timeout=3000,Attempt =1, #bytes=825
>>>DEBUG: TCPClient reading 883 bytes
>>> KrbKdcReq send: #bytes read=883
>>> KdcAccessibility: remove [2402:4c01:4c01:4c01:4c01:4c01:4c01:e3a0]:8888
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> TGS credentials serviceCredsSingle:
>>> DEBUG: ----Credentials----
        client: hadoop/tttt-10-4-4-18@TTTT-C2O588YD
        server: hadoop/tttt-10-4-4-37@TTTT-C2O588YD
        ticket: sname: hadoop/tttt-10-4-4-37@TTTT-C2O588YD
        startTime: 1715170982000
        endTime: 1715214181000
        ----Credentials end----
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 391165593
Krb5Context setting peerSeqNumber to: 391165593
Created InitSecContextToken:
0000: 01 00 6E 82 03 28 30 82   03 24 A0 03 02 01 05 A1  ..n..(0..$......
0010: 03 02 01 0E A2 07 03 05   00 00 00 00 00 A3 82 02  ................
0020: 29 61 82 02 25 30 82 02   21 A0 03 02 01 05 A1 0F  )a..%0..!.......
0030: 1B 0D 54 54 54 54 2D 43   32 4F 35 38 38 59 44 A2  ..TTTT-C2O588YD.
0040: 23 30 21 A0 03 02 01 00   A1 1A 30 18 1B 06 68 61  #0!.......0...ha
0050: 64 6F 6F 70 1B 0E 74 74   74 74 2D 31 30 2D 34 2D  doop..tttt-10-4-
0060: 34 2D 33 37 A3 82 01 E2   30 82 01 DE A0 03 02 01  4-37....0.......
0070: 12 A1 03 02 01 01 A2 82   01 D0 04 82 01 CC B2 85  ................
0080: 1F CB 45 91 B3 32 B3 DA   C4 42 44 8D 24 E8 78 2E  ..E..2...BD.$.x.
0090: C2 E6 BC C5 2E 5E 1B EC   F1 90 F7 95 55 25 68 AC  .....^......U%h.
00A0: 3C 19 64 06 60 0C 9B 8A   99 B8 19 41 26 72 B5 3D  <.d.`......A&r.=
00B0: 57 18 9B 9A 46 B0 3C 49   4D 7B 85 75 5A 21 44 1C  W...F.<IM..uZ!D.
00C0: B2 92 FE 2F 8F 34 0C 57   C2 DC 53 75 AE F0 B9 6B  .../.4.W..Su...k
00D0: A5 C2 0F DD 73 00 D4 A4   6F 78 58 18 C9 36 1D 36  ....s...oxX..6.6
00E0: DF DD BF 5C 06 E0 7F FF   0E D3 61 A3 38 22 75 E0  ...\......a.8"u.
00F0: BC 17 5F AE 69 0C EB ED   1E D6 43 33 2C 1B DC 59  .._.i.....C3,..Y
0100: AB 20 92 D6 71 6F 99 E4   D2 30 8B 51 12 72 F6 AA  . ..qo...0.Q.r..
0110: 5C 62 7E 58 D4 D4 FA C0   23 2D 8E A6 D6 54 5A 6F  \b.X....#-...TZo
0120: 96 B7 A3 A0 56 BD A7 BD   41 48 B0 C1 E8 FE 60 CF  ....V...AH....`.
0130: 68 7C F3 FF F2 D9 05 14   21 7A 5F CB FE 24 28 7C  h.......!z_..$(.
0140: EA 87 71 FC 2C E3 DD 73   DC 57 4B 55 4B 7D 90 5F  ..q.,..s.WKUK.._
0150: 33 61 01 2E 1B 23 83 B0   C4 62 E2 0A E6 E7 6F 7A  3a...#...b....oz
0160: B1 EA 0D BD E1 15 43 16   09 AD 32 2F C1 A6 95 64  ......C...2/...d
0170: F5 37 88 32 61 D7 08 E8   58 E2 01 B1 13 F5 27 B6  .7.2a...X.....'.
0180: B2 87 32 33 85 36 FC 0B   F0 6D BC DC 39 54 30 54  ..23.6...m..9T0T
0190: 6F 07 13 E6 C2 AC D2 9F   3D E3 25 9E BE 4A 23 B6  o.......=.%..J#.
01A0: 5E 0B C5 68 C5 AF 2A 66   27 32 69 7E AD FC AA AC  ^..h..*f'2i.....
01B0: C5 6B 61 F9 0A 9C AD C0   5B 20 F5 DE 20 3D B0 E1  .ka.....[ .. =..
01C0: 5C B0 B3 39 DE B3 2D 70   B5 D4 88 D6 E1 39 D0 60  \..9..-p.....9.`
01D0: 27 A5 CC EE 2A 6F 9B C5   4D B9 E2 07 5B BF AA CD  '...*o..M...[...
01E0: 9C EB 6A 68 FF 3A 14 E2   63 AB 9E 8A DA F5 66 1C  ..jh.:..c.....f.
01F0: 67 5A CD 7A 7E A4 7A 39   18 17 BB AA 58 27 20 AD  gZ.z..z9....X' .
0200: 28 09 BD 71 18 60 F8 2C   0B 85 F0 74 D1 F9 89 01  (..q.`.,...t....
0210: 23 2F 4C 59 5B 8E E7 63   B9 C1 C6 9B 77 AB 17 16  #/LY[..c....w...
0220: FC A2 43 F8 1C C5 6D EF   7A 6A 5F B0 1B 32 F7 01  ..C...m.zj_..2..
0230: BC 52 7F CE F2 C5 44 08   01 89 8D 29 65 BF C4 D9  .R....D....)e...
0240: 85 A8 AC 17 94 78 07 1A   E8 59 A4 81 E1 30 81 DE  .....x...Y...0..
0250: A0 03 02 01 12 A2 81 D6   04 81 D3 77 20 D7 80 C5  ...........w ...
0260: D6 41 DB 0F F6 7D D9 8F   F3 DE 35 B6 54 31 18 D1  .A........5.T1..
0270: 5F BE 34 94 AB 2B 95 29   36 8B DD 37 B2 7E 5E 9C  _.4..+.)6..7..^.
0280: FC 0B EA 17 F0 83 34 99   23 35 D2 9B D0 0B E3 E5  ......4.#5......
0290: 41 59 6B 69 E9 47 C2 FB   FB 38 8D 51 11 EB 2F C8  AYki.G...8.Q../.
02A0: 19 7B 09 50 81 D9 69 88   80 68 39 CD D1 EB 24 A5  ...P..i..h9...$.
02B0: EC D6 38 7F A9 56 38 74   4F 39 F1 D7 97 7A A3 8A  ..8..V8tO9...z..
02C0: EC 4A EB C9 37 72 62 20   7E 30 A8 35 A4 D4 BE 6A  .J..7rb .0.5...j
02D0: 1C C0 31 44 93 90 CB 16   F6 08 7A 2F 23 B4 A6 4B  ..1D......z/#..K
02E0: 97 2D BC BC 9C 1D 47 0D   FB 64 0C 1C 47 D0 25 DC  .-....G..d..G.%.
02F0: 13 A7 7D C8 0B C7 04 A9   98 8D EC F4 77 D7 27 9D  ............w.'.
0300: 88 2B 6A BB 2F BE B3 75   2D 97 DA 3A EB 80 77 4B  .+j./..u-..:..wK
0310: 07 5D 4C 6A 19 6A 5D 0B   3D D5 B9 31 EE 4F 87 5F  .]Lj.j].=..1.O._
0320: 5D 7A 97 D6 4B A8 B5 77   72 6B 38 79 C8 FD        ]z..K..wrk8y..

对于不可打印字符,通过“.”符号输出。

下面,对以上案例中的日志信息的源码进行分析。

2.1.CredentialsUtil输出日志

CredentialsUtil全称为sun.security.krb5.internal.CredentialsUtil,该类中会输出以下日志信息

(1)>>> Credentials acquireServiceCreds

(2)>>> serviceCredsSingle

(3)>>> Credentials serviceCredsSingle

(4)>>> TGS credentials serviceCredsSingle

(5)>>> Handling S4U2Self referral

(6)>>> Handling S4U2Proxy referral

2.2.EType输出日志

EType全称为sun.security.krb5.internal.crypto.EType,该类中会输出以下日志信息

(1)>>> EType

2.3.CksumType 输出日志

CksumType全称为sun.security.krb5.internal.crypto.CksumType ,该类中会输出以下日志信息

(1)>>> CksumType:

2.4.NetClient输出日志

NetClient全称为sun.security.krb5.internal.NetClient,该类中会输出以下日志信息

(1)>>>DEBUG: TCPClient could not read length field

(2)>>>DEBUG: TCPClient reading

(3)>>>DEBUG: TCPClient zero or negative length field:

(4)>>>DEBUG: TCPClient could not read complete packet (

2.5.Config输出日志

Config全称为sun.security.krb5.Config,该类中会输出以下日志信息

(1)default etypes for

2.6.Krb5Context输出日志

Krb5Context全称为sun.security.jgss.krb5.Krb5Context,该类会输出以下日志信息

(1)Attempt to obtain service

(2)Found service ticket in

(3)Service ticket not found in

(4)>>> Constrained deleg from

(5)Entered Krb5Context.initSecContext with

(6)Subject is readOnly;Kerberos Service ticket not stored

(7)Created InitSecContextToken:

2.7.KdcComm输出日志

KdcComm全称为sun.security.krb5.KdcComm,该类会输出以下日志信息

(1)>>> KrbKdcReq send: error trying

(2)>>> KrbKdcReq send: kdc=

(3)>>> KrbKdcReq send: #bytes read=

(4)>>> KDCCommunication: kdc=

(5)>>> KdcAccessibility: add

(6)>>> KdcAccessibility: remove

(7)>>> KdcAccessibility: reset

2.8.Credentials输出日志

Credentials全称为sun.security.krb5.Credentials,该类会输出以下日志信息

(1)>>> DEBUG: ----Credentials----

(2)----Credentials end----

3.日志相关源码查看

一般来说,我们很难通过日志直接定位到对应的源码。因为源码在https://github.com/openjdk/jdk中,如果要查看日志报错的具体信息或逻辑,需要解析该源码。

4.本文的价值

本文主要回答以下两个问题:

(1)在开发过程中,遇到kerberos认证的问题时,如何打开kerberos的debug日志看更详细的日志信息?

(2)如何根据kerberos的debug日志信息定位到对应的源码逻辑。

上一篇: Kafka配置说明(一)
下一篇: 敏捷开发