Conversation

zhuliquan commented Feb 13, 2022

Usage:

package main

import (
	"fmt"
	"time"

	"github.com/go-zookeeper/zk"
)

func main() {
	// Authenticate over SASL/GSSAPI (Kerberos) from a keytab instead of a ticket cache.
	zkConn, _, err := zk.Connect([]string{"localhost"}, time.Second*10, zk.WithSASLConfig(
		&zk.SASLConfig{
			SASLType: zk.KERBEROS,
			KerberosConfig: &zk.KerberosConfig{
				KeytabPath:  "./test.keytab",
				KrbCfgPath:  "./test.config",
				Realm:       "test.com",
				Username:    "test",
				ServiceName: "zookeeper",
			},
		},
	))
	if err != nil {
		panic(err)
	}
	defer zkConn.Close()

	// Get returns a non-nil error on failure; only print the data when it succeeded.
	res, _, err := zkConn.Get("/test/test_krb5")
	if err != nil {
		panic(err)
	}
	fmt.Printf("get %v from zookeeper\n", res)
}

kirbyzhou commented Mar 15, 2022

It seems not to work for me.

  1. The SASL handshake seems to fail.
  2. No error is returned by zk.Get on auth failure.

kirbyzhou@Kirby-WorkBook gozktest % go test

2022/03/15 16:06:17 connected to 10.120.238.27:2181
2022/03/15 16:06:17 authenticated: id=75472220670704181, timeout=10000
2022/03/15 16:06:17 failed to init session context while performing kerberos authentication, err: wrong Token ID. Expected 0504, was 6030
2022/03/15 16:06:17 failed to authorize with kerberos, err: wrong Token ID. Expected 0504, was 6030, zookeeper server: kb01.sa:2181
2022/03/15 16:06:17 error in resending auth creds: wrong Token ID. Expected 0504, was 6030
2022/03/15 16:06:17 recv loop terminated: failed to read from connection: read tcp 172.20.9.129:56321->10.120.238.27:2181: use of closed network connection
get [] from zookeeper
PASS
ok  	gitlab.sensorsdata.cn/kirbyzhou/gozktest	0.555s

kirbyzhou@Kirby-WorkBook gozktest % cat basic_test.go

package example

import (
	"testing"
	"time"

	"github.com/go-zookeeper/zk"
)

func TestBasic(t *testing.T) {
	host := "kb01.sa"
	zkConn, _, err := zk.Connect([]string{host}, time.Second*10, zk.WithSASLConfig(
		&zk.SASLConfig{
			SASLType: zk.KERBEROS,
			KerberosConfig: &zk.KerberosConfig{
				KeytabPath:  "./debugresetreset35323.keytab",
				KrbCfgPath:  "/etc/krb5.conf",
				Realm:       "SA",
				Username:    "debugresetreset35323",
				ServiceName: "zookeeper",
			},
		},
	))
	if err != nil {
		t.Fatalf("connect: %v", err)
	}
	defer zkConn.Close()

	// A failed Get (including an auth failure surfaced by the server) must fail the test.
	res, _, err := zkConn.Get("/debugresetreset35323_sa")
	if err != nil {
		t.Fatalf("get: %v", err)
	}
	t.Logf("get %+v from zookeeper", res)
}
The standard Java client works:

% cat conf/jaas.conf

Client {
   com.sun.security.auth.module.Krb5LoginModule required
	   useKeyTab=true
	   storeKey=false
	   keyTab="file:/Users/kirbyzhou/Develop/go-zookeeper/zookeeper/conf/debugresetreset35323.keytab"
	   principal="debugresetreset35323@SA"
	   useTicketCache=false
	   debug=true;
};

% bin/zkCli.sh -server kb01.sa ls /debugresetreset35323_sa

....
2022-03-15 16:10:45,502 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2022-03-15 16:10:45,511 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):ClientCnxn$SendThread@1112] - Opening socket connection to server kb01.sa/10.120.238.27:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2022-03-15 16:10:45,528 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /172.20.9.129:56923, server: kb01.sa/10.120.238.27:2181
2022-03-15 16:10:45,576 [myid:kb01.sa:2181] - INFO  [main-SendThread(kb01.sa:2181):ClientCnxn$SendThread@1394] - Session establishment complete on server kb01.sa/10.120.238.27:2181, sessionid = 0x10c2195b77cc380, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null

WATCHER::

WatchedEvent state:SaslAuthenticated type:None path:null
[advertising, applications, backpack, cluster_hosts, deploy_topo, discovery, external, global_conf, monitor, resource, scheduler, sea_area, sensors_node_type, sensors_role_group, service_topology, sp]

@kirbyzhou

Sorry, it is a bug in gokrb5, which does not support the old WrapToken format used with RC4.

jcmturner/gokrb5#460
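To make sense of the "wrong Token ID. Expected 0504, was 6030" lines in the log above, here is an added example (my own code, not part of this PR, go-zookeeper or gokrb5) that inspects the first bytes of a GSS-API Kerberos token. The newer RFC 4121 tokens begin directly with a 2-byte TOK_ID (05 04 for Wrap). The RC4-HMAC tokens of RFC 4757 keep the older RFC 1964 framing: an ASN.1 [APPLICATION 0] tag 0x60, a DER length, the Kerberos V5 mechanism OID, and only then the 2-byte TOK_ID. A parser that only knows RFC 4121 therefore reads the tag and length bytes 60 30 as the token ID and rejects the token. The sample tokens are constructed, with zero placeholders for sequence number, checksum and confounder; the RC4 sample's inner length works out to 0x30 (11-byte OID, 8-byte header, 8+8+8 bytes of sequence/checksum/confounder, the 4-byte SASL security-layer message and the single pad byte RC4-HMAC implementations add), which reproduces the prefix in the log. The names Classify, RFC4121OnlyCheck, SampleRC4WrapToken and SampleAESWrapToken are this example's own.

```go
package main

import (
	"encoding/asn1"
	"encoding/binary"
	"fmt"
)

var krb5MechOID = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2} // Kerberos V5 GSS-API mechanism

// TOK_ID byte pairs read big-endian: RFC 4121 per-message tokens, and the RFC 1964
// context and per-message tokens that RC4-HMAC (RFC 4757) still uses.
var tokIDs = map[uint16]string{
	0x0504: "Wrap (RFC 4121)", 0x0404: "MIC (RFC 4121)",
	0x0100: "AP-REQ", 0x0200: "AP-REP", 0x0300: "KRB-ERROR",
	0x0101: "MIC (RFC 1964)", 0x0201: "Wrap (RFC 1964)", 0x0102: "context deletion",
}

type TokenInfo struct {
	Framed  bool   // RFC 1964 framing: 0x60 tag, DER length, mech OID, then TOK_ID
	Leading uint16 // first two wire bytes, what an RFC 4121-only parser calls the "Token ID"
	TokID   uint16 // the real TOK_ID; in a framed token it follows the mechanism OID
	Kind    string
}

// Classify looks at the leading bytes and dispatches on the token format.
func Classify(tok []byte) (TokenInfo, error) {
	if len(tok) < 2 {
		return TokenInfo{}, fmt.Errorf("token too short")
	}
	lead := binary.BigEndian.Uint16(tok[:2])
	switch {
	case tok[0] == 0x60:
		return parseFramed(tok, lead)
	case lead == 0x0504 || lead == 0x0404:
		return TokenInfo{false, lead, lead, tokIDs[lead]}, nil
	}
	return TokenInfo{}, fmt.Errorf("unrecognised token, leading bytes %04x", lead)
}

// parseFramed unwraps the RFC 1964 [APPLICATION 0] frame, checks the mechanism
// OID and only then reads the 2-byte TOK_ID.
func parseFramed(tok []byte, lead uint16) (TokenInfo, error) {
	var frame asn1.RawValue
	rest, err := asn1.Unmarshal(tok, &frame)
	if err != nil {
		return TokenInfo{}, fmt.Errorf("framing: %w", err)
	}
	if frame.Class != asn1.ClassApplication || frame.Tag != 0 || !frame.IsCompound || len(rest) != 0 {
		return TokenInfo{}, fmt.Errorf("not a single [APPLICATION 0] token frame")
	}
	var mech asn1.ObjectIdentifier
	inner, err := asn1.Unmarshal(frame.Bytes, &mech)
	if err != nil || !mech.Equal(krb5MechOID) {
		return TokenInfo{}, fmt.Errorf("not a Kerberos V5 mechanism token (oid %v): %v", mech, err)
	}
	if len(inner) < 2 {
		return TokenInfo{}, fmt.Errorf("missing TOK_ID after mechanism OID")
	}
	id := binary.BigEndian.Uint16(inner[:2])
	if _, ok := tokIDs[id]; !ok {
		return TokenInfo{}, fmt.Errorf("unknown TOK_ID %04x", id)
	}
	return TokenInfo{true, lead, id, tokIDs[id]}, nil
}

// RFC4121OnlyCheck mirrors the shape of the check behind the log message above (not
// gokrb5's code): knowing only the RFC 4121 TOK_ID, it reports a framed token by its tag and length bytes.
func RFC4121OnlyCheck(tok []byte) error {
	if len(tok) < 2 {
		return fmt.Errorf("token too short")
	}
	if lead := binary.BigEndian.Uint16(tok[:2]); lead != 0x0504 {
		return fmt.Errorf("wrong Token ID. Expected 0504, was %04x", lead)
	}
	return nil
}

// SampleRC4WrapToken is a constructed RC4-HMAC wrap token (RFC 1964 framing, RFC 4757
// field layout) carrying the 4-byte SASL security-layer message; SND_SEQ, SGN_CKSUM and
// confounder are zero placeholders. The inner length is 48 = 0x30, so it starts 60 30.
func SampleRC4WrapToken() []byte {
	inner := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02} // mech OID
	inner = append(inner, 0x02, 0x01, 0x11, 0x00, 0xff, 0xff, 0xff, 0xff) // TOK_ID Wrap, SGN_ALG HMAC-MD5, SEAL_ALG none, filler
	inner = append(inner, make([]byte, 24)...)                            // SND_SEQ(8), SGN_CKSUM(8), confounder(8)
	inner = append(inner, 0x01, 0x00, 0x00, 0x00, 0x01)                   // no security layer, max buffer 0; one pad byte
	return append([]byte{0x60, byte(len(inner))}, inner...)
}

// SampleAESWrapToken is a constructed RFC 4121 wrap token: TOK_ID 0504, flags, filler
// 0xff, EC, RRC, SND_SEQ (placeholders), then the same 4-byte message, checksum omitted.
func SampleAESWrapToken() []byte {
	return append([]byte{0x05, 0x04, 0x00, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, 0x01, 0x00, 0x00, 0x00)
}

func main() {
	for _, tok := range [][]byte{SampleRC4WrapToken(), SampleAESWrapToken()} {
		info, err := Classify(tok)
		fmt.Printf("%x: %s (err %v); RFC 4121-only parser: %v\n", tok[:2], info.Kind, err, RFC4121OnlyCheck(tok))
	}
}
```

The token format follows the enctype of the service ticket, so a quick check on a client hitting this is klist -e after the failed connect: a zookeeper/ ticket listed as arcfour-hmac means the server will keep emitting the framed RC4 tokens, while a service principal with AES keys yields RFC 4121 tokens that the parser in the log already understands.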
