Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Status: RESOLVED FIXED
Alias: None
Product: JMeter - Now in Github
Classification: Unclassified
Component: HTTP
Version: 2.7
Hardware: All All
Importance: P1 enhancement with 4 votes
Target Milestone: ---
Assignee: JMeter issues mailing list
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2012-06-28 04:20 UTC by Nicolas Raoul
Modified: 2013-08-03 18:37 UTC



Attachments
Add support for kerberos (27.66 KB, patch)
2013-05-30 12:35 UTC, Felix Schumacher
configurations used for tests (4.77 KB, application/x-compressed-tar)
2013-06-05 20:03 UTC, Felix Schumacher
Add kerberos support (27.65 KB, patch)
2013-07-09 18:23 UTC, Felix Schumacher
Updated patch in unified format (25.87 KB, patch)
2013-07-14 19:42 UTC, Philippe Mouawad
add kerberos support to jmeter (31.35 KB, patch)
2013-07-24 10:36 UTC, Felix Schumacher
Add support for kerberos (28.20 KB, patch)
2013-07-30 10:51 UTC, Felix Schumacher
correct comments in jaas.conf (2.67 KB, patch)
2013-08-03 10:47 UTC, Felix Schumacher
change wording for docs (1.95 KB, patch)
2013-08-03 15:19 UTC, Felix Schumacher

Description Nicolas Raoul 2012-06-28 04:20:58 UTC
I must investigate a problem that occurs only if using Kerberos (does not occur with basic auth).

Unfortunately, JMeter does not support Kerberos, so I have to use a proprietary tool. See http://stackoverflow.com/q/4164320

If I understood well, JMeter uses HttpClient.
Here is how to configure HttpClient for Kerberos (paragraph 4.10):
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html

Thanks a lot!
Nicolas Raoul
Comment 1 mlissner 2012-07-19 23:47:58 UTC
Would love to see this feature added. Without Kerberos support, we can't have confidence in our performance tests.
Comment 2 Philippe Mouawad 2012-07-21 21:17:36 UTC
Hello,
Would it be possible for you to set up a publicly available Kerberos site so we could implement this protocol?

Thank you
Regards
Comment 3 Felix Schumacher 2013-05-30 12:35:49 UTC
Created attachment 30342 [details]
Add support for kerberos

Add support to jmeter (trunk) for http4client.

Configuration is done via a new KerberosManager class. AuthManager was extended to support configuration of kerberos for certain domains. Http-Sampler classes were extended to support kerberos.

This patch was tested with ApacheDS 2.0.0-M12 and Apache tomcat 7.0.40 under linux (ubuntu 13.04).
Comment 4 Philippe Mouawad 2013-06-03 21:23:36 UTC
Thanks for the patch, will review as soon as possible.
If you can provide the configuration used to test, it would be great.
Comment 5 Felix Schumacher 2013-06-05 20:03:45 UTC
Created attachment 30401 [details]
configurations used for tests

The configurations are split into three directories.

One for apacheds, one for tomcat and one for jmeter. To test I have used three virtual machines called client.example.com, www.example.com and kerberos.example.com.

On kerberos.example.com I extracted the apacheds-2.0.0M3 tar.gz, copied instances/default to instances/example.com and applied the example.com.diff. Then I started the example.com instance by running bin/apacheds example.com (you might have to chmod +x ).

When started, the example.com.ldif can be applied by running
  ldapadd -x -h kerberos.example.com:10389 -D uid=admin,ou=system -W -f example.com.ldif
and giving the password 'secret' when asked.

On the machine www.example.com I extracted a tomcat-7.0.40 and applied the server.xml.diff to conf/server.xml.
I copied the file jaas.conf and krb5.ini into conf. Then you will have to generate the conf/www.example.com.keytab with ktutil.
Run ktutil and enter at the prompt
 addent -password -p HTTP/www.example.com@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Again enter password 'secret'.
Now enter
  wkt conf/www.example.com.keytab
and lastly enter
  quit
Now you should have a keytab in conf called conf/www.example.com.keytab.
You should be able to start tomcat by calling ./bin/startup.sh

Now compile jmeter, go into the jmeter-testplan directory and start jmeter. Open the kerberos.jmx testplan and run it.

If I haven't forgotten a step in this short howto, it should take two samples without one error.
Comment 6 Felix Schumacher 2013-07-09 18:23:02 UTC
Created attachment 30572 [details]
Add kerberos support

Patch aligned with current trunk, so it applies cleanly.
Comment 7 Felix Schumacher 2013-07-09 18:24:08 UTC
Information about how to set up a kerberos infrastructure is given.
Comment 8 Philippe Mouawad 2013-07-14 19:40:03 UTC
Hello,
Thanks for the patch.
A few notes about it:
- could you provide it in unified format: "If you are providing a patch to fix a bug, please ensure it is in unified diff format. If using Eclipse, please set the patch root to "Project", not the default "Workspace" which is harder to apply."
- looking at the implementation, I see the following issues or enhancements:
1) kerberos is a boolean, I think it would be better to have a select box if we want to have another type of auth like Digest
2) Code seems to me intrusive regarding Kerberos in HTTPHC4Impl. This is probably due to Subject.doAs. Maybe we should enhance AuthManager with a method like isSubjectBased(url). If it returns true, we would call authManager.getSubject(authorization) and call Subject.doAs, if not we just call httpClient.execute. This way it would not be directly related to Kerberos.
Same for setConnectionAuthorization, maybe we should call authManager.handle(auth), which would make code cleaner.
Comment 9 Philippe Mouawad 2013-07-14 19:42:15 UTC
Created attachment 30591 [details]
Updated patch in unified format
Comment 10 Felix Schumacher 2013-07-24 10:36:23 UTC
Created attachment 30621 [details]
add kerberos support to jmeter

My old patch was in unified format. I think you just wanted to have another base directory. I used standard "git diff", which appends an "a" and "b" prefix. Now I have used "git diff --no-prefix" which should make you happy.

I also have addressed your first comment about having multiple mechanisms in AuthManager. Now you can select one value of a newly added enum Mechanism (BASIC and KERBEROS being the only values).

Next I will address your next comment.
Comment 11 Philippe Mouawad 2013-07-27 13:02:23 UTC
Hello,
Many thanks for the new update.

It's better but still there is something that I would like to improve.

It seems to me in HttpHC4Impl, it would be nice to do something like this:
authManager.configureCredentials(url, (AbstractHttpClient)client);

AuthManager would take care of applying the auth policy.

Same for executeRequest, it would be nice to just have this:
    private HttpResponse executeRequest(final HttpClient httpClient,
            final HttpRequestBase httpRequest, final HttpContext localContext, final URL url)
            throws IOException, ClientProtocolException {
        AuthManager authManager = getAuthManager();
        if (authManager != null) {
            if(authManager.getSubject(url) != null) {
                Subject subject = authManager.getSubject(url);
                try {
                    return Subject.doAs(subject,
                            new PrivilegedExceptionAction<HttpResponse>() {

                                @Override
                                public HttpResponse run() throws Exception {
                                    return httpClient.execute(httpRequest,
                                            localContext);
                                }
                            });
                } catch (PrivilegedActionException e) {
                    log.warn(
                            "Can't execute httpRequest with kerberos-subject",
                            e);
                    return null;
                }
            }
           
        }
        // perform the non-kerberos sample
        return httpClient.execute(httpRequest, localContext);
    }


The issue is that KerberosManager is not visible to AuthManager.

So wouldn't it be better to remove KerberosManager GUI and enhance HTTP Authorization Manager to have a GUI that changes depending on Mechanism. In this case Mechanism would not be an additional column but a select box outside of table and depending on value additional attributes would appear:

BASIC => Nothing
Kerberos => krb5.conf, jaas file, debug
DIGEST => Nothing
...


Another little question: why does KerberosManager implement TestIterationListener and TestStateListener? It does not seem useful to me as the methods are empty.

sebb, milamber what's your opinion?
Comment 12 Sebb 2013-07-27 13:29:01 UTC
Not sure why this was resolved as fixed; reopening
Comment 13 Philippe Mouawad 2013-07-27 13:36:01 UTC
My mistake, was needinfo
Comment 14 Sebb 2013-07-27 13:53:50 UTC
The AuthManager is treated specially for HTTP requests, so it seems sensible to use that feature for Kerberos Auth.

As far as the GUI is concerned, there could be a check box, or a tabbed selection like we use now for the Http Post Body.

I think we should restrict Kerberos to the HC4 implementation; less code to test and maintain.
Comment 15 Philippe Mouawad 2013-07-27 14:06:59 UTC
Agree for limiting it to hc4.
Regarding gui, did you look at provided patch, it adds a gui for kerberosmanager+ mechanism column for authmanager,
so I was proposing something a bit different
Comment 16 Sebb 2013-07-27 19:15:57 UTC
(In reply to Philippe Mouawad from comment #15)
> Regarding gui, did you look at provided patch

Not yet

> it adds a gui for
> kerberosmanager+ mechanism column for authmanager,
> so I was proposing something a bit different

I've just realised: does AuthManager need to support both Kerberos and existing auth in the same GUI? I.e. is there a need for a single AM to support different auth mechanisms for different hosts?
Comment 17 Philippe Mouawad 2013-07-28 13:53:36 UTC
> I've just realised: does AuthManager need to support both Kerberos and
> existing auth in the same GUI? I.e. is there a need for a single AM to
> support different auth mechanisms for different hosts?

Can you clarify what you mean?
I understood your previous comment like this:
1) We add a tabbed pane with the different policies
2) Kerberos one would have what there is in Kerberos Manager configuration

This would be interesting as we could have access to Kerberos Manager from AuthManager and could be able to avoid kerberos implementation details being in HttpHc4Impl.
Comment 18 Sebb 2013-07-28 23:55:31 UTC
(In reply to Philippe Mouawad from comment #17)
> > I've just realised: does AuthManager need to support both Kerberos and
> > existing auth in the same GUI? I.e. is there a need for a single AM to
> > support different auth mechanisms for different hosts?
> 
> Can you clarify what you mean ? 
> I understood your previous comment like this:
> 1) We add a tabbed pane with the different policies
> 2) Kerberos one would have what there is in Kerberos Manager configuration

Yes.

> This would be interesting as we could have access to Kerberos Manager from
> AuthManager and could be able to avoid kerberos implementation details being
> in HttpHc4Impl.

Yes.

But the issue is: with the existing AM, it supports multiple credentials for different hosts. If there were a separate tab for Kerberos, I assume it could support multiple Kerberos entries for different hosts. How would the GUI support both Kerberos and non-Kerberos? It would be very odd if some of the credentials were not visible but were still active.

So I suspect we either need to somehow use the same table, or perhaps add another table that is visible concurrently.
Comment 19 Felix Schumacher 2013-07-30 10:51:48 UTC
Created attachment 30650 [details]
Add support for kerberos

I have inserted KerberosManager into AuthManager and implemented the methods hasSubjectForUrl and getSubjectForUrl in AuthManager.

That way the changes for httpclient are a bit less intrusive.

Since the kerberos settings are done via System-properties we can't have more than one setting in an entire JVM. So we could put the configuration for kerberos in AuthManager as well.

For now one will have to set the config via JVM_ARGS="-Djava.security.login.config=.../jaas.conf -Djava.security.krb5.conf=.../krb5.conf", since the KerberosConfig seems to be not used now:(
Comment 20 Sebb 2013-07-30 16:11:33 UTC
If the settings really have to be provided via System properties, why do we need an AuthManager entry? Maybe the user should just edit system.properties.
Comment 21 Philippe Mouawad 2013-07-30 21:18:12 UTC
Date: Tue Jul 30 21:16:35 2013
New Revision: 1508633

URL: http://svn.apache.org/r1508633
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Bugzilla Id: 53480

Added:
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/KerberosManager.java   (with props)
Modified:
    jmeter/trunk/src/core/org/apache/jmeter/resources/messages.properties
    jmeter/trunk/src/core/org/apache/jmeter/resources/messages_de.properties
    jmeter/trunk/src/core/org/apache/jmeter/resources/messages_fr.properties
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/Authorization.java
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/gui/AuthPanel.java
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/sampler/HTTPHC4Impl.java
    jmeter/trunk/xdocs/changes.xml
Comment 22 Philippe Mouawad 2013-07-30 21:21:29 UTC
Keeping open for now.
Needs documentation and further testing.
Comment 23 Philippe Mouawad 2013-08-02 13:53:38 UTC
Note following System JVM args must be set (there is a mistake in previous comment):

JVM_ARGS="-Djava.security.auth.login.config=jaas.conf -Djava.security.krb5.conf=krb5.conf"


Added them in system.properties
Comment 24 Philippe Mouawad 2013-08-02 13:55:58 UTC
Date: Tue Jul 30 21:38:33 2013
New Revision: 1508641

URL: http://svn.apache.org/r1508641
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Fix Test Plan to add new column
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/testfiles/AuthManagerTestPlan.jmx
    

Date: Tue Jul 30 21:43:00 2013
New Revision: 1508646

URL: http://svn.apache.org/r1508646
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Fix Test Plan to add new column
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/testfiles/GuiTest231.jmx
    
    
Date: Wed Jul 31 13:37:30 2013
New Revision: 1508850

URL: http://svn.apache.org/r1508850
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Revert to previous test plan
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/testfiles/AuthManagerTestPlan.jmx
    
Date: Wed Jul 31 13:40:27 2013
New Revision: 1508851

URL: http://svn.apache.org/r1508851
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Revert to previous test plan
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/testfiles/GuiTest231.jmx

Date: Wed Jul 31 13:41:00 2013
New Revision: 1508852

URL: http://svn.apache.org/r1508852
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Fix Tests failure
Bugzilla Id: 53480

Modified:
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/Authorization.java
    

    

Date: Fri Aug  2 13:52:59 2013
New Revision: 1509712

URL: http://svn.apache.org/r1509712
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Add configuration
Bugzilla Id: 53480

Added:
    jmeter/trunk/bin/jaas.conf
    jmeter/trunk/bin/krb5.ini   (with props)
Modified:
    jmeter/trunk/bin/system.properties
Comment 25 Philippe Mouawad 2013-08-02 21:01:15 UTC
Date: Fri Aug  2 20:47:31 2013
New Revision: 1509850

URL: http://svn.apache.org/r1509850
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Add client configuration
Bugzilla Id: 53480

Added:
    jmeter/trunk/bin/krb5.conf
    
Date: Fri Aug  2 20:48:01 2013
New Revision: 1509851

URL: http://svn.apache.org/r1509851
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Fix and document client configuration
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/jaas.conf
    
Date: Fri Aug  2 20:48:38 2013
New Revision: 1509852

URL: http://svn.apache.org/r1509852
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Remove server configuration
Bugzilla Id: 53480

Removed:
    jmeter/trunk/bin/krb5.ini
    
Date: Fri Aug  2 20:51:09 2013
New Revision: 1509855

URL: http://svn.apache.org/r1509855
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Make jaas application configuration and default to JMeter
Bugzilla Id: 53480

Modified:
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/KerberosManager.java
    
Date: Fri Aug  2 20:57:17 2013
New Revision: 1509856

URL: http://svn.apache.org/r1509856
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Add ability to clear kerberos subjects on each Main Loop iteration
Bugzilla Id: 53480

Modified:
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/gui/AuthPanel.java
    
Date: Fri Aug  2 20:58:14 2013
New Revision: 1509857

URL: http://svn.apache.org/r1509857
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Add ability to clear kerberos subjects on each Main Loop iteration
i18n
Bugzilla Id: 53480

Modified:
    jmeter/trunk/src/core/org/apache/jmeter/resources/messages.properties
    jmeter/trunk/src/core/org/apache/jmeter/resources/messages_fr.properties
    
Date: Fri Aug  2 20:59:57 2013
New Revision: 1509858

URL: http://svn.apache.org/r1509858
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Make jaas application configuration and default to JMeter
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/jmeter.properties
Comment 26 Felix Schumacher 2013-08-03 10:33:12 UTC
Comments in jaas.conf cannot be made with '#'; they have to be marked C/javadoc-like with /** .... */
Comment 27 Philippe Mouawad 2013-08-03 10:39:06 UTC
Date: Sat Aug  3 10:35:46 2013
New Revision: 1509954

URL: http://svn.apache.org/r1509954
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Fix comments in jaas.conf
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/jaas.conf
    
Date: Sat Aug  3 10:37:58 2013
New Revision: 1509955

URL: http://svn.apache.org/r1509955
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Fix comments in krb5.conf
Bugzilla Id: 53480

Modified:
    jmeter/trunk/bin/krb5.conf
Comment 28 Felix Schumacher 2013-08-03 10:47:09 UTC
Created attachment 30668 [details]
correct comments in jaas.conf

Comments have to be in c-style /* -- */
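
Added example, not part of the original thread or of the JMeter sources: a small pre-flight check for the two configuration pitfalls reported above, the system property name corrected in comment 23 and the '#' comments in jaas.conf noted in comments 26 and 28. The entry name "JMeter", the Krb5LoginModule options and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the two Kerberos configuration pitfalls
# reported in this thread. Paths and file contents below are constructed.

# Write a sample JAAS file. The entry name "JMeter" and the module options are
# assumptions for illustration; the comment uses C style, not '#'.
write_sample_jaas() {
    cat > "$1" <<'EOF'
/* Kerberos login entry (constructed sample) */
JMeter {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=false
        useKeyTab=false
        storeKey=true;
};
EOF
}

# Succeeds only if the JAAS file is readable and has no line starting with '#'.
check_jaas_comments() {
    [ -r "$1" ] || return 2
    if grep '^[[:space:]]*#' "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Succeeds only if the argument string sets both system properties with the
# names given in comment 23 (java.security.auth.login.config, not
# java.security.login.config).
check_jvm_args() {
    case "$1" in
        *-Djava.security.auth.login.config=*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *-Djava.security.krb5.conf=*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Demo run in a temporary directory (constructed paths).
demo_dir=$(mktemp -d)
write_sample_jaas "$demo_dir/jaas.conf"
demo_args="-Djava.security.auth.login.config=$demo_dir/jaas.conf -Djava.security.krb5.conf=$demo_dir/krb5.conf"
if check_jaas_comments "$demo_dir/jaas.conf" && check_jvm_args "$demo_args"; then
    echo "OK: JVM_ARGS=\"$demo_args\""
else
    echo "Kerberos settings need fixing" >&2
fi
rm -rf "$demo_dir"
```
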
Comment 29 Philippe Mouawad 2013-08-03 12:48:24 UTC
Thanks Felix, fixed it before your patch upload.

Feel free to review and double check.

Regarding Serializable, making KerberosManager public fixed the warning.
Thanks
Comment 30 Philippe Mouawad 2013-08-03 13:28:24 UTC
Date: Sat Aug  3 13:25:31 2013
New Revision: 1509985

URL: http://svn.apache.org/r1509985
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Update documentation
Bugzilla Id: 53480

Modified:
    jmeter/trunk/xdocs/usermanual/component_reference.xml


Date: Sat Aug  3 13:26:12 2013
New Revision: 1509986

URL: http://svn.apache.org/r1509986
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Update screenshots
Bugzilla Id: 53480

Modified:
    jmeter/trunk/docs/images/screenshots/http-config/auth-manager-example1b.png
    jmeter/trunk/docs/images/screenshots/http-config/http-auth-manager.png
    jmeter/trunk/xdocs/images/screenshots/http-config/auth-manager-example1b.png
    jmeter/trunk/xdocs/images/screenshots/http-config/http-auth-manager.png
Comment 31 Felix Schumacher 2013-08-03 15:19:28 UTC
Created attachment 30669 [details]
change wording for docs

I think it is better style to write out numbers in sentences. I have positioned a comma to a different position and formulated the passage about more docs a bit differently.

But since I am not a native speaker, it could be all wrong :)
Comment 32 Philippe Mouawad 2013-08-03 18:37:18 UTC
Date: Sat Aug  3 18:36:16 2013
New Revision: 1510053

URL: http://svn.apache.org/r1510053
Log:
Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4)
Update docs as per Felix Schumacher patch and complete documentation
Bugzilla Id: 53480

Modified:
    jmeter/trunk/xdocs/usermanual/component_reference.xml
Comment 33 The ASF infrastructure team 2022-09-24 20:37:50 UTC
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/2851