September 25, 2020

Apache Kerby 2.0.0 release: Java Kerberos binding


Apache Kerby™ is a Java Kerberos binding that provides a rich, intuitive and interoperable implementation of libraries, a KDC, and various facilities that integrate PKI, OTP and token (OAuth2) support. Apache Kerby provides the features needed in a modern environment (cloud, Hadoop, and mobile).


The Initiatives/Goals

  • Aims to become the preferred Kerberos server implementation in Java, with rich facilities that integrate Kerberos, PKI and token (OAuth2) on both client and server sides.
  • Provides client API to interact with any KDC server.
  • Provides an embeddable and standalone KDC server that supports various backends for storing principals and keys.
  • Comes with in-memory, Mavibot (MVCC BTree), JSON, LDAP and Zookeeper backends to store data.
  • Embedded KDC server allows easy integration into products for unit testing or production deployment.
  • Supports FAST/Preauthentication framework to allow popular and useful authentication mechanisms.
  • Supports PKINIT mechanism to allow clients to request tickets using X.509 certificate credentials.
  • Supports Token Preauth mechanism to allow clients to request tickets using JWT tokens.
  • Supports OTP mechanism to allow clients to request tickets using One Time Password.
  • Provides support for JAAS, GSSAPI and SASL frameworks that applications can leverage.
  • Minimal dependencies, SLF4J is the only external dependency in the core part.

Apache Kerby 2.0.0 released.


This release resolves 43 issues since the 1.1.1 release (May 2018). The main new feature is HAS (Hadoop Authentication Service), a solution for authentication in the open source big data ecosystem on cloud computing platforms, with the following features:

  1. It provides a new authentication mechanism to customize and integrate with existing user authentication and authorization systems.
  2. It provides REST APIs and facility tools to simplify Kerberos support.
  3. It provides a MySQL backend for High Availability.
  4. The new authentication mechanism now supports most of the components of the open source big data ecosystem with little or no changes to the components themselves, including HDFS, HBase, Zookeeper, Hive, Spark…