Examples with LoginContext javax.security.auth.login.LoginContext used on opensource projects

Example 1 with LoginContext

use of javax.security.auth.login.LoginContext in project hadoop by apache.

the class UserGroupInformation method loginUserFromKeytab.

/**
   * Log a user in from a keytab file. Loads a user identity from a keytab
   * file and logs them in. They become the currently logged-in user.
   * @param user the principal name to load from the keytab
   * @param path the path to the keytab file
   * @throws IOException
   * @throws KerberosAuthException if it's a kerberos login exception.
   */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static synchronized void loginUserFromKeytab(String user, String path) throws IOException {
    if (!isSecurityEnabled())
        return;
    keytabFile = path;
    keytabPrincipal = user;
    Subject subject = new Subject();
    LoginContext login;
    long start = 0;
    try {
        login = newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject, new HadoopConfiguration());
        start = Time.now();
        login.login();
        metrics.loginSuccess.add(Time.now() - start);
        loginUser = new UserGroupInformation(subject, false);
        loginUser.setLogin(login);
        loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
    } catch (LoginException le) {
        if (start > 0) {
            metrics.loginFailure.add(Time.now() - start);
        }
        KerberosAuthException kae = new KerberosAuthException(LOGIN_FAILURE, le);
        kae.setUser(user);
        kae.setKeytabFile(path);
        throw kae;
    }
    LOG.info("Login successful for user " + keytabPrincipal + " using keytab file " + keytabFile);
}

Example 2 with LoginContext

use of javax.security.auth.login.LoginContext in project hadoop by apache.

the class UserGroupInformation method loginUserFromSubject.

/**
   * Log in a user using the given subject
   * @param subject the subject to use when logging in a user, or null to
   * create a new subject.
   *
   * If subject is not null, the creator of subject is responsible for renewing
   * credentials.
   *
   * @throws IOException if login fails
   */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static synchronized void loginUserFromSubject(Subject subject) throws IOException {
    ensureInitialized();
    boolean externalSubject = false;
    try {
        if (subject == null) {
            subject = new Subject();
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Treat subject external: " + treatSubjectExternal + ". When true, assuming keytab is managed extenally since " + " logged in from subject");
            }
            externalSubject = treatSubjectExternal;
        }
        LoginContext login = newLoginContext(authenticationMethod.getLoginAppName(), subject, new HadoopConfiguration());
        login.login();
        UserGroupInformation realUser = new UserGroupInformation(subject, externalSubject);
        realUser.setLogin(login);
        realUser.setAuthenticationMethod(authenticationMethod);
        // If the HADOOP_PROXY_USER environment variable or property
        // is specified, create a proxy user as the logged in user.
        String proxyUser = System.getenv(HADOOP_PROXY_USER);
        if (proxyUser == null) {
            proxyUser = System.getProperty(HADOOP_PROXY_USER);
        }
        loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);
        String tokenFileLocation = System.getProperty(HADOOP_TOKEN_FILES);
        if (tokenFileLocation == null) {
            tokenFileLocation = conf.get(HADOOP_TOKEN_FILES);
        }
        if (tokenFileLocation != null) {
            for (String tokenFileName : StringUtils.getTrimmedStrings(tokenFileLocation)) {
                if (tokenFileName.length() > 0) {
                    File tokenFile = new File(tokenFileName);
                    if (tokenFile.exists() && tokenFile.isFile()) {
                        Credentials cred = Credentials.readTokenStorageFile(tokenFile, conf);
                        loginUser.addCredentials(cred);
                    } else {
                        LOG.info("tokenFile(" + tokenFileName + ") does not exist");
                    }
                }
            }
        }
        String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
        if (fileLocation != null) {
            // Load the token storage file and put all of the tokens into the
            // user. Don't use the FileSystem API for reading since it has a lock
            // cycle (HADOOP-9212).
            File source = new File(fileLocation);
            LOG.debug("Reading credentials from location set in {}: {}", HADOOP_TOKEN_FILE_LOCATION, source.getCanonicalPath());
            if (!source.isFile()) {
                throw new FileNotFoundException("Source file " + source.getCanonicalPath() + " from " + HADOOP_TOKEN_FILE_LOCATION + " not found");
            }
            Credentials cred = Credentials.readTokenStorageFile(source, conf);
            LOG.debug("Loaded {} tokens", cred.numberOfTokens());
            loginUser.addCredentials(cred);
        }
        loginUser.spawnAutoRenewalThreadForUserCreds();
    } catch (LoginException le) {
        LOG.debug("failure to login", le);
        throw new KerberosAuthException(FAILURE_TO_LOGIN, le);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("UGI loginUser:" + loginUser);
    }
}

Example 3 with LoginContext

use of javax.security.auth.login.LoginContext in project hadoop by apache.

the class UserGroupInformation method getUGIFromTicketCache.

/**
   * Create a UserGroupInformation from a Kerberos ticket cache.
   * 
   * @param user                The principal name to load from the ticket
   *                            cache
   * @param ticketCache     the path to the ticket cache file
   *
   * @throws IOException        if the kerberos login fails
   */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation getUGIFromTicketCache(String ticketCache, String user) throws IOException {
    if (!isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
        return getBestUGI(null, user);
    }
    try {
        Map<String, String> krbOptions = new HashMap<String, String>();
        if (IBM_JAVA) {
            krbOptions.put("useDefaultCcache", "true");
            // The first value searched when "useDefaultCcache" is used.
            System.setProperty("KRB5CCNAME", ticketCache);
        } else {
            krbOptions.put("doNotPrompt", "true");
            krbOptions.put("useTicketCache", "true");
            krbOptions.put("useKeyTab", "false");
            krbOptions.put("ticketCache", ticketCache);
        }
        krbOptions.put("renewTGT", "false");
        krbOptions.putAll(HadoopConfiguration.BASIC_JAAS_OPTIONS);
        AppConfigurationEntry ace = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED, krbOptions);
        DynamicConfiguration dynConf = new DynamicConfiguration(new AppConfigurationEntry[] { ace });
        LoginContext login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, null, dynConf);
        login.login();
        Subject loginSubject = login.getSubject();
        Set<Principal> loginPrincipals = loginSubject.getPrincipals();
        if (loginPrincipals.isEmpty()) {
            throw new RuntimeException("No login principals found!");
        }
        if (loginPrincipals.size() != 1) {
            LOG.warn("found more than one principal in the ticket cache file " + ticketCache);
        }
        User ugiUser = new User(loginPrincipals.iterator().next().getName(), AuthenticationMethod.KERBEROS, login);
        loginSubject.getPrincipals().add(ugiUser);
        UserGroupInformation ugi = new UserGroupInformation(loginSubject, false);
        ugi.setLogin(login);
        ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
        return ugi;
    } catch (LoginException le) {
        KerberosAuthException kae = new KerberosAuthException(FAILURE_TO_LOGIN, le);
        kae.setUser(user);
        kae.setTicketCacheFile(ticketCache);
        throw kae;
    }
}

Example 4 with LoginContext

use of javax.security.auth.login.LoginContext in project hadoop by apache.

the class UserGroupInformation method logoutUserFromKeytab.

/**
   * Log the current user out who previously logged in using keytab.
   * This method assumes that the user logged in by calling
   * {@link #loginUserFromKeytab(String, String)}.
   *
   * @throws IOException
   * @throws KerberosAuthException if a failure occurred in logout,
   * or if the user did not log in by invoking loginUserFromKeyTab() before.
   */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public void logoutUserFromKeytab() throws IOException {
    if (!isSecurityEnabled() || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS) {
        return;
    }
    LoginContext login = getLogin();
    if (login == null || keytabFile == null) {
        throw new KerberosAuthException(MUST_FIRST_LOGIN_FROM_KEYTAB);
    }
    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Initiating logout for " + getUserName());
        }
        synchronized (UserGroupInformation.class) {
            login.logout();
        }
    } catch (LoginException le) {
        KerberosAuthException kae = new KerberosAuthException(LOGOUT_FAILURE, le);
        kae.setUser(user.toString());
        kae.setKeytabFile(keytabFile);
        throw kae;
    }
    LOG.info("Logout successful for user " + keytabPrincipal + " using keytab file " + keytabFile);
}

Example 5 with LoginContext

use of javax.security.auth.login.LoginContext in project hadoop by apache.

the class UserGroupInformation method reloginFromTicketCache.

/**
   * Re-Login a user in from the ticket cache.  This
   * method assumes that login had happened already.
   * The Subject field of this UserGroupInformation object is updated to have
   * the new credentials.
   * @throws IOException
   * @throws KerberosAuthException on a failure
   */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized void reloginFromTicketCache() throws IOException {
    if (!shouldRelogin() || !isKrbTkt) {
        return;
    }
    LoginContext login = getLogin();
    if (login == null) {
        throw new KerberosAuthException(MUST_FIRST_LOGIN);
    }
    long now = Time.now();
    if (!hasSufficientTimeElapsed(now)) {
        return;
    }
    // register most recent relogin attempt
    user.setLastLogin(now);
    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Initiating logout for " + getUserName());
        }
        //clear up the kerberos state. But the tokens are not cleared! As per 
        //the Java kerberos login module code, only the kerberos credentials
        //are cleared
        login.logout();
        //login and also update the subject field of this instance to 
        //have the new credentials (pass it to the LoginContext constructor)
        login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, getSubject(), new HadoopConfiguration());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Initiating re-login for " + getUserName());
        }
        login.login();
        fixKerberosTicketOrder();
        setLogin(login);
    } catch (LoginException le) {
        KerberosAuthException kae = new KerberosAuthException(LOGIN_FAILURE, le);
        kae.setUser(getUserName());
        throw kae;
    }
}