
Example 1 with Login

use of org.apache.storm.messaging.netty.Login in project storm by apache.

the class KerberosSaslTransportPlugin method getServerTransportFactory.

/**
 * Builds the Thrift server transport factory that authenticates clients over
 * SASL GSSAPI (Kerberos).
 *
 * <p>The server principal is logged in from the {@code AuthUtils.LOGIN_CONTEXT_SERVER}
 * section of {@code login_conf}; the resulting {@link Subject} must hold at least one
 * {@link KerberosTicket}. A GSSAPI server definition is registered for the service name
 * and host parsed out of the configured {@code principal}, and the factory is wrapped in
 * a {@code TUGIAssumingTransportFactory} bound to that subject.
 *
 * <p>{@code Configuration.setConfiguration(login_conf)} replaces the JVM-wide JAAS
 * configuration, so it also affects any other JAAS login performed in this process.
 *
 * @return the wrapped SASL server transport factory
 * @throws IOException declared by the signature; nothing in this body throws it directly
 * @throws RuntimeException if the JAAS login fails or the subject has no Kerberos ticket
 */
public TTransportFactory getServerTransportFactory() throws IOException {
    // Callback handler the SASL server invokes while authenticating a client; it is
    // also handed to Login so it can answer JAAS callbacks.
    CallbackHandler callbackHandler = new ServerCallbackHandler(login_conf, storm_conf);

    // Log the server principal in. Any LoginException is surfaced as a RuntimeException.
    Subject serverSubject;
    try {
        // Process-wide JAAS configuration from which Login reads the server context.
        Configuration.setConfiguration(login_conf);
        Login serverLogin = new Login(AuthUtils.LOGIN_CONTEXT_SERVER, callbackHandler);
        serverSubject = serverLogin.getSubject();
        serverLogin.startThreadIfNeeded();
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }

    // Require at least one Kerberos ticket among the subject's private credentials.
    boolean hasKerberosTicket = !serverSubject.getPrivateCredentials(KerberosTicket.class).isEmpty();
    if (!hasKerberosTicket) {
        String message = "Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_SERVER
                + "\" in login configuration file " + login_conf;
        throw new RuntimeException(message);
    }

    // SASL properties: QOP "auth" means authentication only, i.e. no integrity or
    // confidentiality protection of the Thrift traffic at the SASL layer.
    Map<String, String> saslProps = new TreeMap<String, String>();
    saslProps.put(Sasl.QOP, "auth");
    saslProps.put(Sasl.SERVER_AUTH, "false");

    // Service name and host are parsed from the configured server principal.
    String principalName = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + principalName);
    KerberosName kerberosName = new KerberosName(principalName);
    String service = kerberosName.getServiceName();
    String host = kerberosName.getHostName();

    // Register the GSSAPI server definition against the principal's service/host,
    // using our callback handler for the authentication exchange.
    TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
    saslFactory.addServerDefinition(KERBEROS, service, host, saslProps, callbackHandler);

    // Wrap so that each accepted connection is handled under the server subject.
    TUGIAssumingTransportFactory wrapped = new TUGIAssumingTransportFactory(saslFactory, serverSubject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return wrapped;
}

Example 2 with Login

use of org.apache.storm.messaging.netty.Login in project storm by apache.

the class KerberosSaslTransportPlugin method kerberosConnect.

/**
 * Opens a SASL GSSAPI (Kerberos) client transport on top of {@code transport},
 * logging in the client principal first (or reusing a cached login).
 *
 * <p>The login section is read with
 * {@code ClientAuthUtils.pullConfig(conf, LOGIN_CONTEXT_CLIENT)}. Unless
 * {@code DISABLE_LOGIN_CACHE} is {@code "true"} in that section, the {@link Login}
 * is looked up in {@code loginCache} under a {@code LoginCacheKey} built from the
 * section and created through {@link #mkLogin()} on a miss. The subject must hold a
 * {@link KerberosTicket}; the SASL client is then opened under that subject with
 * {@code Subject.doAs}.
 *
 * <p>NOTE(review): a failure inside {@code sasalTransport.open()} is logged and
 * swallowed (see the catch inside {@code run()}), and the transport is returned
 * regardless; presumably the caller notices the unopened transport on first use —
 * confirm. Because {@code run()} declares no checked exception, the outer
 * {@code catch (PrivilegedActionException e)} cannot be reached from it.
 *
 * @param transport  underlying transport to wrap in the SASL client transport
 * @param serverHost host name passed to the SASL client as the server name
 * @param asUser     principal to present instead of the subject's own when not
 *                   blank (the server-side callback handler is expected to decide
 *                   whether such impersonation is permitted — verify)
 * @return the SASL client transport; open only if the privileged open succeeded
 * @throws IOException propagated from {@link #mkLogin()}
 * @throws RuntimeException if the login configuration cannot be read, the subject
 *                          has no Kerberos ticket, or the privileged action fails
 */
private TTransport kerberosConnect(TTransport transport, String serverHost, String asUser) throws IOException {
    // login our user
    SortedMap<String, ?> authConf = ClientAuthUtils.pullConfig(conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT);
    if (authConf == null) {
        throw new RuntimeException("Error in parsing the kerberos login Configuration, returned null");
    }
    // Boolean.valueOf(String) is true only for "true" (case-insensitive); any other
    // value, or an absent key, leaves the login cache enabled.
    boolean disableLoginCache = false;
    if (authConf.containsKey(DISABLE_LOGIN_CACHE)) {
        disableLoginCache = Boolean.valueOf((String) authConf.get(DISABLE_LOGIN_CACHE));
    }
    Login login;
    // Cache key derived from the whole login section, so a changed section yields a new login.
    LoginCacheKey key = new LoginCacheKey(authConf);
    if (disableLoginCache) {
        LOG.debug("Kerberos Login Cache is disabled, attempting to contact the Kerberos Server");
        login = mkLogin();
        // this is to prevent the potential bug that
        // if the Login Cache is (1) enabled, and then (2) disabled and then (3) enabled again,
        // and if the LoginCacheKey remains unchanged, (3) will use the Login cache from (1), which could be wrong,
        // because the TGT cache (as well as the principle) could have been changed during (2)
        loginCache.remove(key);
    } else {
        LOG.debug("Trying to get the Kerberos Login from the Login Cache");
        // First lookup is outside the lock; presumably loginCache tolerates unsynchronized
        // reads (e.g. a concurrent map) — confirm against the field's declaration.
        login = loginCache.get(key);
        if (login == null) {
            synchronized (loginCache) {
                // Re-check under the lock so that only one thread creates the login for this key.
                login = loginCache.get(key);
                if (login == null) {
                    LOG.debug("Kerberos Login was not found in the Login Cache, attempting to contact the Kerberos Server");
                    login = mkLogin();
                    loginCache.put(key, login);
                }
            }
        }
    }
    final Subject subject = login.getSubject();
    // A login without a Kerberos ticket among its private credentials is rejected.
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        // The logged-in subject carries no Kerberos ticket; fail loudly rather than
        // attempt a GSSAPI handshake that cannot succeed.
        throw new RuntimeException("Fail to verify user principal with section \"" + ClientAuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + ClientAuthUtils.getJaasConf(conf));
    }
    // A non-blank asUser overrides the subject's own principal (impersonation).
    final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser;
    // Service name defaults to ClientAuthUtils.SERVICE when the section does not set one.
    String serviceName = ClientAuthUtils.get(conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName");
    if (serviceName == null) {
        serviceName = ClientAuthUtils.SERVICE;
    }
    // QOP "auth" requests authentication only: no SASL integrity or confidentiality
    // protection for the Thrift traffic.
    Map<String, String> props = new TreeMap<>();
    props.put(Sasl.QOP, "auth");
    props.put(Sasl.SERVER_AUTH, "false");
    LOG.debug("SASL GSSAPI client transport is being established");
    final TTransport sasalTransport = new TSaslClientTransport(KERBEROS, principal, serviceName, serverHost, props, null, transport);
    // open Sasl transport with the login credential
    try {
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

            @Override
            public Void run() {
                try {
                    LOG.debug("do as:" + principal);
                    sasalTransport.open();
                } catch (Exception e) {
                    // Swallowed on purpose here: the error is logged and the (unopened)
                    // transport is still returned to the caller.
                    LOG.error("Client failed to open SaslClientTransport to interact with a server during " + "session initiation: " + e, e);
                }
                return null;
            }
        });
    } catch (PrivilegedActionException e) {
        // Not reachable from run() above, which declares no checked exception.
        throw new RuntimeException(e);
    }
    return sasalTransport;
}

Example 3 with Login

use of org.apache.storm.messaging.netty.Login in project storm by apache.

the class KerberosSaslTransportPlugin method getServerTransportFactory.

/**
 * Builds the Thrift server transport factory that authenticates clients over SASL,
 * accepting both Kerberos (GSSAPI) and worker tokens (DIGEST).
 *
 * <p>The server principal is logged in from the {@code ClientAuthUtils.LOGIN_CONTEXT_SERVER}
 * section of the configured JAAS file and must yield a {@link Subject} holding at least one
 * {@link KerberosTicket}. A GSSAPI server definition is registered for the service name and
 * host parsed from the configured {@code principal}, a DIGEST definition is registered for
 * worker tokens, and the factory is wrapped in a {@code TUGIAssumingTransportFactory} bound
 * to the server subject.
 *
 * @param impersonationAllowed passed to both server-side callback handlers; governs whether
 *                             a client may act as another user
 * @return the wrapped SASL server transport factory
 * @throws IOException declared by the signature; nothing in this body throws it directly
 * @throws RuntimeException if the JAAS login fails or the subject has no Kerberos ticket
 */
@Override
public TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException {
    // Lazily create the worker-token authorizer. Nothing here guards against two
    // concurrent first calls; presumably the factory is built once at startup — confirm.
    if (workerTokenAuthorizer == null) {
        workerTokenAuthorizer = new WorkerTokenAuthorizer(conf, type);
    }

    // Callback handler the SASL server invokes while authenticating a Kerberos client;
    // it is also handed to Login so it can answer JAAS callbacks.
    CallbackHandler callbackHandler = new ServerCallbackHandler(conf, impersonationAllowed);
    String jaasConfFile = ClientAuthUtils.getJaasConf(conf);

    // Log the server principal in. Any LoginException is surfaced as a RuntimeException.
    Subject serverSubject;
    try {
        Login serverLogin = new Login(ClientAuthUtils.LOGIN_CONTEXT_SERVER, callbackHandler, jaasConfFile);
        serverSubject = serverLogin.getSubject();
        serverLogin.startThreadIfNeeded();
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }

    // Require at least one Kerberos ticket among the subject's private credentials.
    boolean hasKerberosTicket = !serverSubject.getPrivateCredentials(KerberosTicket.class).isEmpty();
    if (!hasKerberosTicket) {
        String message = "Fail to verify user principal with section \"" + ClientAuthUtils.LOGIN_CONTEXT_SERVER
                + "\" in login configuration file " + jaasConfFile;
        throw new RuntimeException(message);
    }

    // SASL properties for the GSSAPI definition: QOP "auth" means authentication only,
    // i.e. no integrity or confidentiality protection of the Thrift traffic at the SASL layer.
    Map<String, String> saslProps = new TreeMap<>();
    saslProps.put(Sasl.QOP, "auth");
    saslProps.put(Sasl.SERVER_AUTH, "false");

    // Service name and host are parsed from the configured server principal.
    String principalName = ClientAuthUtils.get(conf, ClientAuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + principalName);
    KerberosName kerberosName = new KerberosName(principalName);
    String service = kerberosName.getServiceName();
    String host = kerberosName.getHostName();

    TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
    // Kerberos clients: GSSAPI against the principal's service/host with our callback handler.
    saslFactory.addServerDefinition(KERBEROS, service, host, saslProps, callbackHandler);
    // Worker-token clients: DIGEST with no extra SASL properties, validated by the
    // worker-token authorizer through SimpleSaslServerCallbackHandler.
    saslFactory.addServerDefinition(DIGEST, ClientAuthUtils.SERVICE, host, null,
            new SimpleSaslServerCallbackHandler(impersonationAllowed, workerTokenAuthorizer));

    // Wrap so that each accepted connection is handled under the server subject.
    TUGIAssumingTransportFactory wrapped = new TUGIAssumingTransportFactory(saslFactory, serverSubject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return wrapped;
}

Example 4 with Login

use of org.apache.storm.messaging.netty.Login in project storm by apache.

the class KerberosSaslTransportPlugin method mkLogin.

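/**
 * Performs the client-side JAAS login and returns the resulting {@link Login}.
 *
 * <p>Uses the {@code ClientAuthUtils.LOGIN_CONTEXT_CLIENT} section of the JAAS file
 * returned by {@code ClientAuthUtils.getJaasConf(conf)}, with a {@code ClientCallbackHandler}
 * answering the JAAS callbacks, and starts the login's background thread if it needs one.
 *
 * @return the logged-in client {@link Login}
 * @throws IOException declared by the signature; nothing in this body throws it directly
 * @throws RuntimeException wrapping the {@link LoginException} if the JAAS login fails
 */
private Login mkLogin() throws IOException {
    try {
        // Callback handler that answers JAAS callbacks for the client login context.
        ClientCallbackHandler clientCallbackHandler = new ClientCallbackHandler(conf);
        // Log in using the client section of the configured JAAS file.
        Login login = new Login(ClientAuthUtils.LOGIN_CONTEXT_CLIENT, clientCallbackHandler, ClientAuthUtils.getJaasConf(conf));
        login.startThreadIfNeeded();
        return login;
    } catch (LoginException ex) {
        // This is the client login path (LOGIN_CONTEXT_CLIENT); the message previously
        // said "Server", which misattributed the failure when reading logs.
        LOG.error("Client failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }
}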
