Use of org.apache.storm.messaging.netty.Login in project storm by apache.
Class KerberosSaslTransportPlugin, method getServerTransportFactory() (older variant: global JAAS configuration, no impersonation flag).
public TTransportFactory getServerTransportFactory() throws IOException {
    // Handler that answers the JAAS/SASL prompts for the server principal.
    CallbackHandler serverCallbacks = new ServerCallbackHandler(login_conf, storm_conf);

    // Install login_conf as the JVM-wide JAAS configuration. NOTE(review): this is a
    // process-global side effect - every other JAAS login in this JVM sees it from now on.
    Configuration.setConfiguration(login_conf);

    // Log the server principal in; a failed login is fatal for the transport.
    Subject serverSubject;
    try {
        Login serverLogin = new Login(AuthUtils.LOGIN_CONTEXT_SERVER, serverCallbacks);
        serverSubject = serverLogin.getSubject();
        serverLogin.startThreadIfNeeded(); // presumably the ticket-refresh thread; defined in Login
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }

    // A Subject without a KerberosTicket means the login produced no usable TGT.
    if (serverSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + login_conf);
    }

    // Split the configured "service/host@REALM" principal into the parts the SASL server
    // definition is keyed on.
    String serverPrincipal = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + serverPrincipal);
    KerberosName parsed = new KerberosName(serverPrincipal);

    // QOP "auth" = authentication only: no SASL integrity or confidentiality layer on the wire,
    // so anything after the handshake is only as protected as the underlying transport.
    // SERVER_AUTH is documented (javax.security.sasl.Sasl) as a client-side property; its
    // effect in a server definition is doubtful and it is kept only for parity with the client.
    // Changing either value changes what clients must negotiate - not a drive-by edit.
    Map<String, String> gssapiProps = new TreeMap<String, String>();
    gssapiProps.put(Sasl.QOP, "auth");
    gssapiProps.put(Sasl.SERVER_AUTH, "false");

    TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
    saslFactory.addServerDefinition(KERBEROS, parsed.getServiceName(), parsed.getHostName(), gssapiProps, serverCallbacks);

    // Wrap so each accepted connection runs under the server Subject's credentials.
    TUGIAssumingTransportFactory assuming = new TUGIAssumingTransportFactory(saslFactory, serverSubject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return assuming;
}
Use of org.apache.storm.messaging.netty.Login in project storm by apache.
Class KerberosSaslTransportPlugin, method kerberosConnect (client side: login, optional Login cache, SASL GSSAPI handshake).
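/**
 * Wrap {@code transport} in a SASL GSSAPI (Kerberos) client transport and run the handshake
 * against {@code serverHost} under the client principal's Subject.
 *
 * @param transport  the raw transport to wrap
 * @param serverHost host part of the target service principal ({@code serviceName/serverHost})
 * @param asUser     if non-blank, sent as the SASL authorization id (impersonation); otherwise the
 *                   authenticated principal is used
 * @return the opened SASL transport
 * @throws IOException      if the handshake fails with an I/O error
 * @throws RuntimeException if the JAAS section cannot be read, the login yields no Kerberos
 *                          ticket, or the handshake fails for any other reason
 */
private TTransport kerberosConnect(TTransport transport, String serverHost, String asUser) throws IOException {
    // Load the client JAAS section; an unreadable section is fatal.
    SortedMap<String, ?> authConf = ClientAuthUtils.pullConfig(conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT);
    if (authConf == null) {
        throw new RuntimeException("Error in parsing the kerberos login Configuration, returned null");
    }
    boolean disableLoginCache = false;
    if (authConf.containsKey(DISABLE_LOGIN_CACHE)) {
        disableLoginCache = Boolean.valueOf((String) authConf.get(DISABLE_LOGIN_CACHE));
    }

    Login login;
    LoginCacheKey key = new LoginCacheKey(authConf);
    if (disableLoginCache) {
        LOG.debug("Kerberos Login Cache is disabled, attempting to contact the Kerberos Server");
        login = mkLogin();
        // Drop any stale entry so that re-enabling the cache later cannot revive a Login whose
        // TGT cache or principal changed while caching was off.
        loginCache.remove(key);
    } else {
        LOG.debug("Trying to get the Kerberos Login from the Login Cache");
        login = loginCache.get(key);
        if (login == null) {
            // NOTE(review): the unsynchronized first get() above is only safe if loginCache is a
            // concurrent map; its declaration is not visible here - confirm.
            synchronized (loginCache) {
                login = loginCache.get(key);
                if (login == null) {
                    LOG.debug("Kerberos Login was not found in the Login Cache, attempting to contact the Kerberos Server");
                    login = mkLogin();
                    loginCache.put(key, login);
                }
            }
        }
    }

    // A Subject without a KerberosTicket means the login produced no usable TGT.
    final Subject subject = login.getSubject();
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + ClientAuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + ClientAuthUtils.getJaasConf(conf));
    }

    // asUser is only asserted here; whether the authenticated principal may act as it is
    // presumably decided by the server's callback handler, not visible from this method.
    final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser;
    String serviceName = ClientAuthUtils.get(conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName");
    if (serviceName == null) {
        serviceName = ClientAuthUtils.SERVICE;
    }

    // QOP "auth": authentication only, no SASL integrity/confidentiality on the wire.
    // SERVER_AUTH "false": mutual authentication is not requested, so the client does not require
    // the server to prove possession of the service key before talking to it. Both are visible
    // on the wire; tightening them is a deliberate protocol change, not a drive-by.
    Map<String, String> props = new TreeMap<>();
    props.put(Sasl.QOP, "auth");
    props.put(Sasl.SERVER_AUTH, "false");
    LOG.debug("SASL GSSAPI client transport is being established");
    final TTransport sasalTransport = new TSaslClientTransport(KERBEROS, principal, serviceName, serverHost, props, null, transport);

    // Run the handshake under the logged-in Subject. A failed open() used to be logged and
    // swallowed, handing the caller a transport that was never opened; it is now logged and
    // propagated so a half-established session can never be used.
    try {
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                try {
                    LOG.debug("do as:" + principal);
                    sasalTransport.open();
                } catch (Exception e) {
                    LOG.error("Client failed to open SaslClientTransport to interact with a server during " + "session initiation: " + e, e);
                    throw e;
                }
                return null;
            }
        });
    } catch (PrivilegedActionException e) {
        // doAs wraps checked exceptions from run(); unchecked ones propagate on their own.
        Throwable cause = e.getCause();
        if (cause instanceof IOException) {
            throw (IOException) cause;
        }
        throw new RuntimeException(e);
    }
    return sasalTransport;
}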
Use of org.apache.storm.messaging.netty.Login in project storm by apache.
Class KerberosSaslTransportPlugin, method getServerTransportFactory(boolean impersonationAllowed) (newer variant: explicit JAAS file, GSSAPI plus DIGEST worker-token definitions).
@Override
public TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException {
    // Lazily build the authorizer the DIGEST (worker token) definition below uses.
    // NOTE(review): unsynchronized lazy init - fine only if this factory is built once per
    // process or from a single thread; confirm against the caller.
    if (workerTokenAuthorizer == null) {
        workerTokenAuthorizer = new WorkerTokenAuthorizer(conf, type);
    }

    // Handler for the server principal's JAAS/SASL prompts. impersonationAllowed is handed to
    // it and to the DIGEST handler; presumably it gates whether a client may present an
    // authorization id other than its own - the handlers are not visible here.
    CallbackHandler serverCallbacks = new ServerCallbackHandler(conf, impersonationAllowed);
    String jaasFile = ClientAuthUtils.getJaasConf(conf);

    // Log the server principal in; a failed login is fatal for the transport.
    Subject serverSubject;
    try {
        Login serverLogin = new Login(ClientAuthUtils.LOGIN_CONTEXT_SERVER, serverCallbacks, jaasFile);
        serverSubject = serverLogin.getSubject();
        serverLogin.startThreadIfNeeded(); // presumably the ticket-refresh thread; defined in Login
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }

    // A Subject without a KerberosTicket means the login produced no usable TGT.
    if (serverSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + ClientAuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + jaasFile);
    }

    // Split the configured "service/host@REALM" principal; both SASL definitions share the host.
    String serverPrincipal = ClientAuthUtils.get(conf, ClientAuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + serverPrincipal);
    KerberosName parsed = new KerberosName(serverPrincipal);
    String service = parsed.getServiceName();
    String host = parsed.getHostName();

    // QOP "auth" = authentication only: no SASL integrity or confidentiality layer on the wire.
    // SERVER_AUTH is documented (javax.security.sasl.Sasl) as a client-side property; its effect
    // in a server definition is doubtful and it is kept for parity with the client. Changing
    // either value changes what clients must negotiate.
    Map<String, String> gssapiProps = new TreeMap<>();
    gssapiProps.put(Sasl.QOP, "auth");
    gssapiProps.put(Sasl.SERVER_AUTH, "false");

    TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
    saslFactory.addServerDefinition(KERBEROS, service, host, gssapiProps, serverCallbacks);
    // Worker tokens authenticate over DIGEST. Its props are null, so no QOP constraint is placed
    // on that mechanism - NOTE(review): confirm that is intended relative to the GSSAPI definition.
    saslFactory.addServerDefinition(DIGEST, ClientAuthUtils.SERVICE, host, null, new SimpleSaslServerCallbackHandler(impersonationAllowed, workerTokenAuthorizer));

    // Wrap so each accepted connection runs under the server Subject's credentials.
    TUGIAssumingTransportFactory assuming = new TUGIAssumingTransportFactory(saslFactory, serverSubject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return assuming;
}
Use of org.apache.storm.messaging.netty.Login in project storm by apache.
Class KerberosSaslTransportPlugin, method mkLogin (creates a fresh client-side Login from the configured JAAS file).
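/**
 * Create a new client-side {@link Login} from the {@code LOGIN_CONTEXT_CLIENT} section of the
 * configured JAAS file and start its background thread.
 *
 * @return the logged-in client Login
 * @throws IOException      if the JAAS file cannot be read
 * @throws RuntimeException wrapping the {@link LoginException} if the login fails
 */
private Login mkLogin() throws IOException {
    try {
        // Handler that answers the JAAS prompts for the client principal.
        ClientCallbackHandler clientCallbackHandler = new ClientCallbackHandler(conf);
        Login login = new Login(ClientAuthUtils.LOGIN_CONTEXT_CLIENT, clientCallbackHandler, ClientAuthUtils.getJaasConf(conf));
        // Presumably the ticket-refresh thread (defined in Login). NOTE(review): nothing in this
        // class stops it, so callers that create a Login per connection leak one thread each.
        login.startThreadIfNeeded();
        return login;
    } catch (LoginException ex) {
        // This is the CLIENT context; the message previously said "Server", which misdirects triage.
        LOG.error("Client failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }
}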