Examples with KerberosName - org.apache.zookeeper.server.auth.KerberosName

Example 1 with KerberosName

use of org.apache.zookeeper.server.auth.KerberosName in project storm by apache.

the class KerberosSaslTransportPlugin method getServerTransportFactory.

public TTransportFactory getServerTransportFactory() throws IOException {
    //create an authentication callback handler
    CallbackHandler server_callback_handler = new ServerCallbackHandler(login_conf, storm_conf);
    //login our principal
    Subject subject = null;
    try {
        //specify a configuration object to be used
        Configuration.setConfiguration(login_conf);
        //now login
        Login login = new Login(AuthUtils.LOGIN_CONTEXT_SERVER, server_callback_handler);
        subject = login.getSubject();
        login.startThreadIfNeeded();
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }
    //check the credential of our principal
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + login_conf);
    }
    String principal = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + principal);
    KerberosName serviceKerberosName = new KerberosName(principal);
    String serviceName = serviceKerberosName.getServiceName();
    String hostName = serviceKerberosName.getHostName();
    Map<String, String> props = new TreeMap<String, String>();
    props.put(Sasl.QOP, "auth");
    props.put(Sasl.SERVER_AUTH, "false");
    //create a transport factory that will invoke our auth callback for digest
    TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
    factory.addServerDefinition(KERBEROS, serviceName, hostName, props, server_callback_handler);
    //create a wrap transport factory so that we could apply user credential during connections
    TUGIAssumingTransportFactory wrapFactory = new TUGIAssumingTransportFactory(factory, subject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return wrapFactory;
}

Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) LoggerFactory(org.slf4j.LoggerFactory) TTransportFactory(org.apache.thrift.transport.TTransportFactory) Login(org.apache.storm.messaging.netty.Login) KerberosName(org.apache.zookeeper.server.auth.KerberosName) TreeMap(java.util.TreeMap) Subject(javax.security.auth.Subject) TSaslServerTransport(org.apache.thrift.transport.TSaslServerTransport) LoginException(javax.security.auth.login.LoginException)

Example 2 with KerberosName

use of org.apache.zookeeper.server.auth.KerberosName in project jstorm by alibaba.

the class KerberosSaslTransportPlugin method getServerTransportFactory.

public TTransportFactory getServerTransportFactory() throws IOException {
    // create an authentication callback handler
    CallbackHandler server_callback_handler = new ServerCallbackHandler(login_conf, storm_conf);
    // login our principal
    Subject subject = null;
    try {
        // specify a configuration object to be used
        Configuration.setConfiguration(login_conf);
        // now login
        Login login = new Login(AuthUtils.LOGIN_CONTEXT_SERVER, server_callback_handler);
        subject = login.getSubject();
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }
    // check the credential of our principal
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + login_conf);
    }
    String principal = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + principal);
    KerberosName serviceKerberosName = new KerberosName(principal);
    String serviceName = serviceKerberosName.getServiceName();
    String hostName = serviceKerberosName.getHostName();
    Map<String, String> props = new TreeMap<String, String>();
    props.put(Sasl.QOP, "auth");
    props.put(Sasl.SERVER_AUTH, "false");
    // create a transport factory that will invoke our auth callback for digest
    TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
    factory.addServerDefinition(KERBEROS, serviceName, hostName, props, server_callback_handler);
    // create a wrap transport factory so that we could apply user credential during connections
    TUGIAssumingTransportFactory wrapFactory = new TUGIAssumingTransportFactory(factory, subject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return wrapFactory;
}

Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) LoggerFactory(org.slf4j.LoggerFactory) TTransportFactory(org.apache.thrift.transport.TTransportFactory) Login(org.apache.zookeeper.Login) KerberosName(org.apache.zookeeper.server.auth.KerberosName) TreeMap(java.util.TreeMap) Subject(javax.security.auth.Subject) TSaslServerTransport(org.apache.thrift.transport.TSaslServerTransport) LoginException(javax.security.auth.login.LoginException)

Example 3 with KerberosName

use of org.apache.zookeeper.server.auth.KerberosName in project zookeeper by apache.

the class ZooKeeperSaslClient method createSaslClient.

private SaslClient createSaslClient(final String servicePrincipal, final String loginContext) throws LoginException {
    try {
        if (!initializedLogin) {
            synchronized (this) {
                if (login == null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("JAAS loginContext is: " + loginContext);
                    }
                    // note that the login object is static: it's shared amongst all zookeeper-related connections.
                    // in order to ensure the login is initialized only once, it must be synchronized the code snippet.
                    login = new Login(loginContext, new ClientCallbackHandler(null), clientConfig);
                    login.startThreadIfNeeded();
                    initializedLogin = true;
                }
            }
        }
        Subject subject = login.getSubject();
        SaslClient saslClient;
        // if empty, use DIGEST-MD5; otherwise, use GSSAPI.
        if (subject.getPrincipals().isEmpty()) {
            // no principals: must not be GSSAPI: use DIGEST-MD5 mechanism instead.
            LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");
            String[] mechs = { "DIGEST-MD5" };
            String username = (String) (subject.getPublicCredentials().toArray()[0]);
            String password = (String) (subject.getPrivateCredentials().toArray()[0]);
            // "zk-sasl-md5" is a hard-wired 'domain' parameter shared with zookeeper server code (see ServerCnxnFactory.java)
            saslClient = Sasl.createSaslClient(mechs, username, "zookeeper", "zk-sasl-md5", null, new ClientCallbackHandler(password));
            return saslClient;
        } else {
            // GSSAPI.
            boolean usingNativeJgss = clientConfig.getBoolean(ZKConfig.JGSS_NATIVE);
            if (usingNativeJgss) {
                // """
                try {
                    GSSManager manager = GSSManager.getInstance();
                    Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
                    GSSCredential cred = manager.createCredential(null, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);
                    subject.getPrivateCredentials().add(cred);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Added private credential to subject: " + cred);
                    }
                } catch (GSSException ex) {
                    LOG.warn("Cannot add private credential to subject; " + "authentication at the server may fail", ex);
                }
            }
            final Object[] principals = subject.getPrincipals().toArray();
            // determine client principal from subject.
            final Principal clientPrincipal = (Principal) principals[0];
            final KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());
            // assume that server and client are in the same realm (by default; unless the system property
            // "zookeeper.server.realm" is set).
            String serverRealm = clientConfig.getProperty(ZKClientConfig.ZOOKEEPER_SERVER_REALM, clientKerberosName.getRealm());
            KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);
            final String serviceName = serviceKerberosName.getServiceName();
            final String serviceHostname = serviceKerberosName.getHostName();
            final String clientPrincipalName = clientKerberosName.toString();
            try {
                saslClient = Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {

                    public SaslClient run() throws SaslException {
                        LOG.info("Client will use GSSAPI as SASL mechanism.");
                        String[] mechs = { "GSSAPI" };
                        LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);
                        SaslClient saslClient = Sasl.createSaslClient(mechs, clientPrincipalName, serviceName, serviceHostname, null, new ClientCallbackHandler(null));
                        return saslClient;
                    }
                });
                return saslClient;
            } catch (Exception e) {
                LOG.error("Exception while trying to create SASL client", e);
                e.printStackTrace();
                return null;
            }
        }
    } catch (LoginException e) {
        // We throw LoginExceptions...
        throw e;
    } catch (Exception e) {
        // ..but consume (with a log message) all other types of exceptions.
        LOG.error("Exception while trying to create SASL client: " + e);
        return null;
    }
}

Also used : Login(org.apache.zookeeper.Login) Oid(org.ietf.jgss.Oid) KerberosName(org.apache.zookeeper.server.auth.KerberosName) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) Subject(javax.security.auth.Subject) LoginException(javax.security.auth.login.LoginException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SaslException(javax.security.sasl.SaslException) PrivilegedActionException(java.security.PrivilegedActionException) IOException(java.io.IOException) GSSException(org.ietf.jgss.GSSException) SaslClient(javax.security.sasl.SaslClient) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) LoginException(javax.security.auth.login.LoginException) Principal(java.security.Principal)

Aggregations

Subject (javax.security.auth.Subject)3 LoginException (javax.security.auth.login.LoginException)3 KerberosName (org.apache.zookeeper.server.auth.KerberosName)3 TreeMap (java.util.TreeMap)2 CallbackHandler (javax.security.auth.callback.CallbackHandler)2 KerberosTicket (javax.security.auth.kerberos.KerberosTicket)2 TSaslServerTransport (org.apache.thrift.transport.TSaslServerTransport)2 TTransportFactory (org.apache.thrift.transport.TTransportFactory)2 Login (org.apache.zookeeper.Login)2 LoggerFactory (org.slf4j.LoggerFactory)2 IOException (java.io.IOException)1 Principal (java.security.Principal)1 PrivilegedActionException (java.security.PrivilegedActionException)1 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 SaslClient (javax.security.sasl.SaslClient)1 SaslException (javax.security.sasl.SaslException)1 Login (org.apache.storm.messaging.netty.Login)1 GSSCredential (org.ietf.jgss.GSSCredential)1 GSSException (org.ietf.jgss.GSSException)1