
Example 81 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project fabric8 by jboss-fuse.

From class ZooKeeperSaslClient, method createSaslClient:

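/**
 * Builds the SASL client used to authenticate this ZooKeeper connection.
 *
 * <p>The JAAS {@code Subject} comes from the shared {@code Login} object, which is
 * created lazily here. The mechanism is chosen from what the Subject contains:
 * <ul>
 *   <li>no principals: DIGEST-MD5, with username/password taken from the Subject's
 *       first public/private credential;</li>
 *   <li>otherwise: GSSAPI (Kerberos), created inside {@link Subject#doAs} so the
 *       Subject's Kerberos credentials are visible to the GSS provider.</li>
 * </ul>
 *
 * @param servicePrincipal the server's principal in {@code service/host} form, without
 *        realm; the realm is appended from the {@code zookeeper.server.realm} system
 *        property or, by default, the client's own realm
 * @param loginContext     the JAAS login context name used to initialise {@code Login}
 * @return the SASL client, or {@code null} if one could not be created (the failure is
 *         logged with its stack trace; callers must handle {@code null})
 * @throws LoginException if the JAAS login itself fails; every other exception is
 *         logged and turned into a {@code null} return
 */
private synchronized SaslClient createSaslClient(final String servicePrincipal, final String loginContext) throws LoginException {
    try {
        if (login == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("JAAS loginContext is: " + loginContext);
            }
            // The login object is static: it is shared amongst all zookeeper-related connections.
            // NOTE(review): this method is synchronized on the instance, so the static field is
            // only protected against concurrent initialisation by the same client object; two
            // distinct clients racing here could each create a Login. Confirm the callers'
            // usage before relying on single initialisation.
            login = new Login(loginContext, new ClientCallbackHandler(null));
            login.startThreadIfNeeded();
        }
        Subject subject = login.getSubject();
        // if empty, use DIGEST-MD5; otherwise, use GSSAPI.
        if (subject.getPrincipals().isEmpty()) {
            return createDigestMd5Client(subject);
        }
        return createGssapiClient(subject, servicePrincipal);
    } catch (LoginException e) {
        // JAAS login failures are propagated to the caller unchanged.
        throw e;
    } catch (Exception e) {
        // All other failures are consumed: log them WITH the stack trace (previously the
        // GSSAPI path also dumped it to stderr via printStackTrace) and report "no client".
        LOG.error("Exception while trying to create SASL client", e);
        return null;
    }
}

/**
 * DIGEST-MD5 path: the Subject carries no principals, so the JAAS module supplied a
 * username (first public credential) and a password (first private credential).
 *
 * @param subject the logged-in Subject
 * @return the SASL client
 * @throws SaslException if the Subject lacks a username or password, or if the SASL
 *         provider cannot create the client
 */
private SaslClient createDigestMd5Client(Subject subject) throws SaslException {
    LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");
    Object[] publicCreds = subject.getPublicCredentials().toArray();
    Object[] privateCreds = subject.getPrivateCredentials().toArray();
    if (publicCreds.length == 0 || privateCreds.length == 0) {
        // Previously this surfaced as an ArrayIndexOutOfBoundsException swallowed by the
        // caller; name the real problem so a misconfigured JAAS entry is diagnosable.
        throw new SaslException("DIGEST-MD5 requires a username (public credential) and a password (private credential) in the JAAS Subject");
    }
    String username = (String) publicCreds[0];
    String password = (String) privateCreds[0];
    String[] mechs = { "DIGEST-MD5" };
    // "zk-sasl-md5" is a hard-wired 'domain' parameter shared with zookeeper server code (see ServerCnxnFactory.java)
    return Sasl.createSaslClient(mechs, username, "zookeeper", "zk-sasl-md5", null, new ClientCallbackHandler(password));
}

/**
 * GSSAPI (Kerberos) path.
 *
 * @param subject          the logged-in Subject; its first principal is the client principal
 * @param servicePrincipal server principal without realm (see {@link #createSaslClient})
 * @return the SASL client
 * @throws Exception whatever the SASL provider throws inside {@code doAs}, unwrapped from
 *         its {@code PrivilegedActionException}, or any failure deriving the principal names
 */
private SaslClient createGssapiClient(Subject subject, final String servicePrincipal) throws Exception {
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        // With native JGSS a credential handle is added to the Subject so the SASL/GSS layer can
        // find it there (presumably because the native ticket cache is not in the Subject; the
        // original comment was truncated, so confirm). Failure is non-fatal here.
        try {
            GSSManager manager = GSSManager.getInstance();
            // Kerberos V5 mechanism OID.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSCredential cred = manager.createCredential(null, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);
            subject.getPrivateCredentials().add(cred);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Added private credential to subject: " + cred);
            }
        } catch (GSSException ex) {
            LOG.warn("Cannot add private credential to subject; " + "authentication at the server may fail", ex);
        }
    }
    // determine client principal from subject.
    final Principal clientPrincipal = (Principal) subject.getPrincipals().toArray()[0];
    final KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());
    // assume that server and client are in the same realm (by default; unless the system property
    // "zookeeper.server.realm" is set).
    String serverRealm = System.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());
    KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);
    final String serviceName = serviceKerberosName.getServiceName();
    final String serviceHostname = serviceKerberosName.getHostName();
    final String clientPrincipalName = clientKerberosName.toString();
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {

            public SaslClient run() throws SaslException {
                LOG.info("Client will use GSSAPI as SASL mechanism.");
                String[] mechs = { "GSSAPI" };
                LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);
                return Sasl.createSaslClient(mechs, clientPrincipalName, serviceName, serviceHostname, null, new ClientCallbackHandler(null));
            }
        });
    } catch (PrivilegedActionException e) {
        // Unwrap so the exception that gets logged is the SaslException itself, not the wrapper.
        throw e.getException();
    }
}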

Example 82 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project apache-kafka-on-k8s by banzaicloud.

From class SaslServerAuthenticator, method createSaslServer:

/**
 * Creates the {@code SaslServer} for the mechanism negotiated with the client and
 * stores it in {@code saslServer}.
 *
 * <p>The callback handler is picked by mechanism family (SCRAM mechanisms get the
 * credential cache, everything else the JAAS context) and configured with the
 * mechanism's Subject. GSSAPI is delegated to the Kerberos-specific factory; any
 * other mechanism is created by the generic SASL factory under {@code Subject.doAs}.
 *
 * @param mechanism SASL mechanism name selected by the client
 * @throws IOException (as a {@code SaslException}) if the generic SASL server could
 *         not be created; the original failure is attached as the cause
 */
private void createSaslServer(String mechanism) throws IOException {
    this.saslMechanism = mechanism;
    final Subject mechanismSubject = subjects.get(mechanism);
    if (ScramMechanism.isScram(mechanism)) {
        callbackHandler = new ScramServerCallbackHandler(credentialCache.cache(mechanism, ScramCredential.class), tokenCache);
    } else {
        callbackHandler = new SaslServerCallbackHandler(jaasContexts.get(mechanism));
    }
    callbackHandler.configure(configs, Mode.SERVER, mechanismSubject, saslMechanism);
    if (mechanism.equals(SaslConfigs.GSSAPI_MECHANISM)) {
        saslServer = createSaslKerberosServer(callbackHandler, configs, mechanismSubject);
        return;
    }
    PrivilegedExceptionAction<SaslServer> createServer = new PrivilegedExceptionAction<SaslServer>() {

        public SaslServer run() throws SaslException {
            return Sasl.createSaslServer(saslMechanism, "kafka", serverAddress().getHostName(), configs, callbackHandler);
        }
    };
    try {
        saslServer = Subject.doAs(mechanismSubject, createServer);
    } catch (PrivilegedActionException e) {
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}

Example 83 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project Bytecoder by mirkosertic.

From class FactoryURLClassLoader, method findClass:

/**
 * Locates the class {@code name} on this loader's URL search path and defines it.
 * JAR files on the path are opened as needed until the class is found.
 *
 * <p>The resource lookup and the {@code defineClass} call run under {@code acc}
 * (presumably the access-control context captured when the loader was created), so
 * the permissions in force while opening JARs and defining the class are those of
 * that context rather than those of whoever called {@code loadClass}.
 *
 * @param name binary name of the class
 * @return the defined class
 * @throws ClassNotFoundException if no {@code .class} resource for the name exists on
 *         the search path, if reading it fails, or if the loader is closed
 * @throws NullPointerException if {@code name} is {@code null}
 */
protected Class<?> findClass(final String name) throws ClassNotFoundException {
    final String resourcePath = name.replace('.', '/').concat(".class");
    PrivilegedExceptionAction<Class<?>> lookup = new PrivilegedExceptionAction<Class<?>>() {

        public Class<?> run() throws ClassNotFoundException {
            Resource res = ucp.getResource(resourcePath, false);
            if (res == null) {
                return null;
            }
            try {
                return defineClass(name, res);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    };
    Class<?> found;
    try {
        found = AccessController.doPrivileged(lookup, acc);
    } catch (java.security.PrivilegedActionException pae) {
        throw (ClassNotFoundException) pae.getException();
    }
    if (found == null) {
        throw new ClassNotFoundException(name);
    }
    return found;
}

Example 84 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project Bytecoder by mirkosertic.

From class Calendar, method readObject:

/**
 * Reconstitutes this object from a stream (i.e., deserialize it).
 *
 * <p>Order matters: the default fields are read first, then the bookkeeping that is
 * not part of the default data is rebuilt ({@code stamp}, plus {@code fields}/{@code isSet}
 * for old stream versions), and finally an optional trailing {@code ZoneInfo} is read
 * and, if present, installed as {@code zone}.
 *
 * <p>NOTE(review): this is Java native deserialization. The {@code input.readObject()}
 * call below instantiates whatever class the stream names before the cast to
 * {@code ZoneInfo} is checked, and nothing here filters the stream; a caller feeding it
 * untrusted bytes should install an {@code ObjectInputFilter} on the stream first.
 *
 * @param stream the stream to read from
 * @throws IOException            if reading the stream fails
 * @throws ClassNotFoundException if a class named in the stream cannot be loaded
 */
private void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
    final ObjectInputStream input = stream;
    input.defaultReadObject();
    // 'stamp' is not restored by defaultReadObject: rebuild it here (old streams fill it from isSet below).
    stamp = new int[FIELD_COUNT];
    // Version 2 and later: 'time' is taken as authoritative, so mark it set; fields[] and isSet[]
    // may not have been streamed out anymore, so allocate them when missing.
    if (serialVersionOnStream >= 2) {
        isTimeSet = true;
        if (fields == null) {
            fields = new int[FIELD_COUNT];
        }
        if (isSet == null) {
            isSet = new boolean[FIELD_COUNT];
        }
    } else if (serialVersionOnStream >= 0) {
        // Versions 0 and 1: a field flagged in isSet[] counts as COMPUTED, every other one as UNSET.
        for (int i = 0; i < FIELD_COUNT; ++i) {
            stamp[i] = isSet[i] ? COMPUTED : UNSET;
        }
    }
    // Whatever version came in, this instance now holds current-version state.
    serialVersionOnStream = currentSerialVersion;
    // If there's a ZoneInfo object, use it for zone. It follows the default fields as an extra
    // object and is read under CalendarAccessControlContext.INSTANCE, which (per the
    // AccessController.doPrivileged contract) bounds the action's permissions to that context.
    ZoneInfo zi = null;
    try {
        zi = AccessController.doPrivileged(new PrivilegedExceptionAction<>() {

            @Override
            public ZoneInfo run() throws Exception {
                return (ZoneInfo) input.readObject();
            }
        }, CalendarAccessControlContext.INSTANCE);
    } catch (PrivilegedActionException pae) {
        Exception e = pae.getException();
        // OptionalDataException means the stream carries no trailing ZoneInfo: keep 'zone' as
        // deserialized. Anything else is re-thrown with its original type where that type is
        // declared here, otherwise wrapped in a RuntimeException.
        if (!(e instanceof OptionalDataException)) {
            if (e instanceof RuntimeException) {
                throw (RuntimeException) e;
            } else if (e instanceof IOException) {
                throw (IOException) e;
            } else if (e instanceof ClassNotFoundException) {
                throw (ClassNotFoundException) e;
            }
            throw new RuntimeException(e);
        }
    }
    if (zi != null) {
        zone = zi;
    }
    // If the restored zone is a SimpleTimeZone, swap in the platform TimeZone with the same id
    // when its rules are identical, so the shared zone implementation is used as much as possible.
    if (zone instanceof SimpleTimeZone) {
        String id = zone.getID();
        TimeZone tz = TimeZone.getTimeZone(id);
        if (tz != null && tz.hasSameRules(zone) && tz.getID().equals(id)) {
            zone = tz;
        }
    }
}

Example 85 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project jackrabbit-oak by apache.

From class AbstractLoginModule, method getRoot:

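/**
 * Tries to obtain a {@code Root} object from the callback handler using
 * a new RepositoryCallback and keeps the value as private field.
 * If the callback handler isn't able to handle the RepositoryCallback
 * this method returns {@code null}.
 *
 * <p>The root comes from a {@code ContentSession} opened as
 * {@code SystemSubject.INSTANCE}; that session is retained in {@code systemSession}.
 * NOTE(review): being opened as the system subject, this root is presumably a
 * privileged view of the repository meant for the login module's own lookups; it
 * should not be handed to the subject being authenticated.
 *
 * <p>Failures are best effort by contract: they are logged at debug level (now with the
 * exception attached, so the cause of a failed system login is not lost) and the
 * method answers {@code null}.
 *
 * @return The {@code Root} associated with this {@code LoginModule} or
 *         {@code null}.
 */
@CheckForNull
protected Root getRoot() {
    if (root != null || callbackHandler == null) {
        return root;
    }
    try {
        final RepositoryCallback rcb = new RepositoryCallback();
        callbackHandler.handle(new Callback[] { rcb });
        final ContentRepository repository = rcb.getContentRepository();
        if (repository == null) {
            log.debug("Unable to retrieve the Root via RepositoryCallback; ContentRepository not available.");
            return root;
        }
        systemSession = Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction<ContentSession>() {

            @Override
            public ContentSession run() throws LoginException, NoSuchWorkspaceException {
                return repository.login(null, rcb.getWorkspaceName());
            }
        });
        root = systemSession.getLatestRoot();
    } catch (UnsupportedCallbackException | IOException e) {
        // The handler cannot supply a repository: answer null, as documented.
        log.debug("Unable to retrieve the Root via RepositoryCallback: " + e.getMessage(), e);
    } catch (PrivilegedActionException e) {
        // The system login itself failed; unwrap so the real cause is visible in the log.
        Exception cause = e.getException();
        log.debug("Unable to open the system session to retrieve the Root: " + cause.getMessage(), cause);
    }
    return root;
}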
