
Example 31 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project athenz by yahoo.

the class KerberosAuthority method login.

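/**
 * Performs a JAAS login for the configured service principal and publishes the
 * authenticated {@code Subject} through {@code serviceSubject}.
 *
 * <p>The call returns immediately when the last successful login is younger than
 * {@code loginWindow} milliseconds. Login failures are not thrown: the exception
 * is stored in {@code initState} and logged, so callers have to inspect that
 * field to learn whether the service credentials are usable.
 *
 * @param logoutFirst when {@code true}, {@code logout()} is invoked on the freshly
 *                    created login context before {@code login()}
 */
public synchronized void login(boolean logoutFirst) {
    long now = System.currentTimeMillis();
    if ((now - lastLogin) < loginWindow) {
        // Logged in recently; skip the login to avoid repeated JAAS round trips.
        return;
    }
    Subject subject = null;
    if (servicePrincipal != null) {
        // Seed the Subject with the service principal so the login is bound to it.
        Set<java.security.Principal> principals = new HashSet<>(1);
        principals.add(new KerberosPrincipal(servicePrincipal));
        subject = new Subject(false, principals, new HashSet<>(), new HashSet<>());
    }
    LoginConfig loginConfig = new LoginConfig(keyTabConfFile, servicePrincipal);
    // Clear the previous failure; it is set again below if this attempt fails.
    initState = null;
    try {
        // NOTE: if no callback handler is specified, LoginContext uses the
        // auth.login.defaultCallbackHandler security property for the fully
        // qualified class name of a default handler implementation.
        LoginContext loginContext;
        CallbackHandler loginHandler = null;
        if (loginCallbackHandler != null && !loginCallbackHandler.isEmpty()) {
            // The handler class is chosen by a configuration string and loaded
            // reflectively (Class.forName also initializes it), so that setting must
            // only come from trusted configuration. asSubclass() rejects a class that
            // is not a CallbackHandler BEFORE its constructor is invoked; the original
            // cast happened only after the object had already been constructed.
            Class<? extends CallbackHandler> handlerClass =
                    Class.forName(loginCallbackHandler).asSubclass(CallbackHandler.class);
            loginHandler = handlerClass.getConstructor(String.class, String.class)
                    .newInstance(servicePrincipal, null);
        }
        if (subject == null) {
            // Without a service principal the programmatic LoginConfig is not used;
            // a callback handler is mandatory on this path.
            loginContext = new LoginContext(jaasConfigSection, Objects.requireNonNull(loginHandler));
        } else {
            loginContext = new LoginContext(jaasConfigSection, subject, loginHandler, loginConfig);
        }
        if (logoutFirst) {
            loginContext.logout();
        }
        loginContext.login();
        subject = loginContext.getSubject();
        serviceSubject.set(subject);
        lastLogin = System.currentTimeMillis();
    } catch (Exception exc) {
        initState = exc;
        // Only names and paths are logged here (principal, handler class, keytab
        // location, JAAS section), never key material.
        String params = "svc-princ=" + servicePrincipal + " login-callback=" + loginCallbackHandler + " keytab=" + keyTabConfFile + " jaas-section=" + jaasConfigSection;
        // Passing the exception as the trailing argument keeps the stack trace and
        // cause chain in the log; the message alone rarely explains a Kerberos
        // login failure.
        LOG.error("KerberosAuthority:initialize: Login context failure: config params=({}) exc: {}", params, exc.getMessage(), exc);
    }
}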
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) CallbackHandler(javax.security.auth.callback.CallbackHandler) Subject(javax.security.auth.Subject) LoginContext(javax.security.auth.login.LoginContext) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(com.yahoo.athenz.auth.Principal)

Example 32 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project pentaho-kettle by pentaho.

the class SessionConfigurator method getServiceSubject.

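/**
 * Logs in through JAAS as the Kerberos principal named by {@code this.principal}
 * and returns the authenticated subject.
 *
 * <p>No callback handler is passed, so nothing can be prompted for: the
 * credentials have to be supplied by {@code loginConfig}. The created
 * {@code LoginContext} is stored in the {@code loginContext} field.
 *
 * @param loginConfig JAAS configuration used for the login
 * @return the subject populated by the login modules
 * @throws Exception if the principal name is invalid or the login fails
 */
private Subject getServiceSubject(ClientLoginConfig loginConfig) throws Exception {
    Set<Principal> princ = new HashSet<>(1);
    princ.add(new KerberosPrincipal(this.principal));
    // Typed (diamond) credential sets replace the raw HashSet instances.
    Subject sub = new Subject(false, princ, new HashSet<>(), new HashSet<>());
    // The empty entry name is passed on to loginConfig's lookup as-is.
    // NOTE(review): the context is kept in a field, presumably so it can be
    // logged out later - confirm against the rest of the class.
    loginContext = new LoginContext("", sub, null, loginConfig);
    loginContext.login();
    return loginContext.getSubject();
}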
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) LoginContext(javax.security.auth.login.LoginContext) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(java.security.Principal) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet)

Example 33 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project ranger by apache.

the class CredentialsProviderUtil method getTGT.

/**
 * Looks up the ticket-granting ticket among the private credentials of a subject.
 *
 * <p>A ticket counts as the TGT when its server principal is exactly
 * {@code krbtgt/REALM@REALM} for the server principal's own realm.
 *
 * @param subject subject whose private {@code KerberosTicket} credentials are scanned
 * @return the first matching ticket, or {@code null} when none matches
 */
public static synchronized KerberosTicket getTGT(Subject subject) {
    for (KerberosTicket candidate : subject.getPrivateCredentials(KerberosTicket.class)) {
        KerberosPrincipal issuer = candidate.getServer();
        String realm = issuer.getRealm();
        String tgsName = "krbtgt/" + realm + "@" + realm;
        if (!issuer.getName().equals(tgsName)) {
            // A service ticket, or a ticket for another realm's TGS: keep looking.
            continue;
        }
        if (logger.isDebugEnabled()) {
            // Only principal names are written to the log, not the ticket itself.
            logger.debug("Client principal is \"" + candidate.getClient().getName() + "\".");
            logger.debug("Server principal is \"" + candidate.getServer().getName() + "\".");
        }
        return candidate;
    }
    return null;
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) KerberosTicket(javax.security.auth.kerberos.KerberosTicket)

Example 34 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.

the class AbstractSecureRegistryTest method login.

/**
 * Performs a keytab-based JAAS login for a principal.
 *
 * <p>The principal name, the context name and the keytab path are written to
 * the log at INFO level. No callback handler is supplied, so the login relies
 * on the configuration built by {@code KerberosConfiguration.createClientConfig}.
 *
 * @param principal name of the Kerberos principal to log in as
 * @param context name of the JAAS login context
 * @param keytab keytab file holding the principal's keys
 * @return the login context after a successful login
 * @throws LoginException if the login fails
 * @throws FileNotFoundException if the keytab file does not exist
 */
protected LoginContext login(String principal, String context, File keytab) throws LoginException, FileNotFoundException {
    LOG.info("Logging in as {} in context {} with keytab {}", principal, context, keytab);
    // Fail early with the absolute path rather than with an opaque login error.
    if (!keytab.exists()) {
        throw new FileNotFoundException(keytab.getAbsolutePath());
    }
    Set<Principal> identities = new HashSet<>();
    identities.add(new KerberosPrincipal(principal));
    Subject loginSubject = new Subject(false, identities, new HashSet<>(), new HashSet<>());
    LoginContext loginContext = new LoginContext(
        context,
        loginSubject,
        null,
        KerberosConfiguration.createClientConfig(principal, keytab));
    loginContext.login();
    return loginContext;
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) LoginContext(javax.security.auth.login.LoginContext) FileNotFoundException(java.io.FileNotFoundException) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(java.security.Principal) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet)

Example 35 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.

the class TestUGIWithMiniKdc method testAutoRenewalThreadRetryWithKdc.

/**
 * Logs in against the test KDC from a keytab and waits until the
 * UserGroupInformation metrics report at least one renewal failure, which
 * shows that the renewal thread ran and retried.
 *
 * <p>The login context is always logged out at the end, whatever the outcome.
 */
@Test(timeout = 120000)
public void testAutoRenewalThreadRetryWithKdc() throws Exception {
    GenericTestUtils.setLogLevel(UserGroupInformation.LOG, Level.DEBUG);
    final Configuration conf = new Configuration();
    // Relogin every 1 second
    conf.setLong(HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN, 1);
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, conf);
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.setEnableRenewThreadCreationForTest(true);
    LoginContext loginContext = null;
    try {
        final String principal = "foo";
        final File baseDir = new File(System.getProperty("test.dir", "target"));
        final File keytab = new File(baseDir, "foo.keytab");
        final Set<Principal> identities = new HashSet<>();
        identities.add(new KerberosPrincipal(principal));
        setupKdc();
        kdc.createPrincipal(keytab, principal);

        // client login
        final Subject subject = new Subject(false, identities, new HashSet<>(), new HashSet<>());
        // In-memory JAAS configuration: a single required Kerberos login module
        // that authenticates from the keytab created above, without prompting.
        final javax.security.auth.login.Configuration jaasConfig = new javax.security.auth.login.Configuration() {

            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                final Map<String, String> moduleOptions = new HashMap<>();
                moduleOptions.put("principal", principal);
                moduleOptions.put("refreshKrb5Config", "true");
                // The IBM JDK login module uses different option names.
                if (PlatformName.IBM_JAVA) {
                    moduleOptions.put("useKeytab", keytab.getPath());
                    moduleOptions.put("credsType", "both");
                } else {
                    moduleOptions.put("keyTab", keytab.getPath());
                    moduleOptions.put("useKeyTab", "true");
                    moduleOptions.put("storeKey", "true");
                    moduleOptions.put("doNotPrompt", "true");
                    moduleOptions.put("useTicketCache", "true");
                    moduleOptions.put("renewTGT", "true");
                    moduleOptions.put("isInitiator", Boolean.toString(true));
                }
                final String ticketCache = System.getenv("KRB5CCNAME");
                if (ticketCache != null) {
                    moduleOptions.put("ticketCache", ticketCache);
                }
                // Login-module debug output is switched on for this test.
                moduleOptions.put("debug", "true");
                final AppConfigurationEntry krb5Entry = new AppConfigurationEntry(
                    KerberosUtil.getKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    moduleOptions);
                return new AppConfigurationEntry[] { krb5Entry };
            }
        };
        loginContext = new LoginContext("", subject, null, jaasConfig);
        loginContext.login();
        UserGroupInformation.loginUserFromSubject(loginContext.getSubject());

        // Verify retry happens. Do not verify retry count to reduce flakiness.
        // Detailed back-off logic is tested separately in
        // TestUserGroupInformation#testGetNextRetryTime
        LambdaTestUtils.await(30000, 500, () -> {
            final int failures = UserGroupInformation.metrics.getRenewalFailures().value();
            UserGroupInformation.LOG.info("Renew failure count is {}", failures);
            return failures > 0;
        });
    } finally {
        // Drop the credentials obtained above even when the test fails.
        if (loginContext != null) {
            loginContext.logout();
        }
    }
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Configuration(org.apache.hadoop.conf.Configuration) HashMap(java.util.HashMap) Subject(javax.security.auth.Subject) AppConfigurationEntry(javax.security.auth.login.AppConfigurationEntry) LoginContext(javax.security.auth.login.LoginContext) File(java.io.File) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(java.security.Principal) HashSet(java.util.HashSet) Test(org.junit.Test)
