use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.
the class TestUserGroupInformation method testGetUGIFromSubject.
@Test(timeout = 30000)
public void testGetUGIFromSubject() throws Exception {
KerberosPrincipal p = new KerberosPrincipal("guest");
Subject subject = new Subject();
subject.getPrincipals().add(p);
UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
assertNotNull(ugi);
assertEquals("guest@DEFAULT.REALM", ugi.getUserName());
}
use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.
the class KerberosTestUtils method doAs.
public static <T> T doAs(String principal, final Callable<T> callable) throws Exception {
LoginContext loginContext = null;
try {
Set<Principal> principals = new HashSet<Principal>();
principals.add(new KerberosPrincipal(KerberosTestUtils.getClientPrincipal()));
Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
loginContext = new LoginContext("", subject, null, new KerberosConfiguration(principal));
loginContext.login();
subject = loginContext.getSubject();
return Subject.doAs(subject, new PrivilegedExceptionAction<T>() {
@Override
public T run() throws Exception {
return callable.call();
}
});
} catch (PrivilegedActionException ex) {
throw ex.getException();
} finally {
if (loginContext != null) {
loginContext.logout();
}
}
}
use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.
the class TestKerberosAuthenticationHandler method testDynamicPrincipalDiscovery.
// dynamic configuration of HTTP principals
@Test(timeout = 60000)
public void testDynamicPrincipalDiscovery() throws Exception {
String[] keytabUsers = new String[] { "HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host" };
String keytab = KerberosTestUtils.getKeytabFile();
getKdc().createPrincipal(new File(keytab), keytabUsers);
// destroy handler created in setUp()
handler.destroy();
Properties props = new Properties();
props.setProperty(KerberosAuthenticationHandler.KEYTAB, keytab);
props.setProperty(KerberosAuthenticationHandler.PRINCIPAL, "*");
handler = getNewAuthenticationHandler();
handler.init(props);
Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
Set<KerberosPrincipal> loginPrincipals = handler.getPrincipals();
for (String user : keytabUsers) {
Principal principal = new KerberosPrincipal(user + "@" + KerberosTestUtils.getRealm());
boolean expected = user.startsWith("HTTP/");
Assert.assertEquals("checking for " + user, expected, loginPrincipals.contains(principal));
}
}
use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.
the class UserGroupInformation method getUGIFromSubject.
/**
* Create a UserGroupInformation from a Subject with Kerberos principal.
*
* @param subject The KerberosPrincipal to use in UGI.
* The creator of subject is responsible for
* renewing credentials.
*
* @throws IOException
* @throws KerberosAuthException if the kerberos login fails
*/
public static UserGroupInformation getUGIFromSubject(Subject subject) throws IOException {
if (subject == null) {
throw new KerberosAuthException(SUBJECT_MUST_NOT_BE_NULL);
}
if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
throw new KerberosAuthException(SUBJECT_MUST_CONTAIN_PRINCIPAL);
}
KerberosPrincipal principal = subject.getPrincipals(KerberosPrincipal.class).iterator().next();
User ugiUser = new User(principal.getName(), AuthenticationMethod.KERBEROS, null);
subject.getPrincipals().add(ugiUser);
UserGroupInformation ugi = new UserGroupInformation(subject);
ugi.setLogin(null);
ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
return ugi;
}
use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.
the class SaslRpcClient method getServerPrincipal.
/**
* Get the remote server's principal. The value will be obtained from
* the config and cross-checked against the server's advertised principal.
*
* @param authType of the SASL client
* @return String of the server's principal
* @throws IOException - error determining configured principal
*/
@VisibleForTesting
String getServerPrincipal(SaslAuth authType) throws IOException {
KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
LOG.debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
if (krbInfo == null) {
// protocol has no support for kerberos
return null;
}
String serverKey = krbInfo.serverPrincipal();
if (serverKey == null) {
throw new IllegalArgumentException("Can't obtain server Kerberos config key from protocol=" + protocol.getCanonicalName());
}
// construct server advertised principal for comparision
String serverPrincipal = new KerberosPrincipal(authType.getProtocol() + "/" + authType.getServerId(), KerberosPrincipal.KRB_NT_SRV_HST).getName();
// use the pattern if defined
String serverKeyPattern = conf.get(serverKey + ".pattern");
if (serverKeyPattern != null && !serverKeyPattern.isEmpty()) {
Pattern pattern = GlobPattern.compile(serverKeyPattern);
if (!pattern.matcher(serverPrincipal).matches()) {
throw new IllegalArgumentException(String.format("Server has invalid Kerberos principal: %s," + " doesn't match the pattern: %s", serverPrincipal, serverKeyPattern));
}
} else {
// check that the server advertised principal matches our conf
String confPrincipal = SecurityUtil.getServerPrincipal(conf.get(serverKey), serverAddr.getAddress());
if (LOG.isDebugEnabled()) {
LOG.debug("getting serverKey: " + serverKey + " conf value: " + conf.get(serverKey) + " principal: " + confPrincipal);
}
if (confPrincipal == null || confPrincipal.isEmpty()) {
throw new IllegalArgumentException("Failed to specify server's Kerberos principal name");
}
KerberosName name = new KerberosName(confPrincipal);
if (name.getHostName() == null) {
throw new IllegalArgumentException("Kerberos principal name does NOT have the expected hostname part: " + confPrincipal);
}
if (!serverPrincipal.equals(confPrincipal)) {
throw new IllegalArgumentException(String.format("Server has invalid Kerberos principal: %s, expecting: %s", serverPrincipal, confPrincipal));
}
}
return serverPrincipal;
}
Aggregations