
Example 36 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.

the class TestUserGroupInformation method testGetUGIFromSubject.

/**
 * Checks that a UGI can be built from a Subject that holds a single
 * {@link KerberosPrincipal}.
 *
 * <p>The Subject here carries only a principal name and no tickets or keys,
 * yet a UGI is returned. The factory therefore relies on the caller to supply
 * a Subject that was populated by a trusted login.
 */
@Test(timeout = 30000)
public void testGetUGIFromSubject() throws Exception {
    Subject guestSubject = new Subject();
    // "guest" has no realm part; the assertion below expects the default
    // realm to have been appended (presumably DEFAULT.REALM comes from the
    // test's Kerberos configuration; confirm against the test setup).
    guestSubject.getPrincipals().add(new KerberosPrincipal("guest"));

    UserGroupInformation fromSubject = UserGroupInformation.getUGIFromSubject(guestSubject);

    assertNotNull(fromSubject);
    assertEquals("guest@DEFAULT.REALM", fromSubject.getUserName());
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Subject(javax.security.auth.Subject) Test(org.junit.Test)

Example 37 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.

the class KerberosTestUtils method doAs.

/**
 * Logs in through JAAS, runs {@code callable} as the resulting Subject and
 * logs out again.
 *
 * @param principal passed to {@code KerberosConfiguration} to build the
 *                  login configuration
 * @param callable  work to execute under the logged-in Subject
 * @return whatever {@code callable} returns
 * @throws Exception the exception thrown by {@code callable} (unwrapped from
 *                   {@link PrivilegedActionException}), or any login/logout
 *                   failure
 */
public static <T> T doAs(String principal, final Callable<T> callable) throws Exception {
    LoginContext ctx = null;
    try {
        // NOTE(review): the Subject is seeded with getClientPrincipal() while the
        // `principal` argument only reaches KerberosConfiguration. Confirm the two
        // are expected to name the same identity.
        Set<Principal> clientPrincipals = new HashSet<Principal>();
        clientPrincipals.add(new KerberosPrincipal(KerberosTestUtils.getClientPrincipal()));
        Subject seed = new Subject(false, clientPrincipals, new HashSet<Object>(), new HashSet<Object>());

        ctx = new LoginContext("", seed, null, new KerberosConfiguration(principal));
        ctx.login();

        PrivilegedExceptionAction<T> action = new PrivilegedExceptionAction<T>() {

            @Override
            public T run() throws Exception {
                return callable.call();
            }
        };
        // Run with the Subject the login context reports after login().
        return Subject.doAs(ctx.getSubject(), action);
    } catch (PrivilegedActionException wrapped) {
        // Surface the callable's own exception rather than the JAAS wrapper.
        throw wrapped.getException();
    } finally {
        // Always log out so the login does not outlive this call. This also runs
        // when login() itself failed, because ctx is already assigned by then.
        if (ctx != null) {
            ctx.logout();
        }
    }
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) PrivilegedActionException(java.security.PrivilegedActionException) Subject(javax.security.auth.Subject) PrivilegedActionException(java.security.PrivilegedActionException) LoginContext(javax.security.auth.login.LoginContext) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(java.security.Principal) HashSet(java.util.HashSet)

Example 38 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.

the class TestKerberosAuthenticationHandler method testDynamicPrincipalDiscovery.

// dynamic configuration of HTTP principals
/**
 * With the principal property set to {@code "*"}, the handler is expected to
 * pick up its login principals from the keytab.
 *
 * <p>The keytab deliberately contains near-miss names ({@code HTTP2/host1},
 * {@code XHTTP/host}). Only entries whose service part is exactly
 * {@code HTTP/} may be loaded, so a prefix or substring match on "HTTP"
 * would fail this test.
 */
@Test(timeout = 60000)
public void testDynamicPrincipalDiscovery() throws Exception {
    String[] keytabUsers = { "HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host" };
    String keytabPath = KerberosTestUtils.getKeytabFile();
    getKdc().createPrincipal(new File(keytabPath), keytabUsers);

    // Replace the handler that setUp() created with one configured for discovery.
    handler.destroy();
    Properties discoveryProps = new Properties();
    discoveryProps.setProperty(KerberosAuthenticationHandler.KEYTAB, keytabPath);
    discoveryProps.setProperty(KerberosAuthenticationHandler.PRINCIPAL, "*");
    handler = getNewAuthenticationHandler();
    handler.init(discoveryProps);

    Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());

    Set<KerberosPrincipal> loginPrincipals = handler.getPrincipals();
    for (String shortName : keytabUsers) {
        // Only names whose service part is exactly "HTTP/" should have been loaded.
        boolean shouldBeLoaded = shortName.startsWith("HTTP/");
        Principal fullName = new KerberosPrincipal(shortName + "@" + KerberosTestUtils.getRealm());
        Assert.assertEquals("checking for " + shortName, shouldBeLoaded, loginPrincipals.contains(fullName));
    }
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Properties(java.util.Properties) File(java.io.File) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(java.security.Principal) Test(org.junit.Test)

Example 39 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.

the class UserGroupInformation method getUGIFromSubject.

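/**
 * Create a UserGroupInformation from a Subject that already holds a
 * Kerberos principal.
 *
 * <p>No login is performed here: only the Subject's principal set is read,
 * the credentials are not inspected, and the resulting UGI is marked as
 * {@code KERBEROS}-authenticated. Callers must therefore pass only Subjects
 * produced by a login they trust.
 *
 * <p>The supplied Subject is modified: a {@code User} principal carrying the
 * Kerberos principal's name is added to it. If the Subject holds several
 * Kerberos principals, the first one returned by the set's iterator is used.
 *
 * @param subject             Subject containing the KerberosPrincipal to use
 *                            in the UGI.
 *                            The creator of subject is responsible for
 *                            renewing credentials.
 * @return a UGI backed by {@code subject}
 *
 * @throws IOException declared by the signature
 * @throws KerberosAuthException if {@code subject} is null or contains no
 *                               KerberosPrincipal
 */
public static UserGroupInformation getUGIFromSubject(Subject subject) throws IOException {
    if (subject == null) {
        throw new KerberosAuthException(SUBJECT_MUST_NOT_BE_NULL);
    }
    // Take one snapshot of the Kerberos principals so the emptiness check and
    // the selection below see the same set, instead of querying the Subject twice.
    java.util.Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
    if (kerberosPrincipals.isEmpty()) {
        throw new KerberosAuthException(SUBJECT_MUST_CONTAIN_PRINCIPAL);
    }
    KerberosPrincipal principal = kerberosPrincipals.iterator().next();
    // NOTE(review): the third User argument is passed as null; confirm its meaning
    // against the User constructor.
    User ugiUser = new User(principal.getName(), AuthenticationMethod.KERBEROS, null);
    subject.getPrincipals().add(ugiUser);
    UserGroupInformation ugi = new UserGroupInformation(subject);
    // No login object is attached to this UGI; per the contract above, the
    // Subject's creator is responsible for renewing credentials.
    ugi.setLogin(null);
    ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
    return ugi;
}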
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal)

Example 40 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project hadoop by apache.

the class SaslRpcClient method getServerPrincipal.

/**
 * Get the remote server's principal. The value the server advertises is
 * checked against the client's own configuration before it is returned, so
 * the client does not accept a principal merely because the server sent it.
 *
 * <p>Two mutually exclusive checks exist. If {@code <serverKey>.pattern} is
 * set and non-empty, the advertised principal only has to match that glob and
 * the exact comparison with the configured principal is skipped. A broad
 * pattern therefore widens the set of servers the client will accept.
 * Otherwise the advertised principal must equal the configured one exactly.
 *
 * @param authType of the SASL client
 * @return String of the server's principal, or {@code null} when the protocol
 *         has no Kerberos info
 * @throws IOException - error determining configured principal
 * @throws IllegalArgumentException if the configuration is missing or the
 *         advertised principal fails the check
 */
@VisibleForTesting
String getServerPrincipal(SaslAuth authType) throws IOException {
    KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
    LOG.debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
    if (krbInfo == null) {
        // protocol has no support for kerberos
        return null;
    }

    String serverKey = krbInfo.serverPrincipal();
    if (serverKey == null) {
        throw new IllegalArgumentException("Can't obtain server Kerberos config key from protocol=" + protocol.getCanonicalName());
    }

    // Build the principal the server advertises ("protocol/serverId") so it can
    // be compared with what the client is configured to expect.
    String advertisedName = authType.getProtocol() + "/" + authType.getServerId();
    String serverPrincipal = new KerberosPrincipal(advertisedName, KerberosPrincipal.KRB_NT_SRV_HST).getName();

    // A configured pattern takes precedence over the exact comparison.
    String serverKeyPattern = conf.get(serverKey + ".pattern");
    boolean patternConfigured = serverKeyPattern != null && !serverKeyPattern.isEmpty();
    if (patternConfigured) {
        Pattern allowed = GlobPattern.compile(serverKeyPattern);
        if (!allowed.matcher(serverPrincipal).matches()) {
            throw new IllegalArgumentException(String.format("Server has invalid Kerberos principal: %s," + " doesn't match the pattern: %s", serverPrincipal, serverKeyPattern));
        }
        return serverPrincipal;
    }

    // No pattern: the advertised principal must equal the configured one.
    String confPrincipal = SecurityUtil.getServerPrincipal(conf.get(serverKey), serverAddr.getAddress());
    if (LOG.isDebugEnabled()) {
        LOG.debug("getting serverKey: " + serverKey + " conf value: " + conf.get(serverKey) + " principal: " + confPrincipal);
    }
    if (confPrincipal == null || confPrincipal.isEmpty()) {
        throw new IllegalArgumentException("Failed to specify server's Kerberos principal name");
    }
    // A configured principal without a host part is rejected before the comparison.
    KerberosName configuredName = new KerberosName(confPrincipal);
    if (configuredName.getHostName() == null) {
        throw new IllegalArgumentException("Kerberos principal name does NOT have the expected hostname part: " + confPrincipal);
    }
    if (!serverPrincipal.equals(confPrincipal)) {
        throw new IllegalArgumentException(String.format("Server has invalid Kerberos principal: %s, expecting: %s", serverPrincipal, confPrincipal));
    }
    return serverPrincipal;
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Pattern(com.google.re2j.Pattern) GlobPattern(org.apache.hadoop.fs.GlobPattern) ByteString(com.google.protobuf.ByteString) KerberosName(org.apache.hadoop.security.authentication.util.KerberosName) VisibleForTesting(com.google.common.annotations.VisibleForTesting)
