Use of javax.security.auth.kerberos.KerberosTicket in project storm by apache: class AutoTGTKrb5LoginModule, method commit.
/**
 * Second (commit) phase of the JAAS login: installs the TGT obtained during
 * the login phase into the Subject.
 *
 * Nothing is installed unless the login phase succeeded. A missing or
 * read-only Subject aborts the commit: the cached ticket is dropped and a
 * LoginException is raised. Otherwise a copy of the ticket is added to the
 * Subject's private credentials and the ticket's client principal to its
 * principals.
 *
 * @return false if the login phase did not succeed, true once the credentials are installed
 * @throws LoginException if the Subject is null or read-only
 */
public boolean commit() throws LoginException {
    if (!isSucceeded()) {
        return false;
    }
    boolean subjectUsable = subject != null && !subject.isReadOnly();
    if (!subjectUsable) {
        kerbTicket = null;
        throw new LoginException("Authentication failed because the Subject is invalid.");
    }
    // Each Subject gets its own copy: the JDK Kerberos code treats the TGT as
    // owned by a single Subject, so sharing one instance across Subjects can
    // leave an expired ticket that is never refreshed.
    KerberosTicket ticketForSubject = AuthUtils.cloneKerberosTicket(kerbTicket);
    subject.getPrivateCredentials().add(ticketForSubject);
    subject.getPrincipals().add(getKerbTicketClient());
    LOG.debug("Commit Succeeded.");
    return true;
}
Use of javax.security.auth.kerberos.KerberosTicket in project storm by apache: class AutoTGT, method populateSubjectWithTGT.
/**
 * Installs the TGT carried in the topology credentials into the given Subject.
 *
 * If no TGT is present in {@code credentials} the Subject is left untouched
 * and an info message is logged. Otherwise the Subject's existing credentials
 * are cleared, the ticket's client principal is added, and the ticket is
 * remembered in {@code kerbTicket} (presumably an AtomicReference given the
 * {@code set} call — confirm against the field declaration).
 *
 * @param subject     Subject to populate
 * @param credentials topology credentials map holding the serialized TGT
 */
private void populateSubjectWithTGT(Subject subject, Map<String, String> credentials) {
    KerberosTicket ticket = getTGT(credentials);
    if (ticket == null) {
        LOG.info("No TGT found in credentials");
        return;
    }
    // Drop whatever the subject held before, then install this ticket's
    // client principal and keep the ticket for later use.
    clearCredentials(subject, ticket);
    subject.getPrincipals().add(ticket.getClient());
    kerbTicket.set(ticket);
}
Use of javax.security.auth.kerberos.KerberosTicket in project storm by apache: class AutoTGT, method populateCredentials.
/**
 * Logs the configured client principal in and pushes its TGT into the
 * topology credentials map.
 *
 * The login uses the {@code AuthUtils.LOGIN_CONTEXT_CLIENT} section of the
 * JAAS configuration built from {@code conf}. Note that the configuration is
 * installed process-wide via {@code Configuration.setConfiguration}, a global
 * side effect visible to every other JAAS user in this JVM. The TGT is only
 * pushed when it is both forwardable and renewable, and the LoginContext is
 * always logged out afterwards, even on failure.
 *
 * @param credentials topology credentials map the serialized TGT is written to
 * @throws RuntimeException if the login fails, no TGT is found in the
 *         logged-in Subject, or the ticket is not forwardable or not renewable
 */
@Override
public void populateCredentials(Map<String, String> credentials) {
    try {
        Configuration login_conf = AuthUtils.GetConfiguration(conf);
        ClientCallbackHandler client_callback_handler = new ClientCallbackHandler(login_conf);
        Configuration.setConfiguration(login_conf);
        LoginContext lc = new LoginContext(AuthUtils.LOGIN_CONTEXT_CLIENT, client_callback_handler);
        try {
            lc.login();
            KerberosTicket tgt = requireUsableTgt(lc.getSubject(), login_conf);
            LOG.info("Pushing TGT for " + tgt.getClient() + " to topology.");
            saveTGT(tgt, credentials);
        } finally {
            lc.logout();
        }
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

// Fetches the TGT from the freshly logged-in Subject and rejects tickets the
// topology could not use: it must exist, be forwardable and be renewable.
private KerberosTicket requireUsableTgt(Subject subject, Configuration login_conf) {
    KerberosTicket tgt = getTGT(subject);
    if (tgt == null) {
        throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + login_conf);
    }
    if (!tgt.isForwardable()) {
        throw new RuntimeException("The TGT found is not forwardable");
    }
    if (!tgt.isRenewable()) {
        throw new RuntimeException("The TGT found is not renewable");
    }
    return tgt;
}
Use of javax.security.auth.kerberos.KerberosTicket in project storm by apache: class AuthUtils, method deserializeKerberosTicket.
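/**
 * Rebuilds a KerberosTicket from the bytes stored in the topology credentials
 * map (the inverse of the serialization done when the TGT is pushed).
 *
 * The input is Java-serialized data that has travelled through the
 * credentials map, so it is treated as untrusted: the stream only resolves
 * the classes a serialized ticket is made of (see isAllowedTicketClass) and
 * rejects any other class before it is instantiated, which closes the usual
 * deserialization gadget-chain entry point. The stream is also closed on
 * every path; previously close() was skipped whenever readObject() threw.
 *
 * @param tgtBytes Java-serialized KerberosTicket
 * @return the deserialized ticket
 * @throws RuntimeException wrapping the underlying failure if the bytes are
 *         malformed, reference a disallowed class, or do not hold a KerberosTicket
 */
public static KerberosTicket deserializeKerberosTicket(byte[] tgtBytes) {
    ByteArrayInputStream bin = new ByteArrayInputStream(tgtBytes);
    try (ObjectInputStream in = new ObjectInputStream(bin) {
            @Override
            protected Class<?> resolveClass(java.io.ObjectStreamClass desc)
                    throws java.io.IOException, ClassNotFoundException {
                String className = desc.getName();
                if (!isAllowedTicketClass(className)) {
                    throw new java.io.InvalidClassException(className,
                        "class not permitted while deserializing a KerberosTicket");
                }
                return super.resolveClass(desc);
            }
        }) {
        return (KerberosTicket) in.readObject();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

/**
 * Allow-list for the classes that appear in a serialized KerberosTicket.
 *
 * The set follows the JDK's serialized form of the ticket: the ticket itself,
 * its session key and client/server principals (all in
 * javax.security.auth.kerberos), the Date timestamps, the InetAddress client
 * addresses, and the byte[]/boolean[] arrays holding the ASN.1 encoding, key
 * material and flags. NOTE(review): re-check this list if a newer JDK adds a
 * field of another type to KerberosTicket.
 *
 * @param className class name as reported by ObjectStreamClass.getName()
 *                  (array names use the JVM "[" / "L...;" descriptor form)
 * @return true if instances of this class may be created from the stream
 */
private static boolean isAllowedTicketClass(String className) {
    String name = className;
    boolean isArray = name.startsWith("[");
    while (name.startsWith("[")) {
        name = name.substring(1);
    }
    if (isArray && name.length() == 1) {
        return true; // primitive array such as [B or [Z
    }
    if (isArray && name.startsWith("L") && name.endsWith(";")) {
        name = name.substring(1, name.length() - 1); // element class of an object array
    }
    return name.startsWith("javax.security.auth.kerberos.")
        || name.equals("java.util.Date")
        || name.equals("java.net.InetAddress")
        || name.equals("java.net.Inet4Address")
        || name.equals("java.net.Inet6Address");
}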
Use of javax.security.auth.kerberos.KerberosTicket in project hadoop by apache: class UserGroupInformation, method fixKerberosTicketOrder.
// if the first kerberos ticket is not TGT, then remove and destroy it since
// the kerberos library of jdk always use the first kerberos ticket as TGT.
// See HADOOP-13433 for more details.
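/**
 * Makes sure the first KerberosTicket in this UGI's private credentials is
 * the TGT.
 *
 * The JDK Kerberos library takes the first KerberosTicket in a Subject as the
 * TGT (HADOOP-13433), so any non-TGT ticket that precedes it is removed from
 * the credential set and destroyed. Iteration stops at the first TGT found;
 * if no ticket at all is found a warning is logged. The credential set is
 * iterated under its own monitor, matching the other accesses in this class.
 */
@VisibleForTesting
void fixKerberosTicketOrder() {
    Set<Object> creds = getSubject().getPrivateCredentials();
    synchronized (creds) {
        for (Iterator<Object> iter = creds.iterator(); iter.hasNext(); ) {
            Object cred = iter.next();
            if (!(cred instanceof KerberosTicket)) {
                continue;
            }
            KerberosTicket ticket = (KerberosTicket) cred;
            if (isTgt(ticket)) {
                return;
            }
            LOG.warn("The first kerberos ticket is not TGT" + "(the server principal is {}), remove and destroy it.", ticket.getServer());
            iter.remove();
            try {
                ticket.destroy();
            } catch (DestroyFailedException e) {
                LOG.warn("destroy ticket failed", e);
            }
        }
    }
    LOG.warn("Warning, no kerberos ticket found while attempting to renew ticket");
}

// A TGT is a ticket for the ticket-granting service, whose principal is always
// "krbtgt/<REALM>@<REALM>" (RFC 4120, section 7.3). Matching on "krbtgt/"
// rather than the bare "krbtgt" prefix avoids treating a service principal
// that merely starts with those letters as the TGT. A ticket whose server is
// gone (e.g. already destroyed) is not a usable TGT either.
private static boolean isTgt(KerberosTicket ticket) {
    KerberosPrincipal server = ticket.getServer();
    return server != null && server.getName().startsWith("krbtgt/");
}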