
Example 21 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project hadoop by apache.

the class UserGroupInformation method reloginFromKeytab.

/**
   * Re-Login a user in from a keytab file. Loads a user identity from a keytab
   * file and logs them in. They become the currently logged-in user. This
   * method assumes that {@link #loginUserFromKeytab(String, String)} had
   * happened already.
   * The Subject field of this UserGroupInformation object is updated to have
   * the new credentials.
   * <p>
   * The relogin is skipped (the method returns silently) when this UGI was not
   * created from a keytab, when too little time has elapsed since the last
   * attempt, or when the current TGT is still valid and not yet due for
   * refresh; the {@code shouldRenewImmediatelyForTests} hook bypasses the
   * latter two checks. The logout/login pair runs under the class-wide lock,
   * so at most one UGI instance re-logs in at a time.
   * @throws IOException on a failure
   * @throws KerberosAuthException if no keytab login was performed on this
   *         UGI beforehand (no LoginContext or keytab file), or if the new
   *         login fails; the exception carries the principal and keytab path
   */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized void reloginFromKeytab() throws IOException {
    // Only keytab-based logins can be refreshed from a keytab.
    if (!shouldRelogin() || !isKeytab) {
        return;
    }
    long now = Time.now();
    // Throttle relogin attempts unless the test hook forces one.
    if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) {
        return;
    }
    KerberosTicket tgt = getTGT();
    //Return if TGT is valid and is not going to expire soon.
    if (tgt != null && !shouldRenewImmediatelyForTests && now < getRefreshTime(tgt)) {
        return;
    }
    LoginContext login = getLogin();
    if (login == null || keytabFile == null) {
        throw new KerberosAuthException(MUST_FIRST_LOGIN_FROM_KEYTAB);
    }
    // Stays 0 until login() is actually attempted, so a loginFailure metric is
    // only recorded for attempts that reached the KDC (see the catch block).
    long start = 0;
    // register most recent relogin attempt
    user.setLastLogin(now);
    try {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Initiating logout for " + getUserName());
        }
        // Class-level lock: serializes the logout/login sequence across all
        // UserGroupInformation instances in this JVM, not just this one.
        synchronized (UserGroupInformation.class) {
            // clear up the kerberos state. But the tokens are not cleared! As per
            // the Java kerberos login module code, only the kerberos credentials
            // are cleared
            // NOTE(review): between this logout() and the login() below the
            // subject holds no Kerberos credentials; code reading the subject
            // on another thread without taking the class lock may observe
            // that window - confirm all readers synchronize.
            login.logout();
            // login and also update the subject field of this instance to
            // have the new credentials (pass it to the LoginContext constructor)
            login = newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject(), new HadoopConfiguration());
            if (LOG.isDebugEnabled()) {
                LOG.debug("Initiating re-login for " + keytabPrincipal);
            }
            start = Time.now();
            login.login();
            // Ensure the TGT is the first KerberosTicket in the subject (see
            // fixKerberosTicketOrder) before the new context is published.
            fixKerberosTicketOrder();
            metrics.loginSuccess.add(Time.now() - start);
            // NOTE(review): only reached on success; if login() throws, this
            // instance keeps referencing the previous, already logged-out,
            // LoginContext until the next relogin attempt.
            setLogin(login);
        }
    } catch (LoginException le) {
        if (start > 0) {
            metrics.loginFailure.add(Time.now() - start);
        }
        // Wrap with the principal and keytab path so the caller can report
        // which identity failed to re-login.
        KerberosAuthException kae = new KerberosAuthException(LOGIN_FAILURE, le);
        kae.setPrincipal(keytabPrincipal);
        kae.setKeytabFile(keytabFile);
        throw kae;
    }
}

Example 22 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project hadoop by apache.

the class TestFixKerberosTicketOrder method test.

/**
 * Reproduces the situation where a service ticket precedes the TGT in the
 * Subject's private credentials, verifies that this breaks acquiring a new
 * service ticket, and checks that {@code fixKerberosTicketOrder()} restores
 * a working credential order.
 */
@Test
public void test() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(clientPrincipal, keytabFile.getCanonicalPath());
    // Obtain a service ticket for server1 so the subject holds more than the TGT.
    ugi.doAs(saslHandshake(server1Protocol));
    Subject subject = ugi.getSubject();
    // Move the TGT behind the service ticket(s). getPrivateCredentials(Class)
    // returns a fresh set, so mutating the live credential set is safe here.
    for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
        if (isTgt(ticket)) {
            subject.getPrivateCredentials().remove(ticket);
            subject.getPrivateCredentials().add(ticket);
            break;
        }
    }
    // Guard against a JDK whose credential set ordering no longer reproduces the bug.
    assertFalse("The first ticket is still tgt, " + "the implementation in jdk may have been changed, " + "please reconsider the problem in HADOOP-13433", firstTicketServerName(subject).startsWith("krbtgt"));
    // With a service ticket first, the client sends it instead of the TGT to the KDC and fails.
    intercept(SaslException.class, () -> ugi.doAs(saslHandshake(server2Protocol)));
    ugi.fixKerberosTicketOrder();
    // After the fix the TGT must be the first ticket again.
    assertTrue("The first ticket is not tgt", firstTicketServerName(subject).startsWith("krbtgt"));
    // And acquiring a new service ticket works again.
    ugi.doAs(saslHandshake(server2Protocol));
    boolean hasServer2Ticket = subject.getPrivateCredentials(KerberosTicket.class).stream().filter(t -> t.getServer().getName().startsWith(server2Protocol)).findAny().isPresent();
    assertTrue("No service ticket for " + server2Protocol + " found", hasServer2Ticket);
}

/**
 * Builds an action that performs a Kerberos SASL client handshake against the
 * given server protocol, which forces a service ticket to be obtained.
 */
private PrivilegedExceptionAction<Void> saslHandshake(final String serverProtocol) {
    return () -> {
        SaslClient client = Sasl.createSaslClient(new String[] { AuthMethod.KERBEROS.getMechanismName() }, clientPrincipal, serverProtocol, host, props, null);
        client.evaluateChallenge(new byte[0]);
        client.dispose();
        return null;
    };
}

/** Server principal name of the first KerberosTicket in the subject's private credentials. */
private static String firstTicketServerName(Subject subject) {
    return subject.getPrivateCredentials().stream().filter(c -> c instanceof KerberosTicket).map(c -> ((KerberosTicket) c).getServer().getName()).findFirst().get();
}

/** True if the ticket's server principal is a ticket-granting service ("krbtgt/..."). */
private static boolean isTgt(KerberosTicket ticket) {
    return ticket.getServer().getName().startsWith("krbtgt");
}

Example 23 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project presto by prestodb.

the class CachingKerberosHadoopAuthentication method calculateNextRefreshTime.

/**
 * Computes when the Kerberos credentials of the given UGI should next be
 * refreshed, derived from the refresh time of its ticket-granting ticket.
 *
 * @param userGroupInformation a Kerberos-based UGI whose Subject holds a TGT
 * @return the refresh time reported by {@code KerberosTicketUtils.getRefreshTime}
 *         for the UGI's TGT
 * @throws IllegalArgumentException (via {@code checkArgument}) if the UGI
 *         carries no Subject
 */
private long calculateNextRefreshTime(UserGroupInformation userGroupInformation) {
    Subject kerberosSubject = getSubject(userGroupInformation);
    checkArgument(kerberosSubject != null, "subject must be present in kerberos based UGI");
    KerberosTicket ticketGrantingTicket = getTicketGrantingTicket(kerberosSubject);
    return KerberosTicketUtils.getRefreshTime(ticketGrantingTicket);
}

Example 24 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project jstorm by alibaba.

the class AutoTGT method getTGT.

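/**
 * Finds the ticket-granting ticket (TGT) among the Subject's private credentials.
 * A ticket counts as the TGT when its server principal is exactly
 * {@code krbtgt/<realm>@<realm>}, i.e. the TGT for the ticket's own realm;
 * cross-realm TGTs ({@code krbtgt/OTHER@REALM}) are deliberately not matched.
 *
 * @param subject the logged-in Subject whose private credentials hold KerberosTickets
 * @return the first matching TGT in iteration order, or {@code null} if none is present
 */
private static KerberosTicket getTGT(Subject subject) {
    // getPrivateCredentials(Class) hands back a copy, so iterating it is safe
    // even if the subject is modified concurrently.
    for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
        KerberosPrincipal server = ticket.getServer();
        String realm = server.getRealm();
        // The server principal of a same-realm TGT has the form krbtgt/REALM@REALM.
        if (server.getName().equals("krbtgt/" + realm + "@" + realm)) {
            return ticket;
        }
    }
    return null;
}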

Example 25 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project jstorm by alibaba.

the class AutoTGT method populateCredentials.

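/**
 * Logs the configured user in via JAAS, extracts the ticket-granting ticket
 * from the resulting Subject and stores it in the credentials map through
 * {@code saveTGT}. The TGT must be forwardable and renewable; otherwise the
 * method fails. The map afterwards carries a live TGT, so it should be
 * treated as secret material.
 * <p>
 * Side effect: {@code Configuration.setConfiguration} installs the login
 * configuration process-wide for the JVM.
 *
 * @param credentials map that receives the serialized TGT
 * @throws RuntimeException if the login fails, if no TGT was obtained, or if
 *         the TGT is not forwardable or not renewable; checked exceptions
 *         from the login machinery are wrapped with their cause preserved
 */
@Override
public void populateCredentials(Map<String, String> credentials) {
    // Log the user in and get the TGT
    try {
        Configuration loginConf = AuthUtils.GetConfiguration(conf);
        ClientCallbackHandler callbackHandler = new ClientCallbackHandler(loginConf);
        // login our user (JVM-wide JAAS configuration switch)
        Configuration.setConfiguration(loginConf);
        LoginContext lc = new LoginContext(AuthUtils.LOGIN_CONTEXT_CLIENT, callbackHandler);
        try {
            lc.login();
            final Subject subject = lc.getSubject();
            KerberosTicket tgt = getTGT(subject);
            if (tgt == null) {
                throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + loginConf);
            }
            // A non-forwardable TGT cannot be delegated to the topology.
            if (!tgt.isForwardable()) {
                throw new RuntimeException("The TGT found is not forwardable");
            }
            // A non-renewable TGT would expire without the holder being able to extend it.
            if (!tgt.isRenewable()) {
                throw new RuntimeException("The TGT found is not renewable");
            }
            LOG.info("Pushing TGT for " + tgt.getClient() + " to topology.");
            // saveTGT must run before logout(): logging out removes the
            // credentials from the subject.
            saveTGT(tgt, credentials);
        } finally {
            lc.logout();
        }
    } catch (RuntimeException e) {
        // Our own validation failures above are already RuntimeExceptions;
        // rethrow them as-is instead of wrapping them a second time.
        throw e;
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}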
