
Example 1 with KeyTab

use of javax.security.auth.kerberos.KeyTab in project hadoop by apache.

the class TestUserGroupInformation method testCheckTGTAfterLoginFromSubjectHelper.

/**
 * Logs in from a pre-built {@link Subject} that carries only a keytab and
 * verifies that the TGT check / keytab relogin path does not throw.
 *
 * @throws Exception if the login or the relogin check fails
 */
private void testCheckTGTAfterLoginFromSubjectHelper() throws Exception {
    // Switch Kerberos authentication on; by default the default realm is removed.
    SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
    UserGroupInformation.setConfiguration(conf);

    // Prepare the subject up front. KeyTab.getInstance() is the default,
    // unbound keytab; it is stored as a private credential because it stands
    // for long-term key material.
    final Subject presetSubject = new Subject();
    final KeyTab defaultKeytab = KeyTab.getInstance();
    presetSubject.getPrivateCredentials().add(defaultKeytab);

    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    final PrivilegedExceptionAction<Void> loginThenCheck = new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws IOException {
            UserGroupInformation.loginUserFromSubject(presetSubject);
            // The relogin check is expected to complete without throwing.
            UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
            return null;
        }
    };
    currentUser.doAs(loginThenCheck);
}
Also used : KeyTab(javax.security.auth.kerberos.KeyTab) IOException(java.io.IOException) Subject(javax.security.auth.Subject)

Example 2 with KeyTab

use of javax.security.auth.kerberos.KeyTab in project jdk8u_jdk by JetBrains.

the class ServiceCredsCombination method check.

/**
     * Checks that the acceptor credential created from the subject is bound to the expected name
     * @param a get a creds for this principal, null for default one
     * @param b expected name, null for still unbound, "NOCRED" for no creds
     * @param objs princs, keys and keytabs in the subject
     */
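private static void check(final String a, String b, Object... objs) throws Exception {
    // Build a fresh subject: principals go into the principal set, long-term
    // keys and keytabs into the private credential set. Any other object in
    // objs is silently ignored.
    final Subject subj = new Subject();
    for (Object obj : objs) {
        if (obj instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) obj);
        } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
            subj.getPrivateCredentials().add(obj);
        }
    }
    final GSSManager man = GSSManager.getInstance();
    try {
        String result = Subject.doAs(subj, new PrivilegedExceptionAction<String>() {

            @Override
            public String run() throws GSSException {
                // A null name requests the default (possibly unbound) credential.
                GSSName wanted = (a == null) ? null : man.createName(r(a), null);
                GSSCredential cred = man.createCredential(wanted, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY);
                GSSName name = cred.getName();
                return name == null ? null : name.toString();
            }
        });
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a + ") has name " + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        // NOTE(review): every failure raised inside the action is treated as
        // "no creds" when b is "NOCRED", whatever the underlying GSSException was.
        if (!"NOCRED".equals(b)) {
            // Keep the original failure as the cause so the report shows why
            // credential creation failed, not only that it did.
            throw new Exception("Check failed: getInstance(" + a + ") is null " + ", but not one with name " + b, e);
        }
    }
}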
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) Subject(javax.security.auth.Subject) PrivilegedActionException(java.security.PrivilegedActionException) GSSException(org.ietf.jgss.GSSException) KerberosKey(javax.security.auth.kerberos.KerberosKey) GSSException(org.ietf.jgss.GSSException) KeyTab(javax.security.auth.kerberos.KeyTab) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager)

Example 3 with KeyTab

use of javax.security.auth.kerberos.KeyTab in project jdk8u_jdk by JetBrains.

the class ServiceCreds method getInstance.

/**
     * Creates a ServiceCreds object based on info in a Subject for
     * a given principal name (if specified).
     * @return the object, or null if there is no private creds for it
     */
public static ServiceCreds getInstance(Subject subj, String serverPrincipal) {
    final ServiceCreds creds = new ServiceCreds();

    creds.allPrincs = subj.getPrincipals(KerberosPrincipal.class);
    // Compatibility: a key found in the subject implies its own principal.
    for (KerberosKey longTermKey : SubjectComber.findMany(subj, serverPrincipal, null, KerberosKey.class)) {
        creds.allPrincs.add(longTermKey.getPrincipal());
    }

    // Name used for the credential lookups below; stays null when the
    // credentials cannot be tied to a single principal.
    String lookupName = serverPrincipal;
    if (lookupName != null) {
        // The caller named the principal explicitly.
        creds.kp = new KerberosPrincipal(lookupName);
    } else if (creds.allPrincs.size() == 1) {
        // Exactly one principal is known: bind to it, but only when no keytab
        // in the subject is unbound. An unbound keytab leaves kp unset and
        // lookupName null.
        boolean everyKeytabBound = true;
        for (KeyTab candidate : SubjectComber.findMany(subj, null, null, KeyTab.class)) {
            if (!candidate.isBound()) {
                everyKeytabBound = false;
                break;
            }
        }
        if (everyKeytabBound) {
            creds.kp = creds.allPrincs.iterator().next();
            lookupName = creds.kp.getName();
        }
    }

    creds.ktabs = SubjectComber.findMany(subj, lookupName, null, KeyTab.class);
    creds.kk = SubjectComber.findMany(subj, lookupName, null, KerberosKey.class);
    creds.tgt = SubjectComber.find(subj, null, lookupName, KerberosTicket.class);

    // Without a keytab, a key or a ticket there is nothing to return.
    final boolean hasAnyCredential = !creds.ktabs.isEmpty() || !creds.kk.isEmpty() || creds.tgt != null;
    if (!hasAnyCredential) {
        return null;
    }
    creds.destroyed = false;
    return creds;
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) KerberosKey(javax.security.auth.kerberos.KerberosKey) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) KeyTab(javax.security.auth.kerberos.KeyTab)
