
Example 1 with AppConfigurationEntry

Use of javax.security.auth.login.AppConfigurationEntry in the project flink by apache.

From class JaasModule, method install.

/**
 * Installs a dynamic JAAS configuration that routes the configured login contexts
 * to the Kerberos entries derived from {@code securityConfig}.
 *
 * <p>The previous login-config file property and the previously installed
 * {@code Configuration} are remembered in fields so the module can restore them later.
 * The final {@code Configuration.setConfiguration} call is JVM-wide: every
 * {@code LoginContext} created afterwards, in any thread, sees the new configuration.
 *
 * @param securityConfig the security settings supplying the Kerberos credentials and
 *                       the login-context names to wire up
 * @throws SecurityInstallException declared for callers; this body itself does not throw it
 */
@Override
public void install(SecurityUtils.SecurityConfiguration securityConfig) throws SecurityInstallException {
    // Some libraries (ZooKeeper, Kafka) look for this system property and expect the
    // referenced file to exist, so a default file is generated when none is configured.
    priorConfigFile = System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG, null);
    if (priorConfigFile == null) {
        final File generated = generateDefaultConfigFile();
        System.setProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG, generated.getAbsolutePath());
    }

    // Snapshot whatever JAAS configuration is currently installed (it is read from the
    // file above) and layer the dynamic configuration on top of it.
    priorConfig = javax.security.auth.login.Configuration.getConfiguration();
    currentConfig = new DynamicConfiguration(priorConfig);

    registerKrb5Entries(securityConfig);

    javax.security.auth.login.Configuration.setConfiguration(currentConfig);
}

/**
 * Adds the Kerberos JAAS entries, when any are configured, under every login-context
 * name listed in {@code securityConfig}. Does nothing when no Kerberos credentials
 * are configured.
 */
private void registerKrb5Entries(SecurityUtils.SecurityConfiguration securityConfig) {
    final AppConfigurationEntry[] krb5Entries = getAppConfigurationEntries(securityConfig);
    if (krb5Entries == null) {
        return;
    }
    for (String contextName : securityConfig.getLoginContextNames()) {
        currentConfig.addAppConfigurationEntry(contextName, krb5Entries);
    }
}

Example 2 with AppConfigurationEntry

Use of javax.security.auth.login.AppConfigurationEntry in the project flink by apache.

From class JaasModule, method getAppConfigurationEntries.

/**
 * Builds the Kerberos JAAS entries selected by the security configuration.
 *
 * <p>A ticket-cache entry is produced when the ticket cache is enabled and a keytab
 * entry when a keytab is configured. When both are present the keytab entry is listed
 * first; how a login then proceeds through the list depends on the control flags that
 * {@code KerberosUtils} puts on each entry.
 *
 * @param securityConfig the security settings (ticket-cache flag, keytab path, principal)
 * @return the entries in the order described above, or {@code null} when neither
 *         mechanism is configured (callers use {@code null} to skip wiring entirely)
 */
private static AppConfigurationEntry[] getAppConfigurationEntries(SecurityUtils.SecurityConfiguration securityConfig) {
    final AppConfigurationEntry ticketCacheAce =
            securityConfig.useTicketCache() ? KerberosUtils.ticketCacheEntry() : null;
    final AppConfigurationEntry keytabAce =
            securityConfig.getKeytab() != null
                    ? KerberosUtils.keytabEntry(securityConfig.getKeytab(), securityConfig.getPrincipal())
                    : null;

    if (keytabAce == null && ticketCacheAce == null) {
        return null;
    }
    if (ticketCacheAce == null) {
        return new AppConfigurationEntry[] { keytabAce };
    }
    if (keytabAce == null) {
        return new AppConfigurationEntry[] { ticketCacheAce };
    }
    // Keytab before ticket cache when both are configured.
    return new AppConfigurationEntry[] { keytabAce, ticketCacheAce };
}

Example 3 with AppConfigurationEntry

Use of javax.security.auth.login.AppConfigurationEntry in the project hadoop by apache.

From class UserGroupInformation, method getUGIFromTicketCache.

/**
   * Create a UserGroupInformation from a Kerberos ticket cache.
   *
   * <p>When Kerberos is not an enabled authentication method the cache is not
   * consulted at all and the result comes from {@code getBestUGI(null, user)}.
   * Otherwise a JAAS login is performed against the cache and the first principal
   * found in the resulting subject becomes the UGI user. Note that {@code user}
   * is not compared against that principal: it is only used for the
   * non-Kerberos fallback and to annotate the failure exception.
   *
   * @param ticketCache     the path to the ticket cache file
   * @param user            the principal name expected to be in the ticket cache
   * @return a UGI whose subject holds the principals logged in from the cache
   * @throws IOException        if the kerberos login fails; thrown as a
   *                            {@code KerberosAuthException} carrying the user
   *                            and the ticket cache path
   * @throws RuntimeException   if the login succeeds but the subject holds no principals
   */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation getUGIFromTicketCache(String ticketCache, String user) throws IOException {
    // Kerberos disabled: ignore the cache entirely and fall back to the best available UGI.
    if (!isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
        return getBestUGI(null, user);
    }
    try {
        Map<String, String> krbOptions = new HashMap<String, String>();
        if (IBM_JAVA) {
            krbOptions.put("useDefaultCcache", "true");
            // The first value searched when "useDefaultCcache" is used.
            // NOTE(review): this is a JVM-wide property and is never restored by this
            // method, so concurrent callers using different caches could observe each
            // other's value on IBM Java.
            System.setProperty("KRB5CCNAME", ticketCache);
        } else {
            // Non-interactive login from the given cache only: never prompt, never use a keytab.
            krbOptions.put("doNotPrompt", "true");
            krbOptions.put("useTicketCache", "true");
            krbOptions.put("useKeyTab", "false");
            krbOptions.put("ticketCache", ticketCache);
        }
        krbOptions.put("renewTGT", "false");
        // Applied last, so any key also present in BASIC_JAAS_OPTIONS overrides the values above.
        krbOptions.putAll(HadoopConfiguration.BASIC_JAAS_OPTIONS);
        AppConfigurationEntry ace = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED, krbOptions);
        // A private, single-entry JAAS configuration: the process-wide Configuration is not touched.
        DynamicConfiguration dynConf = new DynamicConfiguration(new AppConfigurationEntry[] { ace });
        LoginContext login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, null, dynConf);
        login.login();
        Subject loginSubject = login.getSubject();
        Set<Principal> loginPrincipals = loginSubject.getPrincipals();
        // NOTE(review): the login above succeeded but is not logged out on this path.
        if (loginPrincipals.isEmpty()) {
            throw new RuntimeException("No login principals found!");
        }
        // With several principals only a warning is emitted and the first one returned by
        // the Set's iterator is used; Set iteration order is not specified, so which
        // principal becomes the UGI user is then not deterministic.
        if (loginPrincipals.size() != 1) {
            LOG.warn("found more than one principal in the ticket cache file " + ticketCache);
        }
        // Record the Kerberos login in the subject so the UGI can later relogin/renew from it.
        User ugiUser = new User(loginPrincipals.iterator().next().getName(), AuthenticationMethod.KERBEROS, login);
        loginSubject.getPrincipals().add(ugiUser);
        UserGroupInformation ugi = new UserGroupInformation(loginSubject, false);
        ugi.setLogin(login);
        ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
        return ugi;
    } catch (LoginException le) {
        // Preserve the cause and attach the inputs that identify which login failed.
        KerberosAuthException kae = new KerberosAuthException(FAILURE_TO_LOGIN, le);
        kae.setUser(user);
        kae.setTicketCacheFile(ticketCache);
        throw kae;
    }
}

Example 4 with AppConfigurationEntry

Use of javax.security.auth.login.AppConfigurationEntry in the project flink by apache.

From class KerberosUtilsTest, method testKeytabEntry.

/**
 * A keytab path plus principal must yield a JAAS entry; only its presence is checked,
 * not its login-module name, control flag or options.
 */
@Test
public void testKeytabEntry() {
    // Sample values only; no file named "user.keytab" needs to exist for this test.
    final AppConfigurationEntry keytabEntry = KerberosUtils.keytabEntry("user.keytab", "user");
    assertNotNull(keytabEntry);
}

Example 5 with AppConfigurationEntry

Use of javax.security.auth.login.AppConfigurationEntry in the project flink by apache.

From class KerberosUtilsTest, method testTicketCacheEntry.

/**
 * The ticket-cache entry takes no arguments and must always be produced; only its
 * presence is checked here.
 */
@Test
public void testTicketCacheEntry() {
    assertNotNull(KerberosUtils.ticketCacheEntry());
}
