Example 76 with AppConfigurationEntry
use of javax.security.auth.login.AppConfigurationEntry in project cdap by caskdata.
the class SecurityUtil method enableKerberosLogin.
/**
* Enables Kerberos authentication based on configuration.
*
* @param cConf configuration object.
*/
public static void enableKerberosLogin(CConfiguration cConf) throws IOException {
if (System.getProperty(Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG) != null) {
LOG.warn("Environment variable '{}' was already set to {}. Not generating JAAS configuration.", Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG, System.getProperty(Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG));
return;
}
if (!isKerberosEnabled(cConf)) {
LOG.info("Kerberos login is not enabled. To enable Kerberos login, enable {} and configure {} and {}", Constants.Security.KERBEROS_ENABLED, Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL, Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH);
return;
}
Preconditions.checkArgument(cConf.get(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL) != null, "Kerberos authentication is enabled, but " + Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL + " is not configured");
String principal = cConf.get(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL);
principal = expandPrincipal(principal);
Preconditions.checkArgument(cConf.get(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH) != null, "Kerberos authentication is enabled, but " + Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH + " is not configured");
File keytabFile = new File(cConf.get(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH));
Preconditions.checkArgument(Files.isReadable(keytabFile.toPath()), "Keytab file is not a readable file: %s", keytabFile);
LOG.info("Using Kerberos principal {} and keytab {}", principal, keytabFile.getAbsolutePath());
System.setProperty(Constants.External.Zookeeper.ENV_AUTH_PROVIDER_1, "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
System.setProperty(Constants.External.Zookeeper.ENV_ALLOW_SASL_FAILED_CLIENTS, "true");
System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");
final Map<String, String> properties = new HashMap<>();
properties.put("doNotPrompt", "true");
properties.put("useKeyTab", "true");
properties.put("useTicketCache", "false");
properties.put("principal", principal);
properties.put("keyTab", keytabFile.getAbsolutePath());
final AppConfigurationEntry configurationEntry = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, properties);
Configuration configuration = new Configuration() {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String s) {
return new AppConfigurationEntry[] { configurationEntry };
}
};
// apply the configuration
Configuration.setConfiguration(configuration);
}
Also used :
AppConfigurationEntry(javax.security.auth.login.AppConfigurationEntry)
CConfiguration(co.cask.cdap.common.conf.CConfiguration)
Configuration(javax.security.auth.login.Configuration)
HashMap(java.util.HashMap)
File(java.io.File)
Aggregations
AppConfigurationEntry (javax.security.auth.login.AppConfigurationEntry)76
HashMap (java.util.HashMap)31
Configuration (javax.security.auth.login.Configuration)26
Map (java.util.Map)13
Test (org.junit.Test)11
Subject (javax.security.auth.Subject)10
LoginContext (javax.security.auth.login.LoginContext)10
SSOException (com.iplanet.sso.SSOException)7
SMSException (com.sun.identity.sm.SMSException)7
HashSet (java.util.HashSet)7
JaasRealm (org.apache.karaf.jaas.config.JaasRealm)7
Set (java.util.Set)6
LoginException (javax.security.auth.login.LoginException)5
IOException (java.io.IOException)4
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)4
CallbackHandler (javax.security.auth.callback.CallbackHandler)4
LoginModuleControlFlag (javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag)4
LoginModuleImpl (org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl)4
File (java.io.File)3
Principal (java.security.Principal)3
