Use of javax.security.sasl.AuthenticationException in project alluxio (by Alluxio).
Class ImpersonationAuthenticator, method authenticate.
/**
 * Decides whether {@code connectionUser} may act on behalf of {@code impersonationUser}.
 *
 * <p>Impersonation is granted when any one of the following holds:
 * <ul>
 *   <li>no impersonation is actually requested ({@code impersonationUser} is {@code null} or
 *       equals {@code connectionUser});</li>
 *   <li>the connection user's allowed-user set contains the wildcard or the target user;</li>
 *   <li>the connection user's allowed-group set contains the wildcard, or contains one of the
 *       groups that the <em>target</em> user belongs to (resolved through
 *       {@code CommonUtils.getGroups}).</li>
 * </ul>
 * Note that a wildcard in either set lets {@code connectionUser} impersonate anyone, and that the
 * group check is against the impersonated user's groups, not the connection user's.
 * {@code connectionUser} must be non-null: it is dereferenced before any lookup takes place.
 *
 * @param connectionUser the user of the connection
 * @param impersonationUser the user to impersonate
 * @throws AuthenticationException if the connectionUser is not allowed to impersonate the
 *         impersonationUser, or if the group membership of the impersonated user could not be
 *         resolved
 */
public void authenticate(String connectionUser, String impersonationUser) throws AuthenticationException {
  boolean noImpersonation = impersonationUser == null || connectionUser.equals(impersonationUser);
  if (noImpersonation) {
    // Plain connection: the caller is acting as itself, nothing to authorize.
    return;
  }
  Set<String> userAllowList = mImpersonationUsers.get(connectionUser);
  Set<String> groupAllowList = mImpersonationGroups.get(connectionUser);
  if (userAllowList == null && groupAllowList == null) {
    // Neither a user nor a group rule exists for this connection user: impersonation is off for it.
    throw new AuthenticationException(String.format("Failed to authenticate client user=\"%s\" connecting to Alluxio server and " + "impersonating as impersonationUser=\"%s\" to access Alluxio file system. " + "User \"%s\" is not configured to allow any impersonation. " + "Please read the guide to configure impersonation at %s", connectionUser, impersonationUser, connectionUser, RuntimeConstants.ALLUXIO_SECURITY_DOCS_URL));
  }
  // User rules: an exact match on the target user, or the wildcard, is sufficient.
  boolean userRuleMatches = userAllowList != null
      && (userAllowList.contains(WILDCARD) || userAllowList.contains(impersonationUser));
  if (userRuleMatches) {
    return;
  }
  // Group rules: the wildcard, or any group the impersonated user is a member of.
  if (groupAllowList != null) {
    if (groupAllowList.contains(WILDCARD)) {
      return;
    }
    try {
      for (String targetGroup : CommonUtils.getGroups(impersonationUser, mConfiguration)) {
        if (groupAllowList.contains(targetGroup)) {
          return;
        }
      }
    } catch (IOException e) {
      // A failed group lookup is treated as a denial rather than silently skipping the group rules.
      throw new AuthenticationException(String.format("Failed to authenticate client user=\"%s\" connecting to Alluxio master and " + "impersonating as impersonationUser=\"%s\" to access Alluxio file system: " + "Failed to get groups that impersonationUser=\"%s\" belongs to.", connectionUser, impersonationUser, impersonationUser), e);
    }
  }
  // Rules exist for this connection user, but none of them covers the requested target.
  throw new AuthenticationException(String.format("Failed to authenticate client user=\"%s\" connecting to Alluxio master and " + "impersonating as impersonationUser=\"%s\" to access Alluxio file system. " + "user=\"%s\" is not configured to impersonate as impersonationUser=\"%s\"." + "Please read the guide to configure impersonation at %s", connectionUser, impersonationUser, connectionUser, impersonationUser, RuntimeConstants.ALLUXIO_SECURITY_DOCS_URL));
}
Use of javax.security.sasl.AuthenticationException in project crate (by crate).
Class HostBasedAuthHandler, method channelRead.
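/**
 * Gates the first inbound message of a transport connection on the host-based auth config.
 *
 * <p>The peer's address, the {@code TRANSPORT} protocol and the SSL session (if any) are
 * resolved to an auth method via {@code authentication.resolveAuthenticationType}. The identity
 * checked is always {@code User.CRATE_USER}, with no password, so only the host-based rule decides.
 *
 * <p>Outcomes:
 * <ul>
 *   <li>success: this handler removes itself from the pipeline and forwards the message, so
 *       later messages on the channel are no longer checked;</li>
 *   <li>no matching rule, or the auth method throws: the message is released, the failure is
 *       remembered in {@code authError}, the TCP channel is force-closed and the error is
 *       rethrown. Any further read that still reaches this handler is rejected with the same
 *       stored error, without re-running authentication.</li>
 * </ul>
 * Because {@code authError} is per-instance mutable state, this handler assumes one instance per
 * channel (i.e. it must not be shared across pipelines) — confirm at the pipeline setup.
 *
 * @param ctx the handler context of the channel being read
 * @param msg the inbound message; released when the connection is rejected
 * @throws Exception the authentication failure, or whatever downstream handlers throw
 */
@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
    if (authError != null) {
        // This channel already failed once: fail fast with the stored error, no retry.
        rejectAndClose(ctx, msg);
        throw authError;
    }
    Channel channel = ctx.channel();
    InetAddress remoteAddress = Netty4HttpServerTransport.getRemoteAddress(channel);
    ConnectionProperties connectionProperties = new ConnectionProperties(remoteAddress, Protocol.TRANSPORT, SSL.getSession(channel));
    String userName = User.CRATE_USER.name();
    var authMethod = authentication.resolveAuthenticationType(userName, connectionProperties);
    if (authMethod == null) {
        // No auth.host_based entry covers this peer: deny rather than fall through.
        authError = new AuthenticationException("No valid auth.host_based entry found for: " + remoteAddress);
        rejectAndClose(ctx, msg);
        throw authError;
    }
    try {
        authMethod.authenticate(userName, null, connectionProperties);
        ctx.pipeline().remove(this);
        super.channelRead(ctx, msg);
    } catch (Exception e) {
        // NOTE(review): if super.channelRead throws after the message was handed downstream,
        // the release below is a second release of the same msg — pre-existing behaviour, kept.
        authError = e;
        rejectAndClose(ctx, msg);
        throw e;
    }
}

/**
 * Releases the rejected inbound message and force-closes the underlying TCP channel.
 *
 * @param ctx the handler context of the channel to close
 * @param msg the message to release
 */
private void rejectAndClose(ChannelHandlerContext ctx, Object msg) {
    ReferenceCountUtil.release(msg);
    Netty4TcpChannel tcpChannel = ctx.channel().attr(Netty4Transport.CHANNEL_KEY).get();
    CloseableChannel.closeChannel(tcpChannel, true);
}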
Use of javax.security.sasl.AuthenticationException in project hive (by apache).
Class PamAuthenticator, method authenticate.
/**
 * Checks the given credentials against every configured PAM service, in order.
 *
 * <p>{@code pamServiceNames} is split on commas as-is (no trimming), and the user must be accepted
 * by <em>all</em> listed services: the first service that rejects the credentials ends the check
 * with {@code false} and later services are not consulted.
 *
 * @param user the login name presented by the client
 * @param password the password presented by the client
 * @return {@code true} only if every configured PAM service accepted the credentials
 * @throws AuthenticationException if a PAM service could not be invoked at all; the underlying
 *         failure is attached as the cause. {@link Throwable} is caught deliberately so that
 *         {@code Error}s raised by the PAM binding are reported to the client as an auth error
 *         instead of escaping the authenticator
 */
private boolean authenticate(String user, String password) throws AuthenticationException {
  final String failurePrefix = "Error authenticating with the PAM service: ";
  for (String serviceName : pamServiceNames.split(",")) {
    boolean accepted;
    try {
      accepted = new Pam(serviceName).authenticateSuccessful(user, password);
    } catch (Throwable t) {
      // Infrastructure failure (not a wrong password): surface it with its cause.
      throw new AuthenticationException(failurePrefix + serviceName, t);
    }
    if (!accepted) {
      // One rejecting service is enough to deny; remaining services are skipped.
      return false;
    }
  }
  return true;
}
Use of javax.security.sasl.AuthenticationException in project hive (by apache).
Class AuthFactory, method getAuthTransFactory.
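/**
 * Builds the Thrift transport factory that enforces the configured client authentication for the
 * metastore server.
 *
 * <p>Two regimes, selected by {@code isSASLWithKerberizedHadoop()}:
 * <ul>
 *   <li><b>Kerberized Hadoop + SASL</b>: a SASL server transport is created from
 *       {@code saslServer} and wrapped with {@code wrapTransportFactoryInClientUGI}. If
 *       {@code authTypeStr} is a password-based type (NONE, LDAP, PAM, CUSTOM, CONFIG) a
 *       {@code PLAIN} mechanism backed by {@code MetaStorePlainSaslHelper.PlainServerCallbackHandler}
 *       is registered on that same factory in addition to Kerberos.</li>
 *   <li><b>No Kerberos</b>: password-based types get a PLAIN SASL transport; {@code NOSASL} gets a
 *       bare transport with no authentication at all, wrapped in {@code TUGIContainingTransport}
 *       when {@code executeSetUGI} is set (which, going by the name, carries a client-supplied UGI —
 *       i.e. the client asserts its own identity; confirm before relying on it).</li>
 * </ul>
 * Framed transport is rejected whenever SASL is in play, and {@code executeSetUGI} is rejected
 * together with password-based auth, as those combinations are unsupported.
 *
 * @param useSSL whether the SASL properties are computed for an SSL-wrapped transport
 * @param conf the metastore configuration
 * @return the transport factory to install on the server socket
 * @throws LoginException if {@code authTypeStr} is unsupported, an unsupported option combination
 *         is configured, or the SASL server transport / PLAIN callback handler could not be set up;
 *         in the latter cases the underlying exception is attached as the cause
 */
TTransportFactory getAuthTransFactory(boolean useSSL, Configuration conf) throws LoginException {
  TTransportFactory transportFactory;
  TSaslServerTransport.Factory serverTransportFactory;
  if (isSASLWithKerberizedHadoop()) {
    try {
      if (useFramedTransport) {
        throw new LoginException("Framed transport is not supported with SASL enabled.");
      }
      serverTransportFactory = saslServer.createSaslServerTransportFactory(MetaStoreUtils.getMetaStoreSaslProperties(conf, useSSL));
      transportFactory = saslServer.wrapTransportFactoryInClientUGI(serverTransportFactory);
    } catch (TTransportException e) {
      // Keep the transport failure as the cause; LoginException(String) alone would drop it.
      throw loginException(e.getMessage(), e);
    }
    if (authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.KERBEROS.getAuthName())) {
      // Kerberos only: the SASL server transport created above is all that is needed.
    } else if (isPasswordBasedAuthType()) {
      try {
        MetaStorePlainSaslHelper.init();
        LOG.debug("Adding server definition for PLAIN SaSL with authentication " + authTypeStr + " to transport factory " + serverTransportFactory);
        serverTransportFactory.addServerDefinition("PLAIN", authTypeStr, null, new HashMap<String, String>(), new MetaStorePlainSaslHelper.PlainServerCallbackHandler(authTypeStr, conf));
      } catch (AuthenticationException e) {
        throw loginException("Error setting callback handler" + e, e);
      }
    } else {
      throw new LoginException("Unsupported authentication type " + authTypeStr);
    }
  } else {
    if (isPasswordBasedAuthType()) {
      if (useFramedTransport) {
        throw new LoginException("Framed transport is not supported with password based " + "authentication enabled.");
      }
      if (executeSetUGI) {
        throw new LoginException("Setting " + ConfVars.EXECUTE_SET_UGI + " is not supported " + "with password based authentication enabled.");
      }
      LOG.info("Using plain SASL transport factory with " + authTypeStr + " authentication");
      transportFactory = MetaStorePlainSaslHelper.getPlainTransportFactory(authTypeStr, conf);
    } else if (authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.NOSASL.getAuthName())) {
      // No authentication on the wire in this branch; only the framing/UGI wrapping varies.
      if (executeSetUGI) {
        transportFactory = useFramedTransport ? new ChainedTTransportFactory(new TFramedTransport.Factory(), new TUGIContainingTransport.Factory()) : new TUGIContainingTransport.Factory();
      } else {
        transportFactory = useFramedTransport ? new TFramedTransport.Factory() : new TTransportFactory();
      }
    } else {
      throw new LoginException("Unsupported authentication type " + authTypeStr);
    }
  }
  return transportFactory;
}

/**
 * Returns whether {@code authTypeStr} names one of the password-based auth types that are served
 * through the PLAIN SASL mechanism (NONE, LDAP, PAM, CUSTOM, CONFIG). Comparison is case-insensitive.
 */
private boolean isPasswordBasedAuthType() {
  return authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.NONE.getAuthName())
      || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.LDAP.getAuthName())
      || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.PAM.getAuthName())
      || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.CUSTOM.getAuthName())
      || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.CONFIG.getAuthName());
}

/**
 * Builds a {@link LoginException} with {@code cause} attached. {@code LoginException} has no
 * (message, cause) constructor, so the cause must be set via {@code initCause} to keep it in logs.
 */
private static LoginException loginException(String message, Throwable cause) {
  LoginException le = new LoginException(message);
  le.initCause(cause);
  return le;
}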
Use of javax.security.sasl.AuthenticationException in project hive (by apache).
Class HiveAuthFactory, method getAuthTransFactory.
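/**
 * Builds the Thrift transport factory that enforces the configured client authentication for
 * HiveServer2.
 *
 * <p>Selection by {@code isSASLWithKerberizedHadoop()} and {@code authTypeStr}:
 * <ul>
 *   <li><b>Kerberized Hadoop + SASL</b>: a SASL server transport is created from {@code saslServer};
 *       for the password-based types (NONE, LDAP, PAM, CUSTOM) a {@code PLAIN} mechanism backed by
 *       {@code PlainSaslHelper.PlainServerCallbackHandler} is registered in addition; the result is
 *       wrapped by {@code saslServer.wrapTransportFactory}.</li>
 *   <li><b>No Kerberos, password-based type</b>: a PLAIN SASL transport.</li>
 *   <li><b>No Kerberos, {@code NOSASL}</b>: a bare {@code TTransportFactory}, i.e. no
 *       authentication on the wire.</li>
 * </ul>
 * Whatever the regime, if {@code HIVE_SERVER2_TRUSTED_DOMAIN} is non-empty the factory is
 * additionally wrapped by {@code PlainSaslHelper.getDualPlainTransportFactory}; this applies to the
 * Kerberos and NOSASL cases too, so review what that wrapper grants to clients in the trusted
 * domain before enabling it.
 *
 * @return the transport factory to install on the server socket
 * @throws LoginException if {@code authTypeStr} is unsupported, or the SASL server transport /
 *         PLAIN callback handler could not be set up; in the latter cases the underlying exception
 *         is attached as the cause
 */
public TTransportFactory getAuthTransFactory() throws LoginException {
  TTransportFactory transportFactory;
  TSaslServerTransport.Factory serverTransportFactory;
  if (isSASLWithKerberizedHadoop()) {
    try {
      serverTransportFactory = saslServer.createSaslServerTransportFactory(getSaslProperties());
    } catch (TTransportException e) {
      // Keep the transport failure as the cause; LoginException(String) alone would drop it.
      throw loginException(e.getMessage(), e);
    }
    if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.KERBEROS.getAuthName())) {
      // Kerberos only: the SASL server transport created above is all that is needed.
    } else if (isPasswordBasedAuthType()) {
      try {
        serverTransportFactory.addServerDefinition("PLAIN", authTypeStr, null, new HashMap<String, String>(), new PlainSaslHelper.PlainServerCallbackHandler(authTypeStr));
      } catch (AuthenticationException e) {
        throw loginException("Error setting callback handler" + e, e);
      }
    } else {
      throw new LoginException("Unsupported authentication type " + authTypeStr);
    }
    transportFactory = saslServer.wrapTransportFactory(serverTransportFactory);
  } else if (isPasswordBasedAuthType()) {
    transportFactory = PlainSaslHelper.getPlainTransportFactory(authTypeStr);
  } else if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NOSASL.getAuthName())) {
    // No authentication on the wire in this branch.
    transportFactory = new TTransportFactory();
  } else {
    throw new LoginException("Unsupported authentication type " + authTypeStr);
  }
  String trustedDomain = HiveConf.getVar(conf, ConfVars.HIVE_SERVER2_TRUSTED_DOMAIN).trim();
  if (!trustedDomain.isEmpty()) {
    // Applied on top of every regime above, including Kerberos and NOSASL.
    transportFactory = PlainSaslHelper.getDualPlainTransportFactory(transportFactory, trustedDomain);
  }
  return transportFactory;
}

/**
 * Returns whether {@code authTypeStr} names one of the password-based auth types served through the
 * PLAIN SASL mechanism (NONE, LDAP, PAM, CUSTOM). Comparison is case-insensitive.
 */
private boolean isPasswordBasedAuthType() {
  return authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NONE.getAuthName())
      || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.LDAP.getAuthName())
      || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.PAM.getAuthName())
      || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.CUSTOM.getAuthName());
}

/**
 * Builds a {@link LoginException} with {@code cause} attached. {@code LoginException} has no
 * (message, cause) constructor, so the cause must be set via {@code initCause} to keep it in logs.
 */
private static LoginException loginException(String message, Throwable cause) {
  LoginException le = new LoginException(message);
  le.initCause(cause);
  return le;
}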