Example 1 with AuthenticationException

use of javax.security.sasl.AuthenticationException in project alluxio by Alluxio.

the class ImpersonationAuthenticator method authenticate.

/**
 * @param connectionUser the user of the connection
 * @param impersonationUser the user to impersonate
 * @throws AuthenticationException if the connectionUser is not allowed to impersonate the
 *         impersonationUser
 */
public void authenticate(String connectionUser, String impersonationUser) throws AuthenticationException {
    if (impersonationUser == null || connectionUser.equals(impersonationUser)) {
        // Impersonation is not being used.
        return;
    }
    Set<String> allowedUsers = mImpersonationUsers.get(connectionUser);
    Set<String> allowedGroups = mImpersonationGroups.get(connectionUser);
    if (allowedUsers == null && allowedGroups == null) {
        throw new AuthenticationException(String.format(
            "Failed to authenticate client user=\"%s\" connecting to Alluxio server and "
                + "impersonating as impersonationUser=\"%s\" to access Alluxio file system. "
                + "User \"%s\" is not configured to allow any impersonation. "
                + "Please read the guide to configure impersonation at %s",
            connectionUser, impersonationUser, connectionUser, RuntimeConstants.ALLUXIO_SECURITY_DOCS_URL));
    }
    // Check the impersonation users configs
    if (allowedUsers != null) {
        if (allowedUsers.contains(WILDCARD) || allowedUsers.contains(impersonationUser)) {
            // Impersonation is allowed
            return;
        }
    }
    // Check the impersonation groups configs
    if (allowedGroups != null) {
        if (allowedGroups.contains(WILDCARD)) {
            // Impersonation is allowed for all groups
            return;
        }
        try {
            for (String impersonationGroup : CommonUtils.getGroups(impersonationUser, mConfiguration)) {
                if (allowedGroups.contains(impersonationGroup)) {
                    // Impersonation is allowed for this group
                    return;
                }
            }
        } catch (IOException e) {
            throw new AuthenticationException(String.format(
                "Failed to authenticate client user=\"%s\" connecting to Alluxio master and "
                    + "impersonating as impersonationUser=\"%s\" to access Alluxio file system: "
                    + "Failed to get groups that impersonationUser=\"%s\" belongs to.",
                connectionUser, impersonationUser, impersonationUser), e);
        }
    }
    throw new AuthenticationException(String.format(
        "Failed to authenticate client user=\"%s\" connecting to Alluxio master and "
            + "impersonating as impersonationUser=\"%s\" to access Alluxio file system. "
            + "user=\"%s\" is not configured to impersonate as impersonationUser=\"%s\". "
            + "Please read the guide to configure impersonation at %s",
        connectionUser, impersonationUser, connectionUser, impersonationUser, RuntimeConstants.ALLUXIO_SECURITY_DOCS_URL));
}
Also used: AuthenticationException (javax.security.sasl.AuthenticationException), IOException (java.io.IOException)

Example 2 with AuthenticationException

use of javax.security.sasl.AuthenticationException in project crate by crate.

the class HostBasedAuthHandler method channelRead.

@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
    if (authError != null) {
        ReferenceCountUtil.release(msg);
        Netty4TcpChannel tcpChannel = ctx.channel().attr(Netty4Transport.CHANNEL_KEY).get();
        CloseableChannel.closeChannel(tcpChannel, true);
        throw authError;
    }
    Channel channel = ctx.channel();
    InetAddress remoteAddress = Netty4HttpServerTransport.getRemoteAddress(channel);
    ConnectionProperties connectionProperties = new ConnectionProperties(remoteAddress, Protocol.TRANSPORT, SSL.getSession(channel));
    String userName = User.CRATE_USER.name();
    var authMethod = authentication.resolveAuthenticationType(userName, connectionProperties);
    if (authMethod == null) {
        ReferenceCountUtil.release(msg);
        authError = new AuthenticationException("No valid auth.host_based entry found for: " + remoteAddress);
        Netty4TcpChannel tcpChannel = ctx.channel().attr(Netty4Transport.CHANNEL_KEY).get();
        CloseableChannel.closeChannel(tcpChannel, true);
        throw authError;
    }
    try {
        authMethod.authenticate(userName, null, connectionProperties);
        ctx.pipeline().remove(this);
        super.channelRead(ctx, msg);
    } catch (Exception e) {
        ReferenceCountUtil.release(msg);
        authError = e;
        Netty4TcpChannel tcpChannel = ctx.channel().attr(Netty4Transport.CHANNEL_KEY).get();
        CloseableChannel.closeChannel(tcpChannel, true);
        throw e;
    }
}
Also used: AuthenticationException (javax.security.sasl.AuthenticationException), Channel (io.netty.channel.Channel), CloseableChannel (org.elasticsearch.common.network.CloseableChannel), ConnectionProperties (io.crate.protocols.postgres.ConnectionProperties), InetAddress (java.net.InetAddress)

Example 3 with AuthenticationException

use of javax.security.sasl.AuthenticationException in project hive by apache.

the class PamAuthenticator method authenticate.

private boolean authenticate(String user, String password) throws AuthenticationException {
    String[] pamServices = pamServiceNames.split(",");
    String errorMsg = "Error authenticating with the PAM service: ";
    for (String pamService : pamServices) {
        try {
            Pam pam = new Pam(pamService);
            if (!pam.authenticateSuccessful(user, password)) {
                return false;
            }
        } catch (Throwable e) {
            // Catch Throwable rather than Exception: a missing native PAM library would otherwise
            // crash this thread and leave the client hanging instead of receiving an error.
            throw new AuthenticationException(errorMsg + pamService, e);
        }
    }
    return true;
}
Also used: AuthenticationException (javax.security.sasl.AuthenticationException), Pam (net.sf.jpam.Pam)

Example 4 with AuthenticationException

use of javax.security.sasl.AuthenticationException in project hive by apache.

the class AuthFactory method getAuthTransFactory.

TTransportFactory getAuthTransFactory(boolean useSSL, Configuration conf) throws LoginException {
    TTransportFactory transportFactory;
    TSaslServerTransport.Factory serverTransportFactory;
    if (isSASLWithKerberizedHadoop()) {
        try {
            if (useFramedTransport) {
                throw new LoginException("Framed transport is not supported with SASL enabled.");
            }
            serverTransportFactory = saslServer.createSaslServerTransportFactory(MetaStoreUtils.getMetaStoreSaslProperties(conf, useSSL));
            transportFactory = saslServer.wrapTransportFactoryInClientUGI(serverTransportFactory);
        } catch (TTransportException e) {
            throw new LoginException(e.getMessage());
        }
        if (authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.KERBEROS.getAuthName())) {
            // no-op
        } else if (authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.NONE.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.LDAP.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.PAM.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.CUSTOM.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.CONFIG.getAuthName())) {
            try {
                MetaStorePlainSaslHelper.init();
                LOG.debug("Adding server definition for PLAIN SaSL with authentication " + authTypeStr + " to transport factory " + serverTransportFactory);
                serverTransportFactory.addServerDefinition("PLAIN", authTypeStr, null, new HashMap<String, String>(), new MetaStorePlainSaslHelper.PlainServerCallbackHandler(authTypeStr, conf));
            } catch (AuthenticationException e) {
                throw new LoginException("Error setting callback handler" + e);
            }
        } else {
            throw new LoginException("Unsupported authentication type " + authTypeStr);
        }
    } else {
        if (authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.NONE.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.LDAP.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.PAM.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.CUSTOM.getAuthName())
                || authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.CONFIG.getAuthName())) {
            if (useFramedTransport) {
                throw new LoginException("Framed transport is not supported with password based " + "authentication enabled.");
            }
            if (executeSetUGI) {
                throw new LoginException("Setting " + ConfVars.EXECUTE_SET_UGI + " is not supported " + "with password based authentication enabled.");
            }
            LOG.info("Using plain SASL transport factory with " + authTypeStr + " authentication");
            transportFactory = MetaStorePlainSaslHelper.getPlainTransportFactory(authTypeStr, conf);
        } else if (authTypeStr.equalsIgnoreCase(AuthConstants.AuthTypes.NOSASL.getAuthName())) {
            if (executeSetUGI) {
                transportFactory = useFramedTransport ? new ChainedTTransportFactory(new TFramedTransport.Factory(), new TUGIContainingTransport.Factory()) : new TUGIContainingTransport.Factory();
            } else {
                transportFactory = useFramedTransport ? new TFramedTransport.Factory() : new TTransportFactory();
            }
        } else {
            throw new LoginException("Unsupported authentication type " + authTypeStr);
        }
    }
    return transportFactory;
}
Also used: TUGIContainingTransport (org.apache.hadoop.hive.metastore.security.TUGIContainingTransport), HashMap (java.util.HashMap), AuthenticationException (javax.security.sasl.AuthenticationException), TTransportException (org.apache.thrift.transport.TTransportException), LoggerFactory (org.slf4j.LoggerFactory), TTransportFactory (org.apache.thrift.transport.TTransportFactory), TSaslServerTransport (org.apache.thrift.transport.TSaslServerTransport), TFramedTransport (org.apache.thrift.transport.layered.TFramedTransport), LoginException (javax.security.auth.login.LoginException)

Example 5 with AuthenticationException

use of javax.security.sasl.AuthenticationException in project hive by apache.

the class HiveAuthFactory method getAuthTransFactory.

public TTransportFactory getAuthTransFactory() throws LoginException {
    TTransportFactory transportFactory;
    TSaslServerTransport.Factory serverTransportFactory;
    if (isSASLWithKerberizedHadoop()) {
        try {
            serverTransportFactory = saslServer.createSaslServerTransportFactory(getSaslProperties());
        } catch (TTransportException e) {
            throw new LoginException(e.getMessage());
        }
        if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.KERBEROS.getAuthName())) {
            // no-op
        } else if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NONE.getAuthName())
                || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.LDAP.getAuthName())
                || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.PAM.getAuthName())
                || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.CUSTOM.getAuthName())) {
            try {
                serverTransportFactory.addServerDefinition("PLAIN", authTypeStr, null, new HashMap<String, String>(), new PlainSaslHelper.PlainServerCallbackHandler(authTypeStr));
            } catch (AuthenticationException e) {
                throw new LoginException("Error setting callback handler" + e);
            }
        } else {
            throw new LoginException("Unsupported authentication type " + authTypeStr);
        }
        transportFactory = saslServer.wrapTransportFactory(serverTransportFactory);
    } else if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NONE.getAuthName())
            || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.LDAP.getAuthName())
            || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.PAM.getAuthName())
            || authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.CUSTOM.getAuthName())) {
        transportFactory = PlainSaslHelper.getPlainTransportFactory(authTypeStr);
    } else if (authTypeStr.equalsIgnoreCase(HiveAuthConstants.AuthTypes.NOSASL.getAuthName())) {
        transportFactory = new TTransportFactory();
    } else {
        throw new LoginException("Unsupported authentication type " + authTypeStr);
    }
    String trustedDomain = HiveConf.getVar(conf, ConfVars.HIVE_SERVER2_TRUSTED_DOMAIN).trim();
    if (!trustedDomain.isEmpty()) {
        transportFactory = PlainSaslHelper.getDualPlainTransportFactory(transportFactory, trustedDomain);
    }
    return transportFactory;
}
Also used: TSaslServerTransport (org.apache.thrift.transport.TSaslServerTransport), HashMap (java.util.HashMap), AuthenticationException (javax.security.sasl.AuthenticationException), TTransportException (org.apache.thrift.transport.TTransportException), LoginException (javax.security.auth.login.LoginException), TTransportFactory (org.apache.thrift.transport.TTransportFactory)
