Example 21 with SaslServer

Use of javax.security.sasl.SaslServer in project accumulo by apache, class UGIAssumingProcessor, method process.

@Override
public boolean process(final TProtocol inProt, final TProtocol outProt) throws TException {
    TTransport trans = inProt.getTransport();
    if (!(trans instanceof TSaslServerTransport)) {
        throw new TException("Unexpected non-SASL transport " + trans.getClass() + ": " + trans);
    }
    TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
    SaslServer saslServer = saslTrans.getSaslServer();
    String authId = saslServer.getAuthorizationID();
    String endUser = authId;
    SaslMechanism mechanism;
    try {
        mechanism = SaslMechanism.get(saslServer.getMechanismName());
    } catch (Exception e) {
        log.error("Failed to process RPC with SASL mechanism {}", saslServer.getMechanismName());
        throw e;
    }
    switch(mechanism) {
        case GSSAPI:
            UserGroupInformation clientUgi = UserGroupInformation.createProxyUser(endUser, loginUser);
            final String remoteUser = clientUgi.getUserName();
            try {
                // Set the principal in the ThreadLocal for access to get authorizations
                rpcPrincipal.set(remoteUser);
                return wrapped.process(inProt, outProt);
            } finally {
                // Unset the principal after we're done using it just to be sure that it's not incorrectly
                // used in the same thread down the line.
                rpcPrincipal.set(null);
            }
        case DIGEST_MD5:
            // For DIGEST-MD5 the SASL callback handler has already set the rpcPrincipal for us.
            // We don't need to do it again here.
            try {
                rpcMechanism.set(mechanism);
                return wrapped.process(inProt, outProt);
            } finally {
                // Unset the mechanism after we're done using it just to be sure that it's not incorrectly
                // used in the same thread down the line.
                rpcMechanism.set(null);
            }
        default:
            throw new IllegalArgumentException("Cannot process SASL mechanism " + mechanism);
    }
}
Also used: TException (org.apache.thrift.TException), TSaslServerTransport (org.apache.thrift.transport.TSaslServerTransport), SaslServer (javax.security.sasl.SaslServer), SaslMechanism (org.apache.accumulo.core.rpc.SaslConnectionParams.SaslMechanism), TTransport (org.apache.thrift.transport.TTransport), IOException (java.io.IOException), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)

Example 22 with SaslServer

Use of javax.security.sasl.SaslServer in project apache-kafka-on-k8s by banzaicloud, class SaslServerAuthenticator, method createSaslKerberosServer.

private SaslServer createSaslKerberosServer(final AuthCallbackHandler saslServerCallbackHandler, final Map<String, ?> configs, Subject subject) throws IOException {
    // server is using a JAAS-authenticated subject: determine service principal name and hostname from kafka server's subject.
    final String servicePrincipal = SaslClientAuthenticator.firstPrincipal(subject);
    KerberosName kerberosName;
    try {
        kerberosName = KerberosName.parse(servicePrincipal);
    } catch (IllegalArgumentException e) {
        throw new KafkaException("Principal has name with unexpected format " + servicePrincipal);
    }
    final String servicePrincipalName = kerberosName.serviceName();
    final String serviceHostname = kerberosName.hostName();
    LOG.debug("Creating SaslServer for {} with mechanism {}", kerberosName, saslMechanism);
    // As described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html:
    // "To enable Java GSS to delegate to the native GSS library and its list of native mechanisms,
    // set the system property "sun.security.jgss.native" to true"
    // "In addition, when performing operations as a particular Subject, for example, Subject.doAs(...)
    // or Subject.doAsPrivileged(...), the to-be-used GSSCredential should be added to Subject's
    // private credential set. Otherwise, the GSS operations will fail since no credential is found."
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        try {
            GSSManager manager = GSSManager.getInstance();
            // This Oid is used to represent the Kerberos version 5 GSS-API mechanism. It is defined in
            // RFC 1964.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
            subject.getPrivateCredentials().add(cred);
        } catch (GSSException ex) {
            LOG.warn("Cannot add private credential to subject; clients authentication may fail", ex);
        }
    }
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler);
            }
        });
    } catch (PrivilegedActionException e) {
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}
Also used: GSSName (org.ietf.jgss.GSSName), PrivilegedActionException (java.security.PrivilegedActionException), SaslServer (javax.security.sasl.SaslServer), KerberosName (org.apache.kafka.common.security.kerberos.KerberosName), Oid (org.ietf.jgss.Oid), SaslException (javax.security.sasl.SaslException), GSSException (org.ietf.jgss.GSSException), GSSCredential (org.ietf.jgss.GSSCredential), GSSManager (org.ietf.jgss.GSSManager), KafkaException (org.apache.kafka.common.KafkaException)

Example 23 with SaslServer

Use of javax.security.sasl.SaslServer in project apache-kafka-on-k8s by banzaicloud, class DefaultKafkaPrincipalBuilderTest, method testPrincipalBuilderScram.

@Test
public void testPrincipalBuilderScram() throws Exception {
    SaslServer server = mock(SaslServer.class);
    EasyMock.expect(server.getMechanismName()).andReturn(ScramMechanism.SCRAM_SHA_256.mechanismName());
    EasyMock.expect(server.getAuthorizationID()).andReturn("foo");
    replayAll();
    DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null);
    KafkaPrincipal principal = builder.build(new SaslAuthenticationContext(server, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost()));
    assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType());
    assertEquals("foo", principal.getName());
    verifyAll();
}
Also used: DefaultKafkaPrincipalBuilder (org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder), SaslServer (javax.security.sasl.SaslServer), Test (org.junit.Test)

Example 24 with SaslServer

Use of javax.security.sasl.SaslServer in project kafka by apache, class DefaultKafkaPrincipalBuilderTest, method testPrincipalBuilderScram.

@Test
public void testPrincipalBuilderScram() throws Exception {
    SaslServer server = mock(SaslServer.class);
    when(server.getMechanismName()).thenReturn(ScramMechanism.SCRAM_SHA_256.mechanismName());
    when(server.getAuthorizationID()).thenReturn("foo");
    DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null);
    KafkaPrincipal principal = builder.build(new SaslAuthenticationContext(server, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name()));
    assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType());
    assertEquals("foo", principal.getName());
    verify(server, atLeastOnce()).getMechanismName();
    verify(server, atLeastOnce()).getAuthorizationID();
}
Also used: DefaultKafkaPrincipalBuilder (org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder), SaslServer (javax.security.sasl.SaslServer), Test (org.junit.jupiter.api.Test)

Example 25 with SaslServer

Use of javax.security.sasl.SaslServer in project alluxio by Alluxio, class PlainSaslServerProviderTest, method createNoSupportSaslServer.

/**
 * Tests that {@link Sasl#createSaslServer(String, String, String, Map, CallbackHandler)} returns
 * null when no registered provider supports the requested mechanism.
 */
@Test
public void createNoSupportSaslServer() throws Exception {
    // Request a mechanism ("NO_PLAIN") that no registered security provider supports;
    // Sasl.createSaslServer returns null rather than throwing in that case.
    SaslServer server = Sasl.createSaslServer("NO_PLAIN", "", "", new HashMap<String, String>(), null);
    assertNull(server);
}
Also used: SaslServer (javax.security.sasl.SaslServer), Test (org.junit.Test)

Aggregations

SaslServer (javax.security.sasl.SaslServer): 27
SaslException (javax.security.sasl.SaslException): 12
IOException (java.io.IOException): 8
PrivilegedActionException (java.security.PrivilegedActionException): 7
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException): 6
Principal (java.security.Principal): 5
DefaultKafkaPrincipalBuilder (org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder): 5
KerberosName (org.apache.kafka.common.security.kerberos.KerberosName): 4
TSaslServerTransport (org.apache.thrift.transport.TSaslServerTransport): 4
InetSocketAddress (java.net.InetSocketAddress): 3
HashMap (java.util.HashMap): 3
Callback (javax.security.auth.callback.Callback): 3
LoginException (javax.security.auth.login.LoginException): 3
AuthorizeCallback (javax.security.sasl.AuthorizeCallback): 3
KerberosShortNamer (org.apache.kafka.common.security.kerberos.KerberosShortNamer): 3
GSSCredential (org.ietf.jgss.GSSCredential): 3
GSSException (org.ietf.jgss.GSSException): 3
GSSManager (org.ietf.jgss.GSSManager): 3
GSSName (org.ietf.jgss.GSSName): 3
Oid (org.ietf.jgss.Oid): 3