
Example 11 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.

From class SaslServerDigestCallbackHandler, method getIdentifier.

/**
 * Rebuilds the token identifier that a DIGEST-MD5 client presented as its user name.
 *
 * @param id the encoded identifier string supplied by the client (decoded via decodeIdentifier)
 * @param secretManager source of a fresh, empty AuthenticationTokenIdentifier to populate
 * @return the identifier populated from the decoded bytes
 * @throws InvalidToken if the decoded bytes cannot be read back into an identifier; the
 *     underlying IOException is attached as the cause
 */
private AuthenticationTokenIdentifier getIdentifier(String id, AuthenticationTokenSecretManager secretManager) throws InvalidToken {
    final byte[] serialized = decodeIdentifier(id);
    final AuthenticationTokenIdentifier identifier = secretManager.createIdentifier();
    final DataInputStream in = new DataInputStream(new ByteArrayInputStream(serialized));
    try {
        identifier.readFields(in);
    } catch (IOException e) {
        // InvalidToken has no (message, cause) constructor; attach the cause explicitly.
        InvalidToken invalid = new InvalidToken("Can't de-serialize tokenIdentifier");
        invalid.initCause(e);
        throw invalid;
    }
    return identifier;
}

Example 12 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.

From class SaslServerDigestCallbackHandler, method handle.

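/**
 * Services the callbacks issued by the SASL DIGEST-MD5 server during client authentication.
 *
 * <p>The client's SASL user name carries an encoded AuthenticationTokenIdentifier. For the
 * PasswordCallback, that identifier is deserialized, the matching password is looked up through
 * the secret manager and handed to the SASL layer, and the RPC principal thread-local is set to
 * the token's user. For the AuthorizeCallback, authorization is granted only when the
 * authentication and authorization ids are identical, i.e. no impersonation is possible here.
 * RealmCallbacks are ignored.
 *
 * @param callbacks the callbacks supplied by the SASL server
 * @throws InvalidToken if an identifier cannot be deserialized, or a PasswordCallback arrives
 *     without the NameCallback that carries the identifier
 * @throws UnsupportedCallbackException for any callback type not handled here
 */
@Override
public void handle(Callback[] callbacks) throws InvalidToken, UnsupportedCallbackException {
    NameCallback nc = null;
    PasswordCallback pc = null;
    AuthorizeCallback ac = null;
    for (Callback callback : callbacks) {
        if (callback instanceof AuthorizeCallback) {
            ac = (AuthorizeCallback) callback;
        } else if (callback instanceof NameCallback) {
            nc = (NameCallback) callback;
        } else if (callback instanceof PasswordCallback) {
            pc = (PasswordCallback) callback;
        } else if (callback instanceof RealmCallback) {
            // realm is ignored
            continue;
        } else {
            throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback");
        }
    }
    if (pc != null) {
        if (nc == null) {
            // The identifier is carried in the NameCallback; without it there is nothing to look up.
            // Fail as an authentication error instead of a NullPointerException on nc below.
            throw new InvalidToken("PasswordCallback received without a NameCallback");
        }
        AuthenticationTokenIdentifier tokenIdentifier = getIdentifier(nc.getDefaultName(), secretManager);
        char[] password = getPassword(secretManager, tokenIdentifier);
        UserGroupInformation user = tokenIdentifier.getUser();
        // Set the principal since we already deserialized the token identifier
        UGIAssumingProcessor.getRpcPrincipalThreadLocal().set(user.getUserName());
        log.trace("SASL server DIGEST-MD5 callback: setting password for client: {}", user);
        pc.setPassword(password);
    }
    if (ac != null) {
        String authid = ac.getAuthenticationID();
        String authzid = ac.getAuthorizationID();
        // A DIGEST-MD5 client may only act as itself: authorization id must equal authentication id.
        boolean sameIdentity = authid.equals(authzid);
        ac.setAuthorized(sameIdentity);
        if (sameIdentity) {
            String username = getIdentifier(authzid, secretManager).getUser().getUserName();
            log.trace("SASL server DIGEST-MD5 callback: setting canonicalized client ID: {}", username);
            ac.setAuthorizedID(authzid);
        }
    }
}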

Example 13 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.

From class MasterClientServiceHandler, method getDelegationToken.

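/**
 * Issues a new delegation token to the calling principal.
 *
 * <p>Authorization is checked first (the caller must be permitted to obtain delegation tokens),
 * then the availability of delegation tokens on this master (which requires SASL), and only then
 * is a token generated by the master's secret manager.
 *
 * @param tinfo Thrift trace info (unused here)
 * @param credentials the authenticated caller; the token is issued for its principal
 * @param tConfig the Thrift form of the requested token configuration
 * @return the generated token as a Thrift password/identifier pair
 * @throws ThriftSecurityException if the caller is not permitted to obtain a delegation token
 * @throws TException if delegation tokens are unavailable or token generation fails
 */
@Override
public TDelegationToken getDelegationToken(TInfo tinfo, TCredentials credentials, TDelegationTokenConfig tConfig) throws ThriftSecurityException, TException {
    if (!master.security.canObtainDelegationToken(credentials)) {
        throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }
    // Round-about way to verify that SASL is also enabled.
    if (!master.delegationTokensAvailable()) {
        throw new TException("Delegation tokens are not available for use");
    }
    final DelegationTokenConfig config = DelegationTokenConfigSerializer.deserialize(tConfig);
    final AuthenticationTokenSecretManager secretManager = master.getSecretManager();
    try {
        // Same accessor as the permission check above, rather than reaching into the Thrift field.
        Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> pair = secretManager.generateToken(credentials.getPrincipal(), config);
        return new TDelegationToken(ByteBuffer.wrap(pair.getKey().getPassword()), pair.getValue().getThriftIdentifier());
    } catch (Exception e) {
        // Preserve the original exception as the cause so the server-side stack trace is not lost;
        // only the message crosses the wire to the client.
        throw new TException(e.getMessage(), e);
    }
}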

Example 14 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.

From class AuthenticationTokenSecretManagerTest, method testExpiredPasswordsThrowError.

/**
 * A token whose lifetime has elapsed must be rejected with InvalidToken when its password is
 * retrieved, even though the identifier itself deserializes cleanly.
 */
@Test(expected = InvalidToken.class)
public void testExpiredPasswordsThrowError() throws Exception {
    // Lifetime short enough that the token is expired by the time it is looked up below.
    final long lifetimeMillis = 500;
    final long testStart = System.currentTimeMillis();
    AuthenticationTokenSecretManager secretManager = new AuthenticationTokenSecretManager(instance, lifetimeMillis);
    // Register a key that is valid for exactly the token lifetime.
    AuthenticationKey currentKey = new AuthenticationKey(1, testStart, testStart + lifetimeMillis, keyGen.generateKey());
    secretManager.addKey(currentKey);
    final String principal = "user@EXAMPLE.COM";
    Token<AuthenticationTokenIdentifier> token = secretManager.generateToken(principal, cfg).getKey();
    // Wait past the lifetime with some slack so the expiration check is unambiguous.
    Thread.sleep(1000);
    // Deserialize the identifier the way a client-side caller would see it.
    AuthenticationTokenIdentifier reconstituted = new AuthenticationTokenIdentifier();
    reconstituted.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
    // Expected to throw: the token expired while we slept.
    secretManager.retrievePassword(reconstituted);
}

Example 15 with AuthenticationTokenIdentifier

use of org.apache.accumulo.core.client.impl.AuthenticationTokenIdentifier in project accumulo by apache.

From class AuthenticationTokenSecretManagerTest, method testGenerateToken.

/**
 * Generating a token yields a Hadoop Token of the expected kind whose identifier, once
 * round-tripped through serialization, carries a plausible issue date, the configured expiration,
 * this instance's id, and equals the identifier returned alongside the token.
 */
@Test
public void testGenerateToken() throws Exception {
    final long lifetimeMillis = 60 * 1000;
    final long testStart = System.currentTimeMillis();
    AuthenticationTokenSecretManager secretManager = new AuthenticationTokenSecretManager(instance, lifetimeMillis);
    // Register a key that is valid for the whole token lifetime.
    AuthenticationKey currentKey = new AuthenticationKey(1, testStart, testStart + lifetimeMillis, keyGen.generateKey());
    secretManager.addKey(currentKey);
    final String principal = "user@EXAMPLE.COM";
    Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> generated = secretManager.generateToken(principal, cfg);
    assertNotNull(generated);
    Token<AuthenticationTokenIdentifier> token = generated.getKey();
    assertNotNull(token);
    assertEquals(AuthenticationTokenIdentifier.TOKEN_KIND, token.getKind());
    // Deserialize the identifier the way a client-side caller would see it.
    AuthenticationTokenIdentifier reconstituted = new AuthenticationTokenIdentifier();
    reconstituted.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
    final long afterDeserialize = System.currentTimeMillis();
    final long issueDate = reconstituted.getIssueDate();
    // The issue date is bracketed by the start of the test and the moment we finished deserializing.
    assertTrue("Issue date did not fall within the expected upper bound. Expected less than " + afterDeserialize + ", but was " + issueDate, issueDate <= afterDeserialize);
    assertTrue("Issue date did not fall within the expected lower bound. Expected greater than " + testStart + ", but was " + issueDate, issueDate >= testStart);
    // Expiration is derived from the issue date plus the configured lifetime.
    assertEquals(issueDate + lifetimeMillis, reconstituted.getExpirationDate());
    assertEquals(instanceId, reconstituted.getInstanceId());
    // The identifier handed back with the token must match the one reconstructed from bytes.
    assertEquals(generated.getValue(), reconstituted);
}
