
Example 16 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class AccumuloReplicaSystem, method replicate.

@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by admin")
@Override
public Status replicate(final Path p, final Status status, final ReplicationTarget target, final ReplicaSystemHelper helper) {
    final AccumuloConfiguration localConf = conf;
    log.debug("Replication RPC timeout is {}", localConf.get(Property.REPLICATION_RPC_TIMEOUT.getKey()));
    final String principal = getPrincipal(localConf, target);
    final File keytab;
    final String password;
    if (localConf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED)) {
        String keytabPath = getKeytab(localConf, target);
        keytab = new File(keytabPath);
        if (!keytab.exists() || !keytab.isFile()) {
            log.error("{} is not a regular file. Cannot login to replicate", keytabPath);
            return status;
        }
        password = null;
    } else {
        keytab = null;
        password = getPassword(localConf, target);
    }
    if (keytab != null) {
        try {
            final UserGroupInformation accumuloUgi = UserGroupInformation.getCurrentUser();
            // Get a UGI with the principal + keytab
            UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab.getAbsolutePath());
            // Run inside a doAs to avoid nuking the Tserver's user
            return ugi.doAs((PrivilegedAction<Status>) () -> {
                KerberosToken token;
                try {
                    // Do *not* replace the current user
                    token = new KerberosToken(principal, keytab);
                } catch (IOException e) {
                    log.error("Failed to create KerberosToken", e);
                    return status;
                }
                ClientContext peerContext = getContextForPeer(localConf, target, principal, token);
                return _replicate(p, status, target, helper, localConf, peerContext, accumuloUgi);
            });
        } catch (IOException e) {
            // Can't log in, can't replicate
            log.error("Failed to perform local login", e);
            return status;
        }
    } else {
        // Simple case: make a password token, context and then replicate
        PasswordToken token = new PasswordToken(password);
        ClientContext peerContext = getContextForPeer(localConf, target, principal, token);
        return _replicate(p, status, target, helper, localConf, peerContext, null);
    }
}
Also used: Status(org.apache.accumulo.server.replication.proto.Replication.Status), PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken), KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken), ClientContext(org.apache.accumulo.core.clientImpl.ClientContext), IOException(java.io.IOException), File(java.io.File), RFile(org.apache.accumulo.core.file.rfile.RFile), AccumuloConfiguration(org.apache.accumulo.core.conf.AccumuloConfiguration), UserGroupInformation(org.apache.hadoop.security.UserGroupInformation), SuppressFBWarnings(edu.umd.cs.findbugs.annotations.SuppressFBWarnings)

Example 17 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosTokenEmbeddedKDCTest, method test.

@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void test() throws Exception {
    String user = testName.getMethodName();
    File userKeytab = new File(kdc.getKeytabDir(), user + ".keytab");
    if (userKeytab.exists() && !userKeytab.delete()) {
        log.warn("Unable to delete {}", userKeytab);
    }
    kdc.createPrincipal(userKeytab, user);
    user = kdc.qualifyUser(user);
    UserGroupInformation.loginUserFromKeytab(user, userKeytab.getAbsolutePath());
    KerberosToken token = new KerberosToken();
    assertEquals(user, token.getPrincipal());
    // Use the long-hand constructor, should be equivalent to short-hand
    KerberosToken tokenWithPrinc = new KerberosToken(user);
    assertEquals(token, tokenWithPrinc);
    assertEquals(token.hashCode(), tokenWithPrinc.hashCode());
}
Also used: KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken), File(java.io.File), Test(org.junit.Test), SuppressFBWarnings(edu.umd.cs.findbugs.annotations.SuppressFBWarnings)

Example 18 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosTokenEmbeddedKDCTest, method testDestroy.

@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testDestroy() throws Exception {
    String user = testName.getMethodName();
    File userKeytab = new File(kdc.getKeytabDir(), user + ".keytab");
    if (userKeytab.exists() && !userKeytab.delete()) {
        log.warn("Unable to delete {}", userKeytab);
    }
    kdc.createPrincipal(userKeytab, user);
    user = kdc.qualifyUser(user);
    UserGroupInformation.loginUserFromKeytab(user, userKeytab.getAbsolutePath());
    KerberosToken token = new KerberosToken();
    assertEquals(user, token.getPrincipal());
    token.destroy();
    assertTrue(token.isDestroyed());
    assertNull(token.getPrincipal());
}
Also used: KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken), File(java.io.File), Test(org.junit.Test), SuppressFBWarnings(edu.umd.cs.findbugs.annotations.SuppressFBWarnings)

Example 19 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class ShellOptionsJC, method getAuthenticationToken.

public AuthenticationToken getAuthenticationToken() throws Exception {
    if (null == authenticationToken) {
        final ClientConfiguration clientConf = getClientConfiguration();
        // Automatically use a KerberosToken if the client conf is configured for SASL
        final boolean saslEnabled = Boolean.parseBoolean(clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
        if (saslEnabled) {
            authenticationToken = new KerberosToken();
        }
    }
    return authenticationToken;
}
Also used: KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken), ClientConfiguration(org.apache.accumulo.core.client.ClientConfiguration)

Example 20 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class ThriftTransportKeyTest, method testConnectionCaching.

@Test
public void testConnectionCaching() throws IOException, InterruptedException {
    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
    final KerberosToken token = EasyMock.createMock(KerberosToken.class);
    final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
    // The primary is the first component of the principal
    final String primary = "accumulo";
    clientConf.withSasl(true, primary);
    // A first instance of the SASL cnxn params
    SaslConnectionParams saslParams1 = user1.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {

        @Override
        public SaslConnectionParams run() throws Exception {
            return new SaslConnectionParams(clientConf, token);
        }
    });
    // A second instance of what should be the same SaslConnectionParams
    SaslConnectionParams saslParams2 = user1.doAs(new PrivilegedExceptionAction<SaslConnectionParams>() {

        @Override
        public SaslConnectionParams run() throws Exception {
            return new SaslConnectionParams(clientConf, token);
        }
    });
    ThriftTransportKey ttk1 = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, saslParams1);
    ThriftTransportKey ttk2 = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, saslParams2);
    // equals() and hashCode() should agree for both keys, so that we don't throw away Thrift connections
    assertEquals(ttk1, ttk2);
    assertEquals(ttk1.hashCode(), ttk2.hashCode());
}
Also used: KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken), SaslConnectionParams(org.apache.accumulo.core.rpc.SaslConnectionParams), ClientConfiguration(org.apache.accumulo.core.client.ClientConfiguration), IOException(java.io.IOException), UserGroupInformation(org.apache.hadoop.security.UserGroupInformation), Test(org.junit.Test)

Aggregations

KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken): 46
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation): 23
Test (org.junit.Test): 23
AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken): 21
PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken): 16
IOException (java.io.IOException): 15
DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig): 14
AccumuloClient (org.apache.accumulo.core.client.AccumuloClient): 13
AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException): 12
File (java.io.File): 11
Connector (org.apache.accumulo.core.client.Connector): 8
DelegationTokenImpl (org.apache.accumulo.core.clientImpl.DelegationTokenImpl): 8
SuppressFBWarnings (edu.umd.cs.findbugs.annotations.SuppressFBWarnings): 7
AccumuloException (org.apache.accumulo.core.client.AccumuloException): 7
ClusterUser (org.apache.accumulo.cluster.ClusterUser): 6
ClientContext (org.apache.accumulo.core.clientImpl.ClientContext): 6
ClientConfiguration (org.apache.accumulo.core.client.ClientConfiguration): 5
TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException): 5
AuthenticationTokenIdentifier (org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier): 5
Test (org.junit.jupiter.api.Test): 5