use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class AccumuloReplicaSystem method replicate.
/**
 * Replicates the file at {@code p} to the peer named by {@code target}, authenticating to that
 * peer either with a Kerberos keytab or with a password.
 *
 * <p>When {@code INSTANCE_RPC_SASL_ENABLED} is set, the keytab path returned by
 * {@code getKeytab} must name an existing regular file; a separate UGI is then obtained by keytab
 * login and the replication runs inside {@code doAs} on that UGI. Otherwise a
 * {@link PasswordToken} built from {@code getPassword} is used.
 *
 * <p>Every failure handled here (keytab missing or not a regular file, keytab login failure,
 * {@link KerberosToken} construction failure) is logged and the incoming {@code status} is
 * returned unchanged.
 *
 * @param p file to replicate
 * @param status replication status handed in by the caller; returned as-is on the failure paths
 * @param target peer to replicate to
 * @param helper passed through to {@code _replicate}
 * @return the result of {@code _replicate}, or {@code status} when authentication could not be
 *         set up
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by admin")
@Override
public Status replicate(final Path p, final Status status, final ReplicationTarget target, final ReplicaSystemHelper helper) {
  final AccumuloConfiguration localConf = conf;
  log.debug("Replication RPC timeout is {}", localConf.get(Property.REPLICATION_RPC_TIMEOUT.getKey()));
  final String principal = getPrincipal(localConf, target);

  // Password path: SASL is off, so there is no keytab and no UGI to hand to _replicate.
  if (!localConf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED)) {
    final String password = getPassword(localConf, target);
    final PasswordToken passwordToken = new PasswordToken(password);
    final ClientContext peerContext = getContextForPeer(localConf, target, principal, passwordToken);
    return _replicate(p, status, target, helper, localConf, peerContext, null);
  }

  // Kerberos path. The keytab location is taken from configuration; the FindBugs suppression
  // above rests on that value being administrator-controlled.
  final String keytabPath = getKeytab(localConf, target);
  final File keytab = new File(keytabPath);
  // Early sanity check only: the file can still change before the login below, in which case
  // the login's IOException is what reports the problem.
  if (!(keytab.exists() && keytab.isFile())) {
    log.error("{} is not a regular file. Cannot login to replicate", keytabPath);
    return status;
  }

  try {
    // Capture the identity this process currently runs as before logging in with the keytab;
    // it is passed on to _replicate.
    final UserGroupInformation accumuloUgi = UserGroupInformation.getCurrentUser();
    // Obtain a distinct UGI for principal + keytab rather than replacing the process login.
    final UserGroupInformation peerUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab.getAbsolutePath());
    // Scope the peer credentials to this doAs so the Tserver's own user is left untouched.
    return peerUgi.doAs((PrivilegedAction<Status>) () -> {
      final KerberosToken kerberosToken;
      try {
        // Principal + keytab constructor: must not replace the current user.
        kerberosToken = new KerberosToken(principal, keytab);
      } catch (IOException e) {
        log.error("Failed to create KerberosToken", e);
        return status;
      }
      final ClientContext peerContext = getContextForPeer(localConf, target, principal, kerberosToken);
      return _replicate(p, status, target, helper, localConf, peerContext, accumuloUgi);
    });
  } catch (IOException e) {
    // Without a successful local login there is nothing to replicate with.
    log.error("Failed to perform local login", e);
    return status;
  }
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class KerberosTokenEmbeddedKDCTest method test.
/**
 * Checks that a no-argument {@link KerberosToken} reports the principal of the current keytab
 * login, and that it is equal (including {@code hashCode}) to a token built with that principal
 * passed explicitly.
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void test() throws Exception {
  final String shortName = testName.getMethodName();
  final File keytabFile = new File(kdc.getKeytabDir(), shortName + ".keytab");
  // Remove any keytab left over from an earlier run; a failed delete is only warned about.
  if (keytabFile.exists()) {
    if (!keytabFile.delete()) {
      log.warn("Unable to delete {}", keytabFile);
    }
  }
  kdc.createPrincipal(keytabFile, shortName);
  final String qualifiedUser = kdc.qualifyUser(shortName);

  // This call changes the process-wide Hadoop login user, which the tokens below rely on.
  UserGroupInformation.loginUserFromKeytab(qualifiedUser, keytabFile.getAbsolutePath());

  final KerberosToken implicitToken = new KerberosToken();
  assertEquals(qualifiedUser, implicitToken.getPrincipal());

  // Naming the principal explicitly should yield an equivalent token.
  final KerberosToken explicitToken = new KerberosToken(qualifiedUser);
  assertEquals(implicitToken, explicitToken);
  assertEquals(implicitToken.hashCode(), explicitToken.hashCode());
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class KerberosTokenEmbeddedKDCTest method testDestroy.
/**
 * Checks that {@link KerberosToken#destroy()} marks the token as destroyed and clears its
 * principal.
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testDestroy() throws Exception {
  final String shortName = testName.getMethodName();
  final File keytabFile = new File(kdc.getKeytabDir(), shortName + ".keytab");
  // Remove any keytab left over from an earlier run; a failed delete is only warned about.
  if (keytabFile.exists()) {
    if (!keytabFile.delete()) {
      log.warn("Unable to delete {}", keytabFile);
    }
  }
  kdc.createPrincipal(keytabFile, shortName);
  final String qualifiedUser = kdc.qualifyUser(shortName);

  // This call changes the process-wide Hadoop login user, which the token below relies on.
  UserGroupInformation.loginUserFromKeytab(qualifiedUser, keytabFile.getAbsolutePath());

  final KerberosToken kerberosToken = new KerberosToken();
  assertEquals(qualifiedUser, kerberosToken.getPrincipal());

  // After destroy() the token must report itself destroyed and no longer expose a principal.
  kerberosToken.destroy();
  assertTrue(kerberosToken.isDestroyed());
  assertNull(kerberosToken.getPrincipal());
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class ShellOptionsJC method getAuthenticationToken.
/**
 * Returns the authentication token for this shell session, creating a {@link KerberosToken} on
 * demand when none has been set and the client configuration enables SASL.
 *
 * @return the already-set token, a newly created {@link KerberosToken} when SASL is enabled, or
 *         {@code null} when no token was set and SASL is not enabled; callers must handle the
 *         {@code null} case
 * @throws Exception if reading the client configuration or creating the token fails
 */
public AuthenticationToken getAuthenticationToken() throws Exception {
  // An explicitly provided (or previously created) token always wins.
  if (authenticationToken != null) {
    return authenticationToken;
  }

  final ClientConfiguration clientConf = getClientConfiguration();
  final String saslSetting = clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED);
  // parseBoolean treats anything other than "true" (case-insensitive), including null, as false.
  if (Boolean.parseBoolean(saslSetting)) {
    // NOTE(review): the no-arg token presumably picks up the identity of the current Kerberos
    // login; confirm against KerberosToken.
    authenticationToken = new KerberosToken();
  }
  return authenticationToken;
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class ThriftTransportKeyTest method testConnectionCaching.
/**
 * Checks that two {@code ThriftTransportKey}s built for the same host, port and timeout, each
 * with its own {@code SaslConnectionParams} created as the same user from the same configuration
 * and token, are equal and share a hash code.
 */
@Test
public void testConnectionCaching() throws IOException, InterruptedException {
  final UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);
  final ClientConfiguration clientConf = ClientConfiguration.loadDefault();

  // The primary is the first component of the Kerberos principal.
  final String primary = "accumulo";
  clientConf.withSasl(true, primary);

  // One action, run twice as the same user, yields two separate SaslConnectionParams instances
  // that should describe the same connection.
  final PrivilegedExceptionAction<SaslConnectionParams> buildParams = () -> new SaslConnectionParams(clientConf, token);
  final SaslConnectionParams firstParams = user1.doAs(buildParams);
  final SaslConnectionParams secondParams = user1.doAs(buildParams);

  final ThriftTransportKey firstKey = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, firstParams);
  final ThriftTransportKey secondKey = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, secondParams);

  // The keys must be equal and hash alike, otherwise cached Thrift connections would be
  // thrown away instead of reused.
  assertEquals(firstKey, secondKey);
  assertEquals(firstKey.hashCode(), secondKey.hashCode());
}