Examples with TCredentials org.apache.accumulo.core.security.thrift.TCredentials used on opensource projects

Example 16 with TCredentials

use of org.apache.accumulo.core.security.thrift.TCredentials in project accumulo by apache.

the class TservConstraintEnvTest method testGetAuthorizationsContainer.

@Test
public void testGetAuthorizationsContainer() throws ThriftSecurityException {
    SecurityOperation security = createMock(SecurityOperation.class);
    TCredentials goodCred = createMock(TCredentials.class);
    TCredentials badCred = createMock(TCredentials.class);
    ByteSequence bs = new ArrayByteSequence("foo".getBytes());
    List<ByteBuffer> bbList = Collections.singletonList(ByteBuffer.wrap(bs.getBackingArray(), bs.offset(), bs.length()));
    expect(security.authenticatedUserHasAuthorizations(goodCred, bbList)).andReturn(true);
    expect(security.authenticatedUserHasAuthorizations(badCred, bbList)).andReturn(false);
    replay(security);
    assertTrue(new TservConstraintEnv(security, goodCred).getAuthorizationsContainer().contains(bs));
    assertFalse(new TservConstraintEnv(security, badCred).getAuthorizationsContainer().contains(bs));
}

Example 17 with TCredentials

use of org.apache.accumulo.core.security.thrift.TCredentials in project accumulo by apache.

the class TCredentialsUpdatingInvocationHandler method updateArgs.

/**
 * Try to find a TCredentials object in the argument list, and, when the AuthenticationToken is a KerberosToken, set the principal from the SASL server as the
 * TCredentials principal. This ensures that users can't spoof a different principal into the Credentials than what they used to authenticate.
 */
protected void updateArgs(Object[] args) throws ThriftSecurityException {
    // If we don't have at least two args
    if (args == null || args.length < 2) {
        return;
    }
    TCredentials tcreds = null;
    if (args[0] != null && args[0] instanceof TCredentials) {
        tcreds = (TCredentials) args[0];
    } else if (args[1] != null && args[1] instanceof TCredentials) {
        tcreds = (TCredentials) args[1];
    }
    // If we don't find a tcredentials in the first two positions
    if (null == tcreds) {
        // Not all calls require authentication (e.g. closeMultiScan). We need to let these pass through.
        log.trace("Did not find a TCredentials object in the first two positions of the argument list, not updating principal");
        return;
    }
    Class<? extends AuthenticationToken> tokenClass = getTokenClassFromName(tcreds.tokenClassName);
    // The Accumulo principal extracted from the SASL transport
    final String principal = UGIAssumingProcessor.rpcPrincipal();
    // If we authenticated the user over DIGEST-MD5 and they have a DelegationToken, the principals should match
    if (SaslMechanism.DIGEST_MD5 == UGIAssumingProcessor.rpcMechanism() && DelegationTokenImpl.class.isAssignableFrom(tokenClass)) {
        if (!principal.equals(tcreds.principal)) {
            log.warn("{} issued RPC with delegation token over DIGEST-MD5 as the Accumulo principal {}. Disallowing RPC", principal, tcreds.principal);
            throw new ThriftSecurityException("RPC principal did not match provided Accumulo principal", SecurityErrorCode.BAD_CREDENTIALS);
        }
        return;
    }
    // If the authentication token isn't a KerberosToken
    if (!KerberosToken.class.isAssignableFrom(tokenClass) && !SystemToken.class.isAssignableFrom(tokenClass)) {
        // Don't include messages about SystemToken since it's internal
        log.debug("Will not update principal on authentication tokens other than KerberosToken. Received {}", tokenClass);
        throw new ThriftSecurityException("Did not receive a valid token", SecurityErrorCode.BAD_CREDENTIALS);
    }
    if (null == principal) {
        log.debug("Found KerberosToken in TCredentials, but did not receive principal from SASL processor");
        throw new ThriftSecurityException("Did not extract principal from Thrift SASL processor", SecurityErrorCode.BAD_CREDENTIALS);
    }
    // The principal from the SASL transport should match what the user requested as their Accumulo principal
    if (!principal.equals(tcreds.principal)) {
        UsersWithHosts usersWithHosts = impersonation.get(principal);
        if (null == usersWithHosts) {
            principalMismatch(principal, tcreds.principal);
        }
        if (!usersWithHosts.getUsers().contains(tcreds.principal)) {
            principalMismatch(principal, tcreds.principal);
        }
        String clientAddr = TServerUtils.clientAddress.get();
        if (!usersWithHosts.getHosts().contains(clientAddr)) {
            final String msg = "Principal in credentials object allowed mismatched Kerberos principals, but not on " + clientAddr;
            log.warn(msg);
            throw new ThriftSecurityException(msg, SecurityErrorCode.BAD_CREDENTIALS);
        }
    }
}

Example 18 with TCredentials

use of org.apache.accumulo.core.security.thrift.TCredentials in project accumulo by apache.

the class TCredentialsUpdatingInvocationHandlerTest method testAllowedImpersonationFromSpecificHost.

@SuppressWarnings("deprecation")
@Test
public void testAllowedImpersonationFromSpecificHost() throws Exception {
    final String proxyServer = "proxy", client = "client", host = "host.domain.com";
    cc.set(Property.INSTANCE_RPC_SASL_PROXYUSERS.getKey() + proxyServer + ".users", client);
    cc.set(Property.INSTANCE_RPC_SASL_PROXYUSERS.getKey() + proxyServer + ".hosts", host);
    proxy = new TCredentialsUpdatingInvocationHandler<>(new Object(), conf);
    TCredentials tcreds = new TCredentials("client", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
    UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
    TServerUtils.clientAddress.set(host);
    proxy.updateArgs(new Object[] { new Object(), tcreds });
}

Example 19 with TCredentials

use of org.apache.accumulo.core.security.thrift.TCredentials in project accumulo by apache.

the class TCredentialsUpdatingInvocationHandlerTest method testAllowedImpersonationForSpecificUsers.

@SuppressWarnings("deprecation")
@Test
public void testAllowedImpersonationForSpecificUsers() throws Exception {
    final String proxyServer = "proxy";
    cc.set(Property.INSTANCE_RPC_SASL_PROXYUSERS.getKey() + proxyServer + ".users", "client1,client2");
    cc.set(Property.INSTANCE_RPC_SASL_PROXYUSERS.getKey() + proxyServer + ".hosts", "*");
    proxy = new TCredentialsUpdatingInvocationHandler<>(new Object(), conf);
    TCredentials tcreds = new TCredentials("client1", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
    UGIAssumingProcessor.rpcPrincipal.set(proxyServer);
    proxy.updateArgs(new Object[] { new Object(), tcreds });
    tcreds = new TCredentials("client2", KerberosToken.class.getName(), ByteBuffer.allocate(0), UUID.randomUUID().toString());
    proxy.updateArgs(new Object[] { new Object(), tcreds });
}

Example 20 with TCredentials

use of org.apache.accumulo.core.security.thrift.TCredentials in project accumulo by apache.

the class TCredentialsUpdatingInvocationHandlerTest method testCachedTokenClass.

@Test
public void testCachedTokenClass() throws Exception {
    final String principal = "root";
    ConcurrentHashMap<String, Class<? extends AuthenticationToken>> cache = proxy.getTokenCache();
    cache.clear();
    TCredentials tcreds = new TCredentials(principal, KerberosToken.CLASS_NAME, ByteBuffer.allocate(0), UUID.randomUUID().toString());
    UGIAssumingProcessor.rpcPrincipal.set(principal);
    proxy.updateArgs(new Object[] { new Object(), tcreds });
    Assert.assertEquals(1, cache.size());
    Assert.assertEquals(KerberosToken.class, cache.get(KerberosToken.CLASS_NAME));
}