Examples with UsersWithHosts org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts used on opensource projects

Example 6 with UsersWithHosts

use of org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts in project accumulo by apache.

the class UserImpersonationTest method testSingleUserAndHost.

@Test
public void testSingleUserAndHost() {
    String server = "server", host = "single_host.domain.com", client = "single_client";
    setValidHosts(server, host);
    setValidUsers(server, client);
    UserImpersonation impersonation = new UserImpersonation(conf);
    UsersWithHosts uwh = impersonation.get(server);
    assertNotNull(uwh);
    assertFalse(uwh.acceptsAllHosts());
    assertFalse(uwh.acceptsAllUsers());
    assertNotEquals(AlwaysTrueSet.class, uwh.getHosts().getClass());
    assertNotEquals(AlwaysTrueSet.class, uwh.getUsers().getClass());
    assertTrue(uwh.getUsers().contains(client));
    assertTrue(uwh.getHosts().contains(host));
    assertFalse(uwh.getUsers().contains("some_other_user"));
    assertFalse(uwh.getHosts().contains("other_host.domain.com"));
}

Example 7 with UsersWithHosts

use of org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts in project accumulo by apache.

the class KerberosAuthenticator method authenticateUser.

@Override
public boolean authenticateUser(String principal, AuthenticationToken token) throws AccumuloSecurityException {
    final String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal();
    if (!rpcPrincipal.equals(principal)) {
        // KerberosAuthenticator can't do perform this because KerberosToken is just a shim and doesn't contain the actual credentials
        // Double check that the rpc user can impersonate as the requested user.
        UsersWithHosts usersWithHosts = impersonation.get(rpcPrincipal);
        if (null == usersWithHosts) {
            throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
        }
        if (!usersWithHosts.getUsers().contains(principal)) {
            throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
        }
        log.debug("Allowing impersonation of {} by {}", principal, rpcPrincipal);
    }
    // User is authenticated at the transport layer -- nothing extra is necessary
    if (token instanceof KerberosToken || token instanceof DelegationTokenImpl) {
        return true;
    }
    return false;
}

Example 8 with UsersWithHosts

use of org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts in project accumulo by apache.

the class TCredentialsUpdatingInvocationHandler method updateArgs.

/**
 * Try to find a TCredentials object in the argument list, and, when the AuthenticationToken is a KerberosToken, set the principal from the SASL server as the
 * TCredentials principal. This ensures that users can't spoof a different principal into the Credentials than what they used to authenticate.
 */
protected void updateArgs(Object[] args) throws ThriftSecurityException {
    // If we don't have at least two args
    if (args == null || args.length < 2) {
        return;
    }
    TCredentials tcreds = null;
    if (args[0] != null && args[0] instanceof TCredentials) {
        tcreds = (TCredentials) args[0];
    } else if (args[1] != null && args[1] instanceof TCredentials) {
        tcreds = (TCredentials) args[1];
    }
    // If we don't find a tcredentials in the first two positions
    if (null == tcreds) {
        // Not all calls require authentication (e.g. closeMultiScan). We need to let these pass through.
        log.trace("Did not find a TCredentials object in the first two positions of the argument list, not updating principal");
        return;
    }
    Class<? extends AuthenticationToken> tokenClass = getTokenClassFromName(tcreds.tokenClassName);
    // The Accumulo principal extracted from the SASL transport
    final String principal = UGIAssumingProcessor.rpcPrincipal();
    // If we authenticated the user over DIGEST-MD5 and they have a DelegationToken, the principals should match
    if (SaslMechanism.DIGEST_MD5 == UGIAssumingProcessor.rpcMechanism() && DelegationTokenImpl.class.isAssignableFrom(tokenClass)) {
        if (!principal.equals(tcreds.principal)) {
            log.warn("{} issued RPC with delegation token over DIGEST-MD5 as the Accumulo principal {}. Disallowing RPC", principal, tcreds.principal);
            throw new ThriftSecurityException("RPC principal did not match provided Accumulo principal", SecurityErrorCode.BAD_CREDENTIALS);
        }
        return;
    }
    // If the authentication token isn't a KerberosToken
    if (!KerberosToken.class.isAssignableFrom(tokenClass) && !SystemToken.class.isAssignableFrom(tokenClass)) {
        // Don't include messages about SystemToken since it's internal
        log.debug("Will not update principal on authentication tokens other than KerberosToken. Received {}", tokenClass);
        throw new ThriftSecurityException("Did not receive a valid token", SecurityErrorCode.BAD_CREDENTIALS);
    }
    if (null == principal) {
        log.debug("Found KerberosToken in TCredentials, but did not receive principal from SASL processor");
        throw new ThriftSecurityException("Did not extract principal from Thrift SASL processor", SecurityErrorCode.BAD_CREDENTIALS);
    }
    // The principal from the SASL transport should match what the user requested as their Accumulo principal
    if (!principal.equals(tcreds.principal)) {
        UsersWithHosts usersWithHosts = impersonation.get(principal);
        if (null == usersWithHosts) {
            principalMismatch(principal, tcreds.principal);
        }
        if (!usersWithHosts.getUsers().contains(tcreds.principal)) {
            principalMismatch(principal, tcreds.principal);
        }
        String clientAddr = TServerUtils.clientAddress.get();
        if (!usersWithHosts.getHosts().contains(clientAddr)) {
            final String msg = "Principal in credentials object allowed mismatched Kerberos principals, but not on " + clientAddr;
            log.warn(msg);
            throw new ThriftSecurityException(msg, SecurityErrorCode.BAD_CREDENTIALS);
        }
    }
}

Example 9 with UsersWithHosts

use of org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts in project accumulo by apache.

the class UserImpersonationTest method testMultipleAllowedImpersonators.

@Test
public void testMultipleAllowedImpersonators() {
    String server1 = "server1", server2 = "server2", host1 = "host1", host2 = "host2", host3 = "host3", client1 = "client1", client2 = "client2", client3 = "client3";
    // server1 can impersonate client1 and client2 from host1 or host2
    setValidHosts(server1, Joiner.on(',').join(host1, host2));
    setValidUsers(server1, Joiner.on(',').join(client1, client2));
    // server2 can impersonate only client3 from host3
    setValidHosts(server2, host3);
    setValidUsers(server2, client3);
    UserImpersonation impersonation = new UserImpersonation(conf);
    UsersWithHosts uwh = impersonation.get(server1);
    assertNotNull(uwh);
    assertFalse(uwh.acceptsAllHosts());
    assertFalse(uwh.acceptsAllUsers());
    assertNotEquals(AlwaysTrueSet.class, uwh.getHosts().getClass());
    assertNotEquals(AlwaysTrueSet.class, uwh.getUsers().getClass());
    assertTrue(uwh.getUsers().contains(client1));
    assertTrue(uwh.getUsers().contains(client2));
    assertFalse(uwh.getUsers().contains(client3));
    assertFalse(uwh.getUsers().contains("other_client"));
    assertTrue(uwh.getHosts().contains(host1));
    assertTrue(uwh.getHosts().contains(host2));
    assertFalse(uwh.getHosts().contains(host3));
    assertFalse(uwh.getHosts().contains("other_host"));
    uwh = impersonation.get(server2);
    assertNotNull(uwh);
    assertFalse(uwh.acceptsAllHosts());
    assertFalse(uwh.acceptsAllUsers());
    assertNotEquals(AlwaysTrueSet.class, uwh.getHosts().getClass());
    assertNotEquals(AlwaysTrueSet.class, uwh.getUsers().getClass());
    assertFalse(uwh.getUsers().contains(client1));
    assertFalse(uwh.getUsers().contains(client2));
    assertTrue(uwh.getUsers().contains(client3));
    assertFalse(uwh.getUsers().contains("other_client"));
    assertFalse(uwh.getHosts().contains(host1));
    assertFalse(uwh.getHosts().contains(host2));
    assertTrue(uwh.getHosts().contains(host3));
    assertFalse(uwh.getHosts().contains("other_host"));
    // client3 is not allowed to impersonate anyone
    assertNull(impersonation.get(client3));
}

Example 10 with UsersWithHosts

use of org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts in project accumulo by apache.

the class UserImpersonationTest method testMultipleExplicitUsers.

@Test
public void testMultipleExplicitUsers() {
    String server = "server", client1 = "client1", client2 = "client2", client3 = "client3";
    setValidHosts(server, "*");
    setValidUsers(server, Joiner.on(',').join(client1, client2, client3));
    UserImpersonation impersonation = new UserImpersonation(conf);
    UsersWithHosts uwh = impersonation.get(server);
    assertNotNull(uwh);
    assertTrue(uwh.acceptsAllHosts());
    assertFalse(uwh.acceptsAllUsers());
    assertEquals(AlwaysTrueSet.class, uwh.getHosts().getClass());
    assertNotEquals(AlwaysTrueSet.class, uwh.getUsers().getClass());
    assertTrue(uwh.getUsers().contains(client1));
    assertTrue(uwh.getUsers().contains(client2));
    assertTrue(uwh.getUsers().contains(client3));
    assertFalse(uwh.getUsers().contains("other_client"));
}