
Example 1 with AuthenticatorFactory

use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by apache.

the class UserClient method authenticate.

/**
 * Starts SASL authentication for this client's connection and returns a future tracking its outcome.
 *
 * <p>The caller's properties are merged with the SASL settings derived from the connection, an
 * {@link AuthenticatorFactory} is resolved from them, and the {@link SaslClient} it creates is attached to the
 * connection before the exchange is initiated.
 *
 * @param properties connection properties; their string entries are passed to the authenticator factory
 * @return a future that completes once the success callback fires; failures are surfaced to the caller as a
 *         {@link SaslException} built by {@code mapException}
 */
private CheckedFuture<Void, SaslException> authenticate(final DrillProperties properties) {
    final Map<String, String> saslConfig = properties.stringPropertiesAsMap();
    // QOP and strength depend on whether the server requires encryption. With chunk mode enabled the negotiated
    // buffer size is wrapChunkSize; with it disabled the size is MAX_WRAPPED_SIZE (per the original author's note).
    // putAll runs after the caller's entries are already in the map, so on a key collision the
    // connection-derived value is the one the SASL client receives.
    saslConfig.putAll(
            SaslProperties.getSaslProperties(connection.isEncryptionEnabled(), connection.getMaxWrappedSize()));

    // Every failure path below reports through this settable future rather than throwing.
    // (Original note: "use handleAuthFailure to setException"; that helper is not visible here.)
    final SettableFuture<Void> outcome = SettableFuture.create();
    final CheckedFuture<Void, SaslException> result = new AbstractCheckedFuture<Void, SaslException>(outcome) {

        @Override
        protected SaslException mapException(Exception e) {
            // Only an ExecutionException is unwrapped; a SaslException at its root yields the "expected"
            // failure message, everything else is reported as an unexpected failure.
            final Throwable root = (e instanceof ExecutionException) ? Throwables.getRootCause(e) : null;
            if (root instanceof SaslException) {
                return new SaslException(
                        String.format("Authentication failed. [Details: %s, Error %s]",
                                connection.getEncryptionCtxtString(), root.getMessage()),
                        root);
            }
            return new SaslException(
                    String.format("Authentication failed unexpectedly. [Details: %s, Error %s]",
                            connection.getEncryptionCtxtString(), e.getMessage()),
                    e);
        }
    };

    final AuthenticatorFactory authFactory;
    final String mechanism;
    final UserGroupInformation loginUser;
    final SaslClient client;
    try {
        authFactory = getAuthenticatorFactory(properties);
        mechanism = authFactory.getSimpleName();
        logger.trace("Will try to authenticate to server using {} mechanism with encryption context {}", mechanism, connection.getEncryptionCtxtString());
        loginUser = authFactory.createAndLoginUser(saslConfig);
        client = authFactory.createSaslClient(loginUser, saslConfig);
        if (client == null) {
            // A null client is treated as a hard failure so the connection never proceeds without one.
            throw new SaslException(String.format("Cannot initiate authentication using %s mechanism. Insufficient " + "credentials or selected mechanism doesn't support configured security layers?", authFactory.getSimpleName()));
        }
        connection.setSaslClient(client);
    } catch (final IOException e) {
        // SaslException is an IOException, so the null-client case above lands here as well.
        outcome.setException(e);
        return result;
    }

    logger.trace("Initiating SASL exchange.");
    // Relays the RPC-level outcome into the future handed back to the caller.
    final RpcOutcomeListener<Void> relay = new RpcOutcomeListener<Void>() {

        @Override
        public void failed(RpcException ex) {
            outcome.setException(ex);
        }

        @Override
        public void success(Void value, ByteBuf buffer) {
            // The flag is set before the future completes.
            authComplete = true;
            outcome.set(null);
        }

        @Override
        public void interrupted(InterruptedException e) {
            outcome.setException(e);
        }
    };
    new AuthenticationOutcomeListener<>(this, connection, RpcType.SASL_MESSAGE, loginUser, relay).initiate(mechanism);
    return result;
}
Also used : IOException(java.io.IOException) AbstractCheckedFuture(com.google.common.util.concurrent.AbstractCheckedFuture) SaslException(javax.security.sasl.SaslException) AuthenticatorFactory(org.apache.drill.exec.rpc.security.AuthenticatorFactory) ByteBuf(io.netty.buffer.ByteBuf) RpcException(org.apache.drill.exec.rpc.RpcException) SaslException(javax.security.sasl.SaslException) NonTransientRpcException(org.apache.drill.exec.rpc.NonTransientRpcException) IOException(java.io.IOException) ExecutionException(java.util.concurrent.ExecutionException) SaslClient(javax.security.sasl.SaslClient) RpcException(org.apache.drill.exec.rpc.RpcException) NonTransientRpcException(org.apache.drill.exec.rpc.NonTransientRpcException) ExecutionException(java.util.concurrent.ExecutionException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) RpcOutcomeListener(org.apache.drill.exec.rpc.RpcOutcomeListener)

Example 2 with AuthenticatorFactory

use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by apache.

the class BitRpcUtility method prepareSaslHandshake.

/**
 * Builds the pieces needed to begin a SASL handshake and starts it on the given client. Per the original
 * documentation this is invoked from {@link BasicClient#prepareSaslHandshake(RpcConnectionHandler, List)} and only
 * for {@link org.apache.drill.exec.rpc.data.DataClient} and {@link org.apache.drill.exec.rpc.control.ControlClient}.
 *
 * <p>The handshake is started with the process login user from {@link UserGroupInformation#getLoginUser()} and
 * with the factory that {@code config} returns for the server's mechanism list. An {@link IOException} raised
 * during this setup is not thrown; it is reported to {@code connectionHandler} as an {@code AUTHENTICATION}
 * failure.
 *
 * @param connectionHandler    handler through which the client learns about success or failure
 * @param serverAuthMechanisms authentication mechanisms configured on the server side
 * @param connection           client connection being authenticated
 * @param config               connection configuration supplying the factory and the SASL client properties
 * @param endpoint             remote DrillbitEndpoint
 * @param client               the DataClient or ControlClient instance
 * @param saslRpcType          SASL_MESSAGE RpcType of the data or control channel
 */
public static <T extends EnumLite, CC extends ClientConnection, HS extends MessageLite, HR extends MessageLite> void prepareSaslHandshake(final RpcConnectionHandler<CC> connectionHandler, List<String> serverAuthMechanisms, CC connection, BitConnectionConfig config, DrillbitEndpoint endpoint, final BasicClient<T, CC, HS, HR> client, T saslRpcType) {
    try {
        final Map<String, String> baseSaslProps =
                SaslProperties.getSaslProperties(connection.isEncryptionEnabled(), connection.getMaxWrappedSize());
        final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        // NOTE(review): the mechanism list describes the remote side; confirm getAuthFactory only returns
        // mechanisms enabled in the local configuration.
        final AuthenticatorFactory authFactory = config.getAuthFactory(serverAuthMechanisms);
        client.startSaslHandshake(
                connectionHandler,
                config.getSaslClientProperties(endpoint, baseSaslProps),
                loginUser,
                authFactory,
                saslRpcType);
    } catch (final IOException e) {
        // NOTE(review): the IOException is not passed to the logger; it travels only as the cause of the
        // RpcException handed to the connection handler.
        logger.error("Failed while doing setup for starting sasl handshake for connection {}", connection.getName());
        final String reason = String.format("Failed to initiate authentication to %s", endpoint.getAddress());
        final Exception ex = new RpcException(reason, e);
        connectionHandler.connectionFailed(RpcConnectionHandler.FailureType.AUTHENTICATION, ex);
    }
}
Also used : IOException(java.io.IOException) AuthenticatorFactory(org.apache.drill.exec.rpc.security.AuthenticatorFactory) IOException(java.io.IOException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 3 with AuthenticatorFactory

use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by apache.

the class DrillRestLoginService method login.

/**
 * Authenticates a web user with the drillbit's PLAIN authenticator and builds the resulting identity.
 *
 * @param username    name supplied at login
 * @param credentials expected to be the password as a {@link String}; any other type is rejected
 * @return the identity carrying admin or non-admin principals and roles, or {@code null} when the credentials
 *         are not a String, authentication fails, or any other exception is thrown
 */
@Override
public UserIdentity login(String username, Object credentials) {
    if (!(credentials instanceof String)) {
        return null;
    }
    try {
        // The web user is authenticated locally. Per the original author, a started WebServer guarantees that
        // the PLAIN mechanism is configured and its authenticator is available.
        final AuthenticatorFactory plainFactory =
                drillbitContext.getAuthProvider().getAuthenticatorFactory(PlainFactory.SIMPLE_NAME);
        // authenticate() signals rejection by throwing; reaching the next line means the password was accepted.
        ((PlainFactory) plainFactory).getAuthenticator().authenticate(username, credentials.toString());
        logger.debug("WebUser {} is successfully authenticated", username);

        // Admin status is decided only after authentication, from the admin user and group system options.
        final SystemOptionManager options = drillbitContext.getOptionManager();
        final String adminUsers = options.getOption(ExecConstants.ADMIN_USERS_KEY).string_val;
        final String adminGroups = options.getOption(ExecConstants.ADMIN_USER_GROUPS_KEY).string_val;
        final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(username, adminUsers, adminGroups);

        // Principal for the logged-in user.
        final Principal principal = new DrillUserPrincipal(username, isAdmin);
        final Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        // NOTE(review): the cleartext password stays reachable through the Subject for as long as the returned
        // identity is retained; confirm something downstream needs it.
        subject.getPrivateCredentials().add(credentials);

        if (!isAdmin) {
            subject.getPrincipals().addAll(DrillUserPrincipal.NON_ADMIN_PRINCIPALS);
            return identityService.newUserIdentity(subject, principal, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
        }
        subject.getPrincipals().addAll(DrillUserPrincipal.ADMIN_PRINCIPALS);
        return identityService.newUserIdentity(subject, principal, DrillUserPrincipal.ADMIN_USER_ROLES);
    } catch (final Exception e) {
        // Every failure ends in a null identity; the caller cannot tell a rejected password from an internal
        // error.
        if (!(e instanceof UserAuthenticationException)) {
            logger.error("UnExpected failure occurred for WebUser {} during login.", username, e);
        } else {
            // NOTE(review): rejected logins are recorded at debug level only; confirm failed attempts are
            // audited somewhere that is enabled in production.
            logger.debug("Authentication failed for WebUser '{}'", username, e);
        }
        return null;
    }
}
Also used : UserAuthenticationException(org.apache.drill.exec.rpc.user.security.UserAuthenticationException) SystemOptionManager(org.apache.drill.exec.server.options.SystemOptionManager) UserAuthenticator(org.apache.drill.exec.rpc.user.security.UserAuthenticator) PlainFactory(org.apache.drill.exec.rpc.security.plain.PlainFactory) AuthenticatorFactory(org.apache.drill.exec.rpc.security.AuthenticatorFactory) Principal(java.security.Principal) Subject(javax.security.auth.Subject) UserAuthenticationException(org.apache.drill.exec.rpc.user.security.UserAuthenticationException)

Example 4 with AuthenticatorFactory

use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by axbaretto.

the class DrillRestLoginService method login.

/**
 * Checks a web user's password with the drillbit's PLAIN authenticator and, on success, returns an identity
 * carrying the matching principals and roles.
 *
 * @param username    name supplied at login
 * @param credentials expected to be the password as a {@link String}; any other type is rejected
 * @return the admin or non-admin identity, or {@code null} when the credentials are not a String,
 *         authentication fails, or any other exception is thrown
 */
@Override
public UserIdentity login(String username, Object credentials) {
    final boolean passwordIsString = credentials instanceof String;
    if (!passwordIsString) {
        return null;
    }
    try {
        // Local authentication through the PLAIN factory. Per the original author, a started WebServer
        // guarantees that the PLAIN mechanism is configured and its authenticator is available.
        final AuthenticatorFactory plainFactory =
                drillbitContext.getAuthProvider().getAuthenticatorFactory(PlainFactory.SIMPLE_NAME);
        final UserAuthenticator authenticator = ((PlainFactory) plainFactory).getAuthenticator();
        // Rejection is signalled by an exception, so the lines after this call run only for an accepted password.
        authenticator.authenticate(username, credentials.toString());
        logger.debug("WebUser {} is successfully authenticated", username);

        // Admin status comes from the admin-users and admin-user-groups validators, evaluated after
        // authentication has succeeded.
        final SystemOptionManager options = drillbitContext.getOptionManager();
        final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(
                username,
                ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(options),
                ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(options));

        // Principal for the logged-in user.
        final Principal principal = new DrillUserPrincipal(username, isAdmin);
        final Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        // NOTE(review): the cleartext password stays reachable through the Subject for as long as the returned
        // identity is retained; confirm something downstream needs it.
        subject.getPrivateCredentials().add(credentials);

        if (!isAdmin) {
            subject.getPrincipals().addAll(DrillUserPrincipal.NON_ADMIN_PRINCIPALS);
            return identityService.newUserIdentity(subject, principal, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
        }
        subject.getPrincipals().addAll(DrillUserPrincipal.ADMIN_PRINCIPALS);
        return identityService.newUserIdentity(subject, principal, DrillUserPrincipal.ADMIN_USER_ROLES);
    } catch (final Exception e) {
        // Every failure ends in a null identity; the caller cannot tell a rejected password from an internal
        // error.
        final boolean rejected = e instanceof UserAuthenticationException;
        if (rejected) {
            // NOTE(review): rejected logins are recorded at debug level only; confirm failed attempts are
            // audited somewhere that is enabled in production.
            logger.debug("Authentication failed for WebUser '{}'", username, e);
        } else {
            logger.error("UnExpected failure occurred for WebUser {} during login.", username, e);
        }
        return null;
    }
}
Also used : UserAuthenticationException(org.apache.drill.exec.rpc.user.security.UserAuthenticationException) SystemOptionManager(org.apache.drill.exec.server.options.SystemOptionManager) UserAuthenticator(org.apache.drill.exec.rpc.user.security.UserAuthenticator) PlainFactory(org.apache.drill.exec.rpc.security.plain.PlainFactory) AuthenticatorFactory(org.apache.drill.exec.rpc.security.AuthenticatorFactory) Principal(java.security.Principal) Subject(javax.security.auth.Subject) UserAuthenticationException(org.apache.drill.exec.rpc.user.security.UserAuthenticationException)

Example 5 with AuthenticatorFactory

use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by axbaretto.

the class BitRpcUtility method prepareSaslHandshake.

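/**
 * Creates the instances needed to start the SASL handshake and starts it on the given client. Per the original
 * documentation this is called from {@link BasicClient#prepareSaslHandshake(RpcConnectionHandler, List)} only for
 * {@link org.apache.drill.exec.rpc.data.DataClient} and {@link org.apache.drill.exec.rpc.control.ControlClient}.
 *
 * <p>The handshake is started with the process login user from {@link UserGroupInformation#getLoginUser()} and
 * with the factory that {@code config} returns for the server's mechanism list. An {@link IOException} raised
 * during this setup is not thrown; it is reported to {@code connectionHandler} as an {@code AUTHENTICATION}
 * failure.
 *
 * @param connectionHandler    handler through which the client learns about success or failure
 * @param serverAuthMechanisms authentication mechanisms configured on the server side
 * @param connection           client connection being authenticated
 * @param config               connection configuration supplying the factory and the SASL client properties
 * @param endpoint             remote DrillbitEndpoint
 * @param client               the DataClient or ControlClient instance
 * @param saslRpcType          SASL_MESSAGE RpcType of the data or control channel
 */
public static <T extends EnumLite, CC extends ClientConnection, HS extends MessageLite, HR extends MessageLite> void prepareSaslHandshake(final RpcConnectionHandler<CC> connectionHandler, List<String> serverAuthMechanisms, CC connection, BitConnectionConfig config, DrillbitEndpoint endpoint, final BasicClient<T, CC, HS, HR> client, T saslRpcType) {
    try {
        final Map<String, String> saslProperties = SaslProperties.getSaslProperties(connection.isEncryptionEnabled(), connection.getMaxWrappedSize());
        final UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        // NOTE(review): the mechanism list describes the remote side; confirm getAuthFactory only returns
        // mechanisms enabled in the local configuration.
        final AuthenticatorFactory factory = config.getAuthFactory(serverAuthMechanisms);
        client.startSaslHandshake(connectionHandler, config.getSaslClientProperties(endpoint, saslProperties), ugi, factory, saslRpcType);
    } catch (final IOException e) {
        // The "{}" placeholder is required for the connection name to appear in the message; without it the
        // argument is dropped and the failure cannot be tied to a connection from the log.
        // NOTE(review): the IOException is not passed to the logger; it travels only as the cause of the
        // RpcException handed to the connection handler.
        logger.error("Failed while doing setup for starting sasl handshake for connection {}", connection.getName());
        final Exception ex = new RpcException(String.format("Failed to initiate authentication to %s", endpoint.getAddress()), e);
        connectionHandler.connectionFailed(RpcConnectionHandler.FailureType.AUTHENTICATION, ex);
    }
}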
Also used : IOException(java.io.IOException) AuthenticatorFactory(org.apache.drill.exec.rpc.security.AuthenticatorFactory) IOException(java.io.IOException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

AuthenticatorFactory (org.apache.drill.exec.rpc.security.AuthenticatorFactory)8 IOException (java.io.IOException)5 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)5 Principal (java.security.Principal)3 ExecutionException (java.util.concurrent.ExecutionException)3 Subject (javax.security.auth.Subject)3 SaslException (javax.security.sasl.SaslException)3 NonTransientRpcException (org.apache.drill.exec.rpc.NonTransientRpcException)3 RpcException (org.apache.drill.exec.rpc.RpcException)3 PlainFactory (org.apache.drill.exec.rpc.security.plain.PlainFactory)3 UserAuthenticationException (org.apache.drill.exec.rpc.user.security.UserAuthenticationException)3 UserAuthenticator (org.apache.drill.exec.rpc.user.security.UserAuthenticator)3 SystemOptionManager (org.apache.drill.exec.server.options.SystemOptionManager)3 TimeoutException (java.util.concurrent.TimeoutException)2 DrillException (org.apache.drill.common.exceptions.DrillException)2 InvalidConnectionInfoException (org.apache.drill.exec.client.InvalidConnectionInfoException)2 AbstractCheckedFuture (com.google.common.util.concurrent.AbstractCheckedFuture)1 ByteBuf (io.netty.buffer.ByteBuf)1 SaslClient (javax.security.sasl.SaslClient)1 RpcOutcomeListener (org.apache.drill.exec.rpc.RpcOutcomeListener)1