use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by apache.
the class UserClient method authenticate.
/**
 * Starts SASL authentication against the server and returns a future that completes when the
 * exchange finishes.
 *
 * <p>The SASL properties derived from the connection's encryption setting are applied on top of
 * the caller's properties with {@code putAll}, so they replace any same-named keys the caller
 * supplied. {@code authComplete} is set only from the success callback of the exchange.
 *
 * @param properties connection properties used to pick the mechanism and build the SASL client
 * @return a future that yields {@code null} on success; failures surface as {@link SaslException}
 */
private CheckedFuture<Void, SaslException> authenticate(final DrillProperties properties) {
  final Map<String, String> propertiesMap = properties.stringPropertiesAsMap();

  // QOP and strength follow whether the connection requires encryption. The buffer size is
  // wrapChunkSize when ChunkMode is enabled and MAX_WRAPPED_SIZE otherwise.
  final Map<String, String> securityLayerProps =
      SaslProperties.getSaslProperties(connection.isEncryptionEnabled(), connection.getMaxWrappedSize());
  propertiesMap.putAll(securityLayerProps);

  // Failures are reported by setting an exception on this settable; the checked wrapper below
  // converts whatever was set into a SaslException for the caller.
  final SettableFuture<Void> authSettable = SettableFuture.create();
  final CheckedFuture<Void, SaslException> authFuture =
      new AbstractCheckedFuture<Void, SaslException>(authSettable) {
        @Override
        protected SaslException mapException(Exception e) {
          // Only an ExecutionException is unwrapped; a SaslException at its root is reported as
          // an ordinary authentication failure, everything else as an unexpected one.
          final Throwable root = (e instanceof ExecutionException) ? Throwables.getRootCause(e) : null;
          if (root instanceof SaslException) {
            return new SaslException(
                String.format("Authentication failed. [Details: %s, Error %s]",
                    connection.getEncryptionCtxtString(), root.getMessage()),
                root);
          }
          return new SaslException(
              String.format("Authentication failed unexpectedly. [Details: %s, Error %s]",
                  connection.getEncryptionCtxtString(), e.getMessage()),
              e);
        }
      };

  final String mechanismName;
  final UserGroupInformation ugi;
  try {
    final AuthenticatorFactory factory = getAuthenticatorFactory(properties);
    mechanismName = factory.getSimpleName();
    // Only the mechanism name and the encryption context are logged here.
    // NOTE(review): propertiesMap presumably carries the user's credentials; keep it out of
    // log statements if this method is ever extended.
    logger.trace("Will try to authenticate to server using {} mechanism with encryption context {}",
        mechanismName, connection.getEncryptionCtxtString());
    ugi = factory.createAndLoginUser(propertiesMap);
    final SaslClient saslClient = factory.createSaslClient(ugi, propertiesMap);
    if (saslClient == null) {
      // No client means the exchange cannot start; fail here rather than continue without one.
      throw new SaslException(String.format("Cannot initiate authentication using %s mechanism. Insufficient "
          + "credentials or selected mechanism doesn't support configured security layers?",
          factory.getSimpleName()));
    }
    connection.setSaslClient(saslClient);
  } catch (final IOException e) {
    authSettable.setException(e);
    return authFuture;
  }

  logger.trace("Initiating SASL exchange.");
  final RpcOutcomeListener<Void> exchangeOutcome = new RpcOutcomeListener<Void>() {
    @Override
    public void success(Void value, ByteBuf buffer) {
      // The only place the connection is marked authenticated.
      authComplete = true;
      authSettable.set(null);
    }

    @Override
    public void failed(RpcException ex) {
      authSettable.setException(ex);
    }

    @Override
    public void interrupted(InterruptedException e) {
      authSettable.setException(e);
    }
  };
  new AuthenticationOutcomeListener<>(this, connection, RpcType.SASL_MESSAGE, ugi, exchangeOutcome)
      .initiate(mechanismName);
  return authFuture;
}
use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by apache.
the class BitRpcUtility method prepareSaslHandshake.
/**
 * Builds the objects needed to begin a SASL handshake and starts it on the given client. Called
 * from {@link BasicClient#prepareSaslHandshake(RpcConnectionHandler, List)} only for
 * {@link org.apache.drill.exec.rpc.data.DataClient} and
 * {@link org.apache.drill.exec.rpc.control.ControlClient}.
 *
 * <p>The handshake runs as the user returned by {@code UserGroupInformation.getLoginUser()}. If
 * setup throws an {@link IOException}, the handler is told the connection failed with
 * {@code FailureType.AUTHENTICATION} and no handshake is started.
 *
 * <p>NOTE(review): {@code serverAuthMechanisms} is supplied by the remote side. The selection
 * logic in {@code config.getAuthFactory} is not visible here; confirm it only ever returns the
 * locally configured mechanism, so the peer's list cannot steer the choice.
 *
 * @param connectionHandler handler through which the client learns of success or failure
 * @param serverAuthMechanisms auth mechanisms configured on the server side
 * @param connection ClientConnection used for authentication
 * @param config ClientConnection config
 * @param endpoint remote DrillbitEndpoint
 * @param client a DataClient or ControlClient instance
 * @param saslRpcType SASL_MESSAGE RpcType for the Data or Control channel
 */
public static <T extends EnumLite, CC extends ClientConnection, HS extends MessageLite, HR extends MessageLite>
    void prepareSaslHandshake(final RpcConnectionHandler<CC> connectionHandler,
                              List<String> serverAuthMechanisms,
                              CC connection,
                              BitConnectionConfig config,
                              DrillbitEndpoint endpoint,
                              final BasicClient<T, CC, HS, HR> client,
                              T saslRpcType) {
  try {
    // Security-layer properties follow the connection's encryption setting.
    final Map<String, String> securityLayerProps =
        SaslProperties.getSaslProperties(connection.isEncryptionEnabled(), connection.getMaxWrappedSize());
    final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    final AuthenticatorFactory authFactory = config.getAuthFactory(serverAuthMechanisms);
    client.startSaslHandshake(
        connectionHandler,
        config.getSaslClientProperties(endpoint, securityLayerProps),
        loginUser,
        authFactory,
        saslRpcType);
  } catch (final IOException cause) {
    logger.error("Failed while doing setup for starting sasl handshake for connection {}", connection.getName());
    // The original exception travels to the handler as the cause of the RpcException.
    final String message = String.format("Failed to initiate authentication to %s", endpoint.getAddress());
    final Exception failure = new RpcException(message, cause);
    connectionHandler.connectionFailed(RpcConnectionHandler.FailureType.AUTHENTICATION, failure);
  }
}
use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by apache.
the class DrillRestLoginService method login.
/**
 * Authenticates a web user with the PLAIN mechanism's authenticator and builds the matching
 * {@link UserIdentity}.
 *
 * <p>Every failure path returns {@code null}: non-String credentials, a rejected password, and
 * any unexpected exception alike. Admin status is evaluated only after the authenticator has
 * returned without throwing.
 *
 * @param username name supplied by the caller
 * @param credentials expected to be the password as a {@link String}
 * @return the identity for the authenticated user, or {@code null} when login is not granted
 */
@Override
public UserIdentity login(String username, Object credentials) {
  // Only String credentials are accepted; anything else is rejected before authentication.
  if (!(credentials instanceof String)) {
    return null;
  }
  final String password = (String) credentials;

  try {
    // Authenticate the web user locally. A started WebServer guarantees that the PLAIN mechanism
    // is configured and that its authenticator is available.
    final AuthenticatorFactory plainFactory =
        drillbitContext.getAuthProvider().getAuthenticatorFactory(PlainFactory.SIMPLE_NAME);
    final UserAuthenticator authenticator = ((PlainFactory) plainFactory).getAuthenticator();

    // Throws on bad credentials, which skips everything below.
    authenticator.authenticate(username, password);
    // NOTE(review): username is caller-supplied and logged as given; rely on the log layout to
    // neutralise control characters.
    logger.debug("WebUser {} is successfully authenticated", username);

    final SystemOptionManager sysOptions = drillbitContext.getOptionManager();
    final String adminUsers = sysOptions.getOption(ExecConstants.ADMIN_USERS_KEY).string_val;
    final String adminGroups = sysOptions.getOption(ExecConstants.ADMIN_USER_GROUPS_KEY).string_val;
    final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(username, adminUsers, adminGroups);

    // Principal and subject describing the logged-in user.
    final Principal userPrincipal = new DrillUserPrincipal(username, isAdmin);
    final Subject subject = new Subject();
    subject.getPrincipals().add(userPrincipal);
    // NOTE(review): this keeps the plaintext password reachable through the Subject for as long
    // as the identity is retained; confirm a downstream consumer needs it.
    subject.getPrivateCredentials().add(credentials);

    if (!isAdmin) {
      subject.getPrincipals().addAll(DrillUserPrincipal.NON_ADMIN_PRINCIPALS);
      return identityService.newUserIdentity(subject, userPrincipal, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
    }
    subject.getPrincipals().addAll(DrillUserPrincipal.ADMIN_PRINCIPALS);
    return identityService.newUserIdentity(subject, userPrincipal, DrillUserPrincipal.ADMIN_USER_ROLES);
  } catch (final Exception e) {
    // Rejected credentials are routine and logged at debug; anything else is logged as an error.
    // Both deny the login.
    final boolean rejectedCredentials = e instanceof UserAuthenticationException;
    if (!rejectedCredentials) {
      logger.error("UnExpected failure occurred for WebUser {} during login.", username, e);
    } else {
      logger.debug("Authentication failed for WebUser '{}'", username, e);
    }
    return null;
  }
}
use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by axbaretto.
the class DrillRestLoginService method login.
/**
 * Checks a web user's password with the PLAIN mechanism's authenticator and, on success,
 * returns a {@link UserIdentity} carrying admin or non-admin roles.
 *
 * <p>The method fails closed: credentials that are not a {@link String}, an authentication
 * failure, and any other exception all produce {@code null}. Admin privileges are looked up only
 * once the authenticator has accepted the credentials.
 *
 * @param username name supplied by the caller
 * @param credentials expected to be the password as a {@link String}
 * @return the identity for the authenticated user, or {@code null} when login is not granted
 */
@Override
public UserIdentity login(String username, Object credentials) {
  final boolean isStringCredential = credentials instanceof String;
  if (!isStringCredential) {
    return null;
  }

  try {
    // Local authentication of the web user. A running WebServer guarantees that PLAIN is
    // configured and that its authenticator exists.
    final AuthenticatorFactory plainFactory =
        drillbitContext.getAuthProvider().getAuthenticatorFactory(PlainFactory.SIMPLE_NAME);
    final UserAuthenticator authenticator = ((PlainFactory) plainFactory).getAuthenticator();

    // An exception here means the credentials were not accepted; nothing below runs.
    authenticator.authenticate(username, (String) credentials);
    // NOTE(review): username is caller-supplied and logged as given; rely on the log layout to
    // neutralise control characters.
    logger.debug("WebUser {} is successfully authenticated", username);

    final SystemOptionManager sysOptions = drillbitContext.getOptionManager();
    final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(
        username,
        ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions),
        ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));

    // Principal and subject describing the logged-in user.
    final Principal userPrincipal = new DrillUserPrincipal(username, isAdmin);
    final Subject subject = new Subject();
    subject.getPrincipals().add(userPrincipal);
    // NOTE(review): the plaintext password stays attached to the Subject for as long as the
    // identity is retained; confirm a downstream consumer needs it.
    subject.getPrivateCredentials().add(credentials);

    if (!isAdmin) {
      subject.getPrincipals().addAll(DrillUserPrincipal.NON_ADMIN_PRINCIPALS);
      return identityService.newUserIdentity(subject, userPrincipal, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
    }
    subject.getPrincipals().addAll(DrillUserPrincipal.ADMIN_PRINCIPALS);
    return identityService.newUserIdentity(subject, userPrincipal, DrillUserPrincipal.ADMIN_USER_ROLES);
  } catch (final Exception e) {
    // Expected authentication failures go to debug, everything else to error. Both deny the login.
    final boolean rejectedCredentials = e instanceof UserAuthenticationException;
    if (!rejectedCredentials) {
      logger.error("UnExpected failure occurred for WebUser {} during login.", username, e);
    } else {
      logger.debug("Authentication failed for WebUser '{}'", username, e);
    }
    return null;
  }
}
use of org.apache.drill.exec.rpc.security.AuthenticatorFactory in project drill by axbaretto.
the class BitRpcUtility method prepareSaslHandshake.
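/**
 * Creates the instances needed to start the SASL handshake and starts it. This is called from
 * {@link BasicClient#prepareSaslHandshake(RpcConnectionHandler, List)} only for
 * {@link org.apache.drill.exec.rpc.data.DataClient} and
 * {@link org.apache.drill.exec.rpc.control.ControlClient}.
 *
 * <p>The handshake runs as the user returned by {@code UserGroupInformation.getLoginUser()}. If
 * setup throws an {@link IOException}, the failure is logged with the connection name and the
 * handler is told the connection failed with {@code FailureType.AUTHENTICATION}.
 *
 * <p>NOTE(review): {@code serverAuthMechanisms} is supplied by the remote side. The selection
 * logic in {@code config.getAuthFactory} is not visible here; confirm it only ever returns the
 * locally configured mechanism, so the peer's list cannot steer the choice.
 *
 * @param connectionHandler handler through which the client learns of success or failure
 * @param serverAuthMechanisms auth mechanisms configured on the server side
 * @param connection ClientConnection used for authentication
 * @param config ClientConnection config
 * @param endpoint remote DrillbitEndpoint
 * @param client a DataClient or ControlClient instance
 * @param saslRpcType SASL_MESSAGE RpcType for the Data or Control channel
 */
public static <T extends EnumLite, CC extends ClientConnection, HS extends MessageLite, HR extends MessageLite>
    void prepareSaslHandshake(final RpcConnectionHandler<CC> connectionHandler,
                              List<String> serverAuthMechanisms,
                              CC connection,
                              BitConnectionConfig config,
                              DrillbitEndpoint endpoint,
                              final BasicClient<T, CC, HS, HR> client,
                              T saslRpcType) {
  try {
    // Security-layer properties follow the connection's encryption setting.
    final Map<String, String> saslProperties =
        SaslProperties.getSaslProperties(connection.isEncryptionEnabled(), connection.getMaxWrappedSize());
    final UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    final AuthenticatorFactory factory = config.getAuthFactory(serverAuthMechanisms);
    client.startSaslHandshake(connectionHandler, config.getSaslClientProperties(endpoint, saslProperties), ugi,
        factory, saslRpcType);
  } catch (final IOException e) {
    // The message needs the `{}` placeholder; without it the logger drops the connection name
    // and the failure cannot be tied to a connection in the log.
    logger.error("Failed while doing setup for starting sasl handshake for connection {}", connection.getName());
    // The original exception travels to the handler as the cause of the RpcException.
    final Exception ex = new RpcException(String.format("Failed to initiate authentication to %s",
        endpoint.getAddress()), e);
    connectionHandler.connectionFailed(RpcConnectionHandler.FailureType.AUTHENTICATION, ex);
  }
}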