Example 1 with HadoopKerberosName

Use of org.apache.hadoop.security.HadoopKerberosName in project hadoop by apache.

Class AbstractDelegationTokenSecretManager, method cancelToken.

/**
   * Cancel a token by removing it from cache.
   * @return Identifier of the canceled token
   * @throws InvalidToken for invalid token
   * @throws AccessControlException if the user isn't allowed to cancel
   */
public synchronized TokenIdent cancelToken(Token<TokenIdent> token, String canceller) throws IOException {
    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
    DataInputStream in = new DataInputStream(buf);
    TokenIdent id = createIdentifier();
    id.readFields(in);
    LOG.info("Token cancellation requested for identifier: " + formatTokenId(id));
    if (id.getUser() == null) {
        throw new InvalidToken("Token with no owner " + formatTokenId(id));
    }
    String owner = id.getUser().getUserName();
    Text renewer = id.getRenewer();
    // The canceller's full principal is compared against the token owner, while
    // only its short (realm-stripped) name is compared against the renewer.
    HadoopKerberosName cancelerKrbName = new HadoopKerberosName(canceller);
    String cancelerShortName = cancelerKrbName.getShortName();
    // Only the owner, or the designated renewer (if one was set), may cancel.
    if (!canceller.equals(owner) && (renewer == null || renewer.toString().isEmpty() || !cancelerShortName.equals(renewer.toString()))) {
        throw new AccessControlException(canceller + " is not authorized to cancel the token " + formatTokenId(id));
    }
    DelegationTokenInformation info = currentTokens.remove(id);
    if (info == null) {
        throw new InvalidToken("Token not found " + formatTokenId(id));
    }
    removeStoredToken(id);
    return id;
}
Also used: ByteArrayInputStream (java.io.ByteArrayInputStream), HadoopKerberosName (org.apache.hadoop.security.HadoopKerberosName), AccessControlException (org.apache.hadoop.security.AccessControlException), Text (org.apache.hadoop.io.Text), DataInputStream (java.io.DataInputStream)

Example 2 with HadoopKerberosName

Use of org.apache.hadoop.security.HadoopKerberosName in project drill by axbaretto.

Class KerberosFactory, method createSaslServer.

@Override
public SaslServer createSaslServer(final UserGroupInformation ugi, final Map<String, ?> properties) throws SaslException {
    // Default to "auth" (authentication only, no integrity or confidentiality) when no QOP is configured.
    final String qopValue = properties.containsKey(Sasl.QOP) ? properties.get(Sasl.QOP).toString() : "auth";
    try {
        // Split the login principal "primary/instance@REALM" into the primary and instance (host) parts
        // expected by the GSSAPI SASL server factory.
        final String primaryName = ugi.getShortUserName();
        final String instanceName = new HadoopKerberosName(ugi.getUserName()).getHostName();
        final SaslServer saslServer = ugi.doAs(new PrivilegedExceptionAction<SaslServer>() {

            @Override
            public SaslServer run() throws Exception {
                return FastSaslServerFactory.getInstance().createSaslServer(KerberosUtil.KERBEROS_SASL_NAME, primaryName, instanceName, properties, new KerberosServerCallbackHandler());
            }
        });
        logger.trace("GSSAPI SaslServer created with QOP {}.", qopValue);
        return saslServer;
    } catch (final UndeclaredThrowableException e) {
        final Throwable cause = e.getCause();
        logger.debug("Authentication failed.", cause);
        if (cause instanceof SaslException) {
            throw (SaslException) cause;
        } else {
            throw new SaslException(String.format("Unexpected failure trying to authenticate using Kerberos with QOP %s", qopValue), cause);
        }
    } catch (final IOException | InterruptedException e) {
        logger.debug("Authentication failed.", e);
        throw new SaslException(String.format("Unexpected failure trying to authenticate using Kerberos with QOP %s", qopValue), e);
    }
}
Also used: HadoopKerberosName (org.apache.hadoop.security.HadoopKerberosName), SaslServer (javax.security.sasl.SaslServer), IOException (java.io.IOException), SaslException (javax.security.sasl.SaslException), LoginException (javax.security.auth.login.LoginException), UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException), UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException), InvocationTargetException (java.lang.reflect.InvocationTargetException)

Example 3 with HadoopKerberosName

Use of org.apache.hadoop.security.HadoopKerberosName in project drill by axbaretto.

Class BitConnectionConfig, method getSaslClientProperties.

public Map<String, ?> getSaslClientProperties(final DrillbitEndpoint remoteEndpoint, final Map<String, String> overrides) throws IOException {
    final DrillProperties properties = DrillProperties.createEmpty();
    final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    if (loginUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS) {
        final HadoopKerberosName loginPrincipal = new HadoopKerberosName(loginUser.getUserName());
        if (!useLoginPrincipal) {
            // Build the remote service principal from the local primary, the remote host and the local realm.
            properties.setProperty(DrillProperties.SERVICE_PRINCIPAL, KerberosUtil.getPrincipalFromParts(loginPrincipal.getShortName(), remoteEndpoint.getAddress(), loginPrincipal.getRealm()));
        } else {
            // Use the full login principal as the service principal of the remote endpoint.
            properties.setProperty(DrillProperties.SERVICE_PRINCIPAL, loginPrincipal.toString());
        }
    }
    properties.merge(overrides);
    return properties.stringPropertiesAsMap();
}
Also used: HadoopKerberosName (org.apache.hadoop.security.HadoopKerberosName), DrillProperties (org.apache.drill.common.config.DrillProperties), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)

Example 4 with HadoopKerberosName

Use of org.apache.hadoop.security.HadoopKerberosName in project drill by axbaretto.

Class DrillSpnegoLoginService, method spnegoLogin.

private UserIdentity spnegoLogin(Object credentials) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // Providing both OIDs is required here. If we provide only one,
        // we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
        Oid[] knownOids = new Oid[2];
        // SPNEGO mechanism OID
        knownOids[0] = new Oid("1.3.6.1.5.5.2");
        // Kerberos V5 mechanism OID
        knownOids[1] = new Oid("1.2.840.113554.1.2.2");
        GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, knownOids, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
        } else {
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                final String clientName = gContext.getSrcName().toString();
                // 64 is the code point of '@'; everything after it is the realm of the authenticated principal.
                final String realm = clientName.substring(clientName.indexOf(64) + 1);
                // Get the client user short name (auth_to_local mapping applied to the full principal)
                final String userShortName = new HadoopKerberosName(clientName).getShortName();
                logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName);
                final SystemOptionManager sysOptions = drillContext.getOptionManager();
                final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName, ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions), ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));
                final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
                final Subject subject = new Subject();
                subject.getPrincipals().add(user);
                if (isAdmin) {
                    return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.ADMIN_USER_ROLES);
                } else {
                    return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
                }
            }
        }
    } catch (GSSException gsse) {
        logger.warn("Caught GSSException trying to authenticate the client", gsse);
    } catch (IOException ex) {
        logger.warn("Caught IOException trying to get shortName of client user", ex);
    }
    return null;
}
Also used: GSSName (org.ietf.jgss.GSSName), HadoopKerberosName (org.apache.hadoop.security.HadoopKerberosName), SystemOptionManager (org.apache.drill.exec.server.options.SystemOptionManager), Oid (org.ietf.jgss.Oid), IOException (java.io.IOException), Subject (javax.security.auth.Subject), GSSException (org.ietf.jgss.GSSException), GSSCredential (org.ietf.jgss.GSSCredential), GSSManager (org.ietf.jgss.GSSManager), GSSContext (org.ietf.jgss.GSSContext), Principal (java.security.Principal)

Example 5 with HadoopKerberosName

Use of org.apache.hadoop.security.HadoopKerberosName in project drill by apache.

Class AbstractServerConnection, method finalizeSaslSession.

@Override
public void finalizeSaslSession() throws IOException {
    final String authorizationID = getSaslServer().getAuthorizationID();
    // Compare only the 'primary' component of the two service principals: the remote drillbit
    // must run under the same service name as this one.
    final String remoteShortName = new HadoopKerberosName(authorizationID).getShortName();
    final String localShortName = UserGroupInformation.getLoginUser().getShortUserName();
    if (!localShortName.equals(remoteShortName)) {
        throw new SaslException(String.format("'primary' part of remote drillbit's service principal " + "does not match with this drillbit's. Expected: '%s' Actual: '%s'", localShortName, remoteShortName));
    }
    getLogger().debug("Authenticated connection for {}", authorizationID);
}
Also used: HadoopKerberosName (org.apache.hadoop.security.HadoopKerberosName), SaslException (javax.security.sasl.SaslException)

Aggregations (type, number of usages):

HadoopKerberosName (org.apache.hadoop.security.HadoopKerberosName): 12
IOException (java.io.IOException): 6
SaslException (javax.security.sasl.SaslException): 4
Subject (javax.security.auth.Subject): 3
InvocationTargetException (java.lang.reflect.InvocationTargetException): 2
UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException): 2
Principal (java.security.Principal): 2
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException): 2
LoginException (javax.security.auth.login.LoginException): 2
SaslServer (javax.security.sasl.SaslServer): 2
DrillProperties (org.apache.drill.common.config.DrillProperties): 2
SystemOptionManager (org.apache.drill.exec.server.options.SystemOptionManager): 2
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation): 2
GSSContext (org.ietf.jgss.GSSContext): 2
GSSCredential (org.ietf.jgss.GSSCredential): 2
GSSException (org.ietf.jgss.GSSException): 2
GSSManager (org.ietf.jgss.GSSManager): 2
GSSName (org.ietf.jgss.GSSName): 2
Oid (org.ietf.jgss.Oid): 2
Gson (com.google.gson.Gson): 1