
Example 1 with KerberosInfo

Use of org.apache.hadoop.security.KerberosInfo in the project hadoop by apache.

From the class ServiceAuthorizationManager, the method authorize:

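/**
 * Authorize the user to access the protocol being used.
 *
 * <p>Authorization succeeds only when all of the following hold:
 * <ol>
 *   <li>the protocol has a registered ACL pair and host-list pair
 *       (otherwise it is reported as unknown);</li>
 *   <li>if the protocol declares a Kerberos client-principal key via
 *       {@link KerberosInfo}, the principal resolved from that key equals the
 *       caller's user name;</li>
 *   <li>the user is allowed by the protocol's ACL (element 0) and is not
 *       matched by the blocked ACL (element 1);</li>
 *   <li>if a client address is supplied, it is included in the allowed host
 *       list (element 0) and not in the blocked host list (element 1).</li>
 * </ol>
 * Every denial is written to {@code AUDITLOG} at WARN level before the
 * exception is thrown; a successful authorization is logged at INFO.
 * Note that the host checks are skipped entirely when {@code addr} is
 * {@code null}, so callers that cannot supply the peer address are not
 * subject to the host restriction.
 *
 * @param user user accessing the service
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr InetAddress of the client; may be {@code null}, in which case
 *             no host check is performed
 * @throws AuthorizationException on authorization failure, or if the Kerberos
 *         principal expected for {@code addr} cannot be resolved
 */
public void authorize(UserGroupInformation user, Class<?> protocol, Configuration conf, InetAddress addr) throws AuthorizationException {
    // NOTE(review): the two lookups are not atomic with respect to a concurrent
    // refresh of the maps; confirm that a mixed-generation acls/hosts pair is acceptable.
    AccessControlList[] acls = protocolToAcls.get(protocol);
    MachineList[] hosts = protocolToMachineLists.get(protocol);
    if (acls == null || hosts == null) {
        throw new AuthorizationException("Protocol " + protocol + " is not known.");
    }
    String clientPrincipal = resolveClientPrincipal(user, protocol, conf, addr);
    checkUserAllowed(user, protocol, acls, clientPrincipal);
    if (addr != null) {
        checkHostAllowed(user, protocol, hosts, addr.getHostAddress());
    }
    AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol=" + protocol);
}

/** Resolves the Kerberos principal the protocol expects the caller to present, or {@code null} if none is configured. */
private String resolveClientPrincipal(UserGroupInformation user, Class<?> protocol, Configuration conf, InetAddress addr) throws AuthorizationException {
    KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
    if (krbInfo == null) {
        return null;
    }
    // The annotation names a configuration key; the principal pattern is read from conf under that key.
    String clientKey = krbInfo.clientPrincipal();
    if (clientKey == null || clientKey.isEmpty()) {
        return null;
    }
    try {
        // presumably expands any host placeholder in the pattern using addr — verify against SecurityUtil
        return SecurityUtil.getServerPrincipal(conf.get(clientKey), addr);
    } catch (IOException e) {
        // initCause is used because the message-only constructor is what this code relies on.
        throw (AuthorizationException) new AuthorizationException("Can't figure out Kerberos principal name for connection from " + addr + " for user=" + user + " protocol=" + protocol).initCause(e);
    }
}

/** Enforces the principal match and the allow/block ACL pair; audits and throws on denial. */
private void checkUserAllowed(UserGroupInformation user, Class<?> protocol, AccessControlList[] acls, String clientPrincipal) throws AuthorizationException {
    boolean principalMismatch = clientPrincipal != null && !clientPrincipal.equals(user.getUserName());
    // Short-circuit order is kept: the ACLs are consulted only when the principal check passes.
    if (principalMismatch || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
        // Report the principal restriction only when it is the reason for the denial;
        // an ACL denial of a correctly-named principal is reported as an ACL denial.
        String cause = principalMismatch ? ": this service is only accessible by " + clientPrincipal : ": denied by configured ACL";
        AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + cause);
        throw new AuthorizationException("User " + user + " is not authorized for protocol " + protocol + cause);
    }
}

/** Enforces the allow/block host-list pair for the client address; audits and throws on denial. */
private void checkHostAllowed(UserGroupInformation user, Class<?> protocol, MachineList[] hosts, String hostAddress) throws AuthorizationException {
    if (hosts.length != 2 || !hosts[0].includes(hostAddress) || hosts[1].includes(hostAddress)) {
        // The audit record names the user as well as the host so the entry is attributable.
        AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol + " from host = " + hostAddress);
        throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol " + protocol);
    }
}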
