Examples with AuthMethod org.apache.hadoop.security.SaslRpcServer.AuthMethod used on opensource projects

Example 1 with AuthMethod

use of org.apache.hadoop.security.SaslRpcServer.AuthMethod in project hadoop by apache.

the class Server method getAuthMethods.

// get the security type from the conf. implicitly include token support
// if a secret manager is provided, or fail if token is the conf value but
// there is no secret manager
private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager, Configuration conf) {
    AuthenticationMethod confAuthenticationMethod = SecurityUtil.getAuthenticationMethod(conf);
    List<AuthMethod> authMethods = new ArrayList<AuthMethod>();
    if (confAuthenticationMethod == AuthenticationMethod.TOKEN) {
        if (secretManager == null) {
            throw new IllegalArgumentException(AuthenticationMethod.TOKEN + " authentication requires a secret manager");
        }
    } else if (secretManager != null) {
        LOG.debug(AuthenticationMethod.TOKEN + " authentication enabled for secret manager");
        // most preferred, go to the front of the line!
        authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod());
    }
    authMethods.add(confAuthenticationMethod.getAuthMethod());
    LOG.debug("Server accepts auth methods:" + authMethods);
    return authMethods;
}

Example 2 with AuthMethod

use of org.apache.hadoop.security.SaslRpcServer.AuthMethod in project hadoop by apache.

the class SaslRpcClient method selectSaslClient.

/**
   * Instantiate a sasl client for the first supported auth type in the
   * given list.  The auth type must be defined, enabled, and the user
   * must possess the required credentials, else the next auth is tried.
   * 
   * @param authTypes to attempt in the given order
   * @return SaslAuth of instantiated client
   * @throws AccessControlException - client doesn't support any of the auths
   * @throws IOException - misc errors
   */
private SaslAuth selectSaslClient(List<SaslAuth> authTypes) throws SaslException, AccessControlException, IOException {
    SaslAuth selectedAuthType = null;
    boolean switchToSimple = false;
    for (SaslAuth authType : authTypes) {
        if (!isValidAuthType(authType)) {
            // don't know what it is, try next
            continue;
        }
        AuthMethod authMethod = AuthMethod.valueOf(authType.getMethod());
        if (authMethod == AuthMethod.SIMPLE) {
            switchToSimple = true;
        } else {
            saslClient = createSaslClient(authType);
            if (saslClient == null) {
                // client lacks credentials, try next
                continue;
            }
        }
        selectedAuthType = authType;
        break;
    }
    if (saslClient == null && !switchToSimple) {
        List<String> serverAuthMethods = new ArrayList<String>();
        for (SaslAuth authType : authTypes) {
            serverAuthMethods.add(authType.getMethod());
        }
        throw new AccessControlException("Client cannot authenticate via:" + serverAuthMethods);
    }
    if (LOG.isDebugEnabled() && selectedAuthType != null) {
        LOG.debug("Use " + selectedAuthType.getMethod() + " authentication for protocol " + protocol.getSimpleName());
    }
    return selectedAuthType;
}

Example 3 with AuthMethod

use of org.apache.hadoop.security.SaslRpcServer.AuthMethod in project hadoop by apache.

the class TestSaslRPC method internalGetAuthMethod.

private String internalGetAuthMethod(final AuthMethod clientAuth, final AuthMethod serverAuth, final UseToken tokenType) throws Exception {
    final Configuration serverConf = new Configuration(conf);
    serverConf.set(HADOOP_SECURITY_AUTHENTICATION, serverAuth.toString());
    UserGroupInformation.setConfiguration(serverConf);
    final UserGroupInformation serverUgi = (serverAuth == KERBEROS) ? UserGroupInformation.createRemoteUser("server/localhost@NONE") : UserGroupInformation.createRemoteUser("server");
    serverUgi.setAuthenticationMethod(serverAuth);
    final TestTokenSecretManager sm = new TestTokenSecretManager();
    boolean useSecretManager = (serverAuth != SIMPLE);
    if (enableSecretManager != null) {
        useSecretManager &= enableSecretManager;
    }
    if (forceSecretManager != null) {
        useSecretManager |= forceSecretManager;
    }
    final SecretManager<?> serverSm = useSecretManager ? sm : null;
    Server server = serverUgi.doAs(new PrivilegedExceptionAction<Server>() {

        @Override
        public Server run() throws IOException {
            return setupTestServer(serverConf, 5, serverSm);
        }
    });
    final Configuration clientConf = new Configuration(conf);
    clientConf.set(HADOOP_SECURITY_AUTHENTICATION, clientAuth.toString());
    clientConf.setBoolean(CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY, clientFallBackToSimpleAllowed);
    UserGroupInformation.setConfiguration(clientConf);
    final UserGroupInformation clientUgi = UserGroupInformation.createRemoteUser("client");
    clientUgi.setAuthenticationMethod(clientAuth);
    final InetSocketAddress addr = NetUtils.getConnectAddress(server);
    if (tokenType != UseToken.NONE) {
        TestTokenIdentifier tokenId = new TestTokenIdentifier(new Text(clientUgi.getUserName()));
        Token<TestTokenIdentifier> token = null;
        switch(tokenType) {
            case VALID:
                token = new Token<>(tokenId, sm);
                SecurityUtil.setTokenService(token, addr);
                break;
            case INVALID:
                token = new Token<>(tokenId.getBytes(), "bad-password!".getBytes(), tokenId.getKind(), null);
                SecurityUtil.setTokenService(token, addr);
                break;
            case OTHER:
                token = new Token<>();
                break;
            // won't get here
            case NONE:
        }
        clientUgi.addToken(token);
    }
    try {
        LOG.info("trying ugi:" + clientUgi + " tokens:" + clientUgi.getTokens());
        return clientUgi.doAs(new PrivilegedExceptionAction<String>() {

            @Override
            public String run() throws IOException {
                TestRpcService proxy = null;
                try {
                    proxy = getClient(addr, clientConf);
                    proxy.ping(null, newEmptyRequest());
                    // make sure the other side thinks we are who we said we are!!!
                    assertEquals(clientUgi.getUserName(), proxy.getAuthUser(null, newEmptyRequest()).getUser());
                    AuthMethod authMethod = convert(proxy.getAuthMethod(null, newEmptyRequest()));
                    // verify sasl completed with correct QOP
                    assertEquals((authMethod != SIMPLE) ? expectedQop.saslQop : null, RPC.getConnectionIdForProxy(proxy).getSaslQop());
                    return authMethod != null ? authMethod.toString() : null;
                } catch (ServiceException se) {
                    if (se.getCause() instanceof RemoteException) {
                        throw (RemoteException) se.getCause();
                    } else if (se.getCause() instanceof IOException) {
                        throw (IOException) se.getCause();
                    } else {
                        throw new RuntimeException(se.getCause());
                    }
                } finally {
                    if (proxy != null) {
                        RPC.stopProxy(proxy);
                    }
                }
            }
        });
    } finally {
        server.stop();
    }
}

Example 4 with AuthMethod

use of org.apache.hadoop.security.SaslRpcServer.AuthMethod in project hadoop by apache.

the class TestSaslRPC method doDigestRpc.

private void doDigestRpc(Server server, TestTokenSecretManager sm) throws Exception {
    final UserGroupInformation current = UserGroupInformation.getCurrentUser();
    addr = NetUtils.getConnectAddress(server);
    TestTokenIdentifier tokenId = new TestTokenIdentifier(new Text(current.getUserName()));
    Token<TestTokenIdentifier> token = new Token<>(tokenId, sm);
    SecurityUtil.setTokenService(token, addr);
    current.addToken(token);
    TestRpcService proxy = null;
    try {
        proxy = getClient(addr, conf);
        AuthMethod authMethod = convert(proxy.getAuthMethod(null, newEmptyRequest()));
        assertEquals(TOKEN, authMethod);
        //QOP must be auth
        assertEquals(expectedQop.saslQop, RPC.getConnectionIdForProxy(proxy).getSaslQop());
        int n = 0;
        for (Connection connection : server.getConnections()) {
            // only qop auth should dispose of the sasl server
            boolean hasServer = (connection.saslServer != null);
            assertTrue("qop:" + expectedQop + " hasServer:" + hasServer, (expectedQop == QualityOfProtection.AUTHENTICATION) ^ hasServer);
            n++;
        }
        assertTrue(n > 0);
        proxy.ping(null, newEmptyRequest());
    } finally {
        stop(server, proxy);
    }
}

Example 5 with AuthMethod

use of org.apache.hadoop.security.SaslRpcServer.AuthMethod in project hadoop by apache.

the class SaslRpcClient method createSaslClient.

/**
   * Try to create a SaslClient for an authentication type.  May return
   * null if the type isn't supported or the client lacks the required
   * credentials.
   * 
   * @param authType - the requested authentication method
   * @return SaslClient for the authType or null
   * @throws SaslException - error instantiating client
   * @throws IOException - misc errors
   */
private SaslClient createSaslClient(SaslAuth authType) throws SaslException, IOException {
    String saslUser = null;
    // SASL requires the client and server to use the same proto and serverId
    // if necessary, auth types below will verify they are valid
    final String saslProtocol = authType.getProtocol();
    final String saslServerName = authType.getServerId();
    Map<String, String> saslProperties = saslPropsResolver.getClientProperties(serverAddr.getAddress());
    CallbackHandler saslCallback = null;
    final AuthMethod method = AuthMethod.valueOf(authType.getMethod());
    switch(method) {
        case TOKEN:
            {
                Token<?> token = getServerToken(authType);
                if (token == null) {
                    LOG.debug("tokens aren't supported for this protocol" + " or user doesn't have one");
                    return null;
                }
                saslCallback = new SaslClientCallbackHandler(token);
                break;
            }
        case KERBEROS:
            {
                if (ugi.getRealAuthenticationMethod().getAuthMethod() != AuthMethod.KERBEROS) {
                    LOG.debug("client isn't using kerberos");
                    return null;
                }
                String serverPrincipal = getServerPrincipal(authType);
                if (serverPrincipal == null) {
                    LOG.debug("protocol doesn't use kerberos");
                    return null;
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("RPC Server's Kerberos principal name for protocol=" + protocol.getCanonicalName() + " is " + serverPrincipal);
                }
                break;
            }
        default:
            throw new IOException("Unknown authentication method " + method);
    }
    String mechanism = method.getMechanismName();
    if (LOG.isDebugEnabled()) {
        LOG.debug("Creating SASL " + mechanism + "(" + method + ") " + " client to authenticate to service at " + saslServerName);
    }
    return Sasl.createSaslClient(new String[] { mechanism }, saslUser, saslProtocol, saslServerName, saslProperties, saslCallback);
}