Example 1 with KerberosName
use of org.apache.hadoop.security.authentication.util.KerberosName in project hadoop by apache.
the class KDiag method validateShortName.
/**
* Verify whether auth_to_local rules transform a principal name
* <p>
* Having a local user name "bar@foo.com" may be harmless, so it is noted at
* info. However if what was intended is a transformation to "bar"
* it can be difficult to debug, hence this check.
*/
protected void validateShortName() {
failif(principal == null, CAT_KERBEROS, "No principal defined");
try {
KerberosName kn = new KerberosName(principal);
String result = kn.getShortName();
if (nonSimplePattern.matcher(result).find()) {
warn(CAT_KERBEROS, principal + " short name: " + result + " still contains @ or /");
}
} catch (IOException e) {
throw new KerberosDiagsFailure(CAT_KERBEROS, e, "Failed to get short name for " + principal, e);
} catch (IllegalArgumentException e) {
error(CAT_KERBEROS, "KerberosName(" + principal + ") failed: %s\n%s", e, StringUtils.stringifyException(e));
}
}
Also used :
KerberosName(org.apache.hadoop.security.authentication.util.KerberosName)
IOException(java.io.IOException)
Example 2 with KerberosName
use of org.apache.hadoop.security.authentication.util.KerberosName in project hadoop by apache.
the class JspHelper method checkUsername.
/**
* Expected user name should be a short name.
*/
public static void checkUsername(final String expected, final String name) throws IOException {
if (expected == null && name != null) {
throw new IOException("Usernames not matched: expecting null but name=" + name);
}
if (name == null) {
//name is optional, null is okay
return;
}
KerberosName u = new KerberosName(name);
String shortName = u.getShortName();
if (!shortName.equals(expected)) {
throw new IOException("Usernames not matched: name=" + shortName + " != expected=" + expected);
}
}
Also used :
IOException(java.io.IOException)
KerberosName(org.apache.hadoop.security.authentication.util.KerberosName)
Example 3 with KerberosName
use of org.apache.hadoop.security.authentication.util.KerberosName in project hadoop by apache.
the class TestKerberosAuthenticationHandler method testNameRules.
@Test(timeout = 60000)
public void testNameRules() throws Exception {
KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal());
Assert.assertEquals(KerberosTestUtils.getRealm(), kn.getRealm());
//destroy handler created in setUp()
handler.destroy();
KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");
handler = getNewAuthenticationHandler();
Properties props = getDefaultProperties();
props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
try {
handler.init(props);
} catch (Exception ex) {
}
kn = new KerberosName("bar@BAR");
Assert.assertEquals("bar", kn.getShortName());
kn = new KerberosName("bar@FOO");
Assert.assertEquals("bar@FOO", kn.getShortName());
}
Also used :
KerberosName(org.apache.hadoop.security.authentication.util.KerberosName)
Properties(java.util.Properties)
AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException)
ServletException(javax.servlet.ServletException)
Test(org.junit.Test)
Example 4 with KerberosName
use of org.apache.hadoop.security.authentication.util.KerberosName in project cdap by caskdata.
the class DefaultUGIProvider method createUGI.
/**
* Resolves the {@link UserGroupInformation} for a given user, performing any keytab localization, if necessary.
*
* @return a {@link UserGroupInformation}, based upon the information configured for a particular user
* @throws IOException if there was any IOException during localization of the keytab
*/
@Override
protected UGIWithPrincipal createUGI(ImpersonationRequest impersonationRequest) throws IOException {
// no need to get a UGI if the current UGI is the one we're requesting; simply return it
String configuredPrincipalShortName = new KerberosName(impersonationRequest.getPrincipal()).getShortName();
if (UserGroupInformation.getCurrentUser().getShortUserName().equals(configuredPrincipalShortName)) {
return new UGIWithPrincipal(impersonationRequest.getPrincipal(), UserGroupInformation.getCurrentUser());
}
URI keytabURI = URI.create(impersonationRequest.getKeytabURI());
boolean isKeytabLocal = keytabURI.getScheme() == null || "file".equals(keytabURI.getScheme());
File localKeytabFile = isKeytabLocal ? new File(keytabURI.getPath()) : localizeKeytab(locationFactory.create(keytabURI));
try {
String expandedPrincipal = SecurityUtil.expandPrincipal(impersonationRequest.getPrincipal());
LOG.debug("Logging in as: principal={}, keytab={}", expandedPrincipal, localKeytabFile);
// keytab file is not readable to ensure that the client gets the same exception in both the modes.
if (!Files.isReadable(localKeytabFile.toPath())) {
throw new IOException(String.format("Keytab file is not a readable file: %s", localKeytabFile));
}
UserGroupInformation loggedInUGI;
try {
loggedInUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(expandedPrincipal, localKeytabFile.getAbsolutePath());
} catch (Exception e) {
// not working
throw new IOException(String.format("Failed to login for principal=%s, keytab=%s. Check that the principal " + "was not deleted and that the keytab is still valid.", expandedPrincipal, keytabURI), e);
}
return new UGIWithPrincipal(impersonationRequest.getPrincipal(), loggedInUGI);
} finally {
if (!isKeytabLocal && !localKeytabFile.delete()) {
LOG.warn("Failed to delete file: {}", localKeytabFile);
}
}
}
Also used :
KerberosName(org.apache.hadoop.security.authentication.util.KerberosName)
IOException(java.io.IOException)
URI(java.net.URI)
File(java.io.File)
IOException(java.io.IOException)
FeatureDisabledException(co.cask.cdap.common.FeatureDisabledException)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Example 5 with KerberosName
use of org.apache.hadoop.security.authentication.util.KerberosName in project cdap by caskdata.
the class SecurityUtil method getKeytabURIforPrincipal.
/**
* @param principal The principal whose KeytabURI is being looked up
* @param cConf To lookup the configured path for the keytabs
* @return The location of the keytab
* @throws IOException If the principal is not a valid kerberos principal
*/
static String getKeytabURIforPrincipal(String principal, CConfiguration cConf) throws IOException {
String confPath = cConf.getRaw(Constants.Security.KEYTAB_PATH);
Preconditions.checkNotNull(confPath, String.format("Failed to get a valid keytab path. " + "Please ensure that you have specified %s in cdap-site.xml", Constants.Security.KEYTAB_PATH));
String name = new KerberosName(principal).getShortName();
return confPath.replace(Constants.USER_NAME_SPECIFIER, name);
}
Also used :
KerberosName(org.apache.hadoop.security.authentication.util.KerberosName)
Aggregations
KerberosName (org.apache.hadoop.security.authentication.util.KerberosName)14
IOException (java.io.IOException)7
AuthenticationException (org.apache.hadoop.security.authentication.client.AuthenticationException)3
File (java.io.File)2
PrivilegedActionException (java.security.PrivilegedActionException)2
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)2
ServletException (javax.servlet.ServletException)2
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)2
GSSContext (org.ietf.jgss.GSSContext)2
GSSCredential (org.ietf.jgss.GSSCredential)2
Oid (org.ietf.jgss.Oid)2
ProgramController (co.cask.cdap.app.runtime.ProgramController)1
ProgramRuntimeService (co.cask.cdap.app.runtime.ProgramRuntimeService)1
ApplicationNotFoundException (co.cask.cdap.common.ApplicationNotFoundException)1
FeatureDisabledException (co.cask.cdap.common.FeatureDisabledException)1
ProgramNotFoundException (co.cask.cdap.common.ProgramNotFoundException)1
AbstractListener (co.cask.cdap.internal.app.runtime.AbstractListener)1
KerberosPrincipalId (co.cask.cdap.proto.id.KerberosPrincipalId)1
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
ByteString (com.google.protobuf.ByteString)1
