
Example 1 with KerberosName

use of org.apache.hadoop.security.authentication.util.KerberosName in project hadoop by apache.

the class KDiag method validateShortName.

/**
 * Check that the configured auth_to_local rules actually shorten the principal.
 * <p>
 * The principal is run through {@link KerberosName#getShortName()}; if the
 * result still carries a realm ({@code @}) or an instance ({@code /}) part, the
 * rules did not reduce it to a plain local user name. A local user such as
 * "bar@foo.com" may be perfectly intentional, so this is reported as a
 * warning rather than a failure; but when a bare "bar" was intended it is a
 * frequent and hard-to-debug cause of authorization mismatches, hence the check.
 * <p>
 * Outcomes:
 * <ul>
 *   <li>no principal configured: diagnostics failure via {@code failif};</li>
 *   <li>rule evaluation fails with an {@link IOException}: wrapped in a
 *       {@link KerberosDiagsFailure} and thrown;</li>
 *   <li>the principal cannot be parsed ({@link IllegalArgumentException}):
 *       logged as an error with its stack trace, not thrown.</li>
 * </ul>
 */
protected void validateShortName() {
    failif(principal == null, CAT_KERBEROS, "No principal defined");
    try {
        String shortName = new KerberosName(principal).getShortName();
        // nonSimplePattern is declared elsewhere in the class; from the warning text it
        // presumably matches '@' or '/' left over after rule application.
        boolean stillQualified = nonSimplePattern.matcher(shortName).find();
        if (stillQualified) {
            warn(CAT_KERBEROS, principal + " short name: " + shortName + " still contains @ or /");
        }
    } catch (IOException e) {
        // Rule evaluation itself failed: fatal for the diagnostics run.
        // NOTE(review): e is passed both as the cause and as a trailing format argument;
        // the message has no placeholder, so the second copy is redundant.
        throw new KerberosDiagsFailure(CAT_KERBEROS, e, "Failed to get short name for " + principal, e);
    } catch (IllegalArgumentException e) {
        // Unparseable principal: report with the full stack trace and carry on.
        error(CAT_KERBEROS, "KerberosName(" + principal + ") failed: %s\n%s", e, StringUtils.stringifyException(e));
    }
}

Example 2 with KerberosName

use of org.apache.hadoop.security.authentication.util.KerberosName in project hadoop by apache.

the class JspHelper method checkUsername.

/**
 * Check that the (possibly fully qualified) user name {@code name} maps to the
 * short name {@code expected}.
 * <p>
 * {@code name} is passed through the configured auth_to_local rules via
 * {@link KerberosName#getShortName()}, so it may be a full principal such as
 * {@code user/host@REALM}; {@code expected} is compared as-is and must therefore
 * already be a short name.
 * <p>
 * A {@code null} name is treated as "not supplied" and accepted whatever
 * {@code expected} is. A non-null name with a {@code null} expectation is rejected.
 *
 * @param expected the short user name to compare against (presumably the
 *                 authenticated identity; check the callers); may be {@code null}
 * @param name     the user name being asserted; {@code null} means "none given"
 * @throws IOException if the names do not match, or if {@code name} cannot be
 *                     reduced to a short name (e.g. no auth_to_local rule applies)
 */
public static void checkUsername(final String expected, final String name) throws IOException {
    if (name == null) {
        // An absent name is acceptable regardless of what was expected.
        return;
    }
    if (expected == null) {
        throw new IOException("Usernames not matched: expecting null but name=" + name);
    }
    // Reduce a possibly qualified name (user/host@REALM) to its local short form
    // before comparing; getShortName() may itself throw if no rule matches.
    final String shortName = new KerberosName(name).getShortName();
    if (!shortName.equals(expected)) {
        throw new IOException("Usernames not matched: name=" + shortName + " != expected=" + expected);
    }
}

Example 3 with KerberosName

use of org.apache.hadoop.security.authentication.util.KerberosName in project hadoop by apache.

the class TestKerberosAuthenticationHandler method testNameRules.

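/**
 * Verify that the {@code NAME_RULES} handler property replaces any auth_to_local
 * rules that were installed before the handler was initialised.
 * <p>
 * {@link KerberosName#setRules(String)} is static: the rule set is process-wide
 * state shared by every {@code KerberosName} in the JVM, so initialising a handler
 * with its own {@code NAME_RULES} affects all other users of the mapping. The final
 * two assertions pin that down:
 * <ul>
 *   <li>{@code bar@BAR} is shortened to {@code bar} — the handler's BAR rule is in
 *       effect;</li>
 *   <li>{@code bar@FOO} stays {@code bar@FOO} — the earlier, statically installed
 *       FOO rule (which would have stripped the realm) no longer applies.</li>
 * </ul>
 */
@Test(timeout = 60000)
public void testNameRules() throws Exception {
    KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal());
    Assert.assertEquals(KerberosTestUtils.getRealm(), kn.getRealm());
    // destroy handler created in setUp()
    handler.destroy();
    // Install one rule set statically ...
    KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");
    // ... then initialise a fresh handler configured with a different one.
    handler = getNewAuthenticationHandler();
    Properties props = getDefaultProperties();
    props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
    try {
        handler.init(props);
    } catch (Exception ignored) {
        // Deliberately best-effort: init() may fail for reasons unrelated to the name
        // rules (e.g. keytab/login problems in the test environment — verify). This test
        // only checks the resulting KerberosName mapping below; if init() had not
        // installed the BAR rules, the "bar@BAR" assertion would not hold, so swallowing
        // the exception does not hide a regression in what is under test.
    }
    kn = new KerberosName("bar@BAR");
    Assert.assertEquals("bar", kn.getShortName());
    kn = new KerberosName("bar@FOO");
    Assert.assertEquals("bar@FOO", kn.getShortName());
}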

Example 4 with KerberosName

use of org.apache.hadoop.security.authentication.util.KerberosName in project cdap by caskdata.

the class DefaultUGIProvider method createUGI.

/**
 * Resolves the {@link UserGroupInformation} for the principal named in
 * {@code impersonationRequest}, logging in from its keytab if necessary.
 * <p>
 * Shortcut: when the requested principal has the same auth_to_local short name as
 * the current {@code UserGroupInformation} user, the current UGI is returned and the
 * keytab is never touched. NOTE(review): this compares short names, not full
 * principals, so two distinct principals that the configured rules map to the same
 * short name (e.g. the same user in different realms under permissive rules) would
 * be treated as the current user and served without proving possession of the
 * keytab — confirm that the deployed rules make this acceptable.
 * <p>
 * Otherwise the keytab is located: a URI with no scheme or the {@code file} scheme is
 * used in place; anything else is localized through {@code locationFactory} and the
 * local copy is deleted in {@code finally} once the login has been attempted. If that
 * deletion fails the keytab material remains on local disk and only a warning is
 * logged.
 *
 * @param impersonationRequest the principal and keytab URI to log in with
 * @return a {@link UserGroupInformation} for the requested principal
 * @throws IOException if the keytab cannot be localized or read, or if the keytab
 *                     login fails (the original exception is chained as the cause)
 */
@Override
protected UGIWithPrincipal createUGI(ImpersonationRequest impersonationRequest) throws IOException {
    final String requestedPrincipal = impersonationRequest.getPrincipal();
    final String requestedShortName = new KerberosName(requestedPrincipal).getShortName();
    if (UserGroupInformation.getCurrentUser().getShortUserName().equals(requestedShortName)) {
        // Already running as this (short) user: hand back the current UGI, no keytab needed.
        return new UGIWithPrincipal(requestedPrincipal, UserGroupInformation.getCurrentUser());
    }

    final URI keytabURI = URI.create(impersonationRequest.getKeytabURI());
    final String scheme = keytabURI.getScheme();
    final boolean keytabIsLocal = scheme == null || "file".equals(scheme);
    final File keytabFile = keytabIsLocal
        ? new File(keytabURI.getPath())
        : localizeKeytab(locationFactory.create(keytabURI));
    try {
        final String expandedPrincipal = SecurityUtil.expandPrincipal(requestedPrincipal);
        LOG.debug("Logging in as: principal={}, keytab={}", expandedPrincipal, keytabFile);
        // Check readability up front so a missing or unreadable keytab yields the same
        // IOException whether the keytab was local or localized.
        if (!Files.isReadable(keytabFile.toPath())) {
            throw new IOException(String.format("Keytab file is not a readable file: %s", keytabFile));
        }
        final UserGroupInformation loggedIn;
        try {
            loggedIn = UserGroupInformation.loginUserFromKeytabAndReturnUGI(expandedPrincipal, keytabFile.getAbsolutePath());
        } catch (Exception e) {
            // Report the configured keytab URI (not the local copy) and keep the cause chained.
            throw new IOException(String.format("Failed to login for principal=%s, keytab=%s. Check that the principal " + "was not deleted and that the keytab is still valid.", expandedPrincipal, keytabURI), e);
        }
        return new UGIWithPrincipal(requestedPrincipal, loggedIn);
    } finally {
        // Only localized copies are ours to remove; a user-supplied local keytab is left alone.
        if (!keytabIsLocal && !keytabFile.delete()) {
            LOG.warn("Failed to delete file: {}", keytabFile);
        }
    }
}

Example 5 with KerberosName

use of org.apache.hadoop.security.authentication.util.KerberosName in project cdap by caskdata.

the class SecurityUtil method getKeytabURIforPrincipal.

/**
 * Derives the keytab location for {@code principal} from the configured keytab path
 * template.
 * <p>
 * The template ({@code Constants.Security.KEYTAB_PATH} in {@code cdap-site.xml}) is
 * read via {@code getRaw} (presumably without variable substitution), and every
 * occurrence of {@code Constants.USER_NAME_SPECIFIER} in it is replaced with the
 * principal's auth_to_local short name. NOTE(review): the short name is substituted
 * into a path without further validation; if the configured rules can leave path
 * characters such as {@code /} in a short name, a crafted principal could select a
 * keytab outside the intended directory — confirm that principals reaching here are
 * trusted, or that the rules guarantee simple names.
 *
 * @param principal the principal whose keytab is being looked up
 * @param cConf     configuration providing the keytab path template
 * @return the keytab location with the user-name placeholder filled in
 * @throws IOException          if the principal cannot be mapped to a short name
 *                              (a malformed principal may instead surface as an
 *                              {@link IllegalArgumentException} from the
 *                              {@code KerberosName} constructor — verify)
 * @throws NullPointerException if {@code KEYTAB_PATH} is not configured
 */
static String getKeytabURIforPrincipal(String principal, CConfiguration cConf) throws IOException {
    final String keytabPathTemplate = cConf.getRaw(Constants.Security.KEYTAB_PATH);
    Preconditions.checkNotNull(keytabPathTemplate, String.format("Failed to get a valid keytab path. " + "Please ensure that you have specified %s in cdap-site.xml", Constants.Security.KEYTAB_PATH));
    // Map the (possibly qualified) principal to its local short name, e.g. user/host@REALM -> user.
    final String shortName = new KerberosName(principal).getShortName();
    return keytabPathTemplate.replace(Constants.USER_NAME_SPECIFIER, shortName);
}
