Example 11 with KerberosName

Use of org.apache.hadoop.security.authentication.util.KerberosName in project hadoop by apache.

Class KerberosAuthenticationHandler, method runWithPrincipal.

private AuthenticationToken runWithPrincipal(String serverPrincipal, byte[] clientToken, Base64 base64, HttpServletResponse response) throws IOException, AuthenticationException, ClassNotFoundException, GSSException, IllegalAccessException, NoSuchFieldException {
    GSSContext gssContext = null;
    GSSCredential gssCreds = null;
    AuthenticationToken token = null;
    try {
        LOG.trace("SPNEGO initiated with server principal [{}]", serverPrincipal);
        gssCreds = this.gssManager.createCredential(this.gssManager.createName(serverPrincipal, KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")), GSSCredential.INDEFINITE_LIFETIME, new Oid[] { KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID") }, GSSCredential.ACCEPT_ONLY);
        gssContext = this.gssManager.createContext(gssCreds);
        byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
        if (serverToken != null && serverToken.length > 0) {
            String authenticate = base64.encodeToString(serverToken);
            response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE + " " + authenticate);
        }
        if (!gssContext.isEstablished()) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            LOG.trace("SPNEGO in progress");
    } else {
        // Context established: the authenticated principal comes from the GSS layer, and
        // KerberosName maps it to a local short name via the configured auth_to_local rules.
        String clientPrincipal = gssContext.getSrcName().toString();
        KerberosName kerberosName = new KerberosName(clientPrincipal);
        String userName = kerberosName.getShortName();
        token = new AuthenticationToken(userName, clientPrincipal, getType());
        response.setStatus(HttpServletResponse.SC_OK);
        LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
    }
    } finally {
        if (gssContext != null) {
            gssContext.dispose();
        }
        if (gssCreds != null) {
            gssCreds.dispose();
        }
    }
    return token;
}
Also used: GSSCredential (org.ietf.jgss.GSSCredential), GSSContext (org.ietf.jgss.GSSContext), Oid (org.ietf.jgss.Oid), KerberosName (org.apache.hadoop.security.authentication.util.KerberosName)

Example 12 with KerberosName

Use of org.apache.hadoop.security.authentication.util.KerberosName in project cdap by caskdata.

Class RemoteUGIProvider, method createUGI.

@Override
protected UGIWithPrincipal createUGI(ImpersonationRequest impersonationRequest) throws IOException {
    ImpersonationRequest jsonRequest = new ImpersonationRequest(impersonationRequest.getEntityId(), impersonationRequest.getImpersonatedOpType(), impersonationRequest.getPrincipal());
    PrincipalCredentials principalCredentials = GSON.fromJson(executeRequest(jsonRequest).getResponseBodyAsString(), PrincipalCredentials.class);
    LOG.debug("Received response: {}", principalCredentials);
    Location location = locationFactory.create(URI.create(principalCredentials.getCredentialsPath()));
    try {
        String user = principalCredentials.getPrincipal();
        if (impersonationRequest.getImpersonatedOpType() == ImpersonatedOpType.EXPLORE) {
            // For explore operations, we use the short name in UserGroupInformation, to avoid an incorrect
            // check in Hive. See CDAP-12930
            user = new KerberosName(user).getShortName();
        }
        UserGroupInformation impersonatedUGI = UserGroupInformation.createRemoteUser(user);
        impersonatedUGI.addCredentials(readCredentials(location));
        return new UGIWithPrincipal(principalCredentials.getPrincipal(), impersonatedUGI);
    } finally {
        try {
            if (!location.delete()) {
                LOG.warn("Failed to delete location: {}", location);
            }
        } catch (IOException e) {
            LOG.warn("Exception raised when deleting location {}", location, e);
        }
    }
}
Also used: KerberosName (org.apache.hadoop.security.authentication.util.KerberosName), IOException (java.io.IOException), Location (org.apache.twill.filesystem.Location), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)

Example 13 with KerberosName

Use of org.apache.hadoop.security.authentication.util.KerberosName in project cdap by caskdata.

Class AuthorizationUtil, method getAppAuthorizingUser.

/**
 * Helper function to get the authorizing user for app deployment. The authorizing user will be the app owner if it
 * is present. If not, it will be the namespace owner. If that is also not present, it will be the user who is making
 * the request.
 */
public static String getAppAuthorizingUser(OwnerAdmin ownerAdmin, AuthenticationContext authenticationContext, ApplicationId applicationId, @Nullable KerberosPrincipalId appOwner) throws IOException {
    KerberosPrincipalId effectiveOwner = SecurityUtil.getEffectiveOwner(ownerAdmin, applicationId.getNamespaceId(), appOwner == null ? null : appOwner.getPrincipal());
    // CDAP-13154 If impersonation is configured for either the application or the namespace, the effective owner will be
    // a Kerberos principal, which can take different forms
    // (refer: https://docs.oracle.com/cd/E21455_01/common/tutorials/kerberos_principal.html). For example, it can be
    // a complete principal name (alice/somehost.net@someREALM). For authorization we need enforcement to happen
    // on the username and not the complete principal. The username is the short name of the principal, so return the
    // short name as the authorizing user.
    String appAuthorizingUser = effectiveOwner != null ? new KerberosName(effectiveOwner.getPrincipal()).getShortName() : authenticationContext.getPrincipal().getName();
    LOG.trace("Returning {} as authorizing app user for {}", appAuthorizingUser, applicationId);
    return appAuthorizingUser;
}
Also used: KerberosName (org.apache.hadoop.security.authentication.util.KerberosName), KerberosPrincipalId (co.cask.cdap.proto.id.KerberosPrincipalId)

Example 14 with KerberosName

Use of org.apache.hadoop.security.authentication.util.KerberosName in project accumulo by apache.

Class SaslConnectionParams, method getProperties.

protected static Map<String, String> getProperties(AccumuloConfiguration conf) {
    final Map<String, String> clientProperties = new HashMap<>();
    // Servers will only have the full principal in their configuration -- parse the
    // primary and realm from it.
    final String serverPrincipal = conf.get(Property.GENERAL_KERBEROS_PRINCIPAL);
    final KerberosName krbName;
    try {
        krbName = new KerberosName(serverPrincipal);
        clientProperties.put(ClientProperty.KERBEROS_SERVER_PRIMARY.getKey(), krbName.getServiceName());
    } catch (Exception e) {
        // Bad value or empty: assume we're not using Kerberos.
    }
    HashSet<String> clientKeys = new HashSet<>();
    for (ClientProperty prop : ClientProperty.values()) {
        clientKeys.add(prop.getKey());
    }
    String key;
    for (Entry<String, String> entry : conf) {
        key = entry.getKey();
        if (clientKeys.contains(key)) {
            clientProperties.put(key, entry.getValue());
        }
    }
    return clientProperties;
}
Also used: ClientProperty (org.apache.accumulo.core.client.ClientConfiguration.ClientProperty), HashMap (java.util.HashMap), KerberosName (org.apache.hadoop.security.authentication.util.KerberosName), IOException (java.io.IOException), HashSet (java.util.HashSet)

Example 15 with KerberosName

Use of org.apache.hadoop.security.authentication.util.KerberosName in project druid by druid-io.

Class DruidKerberosAuthenticationHandler, method authenticate.

@Override
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response) throws IOException, AuthenticationException {
    AuthenticationToken token;
    String authorization = request.getHeader(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.AUTHORIZATION);
    if (authorization == null || !authorization.startsWith(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE)) {
        return null;
    } else {
        authorization = authorization.substring(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE.length()).trim();
        final byte[] clientToken = StringUtils.decodeBase64String(authorization);
        final String serverName = request.getServerName();
        try {
            token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {

                @Override
                public AuthenticationToken run() throws Exception {
                    AuthenticationToken token = null;
                    GSSContext gssContext = null;
                    GSSCredential gssCreds = null;
                    try {
                        gssCreds = gssManager.createCredential(gssManager.createName(KerberosUtil.getServicePrincipal("HTTP", serverName), KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")), GSSCredential.INDEFINITE_LIFETIME, new Oid[] { KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID") }, GSSCredential.ACCEPT_ONLY);
                        gssContext = gssManager.createContext(gssCreds);
                        byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
                        if (serverToken != null && serverToken.length > 0) {
                            String authenticate = StringUtils.encodeBase64String(serverToken);
                            response.setHeader(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.WWW_AUTHENTICATE, org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE + " " + authenticate);
                        }
                        if (!gssContext.isEstablished()) {
                            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                            log.trace("SPNEGO in progress");
                        } else {
                            String clientPrincipal = gssContext.getSrcName().toString();
                            KerberosName kerberosName = new KerberosName(clientPrincipal);
                            String userName = kerberosName.getShortName();
                            token = new AuthenticationToken(userName, clientPrincipal, getType());
                            response.setStatus(HttpServletResponse.SC_OK);
                            log.trace("SPNEGO completed for principal [%s]", clientPrincipal);
                        }
                    } finally {
                        if (gssContext != null) {
                            gssContext.dispose();
                        }
                        if (gssCreds != null) {
                            gssCreds.dispose();
                        }
                    }
                    return token;
                }
            });
        } catch (PrivilegedActionException ex) {
            if (ex.getException() instanceof IOException) {
                throw (IOException) ex.getException();
            } else {
                throw new AuthenticationException(ex.getException());
            }
        }
    }
    return token;
}
Also used: AuthenticationToken (org.apache.hadoop.security.authentication.server.AuthenticationToken), GSSCredential (org.ietf.jgss.GSSCredential), PrivilegedActionException (java.security.PrivilegedActionException), AuthenticationException (org.apache.hadoop.security.authentication.client.AuthenticationException), GSSContext (org.ietf.jgss.GSSContext), PrivilegedExceptionAction (java.security.PrivilegedExceptionAction), Oid (org.ietf.jgss.Oid), KerberosName (org.apache.hadoop.security.authentication.util.KerberosName), IOException (java.io.IOException)