
Example 1 with SPNegoSchemeFactory

Use of org.apache.http.impl.auth.SPNegoSchemeFactory in project pentaho-kettle by pentaho.

The class SessionConfigurator, method spnegoAuthenticate.

private Header spnegoAuthenticate(boolean stripPort, URI uri) throws Exception {
    SPNegoSchemeFactory spNegoSchemeFactory = new SPNegoSchemeFactory(stripPort);
    // Use newInstance rather than create to stay compatible with httpclient library versions 4.2 through 4.5;
    // the create method was only introduced in version 4.3
    SPNegoScheme spNegoScheme = (SPNegoScheme) spNegoSchemeFactory.newInstance(null);
    spNegoScheme.processChallenge(AUTHENTICATE_HEADER);
    return spNegoScheme.authenticate(credentials, new HttpGet(""), getContext(uri));
}
Also used : SPNegoScheme(org.apache.http.impl.auth.SPNegoScheme) HttpGet(org.apache.http.client.methods.HttpGet) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory)

Example 2 with SPNegoSchemeFactory

Use of org.apache.http.impl.auth.SPNegoSchemeFactory in project ranger by apache.

The class ElasticSearchAuditDestination, method getRestClientBuilder.

public static RestClientBuilder getRestClientBuilder(String urls, String protocol, String user, String password, int port) {
    RestClientBuilder restClientBuilder = RestClient.builder(MiscUtil.toArray(urls, ",").stream().map(x -> new HttpHost(x, port, protocol)).<HttpHost>toArray(i -> new HttpHost[i]));
    if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password) && !user.equalsIgnoreCase("NONE") && !password.equalsIgnoreCase("NONE")) {
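        // The "password" argument doubles as a keytab path: if it contains "keytab" and names an
        // existing file, Kerberos/SPNEGO is used; otherwise it is treated as a Basic-auth password.
        if (password.contains("keytab") && new File(password).exists()) {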
            final KerberosCredentialsProvider credentialsProvider = CredentialsProviderUtil.getKerberosCredentials(user, password);
            Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory()).build();
            restClientBuilder.setHttpClientConfigCallback(clientBuilder -> {
                clientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                clientBuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
                return clientBuilder;
            });
        } else {
            final CredentialsProvider credentialsProvider = CredentialsProviderUtil.getBasicCredentials(user, password);
            restClientBuilder.setHttpClientConfigCallback(clientBuilder -> clientBuilder.setDefaultCredentialsProvider(credentialsProvider));
        }
    } else {
        LOG.error("ElasticSearch Credentials not provided!!");
        final CredentialsProvider credentialsProvider = null;
        restClientBuilder.setHttpClientConfigCallback(clientBuilder -> clientBuilder.setDefaultCredentialsProvider(credentialsProvider));
    }
    return restClientBuilder;
}
Also used : RestClient(org.elasticsearch.client.RestClient) AuthSchemeProvider(org.apache.http.auth.AuthSchemeProvider) Arrays(java.util.Arrays) StringUtils(org.apache.commons.lang.StringUtils) RegistryBuilder(org.apache.http.config.RegistryBuilder) RestClientBuilder(org.elasticsearch.client.RestClientBuilder) Date(java.util.Date) LoggerFactory(org.slf4j.LoggerFactory) HashMap(java.util.HashMap) AuthSchemes(org.apache.http.client.config.AuthSchemes) OpenIndexRequest(org.elasticsearch.action.admin.indices.open.OpenIndexRequest) ArrayList(java.util.ArrayList) IndexRequest(org.elasticsearch.action.index.IndexRequest) KerberosCredentialsProvider(org.apache.ranger.authorization.credutils.kerberos.KerberosCredentialsProvider) Locale(java.util.Locale) Map(java.util.Map) Lookup(org.apache.http.config.Lookup) RequestOptions(org.elasticsearch.client.RequestOptions) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) AuthzAuditEvent(org.apache.ranger.audit.model.AuthzAuditEvent) PrivilegedActionException(java.security.PrivilegedActionException) Properties(java.util.Properties) Logger(org.slf4j.Logger) BulkItemResponse(org.elasticsearch.action.bulk.BulkItemResponse) Collection(java.util.Collection) BulkResponse(org.elasticsearch.action.bulk.BulkResponse) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) RestHighLevelClient(org.elasticsearch.client.RestHighLevelClient) File(java.io.File) Subject(javax.security.auth.Subject) TimeUnit(java.util.concurrent.TimeUnit) AtomicLong(java.util.concurrent.atomic.AtomicLong) MiscUtil(org.apache.ranger.audit.provider.MiscUtil) CredentialsProviderUtil(org.apache.ranger.authorization.credutils.CredentialsProviderUtil) AuditEventBase(org.apache.ranger.audit.model.AuditEventBase) CredentialsProvider(org.apache.http.client.CredentialsProvider) HttpHost(org.apache.http.HttpHost) BulkRequest(org.elasticsearch.action.bulk.BulkRequest) 

Example 3 with SPNegoSchemeFactory

Use of org.apache.http.impl.auth.SPNegoSchemeFactory in project ranger by apache.

The class ElasticSearchIndexBootStrapper, method getRestClientBuilder.

public static RestClientBuilder getRestClientBuilder(String urls, String protocol, String user, String password, int port) {
    RestClientBuilder restClientBuilder = RestClient.builder(EmbeddedServerUtil.toArray(urls, ",").stream().map(x -> new HttpHost(x, port, protocol)).<HttpHost>toArray(i -> new HttpHost[i]));
    if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password) && !user.equalsIgnoreCase("NONE") && !password.equalsIgnoreCase("NONE")) {
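        // The "password" argument doubles as a keytab path: if it contains "keytab" and names an
        // existing file, Kerberos/SPNEGO is used; otherwise it is treated as a Basic-auth password.
        if (password.contains("keytab") && new File(password).exists()) {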
            final KerberosCredentialsProvider credentialsProvider = CredentialsProviderUtil.getKerberosCredentials(user, password);
            Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory()).build();
            restClientBuilder.setHttpClientConfigCallback(clientBuilder -> {
                clientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                clientBuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
                return clientBuilder;
            });
        } else {
            final CredentialsProvider credentialsProvider = CredentialsProviderUtil.getBasicCredentials(user, password);
            restClientBuilder.setHttpClientConfigCallback(clientBuilder -> clientBuilder.setDefaultCredentialsProvider(credentialsProvider));
        }
    } else {
        LOG.severe("ElasticSearch Credentials not provided!!");
        final CredentialsProvider credentialsProvider = null;
        restClientBuilder.setHttpClientConfigCallback(clientBuilder -> clientBuilder.setDefaultCredentialsProvider(credentialsProvider));
    }
    return restClientBuilder;
}
Also used : RestClient(org.elasticsearch.client.RestClient) AuthSchemeProvider(org.apache.http.auth.AuthSchemeProvider) StringUtils(org.apache.commons.lang.StringUtils) RegistryBuilder(org.apache.http.config.RegistryBuilder) RestClientBuilder(org.elasticsearch.client.RestClientBuilder) XContentType(org.elasticsearch.common.xcontent.XContentType) AuthSchemes(org.apache.http.client.config.AuthSchemes) OpenIndexRequest(org.elasticsearch.action.admin.indices.open.OpenIndexRequest) Settings(org.elasticsearch.common.settings.Settings) KerberosCredentialsProvider(org.apache.ranger.authorization.credutils.kerberos.KerberosCredentialsProvider) Locale(java.util.Locale) CredentialReader(org.apache.ranger.credentialapi.CredentialReader) TimeValue(org.elasticsearch.common.unit.TimeValue) Lookup(org.apache.http.config.Lookup) RequestOptions(org.elasticsearch.client.RequestOptions) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) Path(java.nio.file.Path) CreateIndexRequest(org.elasticsearch.client.indices.CreateIndexRequest) Files(java.nio.file.Files) IOException(java.io.IOException) KeyStore(java.security.KeyStore) Logger(java.util.logging.Logger) RestHighLevelClient(org.elasticsearch.client.RestHighLevelClient) File(java.io.File) StandardCharsets(java.nio.charset.StandardCharsets) TimeUnit(java.util.concurrent.TimeUnit) AtomicLong(java.util.concurrent.atomic.AtomicLong) Paths(java.nio.file.Paths) CredentialsProviderUtil(org.apache.ranger.authorization.credutils.CredentialsProviderUtil) CreateIndexResponse(org.elasticsearch.client.indices.CreateIndexResponse) CredentialsProvider(org.apache.http.client.CredentialsProvider) HttpHost(org.apache.http.HttpHost)

Example 4 with SPNegoSchemeFactory

Use of org.apache.http.impl.auth.SPNegoSchemeFactory in project registry by hortonworks.

The class AuthenticatorTestCase, method getHttpClient.

private SystemDefaultHttpClient getHttpClient() {
    final SystemDefaultHttpClient httpClient = new SystemDefaultHttpClient();
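    // stripPort = true: the port is dropped from the host name used to build the service principal name
    httpClient.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
    // Placeholder credentials with a null principal and password; the name indicates that the
    // Kerberos identity is expected to come from the JAAS login rather than from this object
    Credentials use_jaas_creds = new Credentials() {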

        public String getPassword() {
            return null;
        }

        public Principal getUserPrincipal() {
            return null;
        }
    };
    httpClient.getCredentialsProvider().setCredentials(AuthScope.ANY, use_jaas_creds);
    return httpClient;
}
Also used : SystemDefaultHttpClient(org.apache.http.impl.client.SystemDefaultHttpClient) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) Credentials(org.apache.http.auth.Credentials)

Example 5 with SPNegoSchemeFactory

Use of org.apache.http.impl.auth.SPNegoSchemeFactory in project hbase by apache.

The class TestProxyUserSpnegoHttpServer, method testProxy.

public void testProxy(String clientPrincipal, String doAs, int responseCode, String statusLine) throws Exception {
    // Create the subject for the client
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(WHEEL_PRINCIPAL, wheelKeytab);
    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
    // Make sure the subject has a principal
    assertFalse(clientPrincipals.isEmpty());
    // Get a TGT for the subject (might have many, different encryption types). The first should
    // be the default encryption type.
    Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
    assertFalse(privateCredentials.isEmpty());
    KerberosTicket tgt = privateCredentials.iterator().next();
    assertNotNull(tgt);
    // The name of the principal
    final String principalName = clientPrincipals.iterator().next().getName();
    // Run this code, logged in as the subject (the client)
    HttpResponse resp = Subject.doAs(clientSubject, new PrivilegedExceptionAction<HttpResponse>() {

        @Override
        public HttpResponse run() throws Exception {
            // Logs in with Kerberos via GSS
            GSSManager gssManager = GSSManager.getInstance();
            // jGSS Kerberos login constant
            Oid oid = new Oid("1.2.840.113554.1.2.2");
            GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME);
            GSSCredential credential = gssManager.createCredential(gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
            HttpClientContext context = HttpClientContext.create();
            // SPNegoSchemeFactory(stripPort, useCanonicalHostname): both options are enabled here
            Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build();
            HttpClient client = HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry).build();
            BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));
            URL url = new URL(getServerURL(server), "/echo?doAs=" + doAs + "&a=b");
            context.setTargetHost(new HttpHost(url.getHost(), url.getPort()));
            context.setCredentialsProvider(credentialsProvider);
            context.setAuthSchemeRegistry(authRegistry);
            HttpGet get = new HttpGet(url.toURI());
            return client.execute(get, context);
        }
    });
    assertNotNull(resp);
    assertEquals(responseCode, resp.getStatusLine().getStatusCode());
    if (responseCode == HttpURLConnection.HTTP_OK) {
        assertTrue(EntityUtils.toString(resp.getEntity()).trim().contains("a:b"));
    } else {
        assertTrue(resp.getStatusLine().toString().contains(statusLine) || EntityUtils.toString(resp.getEntity()).contains(statusLine));
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) BasicCredentialsProvider(org.apache.http.impl.client.BasicCredentialsProvider) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) HttpGet(org.apache.http.client.methods.HttpGet) KerberosCredentials(org.apache.http.auth.KerberosCredentials) HttpResponse(org.apache.http.HttpResponse) HttpClientContext(org.apache.http.client.protocol.HttpClientContext) Oid(org.ietf.jgss.Oid) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) Subject(javax.security.auth.Subject) KrbException(org.apache.kerby.kerberos.kerb.KrbException) URL(java.net.URL) GSSCredential(org.ietf.jgss.GSSCredential) HttpHost(org.apache.http.HttpHost) GSSManager(org.ietf.jgss.GSSManager) HttpClient(org.apache.http.client.HttpClient) Lookup(org.apache.http.config.Lookup) Principal(java.security.Principal)

Aggregations

SPNegoSchemeFactory (org.apache.http.impl.auth.SPNegoSchemeFactory): 18
BasicCredentialsProvider (org.apache.http.impl.client.BasicCredentialsProvider): 11
AuthSchemeProvider (org.apache.http.auth.AuthSchemeProvider): 9
CredentialsProvider (org.apache.http.client.CredentialsProvider): 7
Lookup (org.apache.http.config.Lookup): 7
Subject (javax.security.auth.Subject): 6
KerberosTicket (javax.security.auth.kerberos.KerberosTicket): 6
HttpHost (org.apache.http.HttpHost): 6
KerberosCredentials (org.apache.http.auth.KerberosCredentials): 6
Principal (java.security.Principal): 5
Credentials (org.apache.http.auth.Credentials): 5
AuthScope (org.apache.http.auth.AuthScope): 4
CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient): 4
GSSCredential (org.ietf.jgss.GSSCredential): 4
GSSManager (org.ietf.jgss.GSSManager): 4
GSSName (org.ietf.jgss.GSSName): 4
Oid (org.ietf.jgss.Oid): 4
File (java.io.File): 3
Locale (java.util.Locale): 3
StringUtils (org.apache.commons.lang.StringUtils): 3