Example 1 with SimpleSaslServerCallbackHandler
use of org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler in project storm by apache.
the class KerberosSaslTransportPlugin method getServerTransportFactory.
@Override
public TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException {
if (workerTokenAuthorizer == null) {
workerTokenAuthorizer = new WorkerTokenAuthorizer(conf, type);
}
// create an authentication callback handler
CallbackHandler serverCallbackHandler = new ServerCallbackHandler(conf, impersonationAllowed);
String jaasConfFile = ClientAuthUtils.getJaasConf(conf);
// login our principal
Subject subject = null;
try {
// now login
Login login = new Login(ClientAuthUtils.LOGIN_CONTEXT_SERVER, serverCallbackHandler, jaasConfFile);
subject = login.getSubject();
login.startThreadIfNeeded();
} catch (LoginException ex) {
LOG.error("Server failed to login in principal:" + ex, ex);
throw new RuntimeException(ex);
}
// check the credential of our principal
if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
throw new RuntimeException("Fail to verify user principal with section \"" + ClientAuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + jaasConfFile);
}
String principal = ClientAuthUtils.get(conf, ClientAuthUtils.LOGIN_CONTEXT_SERVER, "principal");
LOG.debug("principal:" + principal);
KerberosName serviceKerberosName = new KerberosName(principal);
String serviceName = serviceKerberosName.getServiceName();
String hostName = serviceKerberosName.getHostName();
Map<String, String> props = new TreeMap<>();
props.put(Sasl.QOP, "auth");
props.put(Sasl.SERVER_AUTH, "false");
// create a transport factory that will invoke our auth callback for digest
TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
factory.addServerDefinition(KERBEROS, serviceName, hostName, props, serverCallbackHandler);
// Also add in support for worker tokens
factory.addServerDefinition(DIGEST, ClientAuthUtils.SERVICE, hostName, null, new SimpleSaslServerCallbackHandler(impersonationAllowed, workerTokenAuthorizer));
// create a wrap transport factory so that we could apply user credential during connections
TUGIAssumingTransportFactory wrapFactory = new TUGIAssumingTransportFactory(factory, subject);
LOG.info("SASL GSSAPI transport factory will be used");
return wrapFactory;
}
Also used :
CallbackHandler(javax.security.auth.callback.CallbackHandler)
WorkerTokenClientCallbackHandler(org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
WorkerTokenAuthorizer(org.apache.storm.security.auth.workertoken.WorkerTokenAuthorizer)
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
LoggerFactory(org.slf4j.LoggerFactory)
TTransportFactory(org.apache.storm.thrift.transport.TTransportFactory)
Login(org.apache.storm.messaging.netty.Login)
KerberosName(org.apache.storm.shade.org.apache.zookeeper.server.auth.KerberosName)
TreeMap(java.util.TreeMap)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
Subject(javax.security.auth.Subject)
TSaslServerTransport(org.apache.storm.thrift.transport.TSaslServerTransport)
LoginException(javax.security.auth.login.LoginException)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
Example 2 with SimpleSaslServerCallbackHandler
use of org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler in project storm by apache.
the class PlainSaslTransportPlugin method getServerTransportFactory.
@Override
protected TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException {
// create an authentication callback handler
CallbackHandler serverCallbackHandler = new SimpleSaslServerCallbackHandler(impersonationAllowed, (userName) -> Optional.of("password".toCharArray()));
if (Security.getProvider(SaslPlainServer.SecurityProvider.SASL_PLAIN_SERVER) == null) {
Security.addProvider(new SaslPlainServer.SecurityProvider());
}
// create a transport factory that will invoke our auth callback for digest
TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
factory.addServerDefinition(PLAIN, ClientAuthUtils.SERVICE, "localhost", null, serverCallbackHandler);
LOG.error("SASL PLAIN transport factory will be used. This is totally insecure. Please do not use this.");
return factory;
}
Also used :
TSaslServerTransport(org.apache.storm.thrift.transport.TSaslServerTransport)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
LoggerFactory(org.slf4j.LoggerFactory)
TTransportFactory(org.apache.storm.thrift.transport.TTransportFactory)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
Example 3 with SimpleSaslServerCallbackHandler
use of org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler in project storm by apache.
the class DigestSaslTransportPlugin method getServerTransportFactory.
@Override
protected TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException {
if (workerTokenAuthorizer == null) {
workerTokenAuthorizer = new WorkerTokenAuthorizer(conf, type);
}
// create an authentication callback handler
CallbackHandler serverCallbackHandler = new SimpleSaslServerCallbackHandler(impersonationAllowed, workerTokenAuthorizer, new JassPasswordProvider(conf));
// create a transport factory that will invoke our auth callback for digest
TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
factory.addServerDefinition(DIGEST, ClientAuthUtils.SERVICE, "localhost", null, serverCallbackHandler);
LOG.info("SASL DIGEST-MD5 transport factory will be used");
return factory;
}
Also used :
TSaslServerTransport(org.apache.storm.thrift.transport.TSaslServerTransport)
SimpleSaslClientCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslClientCallbackHandler)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
WorkerTokenClientCallbackHandler(org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)
WorkerTokenAuthorizer(org.apache.storm.security.auth.workertoken.WorkerTokenAuthorizer)
LoggerFactory(org.slf4j.LoggerFactory)
TTransportFactory(org.apache.storm.thrift.transport.TTransportFactory)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
Aggregations
CallbackHandler (javax.security.auth.callback.CallbackHandler)3
SimpleSaslServerCallbackHandler (org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)3
TSaslServerTransport (org.apache.storm.thrift.transport.TSaslServerTransport)3
TTransportFactory (org.apache.storm.thrift.transport.TTransportFactory)3
LoggerFactory (org.slf4j.LoggerFactory)3
WorkerTokenAuthorizer (org.apache.storm.security.auth.workertoken.WorkerTokenAuthorizer)2
WorkerTokenClientCallbackHandler (org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)2
TreeMap (java.util.TreeMap)1
Subject (javax.security.auth.Subject)1
KerberosTicket (javax.security.auth.kerberos.KerberosTicket)1
LoginException (javax.security.auth.login.LoginException)1
Login (org.apache.storm.messaging.netty.Login)1
SimpleSaslClientCallbackHandler (org.apache.storm.security.auth.sasl.SimpleSaslClientCallbackHandler)1
KerberosName (org.apache.storm.shade.org.apache.zookeeper.server.auth.KerberosName)1
