Search in sources :

Example 1 with KerberosName

use of org.apache.storm.shade.org.apache.zookeeper.server.auth.KerberosName in project storm by apache.

the class KerberosSaslTransportPlugin method getServerTransportFactory.

@Override
public TTransportFactory getServerTransportFactory(boolean impersonationAllowed) throws IOException {
    if (workerTokenAuthorizer == null) {
        workerTokenAuthorizer = new WorkerTokenAuthorizer(conf, type);
    }
    // create an authentication callback handler
    CallbackHandler serverCallbackHandler = new ServerCallbackHandler(conf, impersonationAllowed);
    String jaasConfFile = ClientAuthUtils.getJaasConf(conf);
    // login our principal
    Subject subject = null;
    try {
        // now login
        Login login = new Login(ClientAuthUtils.LOGIN_CONTEXT_SERVER, serverCallbackHandler, jaasConfFile);
        subject = login.getSubject();
        login.startThreadIfNeeded();
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }
    // check the credential of our principal
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + ClientAuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + jaasConfFile);
    }
    String principal = ClientAuthUtils.get(conf, ClientAuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + principal);
    KerberosName serviceKerberosName = new KerberosName(principal);
    String serviceName = serviceKerberosName.getServiceName();
    String hostName = serviceKerberosName.getHostName();
    Map<String, String> props = new TreeMap<>();
    props.put(Sasl.QOP, "auth");
    props.put(Sasl.SERVER_AUTH, "false");
    // create a transport factory that will invoke our auth callback for digest
    TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
    factory.addServerDefinition(KERBEROS, serviceName, hostName, props, serverCallbackHandler);
    // Also add in support for worker tokens
    factory.addServerDefinition(DIGEST, ClientAuthUtils.SERVICE, hostName, null, new SimpleSaslServerCallbackHandler(impersonationAllowed, workerTokenAuthorizer));
    // create a wrap transport factory so that we could apply user credential during connections
    TUGIAssumingTransportFactory wrapFactory = new TUGIAssumingTransportFactory(factory, subject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return wrapFactory;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) WorkerTokenClientCallbackHandler(org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler) SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler) WorkerTokenAuthorizer(org.apache.storm.security.auth.workertoken.WorkerTokenAuthorizer) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) LoggerFactory(org.slf4j.LoggerFactory) TTransportFactory(org.apache.storm.thrift.transport.TTransportFactory) Login(org.apache.storm.messaging.netty.Login) KerberosName(org.apache.storm.shade.org.apache.zookeeper.server.auth.KerberosName) TreeMap(java.util.TreeMap) SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler) Subject(javax.security.auth.Subject) TSaslServerTransport(org.apache.storm.thrift.transport.TSaslServerTransport) LoginException(javax.security.auth.login.LoginException) SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)

Aggregations

TreeMap (java.util.TreeMap)1 Subject (javax.security.auth.Subject)1 CallbackHandler (javax.security.auth.callback.CallbackHandler)1 KerberosTicket (javax.security.auth.kerberos.KerberosTicket)1 LoginException (javax.security.auth.login.LoginException)1 Login (org.apache.storm.messaging.netty.Login)1 SimpleSaslServerCallbackHandler (org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)1 WorkerTokenAuthorizer (org.apache.storm.security.auth.workertoken.WorkerTokenAuthorizer)1 WorkerTokenClientCallbackHandler (org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)1 KerberosName (org.apache.storm.shade.org.apache.zookeeper.server.auth.KerberosName)1 TSaslServerTransport (org.apache.storm.thrift.transport.TSaslServerTransport)1 TTransportFactory (org.apache.storm.thrift.transport.TTransportFactory)1 LoggerFactory (org.slf4j.LoggerFactory)1