Example 1 with TSaslClientTransport
use of org.apache.storm.thrift.transport.TSaslClientTransport in project storm by apache.
the class KerberosSaslTransportPlugin method kerberosConnect.
private TTransport kerberosConnect(TTransport transport, String serverHost, String asUser) throws IOException {
// login our user
SortedMap<String, ?> authConf = ClientAuthUtils.pullConfig(conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT);
if (authConf == null) {
throw new RuntimeException("Error in parsing the kerberos login Configuration, returned null");
}
boolean disableLoginCache = false;
if (authConf.containsKey(DISABLE_LOGIN_CACHE)) {
disableLoginCache = Boolean.valueOf((String) authConf.get(DISABLE_LOGIN_CACHE));
}
Login login;
LoginCacheKey key = new LoginCacheKey(authConf);
if (disableLoginCache) {
LOG.debug("Kerberos Login Cache is disabled, attempting to contact the Kerberos Server");
login = mkLogin();
// this is to prevent the potential bug that
// if the Login Cache is (1) enabled, and then (2) disabled and then (3) enabled again,
// and if the LoginCacheKey remains unchanged, (3) will use the Login cache from (1), which could be wrong,
// because the TGT cache (as well as the principle) could have been changed during (2)
loginCache.remove(key);
} else {
LOG.debug("Trying to get the Kerberos Login from the Login Cache");
login = loginCache.get(key);
if (login == null) {
synchronized (loginCache) {
login = loginCache.get(key);
if (login == null) {
LOG.debug("Kerberos Login was not found in the Login Cache, attempting to contact the Kerberos Server");
login = mkLogin();
loginCache.put(key, login);
}
}
}
}
final Subject subject = login.getSubject();
if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
// error
throw new RuntimeException("Fail to verify user principal with section \"" + ClientAuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + ClientAuthUtils.getJaasConf(conf));
}
final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser;
String serviceName = ClientAuthUtils.get(conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName");
if (serviceName == null) {
serviceName = ClientAuthUtils.SERVICE;
}
Map<String, String> props = new TreeMap<>();
props.put(Sasl.QOP, "auth");
props.put(Sasl.SERVER_AUTH, "false");
LOG.debug("SASL GSSAPI client transport is being established");
final TTransport sasalTransport = new TSaslClientTransport(KERBEROS, principal, serviceName, serverHost, props, null, transport);
// open Sasl transport with the login credential
try {
Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
@Override
public Void run() {
try {
LOG.debug("do as:" + principal);
sasalTransport.open();
} catch (Exception e) {
LOG.error("Client failed to open SaslClientTransport to interact with a server during " + "session initiation: " + e, e);
}
return null;
}
});
} catch (PrivilegedActionException e) {
throw new RuntimeException(e);
}
return sasalTransport;
}
Also used :
KerberosTicket(javax.security.auth.kerberos.KerberosTicket)
PrivilegedActionException(java.security.PrivilegedActionException)
TSaslClientTransport(org.apache.storm.thrift.transport.TSaslClientTransport)
Login(org.apache.storm.messaging.netty.Login)
TreeMap(java.util.TreeMap)
Subject(javax.security.auth.Subject)
LoginException(javax.security.auth.login.LoginException)
PrivilegedActionException(java.security.PrivilegedActionException)
IOException(java.io.IOException)
TTransportException(org.apache.storm.thrift.transport.TTransportException)
TTransport(org.apache.storm.thrift.transport.TTransport)
Example 2 with TSaslClientTransport
use of org.apache.storm.thrift.transport.TSaslClientTransport in project storm by apache.
the class PlainSaslTransportPlugin method connect.
@Override
public TTransport connect(TTransport transport, String serverHost, String asUser) throws IOException, TTransportException {
PlainClientCallbackHandler clientCallbackHandler = new PlainClientCallbackHandler();
TSaslClientTransport wrapperTransport = new TSaslClientTransport(PLAIN, null, ClientAuthUtils.SERVICE, serverHost, null, clientCallbackHandler, transport);
wrapperTransport.open();
LOG.error("SASL PLAIN client transport has been established. This is totally insecure. Please do not use this.");
return wrapperTransport;
}
Also used :
TSaslClientTransport(org.apache.storm.thrift.transport.TSaslClientTransport)
Example 3 with TSaslClientTransport
use of org.apache.storm.thrift.transport.TSaslClientTransport in project storm by apache.
the class KerberosSaslTransportPlugin method connect.
@Override
public TTransport connect(TTransport transport, String serverHost, String asUser) throws IOException, TTransportException {
WorkerToken token = WorkerTokenClientCallbackHandler.findWorkerTokenInSubject(type);
if (token != null) {
CallbackHandler clientCallbackHandler = new WorkerTokenClientCallbackHandler(token);
TSaslClientTransport wrapperTransport = new TSaslClientTransport(DIGEST, null, ClientAuthUtils.SERVICE, serverHost, null, clientCallbackHandler, transport);
wrapperTransport.open();
LOG.debug("SASL DIGEST-MD5 WorkerToken client transport has been established");
return wrapperTransport;
}
return kerberosConnect(transport, serverHost, asUser);
}
Also used :
WorkerToken(org.apache.storm.generated.WorkerToken)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
WorkerTokenClientCallbackHandler(org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
WorkerTokenClientCallbackHandler(org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)
TSaslClientTransport(org.apache.storm.thrift.transport.TSaslClientTransport)
Example 4 with TSaslClientTransport
use of org.apache.storm.thrift.transport.TSaslClientTransport in project storm by apache.
the class DigestSaslTransportPlugin method connect.
@Override
public TTransport connect(TTransport transport, String serverHost, String asUser) throws TTransportException, IOException {
CallbackHandler clientCallbackHandler;
WorkerToken token = WorkerTokenClientCallbackHandler.findWorkerTokenInSubject(type);
if (token != null) {
clientCallbackHandler = new WorkerTokenClientCallbackHandler(token);
} else {
Configuration loginConf = ClientAuthUtils.getConfiguration(conf);
if (loginConf == null) {
throw new IOException("Could not find any way to authenticate with the server.");
}
AppConfigurationEntry[] configurationEntries = loginConf.getAppConfigurationEntry(ClientAuthUtils.LOGIN_CONTEXT_CLIENT);
if (configurationEntries == null) {
String errorMessage = "Could not find a '" + ClientAuthUtils.LOGIN_CONTEXT_CLIENT + "' entry in this configuration: Client cannot start.";
throw new IOException(errorMessage);
}
String username = "";
String password = "";
for (AppConfigurationEntry entry : configurationEntries) {
Map options = entry.getOptions();
username = (String) options.getOrDefault("username", username);
password = (String) options.getOrDefault("password", password);
}
clientCallbackHandler = new SimpleSaslClientCallbackHandler(username, password);
}
TSaslClientTransport wrapperTransport = new TSaslClientTransport(DIGEST, null, ClientAuthUtils.SERVICE, serverHost, null, clientCallbackHandler, transport);
wrapperTransport.open();
LOG.debug("SASL DIGEST-MD5 client transport has been established");
return wrapperTransport;
}
Also used :
SimpleSaslClientCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslClientCallbackHandler)
SimpleSaslServerCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
WorkerTokenClientCallbackHandler(org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)
WorkerToken(org.apache.storm.generated.WorkerToken)
AppConfigurationEntry(javax.security.auth.login.AppConfigurationEntry)
SimpleSaslClientCallbackHandler(org.apache.storm.security.auth.sasl.SimpleSaslClientCallbackHandler)
Configuration(javax.security.auth.login.Configuration)
WorkerTokenClientCallbackHandler(org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)
TSaslClientTransport(org.apache.storm.thrift.transport.TSaslClientTransport)
IOException(java.io.IOException)
Map(java.util.Map)
Aggregations
TSaslClientTransport (org.apache.storm.thrift.transport.TSaslClientTransport)4
IOException (java.io.IOException)2
CallbackHandler (javax.security.auth.callback.CallbackHandler)2
WorkerToken (org.apache.storm.generated.WorkerToken)2
SimpleSaslServerCallbackHandler (org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler)2
WorkerTokenClientCallbackHandler (org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler)2
PrivilegedActionException (java.security.PrivilegedActionException)1
Map (java.util.Map)1
TreeMap (java.util.TreeMap)1
Subject (javax.security.auth.Subject)1
KerberosTicket (javax.security.auth.kerberos.KerberosTicket)1
AppConfigurationEntry (javax.security.auth.login.AppConfigurationEntry)1
Configuration (javax.security.auth.login.Configuration)1
LoginException (javax.security.auth.login.LoginException)1
Login (org.apache.storm.messaging.netty.Login)1
SimpleSaslClientCallbackHandler (org.apache.storm.security.auth.sasl.SimpleSaslClientCallbackHandler)1
TTransport (org.apache.storm.thrift.transport.TTransport)1
TTransportException (org.apache.storm.thrift.transport.TTransportException)1
