
Example 6 with TSaslClientTransport

use of org.apache.thrift.transport.TSaslClientTransport in project presto by prestodb.

In class KerberosHiveMetastoreAuthentication, method authenticateWithToken.

/**
 * Wraps {@code rawTransport} in a SASL transport that authenticates with a decoded
 * delegation token, then binds the result to the current Hadoop user.
 *
 * @param rawTransport the unauthenticated Thrift transport to wrap
 * @param tokenString the delegation token in its URL-encoded string form
 * @return the token-authenticated transport, running as the current {@code UserGroupInformation}
 * @throws UncheckedIOException if the token cannot be decoded or the SASL client cannot be created
 */
private TTransport authenticateWithToken(TTransport rawTransport, String tokenString) {
    Token<DelegationTokenIdentifier> delegationToken = new Token<>();
    try {
        delegationToken.decodeFromUrlString(tokenString);
        // The mechanism name comes from the TOKEN auth method; the callback handler built from
        // the decoded token answers the SASL client's callbacks during the handshake.
        TSaslClientTransport saslClient = new TSaslClientTransport(
                TOKEN.getMechanismName(),
                null,
                null,
                SASL_DEFAULT_REALM,
                SASL_PROPERTIES,
                new SaslClientCallbackHandler(delegationToken),
                rawTransport);
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        return new TUGIAssumingTransport(saslClient, currentUser);
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
Also used : DelegationTokenIdentifier(org.apache.hadoop.hive.metastore.security.DelegationTokenIdentifier) TUGIAssumingTransport(org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport) Token(org.apache.hadoop.security.token.Token) TSaslClientTransport(org.apache.thrift.transport.TSaslClientTransport) UncheckedIOException(java.io.UncheckedIOException) TTransport(org.apache.thrift.transport.TTransport) IOException(java.io.IOException) UncheckedIOException(java.io.UncheckedIOException)

Example 7 with TSaslClientTransport

use of org.apache.thrift.transport.TSaslClientTransport in project presto by prestodb.

In class KerberosHiveMetastoreAuthentication, method authenticateWithHost.

/**
 * Wraps {@code rawTransport} in a Kerberos (GSSAPI) SASL transport for the metastore on
 * {@code hiveMetastoreHost}, then binds it to the configured Hadoop user.
 *
 * @param rawTransport the unauthenticated Thrift transport to wrap
 * @param hiveMetastoreHost host passed to {@code getServerPrincipal} when resolving the service principal
 * @return the Kerberos-authenticated transport
 * @throws IllegalStateException if the resolved principal does not split into the expected three parts
 * @throws UncheckedIOException if resolving the principal or creating the SASL client fails
 */
private TTransport authenticateWithHost(TTransport rawTransport, String hiveMetastoreHost) {
    // Request confidentiality ("auth-conf") only when wire encryption is enabled; the client
    // always asks the server to authenticate itself (SERVER_AUTH=true), i.e. mutual authentication.
    String qop;
    if (hdfsWireEncryptionEnabled) {
        qop = "auth-conf";
    } else {
        qop = "auth";
    }
    Map<String, String> saslProperties = ImmutableMap.of(QOP, qop, SERVER_AUTH, "true");
    try {
        String principal = getServerPrincipal(hiveMetastoreServicePrincipal, hiveMetastoreHost);
        // Expected shape is primary/host@REALM, so a valid principal splits into three parts.
        String[] principalParts = SaslRpcServer.splitKerberosName(principal);
        checkState(principalParts.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", principal);
        TTransport saslClient = new TSaslClientTransport(
                KERBEROS.getMechanismName(),
                null,
                principalParts[0],
                principalParts[1],
                saslProperties,
                null,
                rawTransport);
        return new TUGIAssumingTransport(saslClient, authentication.getUserGroupInformation());
    } catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
Also used : TUGIAssumingTransport(org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport) TSaslClientTransport(org.apache.thrift.transport.TSaslClientTransport) UncheckedIOException(java.io.UncheckedIOException) TTransport(org.apache.thrift.transport.TTransport) IOException(java.io.IOException) UncheckedIOException(java.io.UncheckedIOException)

Example 8 with TSaslClientTransport

use of org.apache.thrift.transport.TSaslClientTransport in project hive by apache.

In class KerberosSaslHelper, method createSubjectAssumedTransport.

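/**
 * Helper to wrap the {@code underlyingTransport} into an assumed kerberos principal.
 * The function is used for kerberos based authentication, where {@code kerberosAuthType}
 * is set to {@code fromSubject}. It also performs a substitution of {@code _HOST} to the
 * local host name, if required.
 *
 * @param principal The kerberos principal to assume
 * @param host Host, used to replace the {@code _HOST} with
 * @param underlyingTransport The I/O transport to wrap
 * @param saslProps SASL property map
 * @return The wrapped transport
 * @throws IOException if the resolved principal does not have the {@code service/host@REALM}
 *         form, or if the SASL/Thrift transport cannot be instantiated
 */
public static TTransport createSubjectAssumedTransport(String principal, String host, TTransport underlyingTransport, Map<String, String> saslProps) throws IOException {
    String resolvedPrincipal = SecurityUtil.getServerPrincipal(principal, host);
    // GSSAPI needs the service name and server host separately; a Kerberos principal is
    // "service/host@REALM", so splitting on '/' and '@' yields [service, host, realm].
    String[] names = resolvedPrincipal.split("[/@]");
    if (names.length < 2) {
        // A principal without a '/' part would otherwise fail below on names[1] with an
        // ArrayIndexOutOfBoundsException; report it as the declared IOException instead.
        throw new IOException("Kerberos principal does not have the expected service/host form: " + resolvedPrincipal);
    }
    try {
        TTransport saslTransport = new TSaslClientTransport("GSSAPI", null, names[0], names[1], saslProps, null, underlyingTransport);
        return new TSubjectAssumingTransport(saslTransport);
    } catch (SaslException | TTransportException se) {
        throw new IOException("Could not instantiate transport", se);
    }
}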
Also used : TTransportException(org.apache.thrift.transport.TTransportException) TSaslClientTransport(org.apache.thrift.transport.TSaslClientTransport) TTransport(org.apache.thrift.transport.TTransport) IOException(java.io.IOException) SaslException(javax.security.sasl.SaslException)

Example 9 with TSaslClientTransport

use of org.apache.thrift.transport.TSaslClientTransport in project jstorm by alibaba.

In class KerberosSaslTransportPlugin, method connect.

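/**
 * Wraps {@code transport} in a Kerberos (GSSAPI) SASL client transport and opens it while
 * running as the subject obtained from the {@code login_conf} client login context.
 *
 * @param transport the underlying, unauthenticated Thrift transport
 * @param serverHost host name of the server, passed to the SASL client as the server name
 * @param asUser principal to authenticate as; when blank, the principal is taken from the
 *        logged-in subject
 * @return the opened SASL transport
 * @throws TTransportException if opening the SASL transport fails
 * @throws IOException if creating the SASL client transport fails
 * @throws RuntimeException if the login fails, the subject holds no Kerberos ticket, or the
 *         privileged open fails with something other than a {@link TTransportException}
 */
@Override
public TTransport connect(TTransport transport, String serverHost, String asUser) throws TTransportException, IOException {
    // create an authentication callback handler
    ClientCallbackHandler clientCallbackHandler = new ClientCallbackHandler(login_conf);
    // login our user
    Login login = null;
    try {
        // specify a configuration object to be used
        Configuration.setConfiguration(login_conf);
        // now login
        login = new Login(AuthUtils.LOGIN_CONTEXT_CLIENT, clientCallbackHandler);
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }
    final Subject subject = login.getSubject();
    // a subject without a Kerberos ticket cannot complete GSSAPI, so fail early with a clear message
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + login_conf);
    }
    final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser;
    String serviceName = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName");
    if (serviceName == null) {
        serviceName = AuthUtils.SERVICE;
    }
    Map<String, String> props = new TreeMap<String, String>();
    // "auth" requests authentication only: no integrity or confidentiality protection on the wire
    props.put(Sasl.QOP, "auth");
    // NOTE(review): SERVER_AUTH=false means the client does not request mutual authentication,
    // so the SASL layer does not verify the server's identity; confirm this is intended.
    props.put(Sasl.SERVER_AUTH, "false");
    LOG.debug("SASL GSSAPI client transport is being established");
    final TTransport saslTransport = new TSaslClientTransport(KERBEROS, principal, serviceName, serverHost, props, null, transport);
    // open Sasl transport with the login credential
    try {
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

            @Override
            public Void run() throws TTransportException {
                LOG.debug("do as:" + principal);
                // Let the failure propagate: swallowing it here would hand the caller an
                // unopened transport that only fails later, far from the actual cause.
                saslTransport.open();
                return null;
            }
        });
    } catch (PrivilegedActionException e) {
        // doAs wraps the checked exception thrown by run(); unwrap it for logging and rethrow
        // a transport failure as the declared TTransportException.
        Throwable cause = e.getCause();
        LOG.error("Client failed to open SaslClientTransport to interact with a server during session initiation: " + cause, cause);
        if (cause instanceof TTransportException) {
            throw (TTransportException) cause;
        }
        throw new RuntimeException(e);
    }
    return saslTransport;
}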
Also used : KerberosTicket(javax.security.auth.kerberos.KerberosTicket) PrivilegedActionException(java.security.PrivilegedActionException) TSaslClientTransport(org.apache.thrift.transport.TSaslClientTransport) Login(org.apache.zookeeper.Login) TreeMap(java.util.TreeMap) Subject(javax.security.auth.Subject) LoginException(javax.security.auth.login.LoginException) TTransportException(org.apache.thrift.transport.TTransportException) PrivilegedActionException(java.security.PrivilegedActionException) IOException(java.io.IOException) LoginException(javax.security.auth.login.LoginException) TTransport(org.apache.thrift.transport.TTransport)

Example 10 with TSaslClientTransport

use of org.apache.thrift.transport.TSaslClientTransport in project presto by prestodb.

In class KerberosHiveMetastoreAuthentication, method authenticate.

/**
 * Authenticates {@code rawTransport} to the metastore on {@code hiveMetastoreHost} with
 * Kerberos (GSSAPI) and binds the result to the configured Hadoop user.
 *
 * @param rawTransport the unauthenticated Thrift transport to wrap
 * @param hiveMetastoreHost host passed to {@code getServerPrincipal} when resolving the service principal
 * @return the Kerberos-authenticated transport
 * @throws TTransportException declared on the overridden signature; I/O failures in this
 *         implementation are rethrown unchecked instead
 * @throws IllegalStateException if the resolved principal does not split into exactly three parts
 */
@Override
public TTransport authenticate(TTransport rawTransport, String hiveMetastoreHost) throws TTransportException {
    try {
        String principal = getServerPrincipal(hiveMetastoreServicePrincipal, hiveMetastoreHost);
        // Expected shape is primary/host@REALM, so a valid principal splits into three parts.
        String[] principalParts = SaslRpcServer.splitKerberosName(principal);
        checkState(principalParts.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", principal);
        // "auth" requests authentication only (no wire integrity/confidentiality);
        // SERVER_AUTH "true" asks the server to authenticate itself as well.
        Map<String, String> saslProperties = ImmutableMap.of(Sasl.QOP, "auth", Sasl.SERVER_AUTH, "true");
        TTransport saslClient = new TSaslClientTransport(
                KERBEROS.getMechanismName(),
                null,
                principalParts[0],
                principalParts[1],
                saslProperties,
                null,
                rawTransport);
        return new TUGIAssumingTransport(saslClient, authentication.getUserGroupInformation());
    } catch (IOException e) {
        // Throwables.propagate wraps the checked exception in a RuntimeException
        // (note: this helper is deprecated in newer Guava releases).
        throw Throwables.propagate(e);
    }
}
Also used : TUGIAssumingTransport(org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport) TSaslClientTransport(org.apache.thrift.transport.TSaslClientTransport) TTransport(org.apache.thrift.transport.TTransport) IOException(java.io.IOException)

Aggregations

TSaslClientTransport (org.apache.thrift.transport.TSaslClientTransport)13 TTransport (org.apache.thrift.transport.TTransport)8 IOException (java.io.IOException)7 TSocket (org.apache.thrift.transport.TSocket)7 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)5 UGIAssumingTransport (org.apache.accumulo.core.rpc.UGIAssumingTransport)4 TTransportException (org.apache.thrift.transport.TTransportException)4 ByteBuffer (java.nio.ByteBuffer)3 HashMap (java.util.HashMap)3 ClusterUser (org.apache.accumulo.cluster.ClusterUser)3 AccumuloProxy (org.apache.accumulo.proxy.thrift.AccumuloProxy)3 Client (org.apache.accumulo.proxy.thrift.AccumuloProxy.Client)3 TUGIAssumingTransport (org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport)3 TCompactProtocol (org.apache.thrift.protocol.TCompactProtocol)3 Test (org.junit.Test)3 LoggerFactory (org.slf4j.LoggerFactory)3 File (java.io.File)2 UncheckedIOException (java.io.UncheckedIOException)2 ArrayList (java.util.ArrayList)2 Map (java.util.Map)2