Use of org.apache.thrift.transport.TSaslClientTransport in project presto by prestodb.
From the class KerberosHiveMetastoreAuthentication, method authenticateWithToken (delegation-token path).
/**
 * Wraps {@code rawTransport} in a SASL client transport that authenticates to the
 * metastore with a Hadoop delegation token rather than a Kerberos ticket.
 *
 * <p>The token is decoded from its URL-string form and handed to a
 * {@link SaslClientCallbackHandler}; the SASL mechanism name comes from {@code TOKEN}
 * and the SASL properties from {@code SASL_PROPERTIES}, both declared outside this
 * method. Because the QOP is not set here, whether the Thrift payload ends up
 * integrity/confidentiality protected depends entirely on {@code SASL_PROPERTIES} --
 * check that constant before relying on wire protection.
 *
 * <p>Security note: a delegation token is a bearer credential. {@code tokenString}
 * should only be received over an authenticated, encrypted channel and must not be
 * logged.
 *
 * @param rawTransport the underlying, already-constructed Thrift transport
 * @param tokenString  the delegation token in its URL-string encoding
 * @return the SASL transport, wrapped so that it is opened as the current Hadoop user
 * @throws UncheckedIOException if the token cannot be decoded or the SASL client
 *                              transport cannot be created
 */
private TTransport authenticateWithToken(TTransport rawTransport, String tokenString) {
    Token<DelegationTokenIdentifier> delegationToken = new Token<>();
    try {
        delegationToken.decodeFromUrlString(tokenString);
        SaslClientCallbackHandler callbackHandler = new SaslClientCallbackHandler(delegationToken);
        // TSaslClientTransport(mechanism, authorizationId, protocol, serverName, props, cbh, transport)
        TTransport sasl = new TSaslClientTransport(
                TOKEN.getMechanismName(),
                null,
                null,
                SASL_DEFAULT_REALM,
                SASL_PROPERTIES,
                callbackHandler,
                rawTransport);
        return new TUGIAssumingTransport(sasl, UserGroupInformation.getCurrentUser());
    }
    catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
Use of org.apache.thrift.transport.TSaslClientTransport in project presto by prestodb.
From the class KerberosHiveMetastoreAuthentication, method authenticateWithHost (Kerberos path, QOP depends on HDFS wire encryption).
/**
 * Wraps {@code rawTransport} in a Kerberos (GSSAPI) SASL client transport for the
 * metastore running on {@code hiveMetastoreHost}.
 *
 * <p>{@code hiveMetastoreServicePrincipal} is resolved against the host by
 * {@code getServerPrincipal} and split into service, host and realm. Exactly three
 * parts are required: with fewer, the GSSAPI server name would be assembled from the
 * wrong pieces, so the method fails fast instead.
 *
 * <p>SASL properties: {@code SERVER_AUTH} is {@code "true"}, i.e. the server must
 * authenticate itself to the client (mutual authentication). The QOP is
 * {@code "auth-conf"} -- integrity and confidentiality on the wire -- only when
 * {@code hdfsWireEncryptionEnabled} is set; otherwise it is {@code "auth"}, which
 * authenticates the session but leaves the Thrift payload unprotected by SASL.
 *
 * @param rawTransport      the underlying Thrift transport
 * @param hiveMetastoreHost host used to resolve the service principal
 * @return the SASL transport, wrapped so that it is opened as the UGI supplied by
 *         {@code authentication}
 * @throws IllegalStateException if the resolved principal does not split into
 *                               service, host and realm
 * @throws UncheckedIOException  if the principal cannot be resolved or the SASL
 *                               client transport cannot be created
 */
private TTransport authenticateWithHost(TTransport rawTransport, String hiveMetastoreHost) {
    try {
        String principal = getServerPrincipal(hiveMetastoreServicePrincipal, hiveMetastoreHost);
        String[] parts = SaslRpcServer.splitKerberosName(principal);
        checkState(parts.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", principal);
        String service = parts[0];
        String host = parts[1];
        String qop = "auth";
        if (hdfsWireEncryptionEnabled) {
            qop = "auth-conf";
        }
        Map<String, String> properties = ImmutableMap.of(QOP, qop, SERVER_AUTH, "true");
        TTransport sasl = new TSaslClientTransport(KERBEROS.getMechanismName(), null, service, host, properties, null, rawTransport);
        return new TUGIAssumingTransport(sasl, authentication.getUserGroupInformation());
    }
    catch (IOException e) {
        throw new UncheckedIOException(e);
    }
}
Use of org.apache.thrift.transport.TSaslClientTransport in project hive by apache.
From the class KerberosSaslHelper, method createSubjectAssumedTransport.
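/**
 * Helper to wrap the {@code underlyingTransport} into an assumed kerberos principal.
 * The function is used for kerberos based authentication, where {@code kerberosAuthType}
 * is set to {@code fromSubject}. It also performs a substitution of {@code _HOST} to the
 * local host name, if required (via {@link SecurityUtil#getServerPrincipal}).
 *
 * <p>The resolved principal must have the form {@code service/host[@REALM]}: the service
 * becomes the SASL protocol and the host the SASL server name. The principal is validated
 * before the split result is used -- previously a principal without a {@code /} part either
 * threw {@link ArrayIndexOutOfBoundsException} or silently used the realm as the server
 * host, producing a confusing GSSAPI failure rather than a clear error.
 *
 * <p>Whether the resulting session is mutually authenticated and whether the payload is
 * integrity/confidentiality protected is decided entirely by {@code saslProps}
 * ({@code Sasl.SERVER_AUTH}, {@code Sasl.QOP}); this method does not set either.
 *
 * @param principal The kerberos principal to assume
 * @param host Host, used to replace the {@code _HOST} with
 * @param underlyingTransport The I/O transport to wrap
 * @param saslProps SASL property map
 * @return The wrapped transport
 * @throws IOException if the resolved principal is malformed, or the SASL client
 *                     transport cannot be instantiated
 */
public static TTransport createSubjectAssumedTransport(String principal, String host, TTransport underlyingTransport, Map<String, String> saslProps) throws IOException {
    String resolvedPrincipal = SecurityUtil.getServerPrincipal(principal, host);
    String[] names = resolvedPrincipal.split("[/@]");
    // Require "service/host..." with the '/' before any '@' and a non-empty host part, so that
    // names[0] is really the service and names[1] really the host.
    int slash = resolvedPrincipal.indexOf('/');
    int at = resolvedPrincipal.indexOf('@');
    boolean wellFormed = slash > 0 && (at < 0 || at > slash) && names.length >= 2 && !names[1].isEmpty();
    if (!wellFormed) {
        throw new IOException("Kerberos principal name does NOT have the expected service/host@REALM form: " + resolvedPrincipal);
    }
    try {
        TTransport saslTransport = new TSaslClientTransport("GSSAPI", null, names[0], names[1], saslProps, null, underlyingTransport);
        return new TSubjectAssumingTransport(saslTransport);
    } catch (SaslException | TTransportException se) {
        throw new IOException("Could not instantiate transport", se);
    }
}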
Use of org.apache.thrift.transport.TSaslClientTransport in project jstorm by alibaba.
From the class KerberosSaslTransportPlugin, method connect (client side).
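/**
 * Logs in via JAAS and wraps {@code transport} in a Kerberos (GSSAPI) SASL client
 * transport, opened under the logged-in {@link Subject}.
 *
 * <p>Steps: install {@code login_conf} as the JVM-wide JAAS configuration and log in the
 * {@code AuthUtils.LOGIN_CONTEXT_CLIENT} context; refuse to continue if the subject holds no
 * {@link KerberosTicket}; build the SASL client with {@code asUser} (or the subject's own
 * principal) as the SASL authorization id and {@code serviceName/serverHost} as the target;
 * open it inside {@link Subject#doAs}.
 *
 * <p>SECURITY: the SASL properties are {@code QOP=auth} (authentication only -- no SASL
 * integrity or confidentiality, so the Thrift payload is unprotected unless the underlying
 * transport is encrypted) and {@code SERVER_AUTH=false} (the client does not require the
 * server to authenticate itself). They are kept as-is here because tightening them is a
 * protocol change that must be coordinated with the server side.
 *
 * <p>Fix: a failed {@code open()} used to be logged and swallowed, returning an unopened
 * transport to the caller. It is now rethrown as {@link TTransportException}.
 *
 * @param transport  the underlying Thrift transport
 * @param serverHost host part of the Kerberos service principal to talk to
 * @param asUser     optional user to act as (SASL authorization id); blank means the
 *                   subject's own principal
 * @return the opened SASL transport
 * @throws TTransportException if the SASL transport cannot be created or opened
 * @throws IOException         declared for callers; not thrown directly by this method
 * @throws RuntimeException    if the JAAS login fails or yields no Kerberos ticket
 */
@Override
public TTransport connect(TTransport transport, String serverHost, String asUser) throws TTransportException, IOException {
    ClientCallbackHandler callbackHandler = new ClientCallbackHandler(login_conf);
    Login login;
    try {
        // Process-wide side effect: replaces the JAAS configuration for every login
        // context in this JVM, not only ours.
        Configuration.setConfiguration(login_conf);
        login = new Login(AuthUtils.LOGIN_CONTEXT_CLIENT, callbackHandler);
    } catch (LoginException ex) {
        LOG.error("Client failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }
    final Subject subject = login.getSubject();
    // Without a Kerberos ticket in the subject the GSSAPI exchange below cannot succeed.
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + login_conf);
    }
    // asUser is passed as the SASL authorization id (second TSaslClientTransport argument);
    // whether the authenticated principal may act as that user is for the server to decide.
    final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser;
    String serviceName = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName");
    if (serviceName == null) {
        serviceName = AuthUtils.SERVICE;
    }
    // See the SECURITY note in the Javadoc: auth-only QOP, no mutual authentication requested.
    Map<String, String> props = new TreeMap<String, String>();
    props.put(Sasl.QOP, "auth");
    props.put(Sasl.SERVER_AUTH, "false");
    LOG.debug("SASL GSSAPI client transport is being established");
    final TTransport saslTransport = new TSaslClientTransport(KERBEROS, principal, serviceName, serverHost, props, null, transport);
    // Open as the logged-in subject so the GSSAPI client can use its Kerberos credentials.
    // A checked failure from open() surfaces as PrivilegedActionException and is rethrown;
    // unchecked failures propagate out of doAs() directly.
    try {
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws TTransportException {
                LOG.debug("do as:" + principal);
                saslTransport.open();
                return null;
            }
        });
    } catch (PrivilegedActionException e) {
        Throwable cause = e.getCause() != null ? e.getCause() : e;
        LOG.error("Client failed to open SaslClientTransport to interact with a server during session initiation: " + cause, cause);
        if (cause instanceof TTransportException) {
            throw (TTransportException) cause;
        }
        throw new TTransportException(cause);
    }
    return saslTransport;
}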
Use of org.apache.thrift.transport.TSaslClientTransport in project presto by prestodb.
From the class KerberosHiveMetastoreAuthentication, method authenticate (Kerberos path, QOP fixed to auth).
/**
 * Builds the Kerberos (GSSAPI) SASL client transport for the metastore on
 * {@code hiveMetastoreHost}.
 *
 * <p>{@code hiveMetastoreServicePrincipal} is resolved against the host and must split into
 * exactly service, host and realm; service and host become the SASL protocol and server
 * name. The SASL properties are fixed: {@code SERVER_AUTH="true"} (the server must
 * authenticate itself, i.e. mutual authentication) and {@code QOP="auth"} -- the session is
 * authenticated but the Thrift payload gets no SASL integrity or confidentiality
 * protection, so wire protection has to come from the underlying transport, if at all.
 *
 * <p>A checked {@link IOException} is rethrown through {@code Throwables.propagate}, i.e.
 * wrapped in a {@link RuntimeException}; callers only see {@link TTransportException}
 * from the declared signature.
 *
 * @param rawTransport      the underlying Thrift transport
 * @param hiveMetastoreHost host used to resolve the service principal
 * @return the SASL transport, wrapped so that it is opened as the UGI supplied by
 *         {@code authentication}
 * @throws IllegalStateException if the resolved principal does not have three parts
 * @throws TTransportException   declared by the interface
 */
@Override
public TTransport authenticate(TTransport rawTransport, String hiveMetastoreHost) throws TTransportException {
    try {
        String principal = getServerPrincipal(hiveMetastoreServicePrincipal, hiveMetastoreHost);
        String[] parts = SaslRpcServer.splitKerberosName(principal);
        checkState(parts.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", principal);
        String service = parts[0];
        String host = parts[1];
        Map<String, String> properties = ImmutableMap.of(Sasl.QOP, "auth", Sasl.SERVER_AUTH, "true");
        TTransport sasl = new TSaslClientTransport(KERBEROS.getMechanismName(), null, service, host, properties, null, rawTransport);
        UserGroupInformation ugi = authentication.getUserGroupInformation();
        return new TUGIAssumingTransport(sasl, ugi);
    }
    catch (IOException e) {
        throw Throwables.propagate(e);
    }
}