Search in sources :

Example 1 with ConfigurableSpnegoAuthenticator

use of org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator in project calcite-avatica by apache.

the class HttpServer method configureSpnego.

/**
 * Configures the <code>connector</code> given the <code>config</code> for using SPNEGO.
 *
 * @param config The configuration
 */
protected ConstraintSecurityHandler configureSpnego(Server server, AvaticaServerConfiguration config) {
    final String realm = Objects.requireNonNull(config.getKerberosRealm());
    // DefaultSessionIdManager uses SecureRandom, but we can be explicit about that.
    server.setSessionIdManager(new DefaultSessionIdManager(server, new SecureRandom()));
    // We rely on SPNEGO to authenticate the users with valid Kerberos identities. We
    // do not require a _specific_ Kerberos identity in order to authenticate with
    // Avatica. AvaticaUserStore will assign the role "avatica-user" to every SPNEGO-authenticated
    // user, and then ConfigurableSpnegoAuthenticator will check that role.
    // 
    // This setup adds nothing but complexity to Avatica, but Jetty removed the
    // functionality to not have this layer of indirection. It paves the way for
    // flexibility in having "user" centric HTTP endpoints and "admin" centric
    // HTTP endpoints which Avatica can authorize appropriately.
    final AvaticaUserStore userStore = new AvaticaUserStore();
    LOG.info("Instantiating HashLoginService with {}", realm);
    // Passing the Kerberos Realm here was previously important, but is not critical any longer.
    final HashLoginService authz = new HashLoginService(realm);
    authz.setUserStore(userStore);
    // A customization of SpnegoLoginService to explicitly set the server's principal, otherwise
    // we would have to require a custom file to set the server's principal.
    ConfigurableSpnegoLoginService spnegoLoginService = new ConfigurableSpnegoLoginService(realm, AuthorizationService.from(authz, ""));
    // Why? The Jetty unit test does it.
    spnegoLoginService.addBean(authz);
    spnegoLoginService.setServiceName(config.getKerberosServiceName());
    spnegoLoginService.setHostName(config.getKerberosHostName());
    spnegoLoginService.setKeyTabPath(config.getKerberosKeytab().toPath());
    // The Authenticator independently validates what role(s) the authenticated
    // user has and authorizes them to access the HTTP resources. We use "avatica-user"
    // as the role to check.
    final String[] allowedRealms = new String[] { AvaticaUserStore.AVATICA_USER_ROLE };
    final ConfigurableSpnegoAuthenticator spnegoAuthn = new ConfigurableSpnegoAuthenticator();
    spnegoAuthn.setAuthenticationDuration(Duration.ofMinutes(5));
    return configureCommonAuthentication(Constraint.__SPNEGO_AUTH, allowedRealms, spnegoAuthn, realm, spnegoLoginService);
}
Also used : DefaultSessionIdManager(org.eclipse.jetty.server.session.DefaultSessionIdManager) HashLoginService(org.eclipse.jetty.security.HashLoginService) ConfigurableSpnegoLoginService(org.eclipse.jetty.security.ConfigurableSpnegoLoginService) SecureRandom(java.security.SecureRandom) ConfigurableSpnegoAuthenticator(org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator)

Aggregations

SecureRandom (java.security.SecureRandom)1 ConfigurableSpnegoLoginService (org.eclipse.jetty.security.ConfigurableSpnegoLoginService)1 HashLoginService (org.eclipse.jetty.security.HashLoginService)1 ConfigurableSpnegoAuthenticator (org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator)1 DefaultSessionIdManager (org.eclipse.jetty.server.session.DefaultSessionIdManager)1