Use of org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator in project calcite-avatica by Apache: the class HttpServer, method configureSpnego.
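/**
 * Configures the {@code server} for SPNEGO (Kerberos) authentication using {@code config}.
 *
 * <p>SPNEGO only establishes that the caller holds a valid Kerberos ticket for this service; it
 * does not restrict <em>which</em> principals may connect. Every authenticated principal is mapped
 * to the single {@link AvaticaUserStore#AVATICA_USER_ROLE} role, and that role is the only one the
 * returned handler requires, so any principal the KDC will issue a service ticket to is authorized.
 * Callers needing a tighter allow-list of principals must enforce it elsewhere.
 *
 * @param server The Jetty server; its session id manager is replaced with one explicitly backed
 *               by {@link SecureRandom}
 * @param config The configuration supplying the Kerberos realm, service name, host name and keytab
 * @return The security handler built by {@code configureCommonAuthentication}
 * @throws NullPointerException if the Kerberos realm or keytab is absent from {@code config}
 */
protected ConstraintSecurityHandler configureSpnego(Server server, AvaticaServerConfiguration config) {
  final String realm = Objects.requireNonNull(config.getKerberosRealm(),
      "Kerberos realm must be configured for SPNEGO");
  // DefaultSessionIdManager already uses SecureRandom, but we are explicit about it: the session
  // id is what carries the cached SPNEGO result (see the authentication duration below), so it
  // must not be guessable.
  server.setSessionIdManager(new DefaultSessionIdManager(server, new SecureRandom()));
  // We rely on SPNEGO to authenticate the users with valid Kerberos identities. We
  // do not require a _specific_ Kerberos identity in order to authenticate with
  // Avatica. AvaticaUserStore will assign the role "avatica-user" to every SPNEGO-authenticated
  // user, and then ConfigurableSpnegoAuthenticator will check that role.
  //
  // This setup adds nothing but complexity to Avatica, but Jetty removed the
  // functionality to not have this layer of indirection. It paves the way for
  // flexibility in having "user" centric HTTP endpoints and "admin" centric
  // HTTP endpoints which Avatica can authorize appropriately.
  final AvaticaUserStore userStore = new AvaticaUserStore();
  LOG.info("Instantiating HashLoginService with {}", realm);
  // Passing the Kerberos Realm here was previously important, but is not critical any longer.
  final HashLoginService authz = new HashLoginService(realm);
  authz.setUserStore(userStore);
  // A customization of SpnegoLoginService to explicitly set the server's principal, otherwise
  // we would have to require a custom file to set the server's principal.
  // NOTE(review): the "" passed to AuthorizationService.from is presumably the credential handed to
  // HashLoginService/AvaticaUserStore when resolving roles for an already-authenticated principal;
  // the user store must therefore never treat it as a password check — confirm in AvaticaUserStore.
  final ConfigurableSpnegoLoginService spnegoLoginService =
      new ConfigurableSpnegoLoginService(realm, AuthorizationService.from(authz, ""));
  // Why? The Jetty unit test does it.
  spnegoLoginService.addBean(authz);
  spnegoLoginService.setServiceName(config.getKerberosServiceName());
  // A null host name is passed through unchanged; Jetty, not this method, decides what that means.
  spnegoLoginService.setHostName(config.getKerberosHostName());
  // Fail fast with a clear message rather than an unexplained NPE from toPath() when no keytab
  // was configured.
  spnegoLoginService.setKeyTabPath(
      Objects.requireNonNull(config.getKerberosKeytab(), "Kerberos keytab must be configured for SPNEGO")
          .toPath());
  // The Authenticator independently validates what role(s) the authenticated
  // user has and authorizes them to access the HTTP resources. We use "avatica-user"
  // as the role to check. These are role names, not Kerberos realms.
  final String[] allowedRoles = new String[] { AvaticaUserStore.AVATICA_USER_ROLE };
  final ConfigurableSpnegoAuthenticator spnegoAuthn = new ConfigurableSpnegoAuthenticator();
  // Per ConfigurableSpnegoAuthenticator, a successful negotiation is remembered in the session and
  // re-negotiated only after this duration elapses (confirm against the Jetty version in use). Five
  // minutes appears to bound how long a captured session id stays usable without a Kerberos ticket.
  spnegoAuthn.setAuthenticationDuration(Duration.ofMinutes(5));
  return configureCommonAuthentication(Constraint.__SPNEGO_AUTH, allowedRoles, spnegoAuthn, realm, spnegoLoginService);
}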