Example 56 with Credentials
use of org.ow2.proactive.authentication.crypto.Credentials in project scheduling by ow2-proactive.
the class SSHInfrastructure method startNodeImpl.
/**
* Internal node acquisition method
* <p>
* Starts a PA runtime on remote host using SSH, register it manually in the
* nodesource.
*
* @param hostTracker The host on which one the node will be started
* @param nbNodes number of nodes to deploy
* @param depNodeURLs list of deploying or lost nodes urls created
* @throws RMException
* acquisition failed
*/
protected void startNodeImpl(HostTracker hostTracker, int nbNodes, final List<String> depNodeURLs) throws RMException {
String fs = getTargetOSObj().fs;
CommandLineBuilder clb = super.getDefaultCommandLineBuilder(getTargetOSObj());
// we take care of spaces in java path
clb.setJavaPath(this.javaPath);
// we set the rm.home prop
clb.setRmHome(schedulingPath);
// we set the java security policy file
StringBuilder sb = new StringBuilder();
final boolean containsSpace = schedulingPath.contains(" ");
String securitycmd = CentralPAPropertyRepository.JAVA_SECURITY_POLICY.getCmdLine();
if (!this.javaOptions.contains(securitycmd)) {
sb.append(securitycmd);
if (containsSpace) {
sb.append("\"");
}
sb.append(schedulingPath);
sb.append(fs);
sb.append("config");
sb.append(fs);
sb.append("security.java.policy-client");
if (containsSpace) {
sb.append("\"");
}
sb.append(" ");
}
// we set the log4j configuration file
String log4jcmd = CentralPAPropertyRepository.LOG4J.getCmdLine();
if (!this.javaOptions.contains(log4jcmd)) {
sb.append(log4jcmd);
if (containsSpace) {
sb.append("\"");
}
// log4j only understands urls
sb.append("file:");
if (!schedulingPath.startsWith("/")) {
sb.append("/" + schedulingPath.replace("\\", "/"));
} else {
sb.append(schedulingPath.replace("\\", "/"));
}
sb.append("/");
sb.append("config");
sb.append("/");
sb.append("log");
sb.append("/");
sb.append("node.properties");
if (containsSpace) {
sb.append("\"");
}
sb.append(" ");
}
// we add extra java/PA configuration
sb.append(this.javaOptions);
clb.setPaProperties(sb.toString());
// afterwards, node's name
// generate the node name
// current rmcore shortID should be added to ensure uniqueness
final String nodeName = nodeNameBuilder.generateNodeName(hostTracker);
clb.setNodeName(nodeName);
clb.setNumberOfNodes(nbNodes);
// finally, the credential's value
String credString = null;
try {
credString = new String(getCredentials().getBase64());
} catch (KeyException e1) {
throw new RMException("Could not get base64 credentials", e1);
}
clb.setCredentialsValueAndNullOthers(credString);
// add an expected node. every unexpected node will be discarded
String cmdLine;
String obfuscatedCmdLine;
try {
cmdLine = clb.buildCommandLine(true);
obfuscatedCmdLine = clb.buildCommandLine(false);
} catch (IOException e2) {
throw new RMException("Cannot build the " + RMNodeStarter.class.getSimpleName() + "'s command line.", e2);
}
// one escape the command to make it runnable through ssh
if (cmdLine.contains("\"")) {
cmdLine = cmdLine.replaceAll("\"", "\\\\\"");
}
// we create a new deploying node before ssh command ran
final List<String> createdNodeNames = RMNodeStarter.getWorkersNodeNames(nodeName, nbNodes);
depNodeURLs.addAll(addMultipleDeployingNodes(createdNodeNames, obfuscatedCmdLine, "Deploying nodes on host " + hostTracker.getResolvedAddress(), super.nodeTimeOut));
addTimeouts(depNodeURLs);
Process p = null;
try {
p = Utils.runSSHCommand(hostTracker.getResolvedAddress(), cmdLine, sshOptions);
} catch (IOException e1) {
multipleDeclareDeployingNodeLost(depNodeURLs, "Cannot run command: " + cmdLine + ", with ssh options: " + sshOptions + " -\n The following exception occutred:\n " + getStackTraceAsString(e1));
throw new RMException("Cannot run command: " + cmdLine + ", with ssh options: " + sshOptions, e1);
}
String lf = System.lineSeparator();
int circuitBreakerThreshold = 5;
while (!anyTimedOut(depNodeURLs) && circuitBreakerThreshold > 0) {
try {
int exitCode = p.exitValue();
if (exitCode != 0) {
logger.error("SSH subprocess at " + hostTracker.getResolvedAddress().getHostName() + " exited abnormally (" + exitCode + ").");
} else {
logger.error("Launching node process has exited normally whereas it shouldn't.");
}
String pOutPut = Utils.extractProcessOutput(p);
String pErrPut = Utils.extractProcessErrput(p);
final String description = "SSH command failed to launch node on host " + hostTracker.getResolvedAddress().getHostName() + lf + " >Error code: " + exitCode + lf + " >Errput: " + pErrPut + " >Output: " + pOutPut;
logger.error(description);
if (super.checkAllNodesAreAcquiredAndDo(createdNodeNames, null, new Runnable() {
public void run() {
SSHInfrastructure.this.multipleDeclareDeployingNodeLost(depNodeURLs, description);
}
})) {
return;
} else {
// there isn't any race regarding node registration
throw new RMException("SSH Node " + nodeName + " is not expected anymore because of an error.");
}
} catch (IllegalThreadStateException e) {
logger.trace("IllegalThreadStateException while waiting for " + nodeName + " registration");
}
if (super.checkNodeIsAcquiredAndDo(nodeName, null, null)) {
// registration is ok, we destroy the process
p.destroy();
return;
}
try {
Thread.sleep(1000);
} catch (Exception e) {
circuitBreakerThreshold--;
logger.trace("An exception occurred while monitoring ssh subprocess", e);
}
}
// if we exit because of a timeout
if (anyTimedOut(depNodeURLs)) {
// we remove it
removeTimeouts(depNodeURLs);
// we destroy the process
p.destroy();
throw new RMException("Deploying Node " + nodeName + " not expected any more");
}
if (circuitBreakerThreshold <= 0) {
logger.error("Circuit breaker threshold reached while monitoring ssh subprocess.");
throw new RMException("Several exceptions occurred while monitoring ssh subprocess.");
}
}
Also used :
Throwables.getStackTraceAsString(com.google.common.base.Throwables.getStackTraceAsString)
CommandLineBuilder(org.ow2.proactive.resourcemanager.utils.CommandLineBuilder)
IOException(java.io.IOException)
KeyException(java.security.KeyException)
RMException(org.ow2.proactive.resourcemanager.exception.RMException)
KeyException(java.security.KeyException)
IOException(java.io.IOException)
RMException(org.ow2.proactive.resourcemanager.exception.RMException)
Example 57 with Credentials
use of org.ow2.proactive.authentication.crypto.Credentials in project scheduling by ow2-proactive.
the class SchedulerFactory method createScheduler.
/**
* Create a new scheduler on the local host plugged on the given resource manager.<br>
* This constructor also requires the credentials of the client to connect.<br><br>
* It will return a client scheduler able to managed the scheduler.<br><br>
* <font color="red">WARNING :</font> this method provides a way to connect to the scheduler after its creation,
* BUT if the scheduler is restarting after failure, this method will create the scheduler
* but will throw a SchedulerException due to the failure of client connection.<br>
* In fact, while the scheduler is restarting after a crash, no one can connect it during the whole restore process.<br><br>
* In any other case, the method will block until connection is allowed or error occurred.
*
* @param rmURL the resource manager URL on which the scheduler will connect
* @param policyFullClassName the full policy class name for the scheduler.
* @return a scheduler interface to manage the scheduler.
* @throws SchedulerException if the scheduler cannot be created.
* @throws AdminSchedulerException if a client connection exception occurs.
* @throws LoginException if a user login/password exception occurs.
*/
public static Scheduler createScheduler(Credentials creds, URI rmURL, String policyFullClassName) throws AdminSchedulerException, SchedulerException, LoginException {
createScheduler(rmURL, policyFullClassName, SchedulerStatus.STARTED);
SchedulerAuthenticationInterface auth = SchedulerConnection.waitAndJoin(null);
return auth.login(creds);
}
Also used :
SchedulerAuthenticationInterface(org.ow2.proactive.scheduler.common.SchedulerAuthenticationInterface)
Example 58 with Credentials
use of org.ow2.proactive.authentication.crypto.Credentials in project scheduling by ow2-proactive.
the class SchedulerAuthentication method login.
/**
* {@inheritDoc}
*/
public Scheduler login(Credentials cred) throws LoginException, AlreadyConnectedException {
Subject subject = authenticate(cred);
UserNamePrincipal unPrincipal = subject.getPrincipals(UserNamePrincipal.class).iterator().next();
String user = unPrincipal.getName();
logger.info("user : " + user);
// add this user to the scheduler front-end
UserIdentificationImpl ident = new UserIdentificationImpl(user, subject);
ident.setHostName(getSenderHostName());
this.frontend.connect(PAActiveObject.getContext().getCurrentRequest().getSourceBodyID(), ident, cred);
try {
// return the stub on Scheduler interface to keep avoid using server class on client side
return PAActiveObject.lookupActive(Scheduler.class, PAActiveObject.getUrl(frontend));
} catch (ActiveObjectCreationException e) {
rethrowSchedulerStubException(e);
} catch (IOException e) {
rethrowSchedulerStubException(e);
}
return null;
}
Also used :
UserNamePrincipal(org.ow2.proactive.authentication.principals.UserNamePrincipal)
IOException(java.io.IOException)
Subject(javax.security.auth.Subject)
UserIdentificationImpl(org.ow2.proactive.scheduler.job.UserIdentificationImpl)
ActiveObjectCreationException(org.objectweb.proactive.ActiveObjectCreationException)
Example 59 with Credentials
use of org.ow2.proactive.authentication.crypto.Credentials in project scheduling by ow2-proactive.
the class JMXAuthenticatorImpl method authenticate.
/**
* This method is automatically called when a JMX client tries to connect to the MBean Server referred
* by the connector.
* <p>
* The only allowed credentials structure provided by the client is Object[] that contains
* username/password (String/String) or username/{@link org.ow2.proactive.authentication.crypto.Credentials}
*
* @return a subject with the username as JMXPrincipal and the role as pubCredentials {@link javax.security.auth.Subject}
* @param rawCredentials the credentials provided by the client
*/
public Subject authenticate(final Object rawCredentials) {
// If not an array of object do not give any clues just throw exception
if (rawCredentials == null || !(rawCredentials instanceof Object[])) {
throw new SecurityException("Invalid credentials");
}
final Object[] arr = (Object[]) rawCredentials;
if (arr[0] == null || arr[1] == null) {
throw new SecurityException("Invalid credentials");
}
final String username = arr[0].toString();
Credentials internalCredentials = null;
// If username/Credentials
if (arr[1] instanceof Credentials) {
internalCredentials = (Credentials) arr[1];
// If username/password (ex: JConsole)
} else if (arr[1] instanceof String) {
try {
internalCredentials = Credentials.createCredentials(new CredData(CredData.parseLogin(username), CredData.parseDomain(username), (String) arr[1]), authentication.getPublicKey());
} catch (Exception e) {
throw new SecurityException("Invalid credentials", e);
}
} else {
throw new SecurityException("Invalid credentials");
}
try {
Subject s = this.authentication.authenticate(internalCredentials);
if (permissionChecker != null) {
boolean allowed = permissionChecker.checkPermission(internalCredentials);
if (!allowed) {
throw new SecurityException("Permission denied");
}
}
return s;
} catch (LoginException e) {
throw new SecurityException("Unable to authenticate " + username);
}
}
Also used :
CredData(org.ow2.proactive.authentication.crypto.CredData)
LoginException(javax.security.auth.login.LoginException)
Credentials(org.ow2.proactive.authentication.crypto.Credentials)
LoginException(javax.security.auth.login.LoginException)
Subject(javax.security.auth.Subject)
Example 60 with Credentials
use of org.ow2.proactive.authentication.crypto.Credentials in project scheduling by ow2-proactive.
the class SchedulerUsageTest method testSchedulerUsage.
@Test
public void testSchedulerUsage() throws Exception {
SchedulerAuthenticationInterface auth = schedulerHelper.getSchedulerAuth();
PublicKey pubKey = auth.getPublicKey();
Credentials cred = Credentials.createCredentials(new CredData(TestUsers.USER.username, TestUsers.USER.password), pubKey);
Scheduler scheduler = auth.login(cred);
fallbackToMyAccountUsage(scheduler);
scheduler.disconnect();
}
Also used :
PublicKey(java.security.PublicKey)
Scheduler(org.ow2.proactive.scheduler.common.Scheduler)
CredData(org.ow2.proactive.authentication.crypto.CredData)
SchedulerAuthenticationInterface(org.ow2.proactive.scheduler.common.SchedulerAuthenticationInterface)
Credentials(org.ow2.proactive.authentication.crypto.Credentials)
Test(org.junit.Test)
Aggregations
Credentials (org.ow2.proactive.authentication.crypto.Credentials)52
CredData (org.ow2.proactive.authentication.crypto.CredData)45
KeyException (java.security.KeyException)20
ResourceManager (org.ow2.proactive.resourcemanager.frontend.ResourceManager)18
LoginException (javax.security.auth.login.LoginException)17
PublicKey (java.security.PublicKey)15
Test (org.junit.Test)15
RMAuthentication (org.ow2.proactive.resourcemanager.authentication.RMAuthentication)14
HashMap (java.util.HashMap)13
IOException (java.io.IOException)12
SchedulerAuthenticationInterface (org.ow2.proactive.scheduler.common.SchedulerAuthenticationInterface)12
File (java.io.File)9
NotConnectedException (org.ow2.proactive.scheduler.common.exception.NotConnectedException)8
RMFunctionalTest (functionaltests.utils.RMFunctionalTest)6
JMXServiceURL (javax.management.remote.JMXServiceURL)6
ActiveObjectCreationException (org.objectweb.proactive.ActiveObjectCreationException)6
Node (org.objectweb.proactive.core.node.Node)6
RMException (org.ow2.proactive.resourcemanager.exception.RMException)6
PermissionException (org.ow2.proactive.scheduler.common.exception.PermissionException)6
JMXConnector (javax.management.remote.JMXConnector)5
