Java Code Examples for org.apache.hadoop.security.SaslRpcServer#splitKerberosName()

The following examples show how to use org.apache.hadoop.security.SaslRpcServer#splitKerberosName() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: GSSCallback.java    From incubator-sentry with Apache License 2.0 6 votes vote down vote up
boolean comparePrincipals(String principal1, String principal2) {
  String[] principalParts1 = SaslRpcServer.splitKerberosName(principal1);
  String[] principalParts2 = SaslRpcServer.splitKerberosName(principal2);
  if (principalParts1.length == 0 || principalParts2.length == 0) {
    return false;
  }
  if (principalParts1.length == principalParts2.length) {
    for (int i=0; i < principalParts1.length; i++) {
      if (!principalParts1[i].equals(principalParts2[i])) {
        return false;
      }
    }
    return true;
  } else {
    return false;
  }
}
 
Example 2
Source File: GSSCallback.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
private String getShortName(String principal) {
  String parts[] = SaslRpcServer.splitKerberosName(principal);
  return parts[0];
}
 
Example 3
Source File: SentryService.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
public SentryService(Configuration conf) {
  this.conf = conf;
  int port = conf
      .getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
  if (port == 0) {
    port = findFreePort();
    conf.setInt(ServerConfig.RPC_PORT, port);
  }
  this.address = NetUtils.createSocketAddr(
      conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT),
      port);
  LOGGER.info("Configured on address " + address);
  kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
      conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
  maxThreads = conf.getInt(ServerConfig.RPC_MAX_THREADS,
      ServerConfig.RPC_MAX_THREADS_DEFAULT);
  minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS,
      ServerConfig.RPC_MIN_THREADS_DEFAULT);
  maxMessageSize = conf.getLong(ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
      ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
  if (kerberos) {
    // Use Hadoop libraries to translate the _HOST placeholder with actual hostname
    try {
      String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
      principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
    } catch(IOException io) {
      throw new RuntimeException("Can't translate kerberos principal'", io);
    }
    LOGGER.info("Using kerberos principal: " + principal);

    principalParts = SaslRpcServer.splitKerberosName(principal);
    Preconditions.checkArgument(principalParts.length == 3,
        "Kerberos principal should have 3 parts: " + principal);
    keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
        ServerConfig.KEY_TAB + " is required");
    File keytabFile = new File(keytab);
    Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
        "Keytab " + keytab + " does not exist or is not readable.");
  } else {
    principal = null;
    principalParts = null;
    keytab = null;
  }
  serviceExecutor = Executors.newSingleThreadExecutor(new ThreadFactory() {
    private int count = 0;

    @Override
    public Thread newThread(Runnable r) {
      return new Thread(r, SentryService.class.getSimpleName() + "-"
          + (count++));
    }
  });
  webServerPort = conf.getInt(ServerConfig.SENTRY_WEB_PORT, ServerConfig.SENTRY_WEB_PORT_DEFAULT);
  status = Status.NOT_STARTED;
}
 
Example 4
Source File: SentryGenericServiceClientDefaultImpl.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
public SentryGenericServiceClientDefaultImpl(Configuration conf) throws IOException {
  // copy the configuration because we may make modifications to it.
  this.conf = new Configuration(conf);
  Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
  this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
                         conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
                         + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(
                         ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT));
  this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT,
                                       ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT);
  kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
      conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
  transport = new TSocket(serverAddress.getHostName(),
      serverAddress.getPort(), connectionTimeout);
  if (kerberos) {
    String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
    // since the client uses hadoop-auth, we need to set kerberos in
    // hadoop-auth if we plan to use kerberos
    conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);

    // Resolve server host in the same way as we are doing on server side
    serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
    LOGGER.debug("Using server kerberos principal: " + serverPrincipal);

    serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
    Preconditions.checkArgument(serverPrincipalParts.length == 3,
         "Kerberos principal should have 3 parts: " + serverPrincipal);
    boolean wrapUgi = "true".equalsIgnoreCase(conf
        .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
    transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
        null, serverPrincipalParts[0], serverPrincipalParts[1],
        ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, conf);
  } else {
    serverPrincipalParts = null;
  }
  try {
    transport.open();
  } catch (TTransportException e) {
    throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
  }
  LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress);
  long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE,
      ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
  TMultiplexedProtocol protocol = new TMultiplexedProtocol(
      new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
      SentryGenericPolicyProcessor.SENTRY_GENERIC_SERVICE_NAME);
  client = new SentryGenericPolicyService.Client(protocol);
  LOGGER.debug("Successfully created client");
}
 
Example 5
Source File: SentryPolicyServiceClientDefaultImpl.java    From incubator-sentry with Apache License 2.0 4 votes vote down vote up
public SentryPolicyServiceClientDefaultImpl(Configuration conf) throws IOException {
  this.conf = conf;
  Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
  this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
                         conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
                         + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(
                         ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT));
  this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT,
                                       ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT);
  kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
      conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
  transport = new TSocket(serverAddress.getHostName(),
      serverAddress.getPort(), connectionTimeout);
  if (kerberos) {
    String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");

    // Resolve server host in the same way as we are doing on server side
    serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
    LOGGER.debug("Using server kerberos principal: " + serverPrincipal);

    serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
    Preconditions.checkArgument(serverPrincipalParts.length == 3,
         "Kerberos principal should have 3 parts: " + serverPrincipal);
    boolean wrapUgi = "true".equalsIgnoreCase(conf
        .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
    transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
        null, serverPrincipalParts[0], serverPrincipalParts[1],
        ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);
  } else {
    serverPrincipalParts = null;
  }
  try {
    transport.open();
  } catch (TTransportException e) {
    throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
  }
  LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress);
  long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE,
      ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
  TMultiplexedProtocol protocol = new TMultiplexedProtocol(
      new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
      SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME);
  client = new SentryPolicyService.Client(protocol);
  LOGGER.debug("Successfully created client");
}