Java Code Examples for org.apache.hadoop.security.SecurityUtil#getKerberosInfo()

The following examples show how to use org.apache.hadoop.security.SecurityUtil#getKerberosInfo() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: HdfsPlugin.java    From crate with Apache License 2.0 5 votes vote down vote up 
private static Void eagerInit() {
    /*
     * Hadoop RPC wire serialization uses ProtocolBuffers. All proto classes for Hadoop
     * come annotated with configurations that denote information about if they support
     * certain security options like Kerberos, and how to send information with the
     * message to support that authentication method. SecurityUtil creates a service loader
     * in a static field during its clinit. This loader provides the implementations that
     * pull the security information for each proto class. The service loader sources its
     * services from the current thread's context class loader, which must contain the Hadoop
     * jars. Since plugins don't execute with their class loaders installed as the thread's
     * context class loader, we need to install the loader briefly, allow the util to be
     * initialized, then restore the old loader since we don't actually own this thread.
     */
    ClassLoader oldCCL = Thread.currentThread().getContextClassLoader();
    try {
        Thread.currentThread().setContextClassLoader(HdfsRepository.class.getClassLoader());
        KerberosInfo info = SecurityUtil.getKerberosInfo(ClientNamenodeProtocolPB.class, null);
        // Make sure that the correct class loader was installed.
        if (info == null) {
            throw new RuntimeException("Could not initialize SecurityUtil: " +
                "Unable to find services for [org.apache.hadoop.security.SecurityInfo]");
        }
    } finally {
        Thread.currentThread().setContextClassLoader(oldCCL);
    }
    return null;
}
Example 2
Source File: ServiceAuthorizationManager.java    From hadoop with Apache License 2.0 4 votes vote down vote up 
/**
 * Authorize the user to access the protocol being used.
 * 
 * @param user user accessing the service 
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr InetAddress of the client
 * @throws AuthorizationException on authorization failure
 */
public void authorize(UserGroupInformation user, 
                             Class<?> protocol,
                             Configuration conf,
                             InetAddress addr
                             ) throws AuthorizationException {
  AccessControlList[] acls = protocolToAcls.get(protocol);
  MachineList[] hosts = protocolToMachineLists.get(protocol);
  if (acls == null || hosts == null) {
    throw new AuthorizationException("Protocol " + protocol + 
                                     " is not known.");
  }
  
  // get client principal key to verify (if available)
  KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
  String clientPrincipal = null; 
  if (krbInfo != null) {
    String clientKey = krbInfo.clientPrincipal();
    if (clientKey != null && !clientKey.isEmpty()) {
      try {
        clientPrincipal = SecurityUtil.getServerPrincipal(
            conf.get(clientKey), addr);
      } catch (IOException e) {
        throw (AuthorizationException) new AuthorizationException(
            "Can't figure out Kerberos principal name for connection from "
                + addr + " for user=" + user + " protocol=" + protocol)
            .initCause(e);
      }
    }
  }
  if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
     acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
    AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
        + ", expected client Kerberos principal is " + clientPrincipal);
    throw new AuthorizationException("User " + user + 
        " is not authorized for protocol " + protocol + 
        ", expected client Kerberos principal is " + clientPrincipal);
  }
  if (addr != null) {
    String hostAddress = addr.getHostAddress();
    if (hosts.length != 2 || !hosts[0].includes(hostAddress) ||
        hosts[1].includes(hostAddress)) {
      AUDITLOG.warn(AUTHZ_FAILED_FOR + " for protocol=" + protocol
          + " from host = " +  hostAddress);
      throw new AuthorizationException("Host " + hostAddress +
          " is not authorized for protocol " + protocol) ;
    }
  }
  AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
}
Example 3
Source File: ServiceAuthorizationManager.java    From big-c with Apache License 2.0 4 votes vote down vote up 
/**
 * Authorize the user to access the protocol being used.
 * 
 * @param user user accessing the service 
 * @param protocol service being accessed
 * @param conf configuration to use
 * @param addr InetAddress of the client
 * @throws AuthorizationException on authorization failure
 */
public void authorize(UserGroupInformation user, 
                             Class<?> protocol,
                             Configuration conf,
                             InetAddress addr
                             ) throws AuthorizationException {
  AccessControlList[] acls = protocolToAcls.get(protocol);
  MachineList[] hosts = protocolToMachineLists.get(protocol);
  if (acls == null || hosts == null) {
    throw new AuthorizationException("Protocol " + protocol + 
                                     " is not known.");
  }
  
  // get client principal key to verify (if available)
  KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
  String clientPrincipal = null; 
  if (krbInfo != null) {
    String clientKey = krbInfo.clientPrincipal();
    if (clientKey != null && !clientKey.isEmpty()) {
      try {
        clientPrincipal = SecurityUtil.getServerPrincipal(
            conf.get(clientKey), addr);
      } catch (IOException e) {
        throw (AuthorizationException) new AuthorizationException(
            "Can't figure out Kerberos principal name for connection from "
                + addr + " for user=" + user + " protocol=" + protocol)
            .initCause(e);
      }
    }
  }
  if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
     acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
    AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
        + ", expected client Kerberos principal is " + clientPrincipal);
    throw new AuthorizationException("User " + user + 
        " is not authorized for protocol " + protocol + 
        ", expected client Kerberos principal is " + clientPrincipal);
  }
  if (addr != null) {
    String hostAddress = addr.getHostAddress();
    if (hosts.length != 2 || !hosts[0].includes(hostAddress) ||
        hosts[1].includes(hostAddress)) {
      AUDITLOG.warn(AUTHZ_FAILED_FOR + " for protocol=" + protocol
          + " from host = " +  hostAddress);
      throw new AuthorizationException("Host " + hostAddress +
          " is not authorized for protocol " + protocol) ;
    }
  }
  AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
}