org.apache.hadoop.security.HadoopKerberosName Java Examples

Example #1
Source File: BitConnectionConfig.java — from Bats (Apache License 2.0)
/**
 * Builds the SASL client properties used when this drillbit authenticates to
 * {@code remoteEndpoint}.
 *
 * <p>When the login user is authenticated via Kerberos, the service principal the remote
 * side is expected to present is derived from the local login principal: its short name,
 * the remote endpoint's address and the local realm are combined through
 * {@code KerberosUtil.getPrincipalFromParts}. If {@code useLoginPrincipal} is set the
 * login principal is used verbatim instead. Caller {@code overrides} are merged last and
 * therefore take precedence over the derived value.
 *
 * <p>NOTE(review): because the expected service principal embeds
 * {@code remoteEndpoint.getAddress()}, the endpoint address is presumably expected to come
 * from a trusted source (cluster coordination) rather than from the peer itself — confirm
 * with the caller.
 *
 * @param remoteEndpoint the drillbit this connection is being established to
 * @param overrides      properties that override the derived ones
 * @return the resulting properties as a string map
 * @throws IOException propagated from the Hadoop login-user / principal lookups
 */
public Map<String, ?> getSaslClientProperties(final DrillbitEndpoint remoteEndpoint,
                                              final Map<String, String> overrides) throws IOException {
  final DrillProperties saslProps = DrillProperties.createEmpty();
  final UserGroupInformation currentLogin = UserGroupInformation.getLoginUser();

  final boolean kerberosLogin =
      currentLogin.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS;
  if (kerberosLogin) {
    final HadoopKerberosName localPrincipal = new HadoopKerberosName(currentLogin.getUserName());
    // getShortName() (which may throw IOException) is only consulted when the principal is derived.
    final String servicePrincipal = useLoginPrincipal
        ? localPrincipal.toString()
        : KerberosUtil.getPrincipalFromParts(localPrincipal.getShortName(),
            remoteEndpoint.getAddress(),
            localPrincipal.getRealm());
    saslProps.setProperty(DrillProperties.SERVICE_PRINCIPAL, servicePrincipal);
  }

  saslProps.merge(overrides);
  return saslProps.stringPropertiesAsMap();
}
 
Example #2
Source File: AbstractServerConnection.java — from Bats (Apache License 2.0)
/**
 * Completes SASL negotiation for a drillbit-to-drillbit connection by checking that the
 * remote side's service principal belongs to the same service as this drillbit: the
 * short name (the 'primary' part after auth_to_local mapping) of the remote authorization
 * ID must equal this drillbit's login short name. This is an identity check layered on
 * top of the SASL exchange itself.
 *
 * @throws SaslException if the remote short name differs from the local one
 * @throws IOException   if the remote principal cannot be mapped to a short name
 */
@Override
public void finalizeSaslSession() throws IOException {
  final String remotePrincipal = getSaslServer().getAuthorizationID();
  final String remotePrimary = new HadoopKerberosName(remotePrincipal).getShortName();
  final String expectedPrimary = UserGroupInformation.getLoginUser().getShortUserName();

  if (expectedPrimary.equals(remotePrimary)) {
    getLogger().debug("Authenticated connection for {}", remotePrincipal);
    return;
  }
  throw new SaslException(String.format("'primary' part of remote drillbit's service principal " +
      "does not match with this drillbit's. Expected: '%s' Actual: '%s'", expectedPrimary, remotePrimary));
}
 
Example #3
Source File: UserServer.java — from Bats (Apache License 2.0)
/**
 * Completes SASL negotiation for a client connection: the authenticated authorization ID
 * is mapped to a Hadoop short user name (auth_to_local rules) and the session is finalized
 * under that name.
 *
 * @throws IOException if the authorization ID cannot be mapped to a short name
 */
@Override
public void finalizeSaslSession() throws IOException {
  final String authorizedPrincipal = getSaslServer().getAuthorizationID();
  final HadoopKerberosName krbName = new HadoopKerberosName(authorizedPrincipal);
  final String shortUserName = krbName.getShortName();

  logger.debug("Created session for {}", shortUserName);
  finalizeSession(shortUserName);
}
 
Example #4
Source File: TestYARNTokenIdentifier.java — from hadoop (Apache License 2.0)
/**
 * Server-side renewer parsing: with an auth_to_local rule that maps {@code [nr]m@...EXAMPLE.COM}
 * principals to {@code yarn}, the renewer stored in a timeline delegation token identifier
 * must be the mapped short name, not the raw principal.
 */
@Test
public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
  // Server side when generating a timeline DT
  final Configuration yarnConf = new YarnConfiguration();
  yarnConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
      "RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
  HadoopKerberosName.setConfiguration(yarnConf);

  // NOTE(review): "[email protected]" looks like a site-side e-mail obfuscation artifact. For the
  // rule above to match, the renewer in the upstream source presumably reads rm/<host>@EXAMPLE.COM;
  // verify against the original file before reusing this literal.
  final Text owner = new Text("owner");
  final Text renewer = new Text("rm/[email protected]");
  final Text realUser = new Text("realUser");

  final TimelineDelegationTokenIdentifier identifier =
      new TimelineDelegationTokenIdentifier(owner, renewer, realUser);
  Assert.assertEquals(new Text("yarn"), identifier.getRenewer());
}
 
Example #5
Source File: TestSecureLogins.java — from hadoop (Apache License 2.0)
/**
 * Checks that the ZooKeeper principal variants accepted by the standard auth_to_local
 * rules can be mapped to a short name without throwing.
 */
@Test
public void testValidKerberosName() throws Throwable {
  final String[] principals = {ZOOKEEPER, ZOOKEEPER_LOCALHOST, ZOOKEEPER_REALM};
  for (final String principal : principals) {
    new HadoopKerberosName(principal).getShortName();
  }
  // ZOOKEEPER_LOCALHOST_REALM is deliberately left out: the standard rules don't pick it up.
}
 
Example #6
Source File: AbstractDelegationTokenIdentifier.java — from hadoop (Apache License 2.0)
/**
 * Sets the renewer of this token identifier, canonicalizing it through the configured
 * auth_to_local rules: the stored value is the Hadoop short name of the given principal
 * (presumably so that later renewer checks compare short names). A {@code null} renewer is
 * stored as an empty {@link Text}.
 *
 * @param renewer principal name of the renewer, or {@code null} for none
 * @throws RuntimeException wrapping the {@link IOException} raised when the principal
 *         cannot be mapped by the auth_to_local rules
 */
public void setRenewer(Text renewer) {
  if (renewer == null) {
    this.renewer = new Text();
    return;
  }
  final HadoopKerberosName principal = new HadoopKerberosName(renewer.toString());
  final String shortName;
  try {
    shortName = principal.getShortName();
  } catch (IOException e) {
    // The setter does not declare IOException; surface the mapping failure unchecked.
    throw new RuntimeException(e);
  }
  this.renewer = new Text(shortName);
}
 
Example #7
Source File: TestYARNTokenIdentifier.java — from big-c (Apache License 2.0)
/**
 * Verifies that a timeline delegation token identifier stores its renewer as the
 * auth_to_local-mapped short name: with a rule mapping {@code [nr]m@...EXAMPLE.COM} to
 * {@code yarn}, {@code getRenewer()} must yield {@code yarn}.
 */
@Test
public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
  // Server side when generating a timeline DT
  final Configuration serverConf = new YarnConfiguration();
  serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
      "RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
  HadoopKerberosName.setConfiguration(serverConf);

  // NOTE(review): "[email protected]" looks like a site-side e-mail obfuscation artifact. For the
  // rule above to match, the renewer in the upstream source presumably reads rm/<host>@EXAMPLE.COM;
  // verify against the original file before reusing this literal.
  final Text tokenOwner = new Text("owner");
  final Text tokenRenewer = new Text("rm/[email protected]");
  final Text tokenRealUser = new Text("realUser");

  final TimelineDelegationTokenIdentifier identifier =
      new TimelineDelegationTokenIdentifier(tokenOwner, tokenRenewer, tokenRealUser);
  Assert.assertEquals(new Text("yarn"), identifier.getRenewer());
}
 
Example #8
Source File: TestSecureLogins.java — from big-c (Apache License 2.0)
/**
 * Ensures the ZooKeeper principal forms covered by the standard auth_to_local rules map to a
 * short name without an exception.
 */
@Test
public void testValidKerberosName() throws Throwable {
  for (final String principal : new String[] {ZOOKEEPER, ZOOKEEPER_LOCALHOST, ZOOKEEPER_REALM}) {
    new HadoopKerberosName(principal).getShortName();
  }
  // ZOOKEEPER_LOCALHOST_REALM is deliberately left out: the standard rules don't pick it up.
}
 
Example #9
Source File: AbstractDelegationTokenIdentifier.java — from big-c (Apache License 2.0)
/**
 * Stores the renewer of this token identifier as its Hadoop short name, i.e. after applying
 * the configured auth_to_local rules to the given Kerberos principal. {@code null} is stored
 * as an empty {@link Text}.
 *
 * @param renewer principal name of the renewer, or {@code null} for none
 * @throws RuntimeException wrapping the {@link IOException} raised when the principal
 *         cannot be mapped by the auth_to_local rules
 */
public void setRenewer(Text renewer) {
  this.renewer = renewer == null ? new Text() : new Text(toShortName(renewer.toString()));
}

/** Maps a principal to its short name, rethrowing mapping failures unchecked. */
private static String toShortName(String principalName) {
  try {
    return new HadoopKerberosName(principalName).getShortName();
  } catch (IOException e) {
    // The setter does not declare IOException; surface the mapping failure unchecked.
    throw new RuntimeException(e);
  }
}
 
Example #10
Source File: AccessChecker.java — from hbase (Apache License 2.0)
/**
 * Returns the Hadoop short name for {@code name}, computing it lazily through the configured
 * auth_to_local rules and caching it in {@code shortName}. The cache is not synchronized:
 * concurrent first calls may each perform the mapping and assign the field; the code relies
 * on that being benign.
 *
 * @return the short (local) user name of this principal
 * @throws IllegalArgumentException if the principal cannot be mapped by the rules
 */
@Override
public String getShortName() {
  String cached = this.shortName;
  if (cached != null) {
    return cached;
  }
  try {
    cached = new HadoopKerberosName(this.name).getShortName();
  } catch (IOException ioe) {
    throw new IllegalArgumentException(
        "Illegal principal name " + this.name + ": " + ioe.toString(), ioe);
  }
  this.shortName = cached;
  return cached;
}
 
Example #11
Source File: DrillSpnegoLoginService.java — from Bats (Apache License 2.0)
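/**
 * Authenticates a web client via SPNEGO. {@code credentials} is the Base64-encoded token
 * from the client's {@code Negotiate} header; it is accepted against this drillbit's SPNEGO
 * principal, the authenticated client principal is mapped to a Hadoop short name with the
 * auth_to_local rules, and a {@link UserIdentity} carrying admin or non-admin roles is
 * created for it.
 *
 * <p>Any failure (non-string credentials, GSS error, unmappable principal) yields
 * {@code null}, i.e. "not authenticated"; the cause is logged. The GSS credential and
 * context are disposed on every exit path.
 *
 * <p>NOTE(review): the output token produced by {@code acceptSecContext} is only fed back
 * into the loop and never returned to the client, so a negotiation needing more than one
 * round trip cannot complete here — confirm that callers only expect single-round
 * Kerberos tokens.
 *
 * @param credentials the Base64-encoded SPNEGO token; a value that is not a {@link String}
 *                    is treated as an authentication failure
 * @return the authenticated identity, or {@code null} if authentication failed
 */
private UserIdentity spnegoLogin(Object credentials) {
  if (!(credentials instanceof String)) {
    logger.debug("SPNEGO credentials are missing or not a string");
    return null;
  }
  final String encodedAuthToken = (String) credentials;
  byte[] authToken = B64Code.decode(encodedAuthToken);
  final GSSManager manager = GSSManager.getInstance();

  GSSCredential serverCreds = null;
  GSSContext gContext = null;
  try {
    // Providing both OIDs is required here. If we provide only one,
    // we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
    final Oid[] knownOids = new Oid[2];
    knownOids[0] = new Oid("1.3.6.1.5.5.2"); // spnego
    knownOids[1] = new Oid("1.2.840.113554.1.2.2"); // kerberos

    final GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
    serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME,
        knownOids, GSSCredential.ACCEPT_ONLY);
    gContext = manager.createContext(serverCreds);

    if (gContext == null) {
      logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
      return null;
    }

    // The loop only exits once the context is established (or acceptSecContext throws),
    // so no second isEstablished() check is needed afterwards.
    while (!gContext.isEstablished()) {
      authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
    }

    final String clientName = gContext.getSrcName().toString();
    // Text after the '@'. If the name carries no realm, indexOf yields -1 and the whole
    // name ends up as "realm"; the value is only used for logging.
    final String realm = clientName.substring(clientName.indexOf('@') + 1);

    // Map the authenticated Kerberos principal to the local user name (auth_to_local rules).
    final String userShortName = new HadoopKerberosName(clientName).getShortName();
    logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName);

    final SystemOptionManager sysOptions = drillContext.getOptionManager();
    final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName,
        ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions),
        ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));

    final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
    final Subject subject = new Subject();
    subject.getPrincipals().add(user);

    if (isAdmin) {
      return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.ADMIN_USER_ROLES);
    }
    return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
  } catch (GSSException gsse) {
    logger.warn("Caught GSSException trying to authenticate the client", gsse);
  } catch (IOException ex) {
    logger.warn("Caught IOException trying to get shortName of client user", ex);
  } finally {
    // Both handles hold security-context state; release them regardless of the outcome.
    disposeQuietly(gContext, serverCreds);
  }
  return null;
}

/**
 * Disposes the GSS context and credential created by {@link #spnegoLogin(Object)}; either
 * may be {@code null} when its creation did not happen. Disposal errors are logged and
 * otherwise ignored because they cannot change the authentication outcome.
 *
 * @param context    the accepted context, or {@code null}
 * @param credential the acceptor credential, or {@code null}
 */
private void disposeQuietly(GSSContext context, GSSCredential credential) {
  if (context != null) {
    try {
      context.dispose();
    } catch (GSSException e) {
      logger.debug("Failed to dispose GSSContext", e);
    }
  }
  if (credential != null) {
    try {
      credential.dispose();
    } catch (GSSException e) {
      logger.debug("Failed to dispose GSSCredential", e);
    }
  }
}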