Java Code Examples for org.apache.hadoop.security.SaslRpcServer.AuthMethod#KERBEROS

The following examples show how to use org.apache.hadoop.security.SaslRpcServer.AuthMethod#KERBEROS . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: ProtoUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/** 
 * This method creates the connection context  using exactly the same logic
 * as the old connection context as was done for writable where
 * the effective and real users are set based on the auth method.
 *
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder result = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    result.setProtocol(protocol);
  }
  UserInformationProto.Builder ugiProto =  UserInformationProto.newBuilder();
  if (ugi != null) {
    /*
     * In the connection context we send only additional user info that
     * is not derived from the authentication done during connection setup.
     */
    if (authMethod == AuthMethod.KERBEROS) {
      // Real user was established as part of the connection.
      // Send effective user only.
      ugiProto.setEffectiveUser(ugi.getUserName());
    } else if (authMethod == AuthMethod.TOKEN) {
      // With token, the connection itself establishes 
      // both real and effective user. Hence send none in header.
    } else {  // Simple authentication
      // No user info is established as part of the connection.
      // Send both effective user and real user
      ugiProto.setEffectiveUser(ugi.getUserName());
      if (ugi.getRealUser() != null) {
        ugiProto.setRealUser(ugi.getRealUser().getUserName());
      }
    }
  }   
  result.setUserInfo(ugiProto);
  return result.build();
}
 
Example 2
Source File: Client.java    From hadoop with Apache License 2.0 5 votes vote down vote up
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod == AuthMethod.KERBEROS && loginUser != null &&
  // Make sure user logged in using Kerberos either keytab or TGT
      loginUser.hasKerberosCredentials() &&
      // relogin only in case it is the login user (e.g. JT)
      // or superuser (like oozie).
      (loginUser.equals(currentUser) || loginUser.equals(realUser))) {
    return true;
  }
  return false;
}
 
Example 3
Source File: ProtoUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
/** 
 * This method creates the connection context  using exactly the same logic
 * as the old connection context as was done for writable where
 * the effective and real users are set based on the auth method.
 *
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder result = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    result.setProtocol(protocol);
  }
  UserInformationProto.Builder ugiProto =  UserInformationProto.newBuilder();
  if (ugi != null) {
    /*
     * In the connection context we send only additional user info that
     * is not derived from the authentication done during connection setup.
     */
    if (authMethod == AuthMethod.KERBEROS) {
      // Real user was established as part of the connection.
      // Send effective user only.
      ugiProto.setEffectiveUser(ugi.getUserName());
    } else if (authMethod == AuthMethod.TOKEN) {
      // With token, the connection itself establishes 
      // both real and effective user. Hence send none in header.
    } else {  // Simple authentication
      // No user info is established as part of the connection.
      // Send both effective user and real user
      ugiProto.setEffectiveUser(ugi.getUserName());
      if (ugi.getRealUser() != null) {
        ugiProto.setRealUser(ugi.getRealUser().getUserName());
      }
    }
  }   
  result.setUserInfo(ugiProto);
  return result.build();
}
 
Example 4
Source File: Client.java    From big-c with Apache License 2.0 5 votes vote down vote up
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod == AuthMethod.KERBEROS && loginUser != null &&
  // Make sure user logged in using Kerberos either keytab or TGT
      loginUser.hasKerberosCredentials() &&
      // relogin only in case it is the login user (e.g. JT)
      // or superuser (like oozie).
      (loginUser.equals(currentUser) || loginUser.equals(realUser))) {
    return true;
  }
  return false;
}
 
Example 5
Source File: SaslRpcClient.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Try to create a SaslClient for an authentication type.  May return
 * null if the type isn't supported or the client lacks the required
 * credentials.
 * 
 * @param authType - the requested authentication method
 * @return SaslClient for the authType or null
 * @throws SaslException - error instantiating client
 * @throws IOException - misc errors
 */
private SaslClient createSaslClient(SaslAuth authType)
    throws SaslException, IOException {
  String saslUser = null;
  // SASL requires the client and server to use the same proto and serverId
  // if necessary, auth types below will verify they are valid
  final String saslProtocol = authType.getProtocol();
  final String saslServerName = authType.getServerId();
  Map<String, String> saslProperties =
    saslPropsResolver.getClientProperties(serverAddr.getAddress());  
  CallbackHandler saslCallback = null;
  
  final AuthMethod method = AuthMethod.valueOf(authType.getMethod());
  switch (method) {
    case TOKEN: {
      Token<?> token = getServerToken(authType);
      if (token == null) {
        return null; // tokens aren't supported or user doesn't have one
      }
      saslCallback = new SaslClientCallbackHandler(token);
      break;
    }
    case KERBEROS: {
      if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
          AuthMethod.KERBEROS) {
        return null; // client isn't using kerberos
      }
      String serverPrincipal = getServerPrincipal(authType);
      if (serverPrincipal == null) {
        return null; // protocol doesn't use kerberos
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("RPC Server's Kerberos principal name for protocol="
            + protocol.getCanonicalName() + " is " + serverPrincipal);
      }
      break;
    }
    default:
      throw new IOException("Unknown authentication method " + method);
  }
  
  String mechanism = method.getMechanismName();
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating SASL " + mechanism + "(" + method + ") "
        + " client to authenticate to service at " + saslServerName);
  }
  return Sasl.createSaslClient(
      new String[] { mechanism }, saslUser, saslProtocol, saslServerName,
      saslProperties, saslCallback);
}
 
Example 6
Source File: SaslRpcClient.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Try to create a SaslClient for an authentication type.  May return
 * null if the type isn't supported or the client lacks the required
 * credentials.
 * 
 * @param authType - the requested authentication method
 * @return SaslClient for the authType or null
 * @throws SaslException - error instantiating client
 * @throws IOException - misc errors
 */
private SaslClient createSaslClient(SaslAuth authType)
    throws SaslException, IOException {
  String saslUser = null;
  // SASL requires the client and server to use the same proto and serverId
  // if necessary, auth types below will verify they are valid
  final String saslProtocol = authType.getProtocol();
  final String saslServerName = authType.getServerId();
  Map<String, String> saslProperties =
    saslPropsResolver.getClientProperties(serverAddr.getAddress());  
  CallbackHandler saslCallback = null;
  
  final AuthMethod method = AuthMethod.valueOf(authType.getMethod());
  switch (method) {
    case TOKEN: {
      Token<?> token = getServerToken(authType);
      if (token == null) {
        return null; // tokens aren't supported or user doesn't have one
      }
      saslCallback = new SaslClientCallbackHandler(token);
      break;
    }
    case KERBEROS: {
      if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
          AuthMethod.KERBEROS) {
        return null; // client isn't using kerberos
      }
      String serverPrincipal = getServerPrincipal(authType);
      if (serverPrincipal == null) {
        return null; // protocol doesn't use kerberos
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("RPC Server's Kerberos principal name for protocol="
            + protocol.getCanonicalName() + " is " + serverPrincipal);
      }
      break;
    }
    default:
      throw new IOException("Unknown authentication method " + method);
  }
  
  String mechanism = method.getMechanismName();
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating SASL " + mechanism + "(" + method + ") "
        + " client to authenticate to service at " + saslServerName);
  }
  return Sasl.createSaslClient(
      new String[] { mechanism }, saslUser, saslProtocol, saslServerName,
      saslProperties, saslCallback);
}