Java Code Examples for org.apache.hadoop.security.SaslRpcServer.AuthMethod#KERBEROS
The following examples show how to use
org.apache.hadoop.security.SaslRpcServer.AuthMethod#KERBEROS.
Example 1
Source File: ProtoUtil.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Creates the IPC connection context, following the same rules the older
 * writable-based connection context used: which of the effective and real
 * users are sent depends on the auth method.
 *
 * <p>Only identity information that the connection-level authentication did
 * not already establish is written into the context:
 * <ul>
 *   <li>{@code KERBEROS}: the real user came from the connection, so only the
 *       effective user is sent.</li>
 *   <li>{@code TOKEN}: the connection established both users, so none is
 *       sent.</li>
 *   <li>anything else (simple authentication, and a {@code null} auth method
 *       takes this path too): the connection established no user, so the
 *       effective user and, when present, the real user are both sent.</li>
 * </ul>
 *
 * <p>Security note: every name placed in this context is supplied by the
 * client. In the simple-authentication branch nothing in the connection backs
 * those names, so a receiver can treat them only as claims. In the Kerberos
 * branch the effective user is likewise a claim made on top of the
 * authenticated real user; deciding whether that impersonation is allowed is
 * the receiver's job and is not part of this method.
 *
 * @param protocol protocol name to record; skipped when {@code null}
 * @param ugi user whose names are sent; when {@code null} the user info is
 *        left empty
 * @param authMethod authentication method used for the connection
 * @return the built connection context
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi,
    final AuthMethod authMethod) {
  final IpcConnectionContextProto.Builder context =
      IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    context.setProtocol(protocol);
  }

  final UserInformationProto.Builder userInfo =
      UserInformationProto.newBuilder();
  // TOKEN sends nothing at all; every other method sends the effective user.
  if (ugi != null && authMethod != AuthMethod.TOKEN) {
    userInfo.setEffectiveUser(ugi.getUserName());

    // The real user is added only when the connection did not establish it,
    // i.e. for everything except KERBEROS (TOKEN was excluded above).
    if (authMethod != AuthMethod.KERBEROS) {
      final UserGroupInformation realUser = ugi.getRealUser();
      if (realUser != null) {
        userInfo.setRealUser(realUser.getUserName());
      }
    }
  }

  context.setUserInfo(userInfo);
  return context.build();
}
Example 2
Source File: Client.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Reports whether this client should authenticate over Kerberos.
 *
 * <p>All of the following must hold: the configured auth method is
 * {@code KERBEROS}; a login user exists and holds Kerberos credentials
 * (keytab or TGT); and the login user is either the current user or the
 * current user's real user. The last condition limits a relogin to the login
 * user itself (e.g. JT) or to a superuser acting for someone else (like
 * oozie), so the process's own Kerberos login is not used for an unrelated
 * user.
 *
 * @return {@code true} when every condition above is met
 * @throws IOException if the login user or current user cannot be resolved
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  // The three identities are resolved before any check, so a lookup failure
  // surfaces as an IOException regardless of the auth method.
  final UserGroupInformation login = UserGroupInformation.getLoginUser();
  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final UserGroupInformation real = current.getRealUser();

  if (authMethod != AuthMethod.KERBEROS || login == null) {
    return false;
  }
  // The login must actually carry Kerberos credentials (keytab or TGT).
  if (!login.hasKerberosCredentials()) {
    return false;
  }
  // Relogin only for the login user itself or for a superuser proxying
  // the current user.
  return login.equals(current) || login.equals(real);
}
Example 3
Source File: ProtoUtil.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Builds the connection context with exactly the logic of the old
 * writable-based connection context: the effective and real users are filled
 * in according to the auth method.
 *
 * <p>The context carries only the user information that authentication during
 * connection setup did not already provide. With {@code KERBEROS} the real
 * user is known from the connection, so just the effective user is sent. With
 * {@code TOKEN} both users are known from the connection, so neither is sent.
 * For any other value, which is the simple-authentication case and also covers
 * a {@code null} auth method, both are sent.
 *
 * <p>Security note: the user names written here are asserted by the caller.
 * With simple authentication there is no authenticated identity behind them.
 * With Kerberos the effective user is a request to act as someone other than
 * the authenticated real user. Checking such claims is left to the receiving
 * side and is not done in this method.
 *
 * @param protocol protocol name, omitted from the context when {@code null}
 * @param ugi source of the user names; {@code null} yields empty user info
 * @param authMethod authentication method of the connection
 * @return the assembled connection context
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi,
    final AuthMethod authMethod) {
  final IpcConnectionContextProto.Builder builder =
      IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    builder.setProtocol(protocol);
  }

  // Decide up front which names the header has to carry.
  final boolean sendEffectiveUser =
      ugi != null && authMethod != AuthMethod.TOKEN;
  final boolean sendRealUser =
      sendEffectiveUser && authMethod != AuthMethod.KERBEROS;

  final UserInformationProto.Builder users =
      UserInformationProto.newBuilder();
  if (sendEffectiveUser) {
    users.setEffectiveUser(ugi.getUserName());
  }
  // Simple authentication: the connection established no user, so the real
  // user is included whenever there is one.
  if (sendRealUser && ugi.getRealUser() != null) {
    users.setRealUser(ugi.getRealUser().getUserName());
  }

  builder.setUserInfo(users);
  return builder.build();
}
Example 4
Source File: Client.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Tells whether authentication should go over Kerberos for this client.
 *
 * <p>The answer is {@code true} only when the auth method is
 * {@code KERBEROS}, the login user is present and logged in with Kerberos
 * credentials (keytab or TGT), and the login user equals either the current
 * user or the current user's real user. That final comparison keeps the
 * relogin to the login user (e.g. JT) or a superuser (like oozie) and rules
 * out any other user.
 *
 * @return whether all of the Kerberos conditions hold
 * @throws IOException if resolving the login or current user fails
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
  final UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
  final UserGroupInformation realUgi = currentUgi.getRealUser();

  // The login user must exist and hold Kerberos credentials; short-circuiting
  // keeps the credential check from running on a null login user.
  final boolean kerberosLogin =
      authMethod == AuthMethod.KERBEROS
          && loginUgi != null
          && loginUgi.hasKerberosCredentials();

  // Only the login user itself, or a superuser standing behind the current
  // user, qualifies.
  return kerberosLogin
      && (loginUgi.equals(currentUgi) || loginUgi.equals(realUgi));
}
Example 5
Source File: SaslRpcClient.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * Tries to create a SaslClient for one authentication type. Returns
 * {@code null} when the type is not supported or the client lacks the
 * credentials it needs.
 *
 * <p>The SASL protocol and server name handed to
 * {@code Sasl.createSaslClient} are read from {@code authType}; client and
 * server have to agree on both. In the {@code KERBEROS} branch the only check
 * applied to them in this method is the call to
 * {@code getServerPrincipal(authType)}.
 * NOTE(review): that helper is not shown here. Confirm it validates the
 * values in {@code authType} against the principal the client expects for
 * this protocol, because the server name passed to SASL is taken from
 * {@code authType} as-is.
 *
 * @param authType - the requested authentication method
 * @return SaslClient for the authType or null
 * @throws SaslException - error instantiating client
 * @throws IOException - misc errors, including an authentication method
 *         other than TOKEN or KERBEROS
 */
private SaslClient createSaslClient(SaslAuth authType)
    throws SaslException, IOException {
  // No authorization id is passed to the SASL layer.
  final String authorizationId = null;
  // SASL requires the client and server to use the same proto and serverId;
  // where needed, the branches below verify they are valid.
  final String saslProtocol = authType.getProtocol();
  final String saslServerName = authType.getServerId();
  final Map<String, String> clientProperties =
      saslPropsResolver.getClientProperties(serverAddr.getAddress());
  final AuthMethod method = AuthMethod.valueOf(authType.getMethod());

  CallbackHandler callbackHandler = null;
  switch (method) {
    case TOKEN: {
      final Token<?> token = getServerToken(authType);
      if (token == null) {
        // Tokens aren't supported or the user doesn't have one.
        return null;
      }
      callbackHandler = new SaslClientCallbackHandler(token);
      break;
    }
    case KERBEROS: {
      final boolean clientUsesKerberos =
          ugi.getRealAuthenticationMethod().getAuthMethod()
              == AuthMethod.KERBEROS;
      if (!clientUsesKerberos) {
        return null;
      }
      final String serverPrincipal = getServerPrincipal(authType);
      if (serverPrincipal == null) {
        // The protocol doesn't use kerberos.
        return null;
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("RPC Server's Kerberos principal name for protocol="
            + protocol.getCanonicalName() + " is " + serverPrincipal);
      }
      break;
    }
    default:
      throw new IOException("Unknown authentication method " + method);
  }

  final String mechanism = method.getMechanismName();
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating SASL " + mechanism + "(" + method + ") "
        + " client to authenticate to service at " + saslServerName);
  }
  return Sasl.createSaslClient(
      new String[] { mechanism },
      authorizationId,
      saslProtocol,
      saslServerName,
      clientProperties,
      callbackHandler);
}
Example 6
Source File: SaslRpcClient.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Attempts to build a SaslClient for the given authentication type. The
 * result is {@code null} if the type isn't supported or the client does not
 * hold the required credentials.
 *
 * <p>{@code authType} supplies the method name, the SASL protocol and the
 * server id used for the client. For {@code TOKEN} a callback handler is
 * built around the token returned by {@code getServerToken}. For
 * {@code KERBEROS} no callback handler is set, and the client is created only
 * if the user's real authentication method is Kerberos and
 * {@code getServerPrincipal} returns a principal.
 * NOTE(review): the server id given to {@code Sasl.createSaslClient} is read
 * from {@code authType} unchanged. Any check of it against the expected
 * server principal would have to happen inside {@code getServerPrincipal},
 * which is outside this listing; verify that it does.
 *
 * @param authType - the requested authentication method
 * @return SaslClient for the authType or null
 * @throws SaslException - error instantiating client
 * @throws IOException - misc errors; also thrown for a method that is
 *         neither TOKEN nor KERBEROS
 */
private SaslClient createSaslClient(SaslAuth authType)
    throws SaslException, IOException {
  String saslUser = null;
  // Client and server must use the same SASL proto and serverId; the
  // individual auth types below check them when that is necessary.
  final String proto = authType.getProtocol();
  final String serverId = authType.getServerId();
  Map<String, String> saslProps =
      saslPropsResolver.getClientProperties(serverAddr.getAddress());
  CallbackHandler handler = null;
  final AuthMethod method = AuthMethod.valueOf(authType.getMethod());

  switch (method) {
    case TOKEN: {
      Token<?> serverToken = getServerToken(authType);
      if (serverToken == null) {
        return null; // no token support, or the user has no token
      }
      handler = new SaslClientCallbackHandler(serverToken);
      break;
    }
    case KERBEROS: {
      final AuthMethod realMethod =
          ugi.getRealAuthenticationMethod().getAuthMethod();
      if (realMethod != AuthMethod.KERBEROS) {
        return null; // this client is not using kerberos
      }
      String principal = getServerPrincipal(authType);
      if (principal == null) {
        return null; // kerberos is not used by this protocol
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("RPC Server's Kerberos principal name for protocol="
            + protocol.getCanonicalName() + " is " + principal);
      }
      break;
    }
    default:
      throw new IOException("Unknown authentication method " + method);
  }

  // A single mechanism is offered: the one that belongs to the chosen method.
  final String[] mechanisms = { method.getMechanismName() };
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating SASL " + mechanisms[0] + "(" + method + ") "
        + " client to authenticate to service at " + serverId);
  }
  return Sasl.createSaslClient(
      mechanisms, saslUser, proto, serverId, saslProps, handler);
}