@Override public void init(FilterConfig filterConfig) throws ServletException { super.init(filterConfig); AuthenticationHandler handler = getAuthenticationHandler(); AbstractDelegationTokenSecretManager dtSecretManager = (AbstractDelegationTokenSecretManager) filterConfig.getServletContext(). getAttribute(DELEGATION_TOKEN_SECRET_MANAGER_ATTR); if (dtSecretManager != null && handler instanceof DelegationTokenAuthenticationHandler) { DelegationTokenAuthenticationHandler dtHandler = (DelegationTokenAuthenticationHandler) getAuthenticationHandler(); dtHandler.setExternalDelegationTokenSecretManager(dtSecretManager); } if (handler instanceof PseudoAuthenticationHandler || handler instanceof PseudoDelegationTokenAuthenticationHandler) { setHandlerAuthMethod(SaslRpcServer.AuthMethod.SIMPLE); } if (handler instanceof KerberosAuthenticationHandler || handler instanceof KerberosDelegationTokenAuthenticationHandler) { setHandlerAuthMethod(SaslRpcServer.AuthMethod.KERBEROS); } // proxyuser configuration Configuration conf = getProxyuserConfiguration(filterConfig); ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX); }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws InvalidToken, AccessControlException { if (authMethod == AuthMethod.TOKEN) { TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId, secretManager); UserGroupInformation ugi = tokenId.getUser(); if (ugi == null) { throw new AccessControlException( "Can't retrieve username from tokenIdentifier."); } ugi.addTokenIdentifier(tokenId); return ugi; } else { return UserGroupInformation.createRemoteUser(authorizedId, authMethod); } }
private RpcSaslProto buildNegotiateResponse(List<AuthMethod> authMethods) throws IOException { RpcSaslProto.Builder negotiateBuilder = RpcSaslProto.newBuilder(); if (authMethods.contains(AuthMethod.SIMPLE) && authMethods.size() == 1) { // SIMPLE-only servers return success in response to negotiate negotiateBuilder.setState(SaslState.SUCCESS); } else { negotiateBuilder.setState(SaslState.NEGOTIATE); for (AuthMethod authMethod : authMethods) { SaslRpcServer saslRpcServer = new SaslRpcServer(authMethod); SaslAuth.Builder builder = negotiateBuilder.addAuthsBuilder() .setMethod(authMethod.toString()) .setMechanism(saslRpcServer.mechanism); if (saslRpcServer.protocol != null) { builder.setProtocol(saslRpcServer.protocol); } if (saslRpcServer.serverId != null) { builder.setServerId(saslRpcServer.serverId); } } } return negotiateBuilder.build(); }
/** * Get a protocol proxy that contains a proxy connection to a remote server * and a set of methods that are supported by the server * * @param protocol protocol * @param clientVersion client's version * @param addr server address * @param ticket security ticket * @param conf configuration * @param factory socket factory * @param rpcTimeout max time for each rpc; 0 means no timeout * @param connectionRetryPolicy retry policy * @param fallbackToSimpleAuth set to true or false during calls to indicate if * a secure client falls back to simple auth * @return the proxy * @throws IOException if any error occurs */ public static <T> ProtocolProxy<T> getProtocolProxy(Class<T> protocol, long clientVersion, InetSocketAddress addr, UserGroupInformation ticket, Configuration conf, SocketFactory factory, int rpcTimeout, RetryPolicy connectionRetryPolicy, AtomicBoolean fallbackToSimpleAuth) throws IOException { if (UserGroupInformation.isSecurityEnabled()) { SaslRpcServer.init(conf); } return getProtocolEngine(protocol, conf).getProxy(protocol, clientVersion, addr, ticket, conf, factory, rpcTimeout, connectionRetryPolicy, fallbackToSimpleAuth); }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws InvalidToken, AccessControlException { if (authMethod == AuthMethod.TOKEN) { TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId, secretManager); UserGroupInformation ugi = tokenId.getUser(); if (ugi == null) { throw new AccessControlException( "Can't retrieve username from tokenIdentifier."); } ugi.addTokenIdentifier(tokenId); return ugi; } else { return UserGroupInformation.createRemoteUser(authorizedId); } }
private final UserGroupInformation getUgi() { // If the UGI has not been created, create it from the credentials, and don't inherit from the current or // login user. if (ugi == null) { // If the UGI has not been initialized, then create a new one with the credentials. try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(credentials))) { Credentials cred = new Credentials(); cred.readFields(in); ugi = UserGroupInformation.createRemoteUser(principal, SaslRpcServer.AuthMethod.KERBEROS); ugi.addCredentials(cred); } catch (IOException e) { throw TalendRuntimeException.createUnexpectedException(e); } } return ugi; }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws IOException { if (authMethod == SaslRpcServer.AuthMethod.DIGEST) { TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId, secretManager); UserGroupInformation ugi = tokenId.getUser(); if (ugi == null) { throw new AccessControlException( "Can't retrieve username from tokenIdentifier."); } ugi.addTokenIdentifier(tokenId); return ugi; } else { return UserGroupInformation.createRemoteUser(authorizedId); } }
/** Construct a client-side proxy object that implements the named protocol, * talking to a server at the named address. */ public static VersionedProtocol getProxy( Class<? extends VersionedProtocol> protocol, long clientVersion, InetSocketAddress addr, UserGroupInformation ticket, Configuration conf, SocketFactory factory, int rpcTimeout, RetryPolicy connectionRetryPolicy) throws IOException { if (UserGroupInformation.isSecurityEnabled()) { SaslRpcServer.init(conf); } final Invoker invoker = new Invoker(protocol, addr, ticket, conf, factory, rpcTimeout, connectionRetryPolicy); VersionedProtocol proxy = (VersionedProtocol)Proxy.newProxyInstance( protocol.getClassLoader(), new Class[]{protocol}, invoker); long serverVersion = proxy.getProtocolVersion(protocol.getName(), clientVersion); if (serverVersion == clientVersion) { return proxy; } else { throw new VersionMismatch(protocol.getName(), clientVersion, serverVersion); } }
boolean comparePrincipals(String principal1, String principal2) { String[] principalParts1 = SaslRpcServer.splitKerberosName(principal1); String[] principalParts2 = SaslRpcServer.splitKerberosName(principal2); if (principalParts1.length == 0 || principalParts2.length == 0) { return false; } if (principalParts1.length == principalParts2.length) { for (int i=0; i < principalParts1.length; i++) { if (!principalParts1[i].equals(principalParts2[i])) { return false; } } return true; } else { return false; } }
/** * Create a SaslNettyClient for authentication with BSP servers. */ public SaslNettyClient() { try { Token<? extends TokenIdentifier> token = createJobToken(new Configuration()); if (LOG.isDebugEnabled()) { LOG.debug("SaslNettyClient: Creating SASL " + AuthMethod.DIGEST.getMechanismName() + " client to authenticate to service at " + token.getService()); } saslClient = Sasl.createSaslClient(new String[] { AuthMethod.DIGEST .getMechanismName() }, null, null, SaslRpcServer.SASL_DEFAULT_REALM, SaslRpcServer.SASL_PROPS, new SaslClientCallbackHandler(token)); } catch (IOException e) { LOG.error("SaslNettyClient: Could not obtain job token for Netty " + "Client to use to authenticate with a Netty Server."); saslClient = null; } }
