private UserGroupInformation getAuthorizedUgi(String authorizedId) throws InvalidToken, AccessControlException { if (authMethod == AuthMethod.TOKEN) { TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId, secretManager); UserGroupInformation ugi = tokenId.getUser(); if (ugi == null) { throw new AccessControlException( "Can't retrieve username from tokenIdentifier."); } ugi.addTokenIdentifier(tokenId); return ugi; } else { return UserGroupInformation.createRemoteUser(authorizedId, authMethod); } }
/** * Process the Sasl's Negotiate request, including the optimization of * accelerating token negotiation. * @return the response to Negotiate request - the list of enabled * authMethods and challenge if the TOKENS are supported. * @throws SaslException - if attempt to generate challenge fails. * @throws IOException - if it fails to create the SASL server for Tokens */ private RpcSaslProto buildSaslNegotiateResponse() throws InterruptedException, SaslException, IOException { RpcSaslProto negotiateMessage = negotiateResponse; // accelerate token negotiation by sending initial challenge // in the negotiation response if (enabledAuthMethods.contains(AuthMethod.TOKEN)) { saslServer = createSaslServer(AuthMethod.TOKEN); byte[] challenge = saslServer.evaluateResponse(new byte[0]); RpcSaslProto.Builder negotiateBuilder = RpcSaslProto.newBuilder(negotiateResponse); negotiateBuilder.getAuthsBuilder(0) // TOKEN is always first .setChallenge(ByteString.copyFrom(challenge)); negotiateMessage = negotiateBuilder.build(); } sentNegotiate = true; return negotiateMessage; }
/** * Authorize proxy users to access this server * @throws WrappedRpcServerException - user is not allowed to proxy */ private void authorizeConnection() throws WrappedRpcServerException { try { // If auth method is TOKEN, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (user != null && user.getRealUser() != null && (authMethod != AuthMethod.TOKEN)) { ProxyUsers.authorize(user, this.getHostAddress()); } authorize(user, protocolName, getHostInetAddress()); if (LOG.isDebugEnabled()) { LOG.debug("Successfully authorized " + connectionContext); } rpcMetrics.incrAuthorizationSuccesses(); } catch (AuthorizationException ae) { LOG.info("Connection from " + this + " for protocol " + connectionContext.getProtocol() + " is unauthorized for user " + user); rpcMetrics.incrAuthorizationFailures(); throw new WrappedRpcServerException( RpcErrorCodeProto.FATAL_UNAUTHORIZED, ae); } }
private RpcSaslProto buildNegotiateResponse(List<AuthMethod> authMethods) throws IOException { RpcSaslProto.Builder negotiateBuilder = RpcSaslProto.newBuilder(); if (authMethods.contains(AuthMethod.SIMPLE) && authMethods.size() == 1) { // SIMPLE-only servers return success in response to negotiate negotiateBuilder.setState(SaslState.SUCCESS); } else { negotiateBuilder.setState(SaslState.NEGOTIATE); for (AuthMethod authMethod : authMethods) { SaslRpcServer saslRpcServer = new SaslRpcServer(authMethod); SaslAuth.Builder builder = negotiateBuilder.addAuthsBuilder() .setMethod(authMethod.toString()) .setMechanism(saslRpcServer.mechanism); if (saslRpcServer.protocol != null) { builder.setProtocol(saslRpcServer.protocol); } if (saslRpcServer.serverId != null) { builder.setServerId(saslRpcServer.serverId); } } } return negotiateBuilder.build(); }
private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager, Configuration conf) { AuthenticationMethod confAuthenticationMethod = SecurityUtil.getAuthenticationMethod(conf); List<AuthMethod> authMethods = new ArrayList<AuthMethod>(); if (confAuthenticationMethod == AuthenticationMethod.TOKEN) { if (secretManager == null) { throw new IllegalArgumentException(AuthenticationMethod.TOKEN + " authentication requires a secret manager"); } } else if (secretManager != null) { LOG.debug(AuthenticationMethod.TOKEN + " authentication enabled for secret manager"); // most preferred, go to the front of the line! authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod()); } authMethods.add(confAuthenticationMethod.getAuthMethod()); LOG.debug("Server accepts auth methods:" + authMethods); return authMethods; }
private void writeConnectionContext(ConnectionId remoteId, AuthMethod authMethod) throws IOException { // Write out the ConnectionHeader IpcConnectionContextProto message = ProtoUtil.makeIpcConnectionContext( RPC.getProtocolName(remoteId.getProtocol()), remoteId.getTicket(), authMethod); RpcRequestHeaderProto connectionContextHeader = ProtoUtil .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER, OperationProto.RPC_FINAL_PACKET, CONNECTION_CONTEXT_CALL_ID, RpcConstants.INVALID_RETRY_COUNT, clientId); RpcRequestMessageWrapper request = new RpcRequestMessageWrapper(connectionContextHeader, message); // Write out the packet length out.writeInt(request.getLength()); request.write(out); }
private void doDigestRpc(Server server, TestTokenSecretManager sm) throws Exception { final UserGroupInformation current = UserGroupInformation.getCurrentUser(); addr = NetUtils.getConnectAddress(server); TestTokenIdentifier tokenId = new TestTokenIdentifier(new Text(current .getUserName())); Token<TestTokenIdentifier> token = new Token<TestTokenIdentifier>(tokenId, sm); SecurityUtil.setTokenService(token, addr); current.addToken(token); TestRpcService proxy = null; try { proxy = getClient(addr, conf); AuthMethod authMethod = convert( proxy.getAuthMethod(null, newEmptyRequest())); assertEquals(TOKEN, authMethod); //QOP must be auth assertEquals(expectedQop.saslQop, RPC.getConnectionIdForProxy(proxy).getSaslQop()); proxy.ping(null, newEmptyRequest()); } finally { stop(server, proxy); } }
private void runNegotiation(CallbackHandler clientCbh, CallbackHandler serverCbh) throws SaslException { String mechanism = AuthMethod.PLAIN.getMechanismName(); SaslClient saslClient = Sasl.createSaslClient( new String[]{ mechanism }, null, null, null, null, clientCbh); assertNotNull(saslClient); SaslServer saslServer = Sasl.createSaslServer( mechanism, null, "localhost", null, serverCbh); assertNotNull("failed to find PLAIN server", saslServer); byte[] response = saslClient.evaluateChallenge(new byte[0]); assertNotNull(response); assertTrue(saslClient.isComplete()); response = saslServer.evaluateResponse(response); assertNull(response); assertTrue(saslServer.isComplete()); assertNotNull(saslServer.getAuthorizationID()); }
@Override public TestProtos.AuthMethodResponseProto getAuthMethod( RpcController controller, TestProtos.EmptyRequestProto request) throws ServiceException { AuthMethod authMethod = null; try { authMethod = UserGroupInformation.getCurrentUser() .getAuthenticationMethod().getAuthMethod(); } catch (IOException e) { throw new ServiceException(e); } return TestProtos.AuthMethodResponseProto.newBuilder() .setCode(authMethod.code) .setMechanismName(authMethod.getMechanismName()) .build(); }
private RpcSaslProto buildSaslNegotiateResponse() throws IOException, InterruptedException { RpcSaslProto negotiateMessage = negotiateResponse; // accelerate token negotiation by sending initial challenge // in the negotiation response if (enabledAuthMethods.contains(AuthMethod.TOKEN)) { saslServer = createSaslServer(AuthMethod.TOKEN); byte[] challenge = saslServer.evaluateResponse(new byte[0]); RpcSaslProto.Builder negotiateBuilder = RpcSaslProto.newBuilder(negotiateResponse); negotiateBuilder.getAuthsBuilder(0) // TOKEN is always first .setChallenge(ByteString.copyFrom(challenge)); negotiateMessage = negotiateBuilder.build(); } sentNegotiate = true; return negotiateMessage; }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws InvalidToken, AccessControlException { if (authMethod == AuthMethod.TOKEN) { TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId, secretManager); UserGroupInformation ugi = tokenId.getUser(); if (ugi == null) { throw new AccessControlException( "Can't retrieve username from tokenIdentifier."); } ugi.addTokenIdentifier(tokenId); return ugi; } else { return UserGroupInformation.createRemoteUser(authorizedId); } }
/** * Authorize proxy users to access this server * @throws WrappedRpcServerException - user is not allowed to proxy */ private void authorizeConnection() throws WrappedRpcServerException { try { // If auth method is TOKEN, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (user != null && user.getRealUser() != null && (authMethod != AuthMethod.TOKEN)) { ProxyUsers.authorize(user, this.getHostAddress(), conf); } authorize(user, protocolName, getHostInetAddress()); if (LOG.isDebugEnabled()) { LOG.debug("Successfully authorized " + connectionContext); } rpcMetrics.incrAuthorizationSuccesses(); } catch (AuthorizationException ae) { LOG.info("Connection from " + this + " for protocol " + connectionContext.getProtocol() + " is unauthorized for user " + user); rpcMetrics.incrAuthorizationFailures(); throw new WrappedRpcServerException( RpcErrorCodeProto.FATAL_UNAUTHORIZED, ae); } }
