List of usage examples for org.apache.hadoop.security.authentication.util KerberosName getShortName
public String getShortName() throws IOException
From source file:io.druid.security.kerberos.DruidKerberosAuthenticationHandler.java
License:Apache License
/**
 * Handles one round of SPNEGO (Kerberos) negotiation for the request.
 *
 * <p>Only an {@code Authorization: Negotiate <base64 token>} header is handled; any other
 * header (or none) yields {@code null} so the caller can treat the request as not
 * authenticated by this handler. While the GSS handshake is still in progress the response
 * is set to 401 with a {@code WWW-Authenticate: Negotiate <token>} challenge and
 * {@code null} is returned; once the context is established the initiator's principal is
 * mapped to a short name via the configured {@link KerberosName} rules and returned as an
 * {@link AuthenticationToken} with a 200 status.
 *
 * @param request  incoming request carrying the Authorization header
 * @param response response that receives the status and the Negotiate challenge
 * @return the token for the authenticated client, or {@code null} if there is no Negotiate
 *         header or the handshake is not finished yet
 * @throws IOException             when the GSS round fails with an I/O error (rethrown as-is)
 * @throws AuthenticationException for any other failure inside the GSS round
 */
@Override
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
    throws IOException, AuthenticationException
{
  String header = request.getHeader(
      org.apache.hadoop.security.authentication.client.KerberosAuthenticator.AUTHORIZATION
  );
  if (header == null
      || !header.startsWith(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE)) {
    return null;
  }

  final String encodedToken = header
      .substring(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE.length())
      .trim();
  final Base64 codec = new Base64(0);
  // Decoding is lenient (no exception on malformed input); a garbage token is rejected by
  // acceptSecContext() below instead.
  final byte[] clientToken = codec.decode(encodedToken);
  // The acceptor SPN is HTTP/<server name>. getServerName() is derived from the request
  // (typically the Host header), so it is client-influenced; a name with no matching
  // credential in serverSubject is expected to fail in createCredential() — verify that
  // assumption against the keytab/login setup rather than relying on it silently.
  final String serverName = request.getServerName();

  try {
    return Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>()
    {
      @Override
      public AuthenticationToken run() throws Exception
      {
        GSSCredential acceptorCreds = null;
        GSSContext context = null;
        try {
          acceptorCreds = gssManager.createCredential(
              gssManager.createName(
                  KerberosUtil.getServicePrincipal("HTTP", serverName),
                  KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")
              ),
              GSSCredential.INDEFINITE_LIFETIME,
              new Oid[] {
                  KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
                  KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")
              },
              GSSCredential.ACCEPT_ONLY
          );
          context = gssManager.createContext(acceptorCreds);

          byte[] replyToken = context.acceptSecContext(clientToken, 0, clientToken.length);
          if (replyToken != null && replyToken.length > 0) {
            // Send the acceptor's token back so a multi-round negotiation can continue.
            response.setHeader(
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.WWW_AUTHENTICATE,
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE
                + " " + codec.encodeToString(replyToken)
            );
          }

          if (!context.isEstablished()) {
            // Handshake not finished: challenge with 401, no token yet.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            log.trace("SPNEGO in progress");
            return null;
          }

          // Established: the initiator's name is the authenticated Kerberos principal.
          // KerberosName applies the configured auth_to_local rules; depending on the Hadoop
          // version an unmatched principal either throws or comes back unchanged.
          String clientPrincipal = context.getSrcName().toString();
          String userName = new KerberosName(clientPrincipal).getShortName();
          AuthenticationToken established =
              new AuthenticationToken(userName, clientPrincipal, getType());
          response.setStatus(HttpServletResponse.SC_OK);
          log.trace("SPNEGO completed for principal [%s]", clientPrincipal);
          return established;
        }
        finally {
          // Release the GSS context and the acceptor credential on every path.
          if (context != null) {
            context.dispose();
          }
          if (acceptorCreds != null) {
            acceptorCreds.dispose();
          }
        }
      }
    });
  }
  catch (PrivilegedActionException ex) {
    // Unwrap: IOException is part of this method's contract, everything else is an
    // authentication failure with the original cause attached.
    Exception cause = ex.getException();
    if (cause instanceof IOException) {
      throw (IOException) cause;
    }
    throw new AuthenticationException(cause);
  }
}
From source file:org.apache.druid.security.kerberos.DruidKerberosAuthenticationHandler.java
License:Apache License
/**
 * Runs one SPNEGO round for the request and reports the outcome on the response.
 *
 * <p>Requests without an {@code Authorization: Negotiate ...} header are not this handler's
 * business and yield {@code null}. Otherwise the client token is decoded and fed to a GSS
 * acceptor context created under {@code serverSubject} for {@code HTTP/<server name>}.
 * An unfinished handshake leaves a 401 plus a {@code WWW-Authenticate: Negotiate} challenge
 * and returns {@code null}; an established context produces an {@link AuthenticationToken}
 * whose user name is the principal mapped through the {@link KerberosName} rules, with 200.
 *
 * @param request  request carrying the Authorization header
 * @param response response that receives status and challenge
 * @return the authenticated client's token, or {@code null} when not (yet) authenticated here
 * @throws IOException             rethrown unchanged from the GSS round
 * @throws AuthenticationException wrapping any other failure of the GSS round
 */
@Override
public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
    throws IOException, AuthenticationException
{
  String authHeader = request.getHeader(
      org.apache.hadoop.security.authentication.client.KerberosAuthenticator.AUTHORIZATION
  );
  boolean isNegotiate = authHeader != null
      && authHeader.startsWith(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE);
  if (!isNegotiate) {
    return null;
  }

  String encoded = authHeader
      .substring(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE.length())
      .trim();
  final byte[] clientToken = StringUtils.decodeBase64String(encoded);
  // NOTE(review): the acceptor SPN is built from getServerName(), which follows the request
  // (typically the Host header). Names with no credential in serverSubject are expected to
  // fail in createCredential(); confirm that holds for the keytab in use.
  final String serverName = request.getServerName();

  try {
    return Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>()
    {
      @Override
      public AuthenticationToken run() throws Exception
      {
        GSSCredential acceptorCreds = null;
        GSSContext context = null;
        try {
          acceptorCreds = gssManager.createCredential(
              gssManager.createName(
                  KerberosUtil.getServicePrincipal("HTTP", serverName),
                  KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")
              ),
              GSSCredential.INDEFINITE_LIFETIME,
              new Oid[] {
                  KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
                  KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")
              },
              GSSCredential.ACCEPT_ONLY
          );
          context = gssManager.createContext(acceptorCreds);

          byte[] replyToken = context.acceptSecContext(clientToken, 0, clientToken.length);
          if (replyToken != null && replyToken.length > 0) {
            // Continue the negotiation by echoing the acceptor's token to the client.
            response.setHeader(
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.WWW_AUTHENTICATE,
                org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE
                + " " + StringUtils.encodeBase64String(replyToken)
            );
          }

          if (!context.isEstablished()) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            log.trace("SPNEGO in progress");
            return null;
          }

          // The initiator name is the authenticated principal; map it to a local user name
          // with the configured auth_to_local rules (unmatched principals throw or pass
          // through unchanged depending on the Hadoop version).
          String clientPrincipal = context.getSrcName().toString();
          String userName = new KerberosName(clientPrincipal).getShortName();
          AuthenticationToken established =
              new AuthenticationToken(userName, clientPrincipal, getType());
          response.setStatus(HttpServletResponse.SC_OK);
          log.trace("SPNEGO completed for principal [%s]", clientPrincipal);
          return established;
        }
        finally {
          // Dispose context first, then the credential, on success and failure alike.
          if (context != null) {
            context.dispose();
          }
          if (acceptorCreds != null) {
            acceptorCreds.dispose();
          }
        }
      }
    });
  }
  catch (PrivilegedActionException ex) {
    Exception cause = ex.getException();
    if (cause instanceof IOException) {
      throw (IOException) cause;
    }
    throw new AuthenticationException(cause);
  }
}
From source file:org.apache.ranger.audit.provider.MiscUtil.java
License:Apache License
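/**
 * Reduces a Kerberos principal such as {@code abc/host@domain.com} to a bare user name
 * ({@code abc}) for audit records.
 *
 * <p>The configured {@link KerberosName} auth_to_local rules are applied first; whatever they
 * produce is then cut at the first {@code '/'} and the first {@code '@'}. Because instance and
 * realm are discarded, principals that differ only in realm collapse to the same name — fine
 * for labelling audit events, but this value must not be used on its own for cross-realm
 * authorization decisions.
 *
 * @param principal Kerberos principal; may be {@code null}
 * @return the short user name, the unchanged {@code principal} if conversion fails, or
 *         {@code null} when {@code principal} is {@code null}
 */
static public String getShortNameFromPrincipalName(String principal) {
    if (principal == null) {
        return null;
    }
    try {
        // Assuming it is kerberos name for now
        KerberosName kerberosName = new KerberosName(principal);
        String userName = kerberosName.getShortName();
        userName = StringUtils.substringBefore(userName, "/");
        userName = StringUtils.substringBefore(userName, "@");
        return userName;
    } catch (Throwable t) {
        // Best effort: Throwable is kept (presumably so that a missing or incompatible
        // hadoop-auth degrades to "use the full principal" rather than breaking auditing),
        // but the cause is now logged — the original dropped it, which made rule
        // misconfigurations impossible to diagnose from the log.
        logger.error("Error converting kerberos name. principal=" + principal
                + ", KerberosName.rules=" + KerberosName.getRules(), t);
    }
    return principal;
}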
From source file:org.apache.ranger.biz.ServiceDBStore.java
License:Apache License
/**
 * Resolves the Ranger user that a service's lookup principal maps to, creating it if it
 * does not exist yet.
 *
 * <p>Only Kerberos-type services are considered, and only when the principal/keytab pair
 * exists on this host according to {@link SecureClientLogin#isKerberosCredentialExists};
 * otherwise {@code null} is returned. The principal is mapped with the configured
 * {@link KerberosName} rules and the short name is looked up in the user table. A missing
 * user is auto-provisioned as a service-config user, so anyone able to edit a service's
 * lookup configuration can cause a user record to be created for any principal the rules
 * accept — keep that in mind when granting service-config rights.
 *
 * @param authType        service authentication type; only {@code KERBEROS_TYPE} (case-insensitive) is handled
 * @param lookupPrincipal Kerberos principal configured for lookups
 * @param lookupKeytab    keytab path configured for lookups
 * @return the existing or newly created user, or {@code null} when not applicable
 *         (non-Kerberos service, credential missing, or empty short name); conversion
 *         failures are reported through {@code restErrorUtil.createRESTException} as an
 *         INVALID_INPUT_DATA error
 */
private VXUser getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
    boolean kerberosService = !StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE);
    if (!kerberosService
            || !SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)) {
        return null;
    }

    String shortName;
    try {
        shortName = new KerberosName(lookupPrincipal).getShortName();
    } catch (IOException e) {
        throw restErrorUtil.createRESTException(
                "Please provide proper value of lookup user principal : " + lookupPrincipal,
                MessageEnums.INVALID_INPUT_DATA);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking for Lookup User : " + shortName);
    }
    if (StringUtils.isEmpty(shortName)) {
        return null;
    }

    XXUser existing = daoMgr.getXXUser().findByUserName(shortName);
    if (existing != null) {
        return xUserService.populateViewBean(existing);
    }
    // No such user yet: provision one so the service lookup has an identity to run under.
    VXUser created = xUserMgr.createServiceConfigUser(shortName);
    LOG.info("Creating Lookup User : " + created.getName());
    return created;
}
From source file:org.apache.ranger.plugin.service.RangerBaseService.java
License:Apache License
/**
 * Returns the short (local) user name for a service's lookup principal.
 *
 * <p>Applies only to Kerberos-type services whose principal/keytab pair is present on this
 * host; in every other case, and when the {@link KerberosName} rules cannot map the
 * principal, the result is {@code null} (the mapping failure is logged at error level).
 *
 * @param authType        service authentication type; only {@code KERBEROS_TYPE} (case-insensitive) is handled
 * @param lookupPrincipal Kerberos principal configured for lookups
 * @param lookupKeytab    keytab path configured for lookups
 * @return the mapped short name, or {@code null} when not applicable or not mappable
 */
protected String getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
    boolean isKerberos = !StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE);
    if (!isKerberos) {
        return null;
    }
    if (!SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)) {
        return null;
    }
    try {
        return new KerberosName(lookupPrincipal).getShortName();
    } catch (IOException e) {
        LOG.error("Unknown lookup user", e);
        return null;
    }
}
From source file:org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl.java
License:Apache License
/** * Workaround until SOLR-10814 is fixed. This method allows extracting short user-name from * Solr provided {@linkplain Principal} instance. * * @param ctx The Solr provided authorization context * @return The short name of the authenticated user for this request *///from w ww .j a v a 2 s . co m public static String getShortUserName(Principal princ) { if (princ instanceof BasicUserPrincipal) { return princ.getName(); } KerberosName name = new KerberosName(princ.getName()); try { return name.getShortName(); } catch (IOException e) { LOG.error("Error converting kerberos name. principal = {}, KerberosName.rules = {}", princ, KerberosName.getRules()); throw new SolrException(ErrorCode.SERVER_ERROR, "Unexpected error converting a kerberos name", e); } }
From source file:org.apache.sentry.service.thrift.GSSCallback.java
License:Apache License
/**
 * Decides whether a client presenting {@code principal} may connect.
 *
 * <p>The allow-list comes from {@code ServerConfig.ALLOW_CONNECT} as a comma-separated
 * string; when it is absent nobody is allowed. The principal is reduced to a short name —
 * through the configured {@link KerberosName} rules when any have been set, otherwise
 * through {@code getShortName(String)} — and compared against each entry with
 * {@code comparePrincipals}.
 *
 * <p>NOTE(review): every failure path, and the HADOOP-12751 case where no rule matches,
 * falls back to the prefix-based {@code getShortName(principal)}. If that helper discards
 * the realm, principals from different realms that share a user part become
 * indistinguishable here — confirm that is acceptable for an allow-list.
 *
 * @param principal fully qualified Kerberos principal of the connecting client
 * @return {@code true} if the principal's short name matches an allow-list entry
 */
boolean allowConnect(String principal) {
    String allowedPrincipals = conf.get(ServerConfig.ALLOW_CONNECT);
    if (allowedPrincipals == null) {
        return false;
    }
    String shortName = resolveShortName(principal);
    for (String allowed : allowedPrincipals.split("\\s*,\\s*")) {
        if (comparePrincipals(allowed, shortName)) {
            return true;
        }
    }
    return false;
}

/**
 * Maps a principal to its short name, preferring the configured {@link KerberosName}
 * rules and degrading to the prefix-based {@code getShortName(String)} whenever the rules
 * are unset, do not match, return the principal unchanged, or fail for any other reason.
 */
private String resolveShortName(String principal) {
    if (!KerberosName.hasRulesBeenSet()) {
        return getShortName(principal);
    }
    try {
        String mapped = new KerberosName(principal).getShortName();
        //To accommodate HADOOP-12751 where some versions don't throw NoMatchingRule exception
        if (mapped.equals(principal)) {
            return getShortName(principal);
        }
        return mapped;
    } catch (NoMatchingRule e) {
        LoggerFactory.getLogger(GSSCallback.class)
                .debug("No matching rule found for principal " + principal, e);
    } catch (Exception e) {
        LoggerFactory.getLogger(GSSCallback.class).debug("Cannot derive short name from KerberosName. "
                + "Use principal name prefix to authenticate", e);
    }
    return getShortName(principal);
}
From source file:org.apache.zeppelin.realm.kerberos.KerberosRealm.java
License:Apache License
/**
 * Performs one SPNEGO round against {@code clientToken} as the acceptor for
 * {@code serverPrincipal}, writing the challenge and status to {@code response}.
 *
 * <p>While the GSS context is not yet established the response gets a 401 plus a
 * {@code WWW-Authenticate: Negotiate <token>} challenge and {@code null} is returned. Once
 * established, the initiator's principal is mapped with the configured {@link KerberosName}
 * rules and returned as an {@link AuthenticationToken} with a 200 status. The name suggests
 * this runs inside the server's login Subject; the {@code doAs} itself is not visible here.
 *
 * @param serverPrincipal acceptor principal, e.g. {@code HTTP/host@REALM}
 * @param clientToken     decoded SPNEGO token sent by the client
 * @param base64          codec used to encode the reply token for the header
 * @param response        response that receives status and challenge header
 * @return the authenticated client's token, or {@code null} while the handshake is in progress
 * @throws IOException  if the short-name mapping fails
 * @throws GSSException if credential acquisition or the context exchange fails
 */
private AuthenticationToken runWithPrincipal(String serverPrincipal, byte[] clientToken, Base64 base64,
    HttpServletResponse response) throws IOException, GSSException {
  GSSCredential acceptorCreds = null;
  GSSContext context = null;
  try {
    LOG.trace("SPNEGO initiated with server principal [{}]", serverPrincipal);
    Oid[] acceptedMechs = {KerberosUtil.GSS_SPNEGO_MECH_OID, KerberosUtil.GSS_KRB5_MECH_OID};
    acceptorCreds = gssManager.createCredential(
        gssManager.createName(serverPrincipal, KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID),
        GSSCredential.INDEFINITE_LIFETIME, acceptedMechs, GSSCredential.ACCEPT_ONLY);
    context = gssManager.createContext(acceptorCreds);

    byte[] replyToken = context.acceptSecContext(clientToken, 0, clientToken.length);
    if (replyToken != null && replyToken.length > 0) {
      // Hand the acceptor's token back so the client can continue the negotiation.
      response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
          KerberosAuthenticator.NEGOTIATE + " " + base64.encodeToString(replyToken));
    }
    if (!context.isEstablished()) {
      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
      LOG.trace("SPNEGO in progress");
      return null;
    }

    // Established: map the initiator's principal to a local user name (unmatched
    // principals throw or pass through unchanged depending on the Hadoop version).
    String clientPrincipal = context.getSrcName().toString();
    String userName = new KerberosName(clientPrincipal).getShortName();
    AuthenticationToken established = new AuthenticationToken(userName, clientPrincipal, TYPE);
    response.setStatus(HttpServletResponse.SC_OK);
    LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
    return established;
  } finally {
    // Release GSS resources on every path, context before credential.
    if (context != null) {
      context.dispose();
    }
    if (acceptorCreds != null) {
      acceptorCreds.dispose();
    }
  }
}
From source file:org.trustedanalytics.auth.gateway.configuration.kerberos.KrbAuthenticator.java
License:Apache License
/**
 * Returns the local (short) user name of the configured superuser.
 *
 * <p>The superuser from the simple config is qualified with the configured realm as
 * {@code <user>@<realm>} and then passed through the {@link KerberosName} auth_to_local
 * rules, so the result reflects the active mapping rather than echoing the raw config value.
 *
 * @return the mapped short name of the superuser
 * @throws IOException          if the configured rules cannot map the qualified principal
 * @throws NullPointerException if the configured superuser or realm is {@code null}
 *                              ({@code String.concat} rejects a null argument)
 */
@Override
public String getSuperUser() throws IOException {
  String superUser = conf.getSimpleConfig().getSuperUser();
  String qualified = superUser.concat("@");
  qualified = qualified.concat(conf.getRealm());
  KerberosName superUserName = new KerberosName(qualified);
  return superUserName.getShortName();
}