List of usage examples for org.apache.hadoop.security.authentication.util KerberosName setRules
public static void setRules(String ruleString)
From source file:io.druid.security.kerberos.DruidKerberosAuthenticationHandler.java
License:Apache License
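@Override
public void init(Properties config) throws ServletException {
    try {
        final String principal = config.getProperty(PRINCIPAL);
        if (principal == null || principal.trim().length() == 0) {
            throw new ServletException("Principal not defined in configuration");
        }
        // the field keeps its current value when the property is absent
        keytab = config.getProperty(KEYTAB, keytab);
        if (keytab == null || keytab.trim().length() == 0) {
            throw new ServletException("Keytab not defined in configuration");
        }
        // existence only: an unreadable keytab surfaces later as a LoginException
        if (!new File(keytab).exists()) {
            throw new ServletException("Keytab does not exist: " + keytab);
        }
        final String[] spnegoPrincipals = spnegoPrincipalsFor(principal, keytab);

        // KerberosName rules are static, JVM-wide state: this changes the
        // principal -> short-name mapping for every component in the process,
        // not just this handler. Left untouched when the property is absent.
        final String nameRules = config.getProperty(NAME_RULES, null);
        if (nameRules != null) {
            KerberosName.setRules(nameRules);
        }

        for (String spnegoPrincipal : spnegoPrincipals) {
            loginContexts.add(loginServerPrincipal(spnegoPrincipal));
        }

        // Obtain the GSSManager while running as the server subject that now
        // holds the keytab credentials.
        try {
            gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction<GSSManager>() {
                @Override
                public GSSManager run() throws Exception {
                    return GSSManager.getInstance();
                }
            });
        } catch (PrivilegedActionException ex) {
            throw ex.getException();
        }
    } catch (Exception ex) {
        // every failure, including the ServletExceptions thrown above, is reported wrapped
        throw new ServletException(ex);
    }
}

/**
 * Resolves the SPNEGO principals to log in as. "*" selects every HTTP/... entry
 * found in the keytab; any other value is used verbatim (null-safe comparison,
 * matching the newer Druid handler).
 *
 * @throws ServletException if the wildcard matches no principal in the keytab
 */
private static String[] spnegoPrincipalsFor(String principal, String keytab)
        throws IOException, ServletException {
    if (!"*".equals(principal)) {
        return new String[] { principal };
    }
    final String[] found = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"));
    if (found.length == 0) {
        throw new ServletException("Principals do not exist in the keytab");
    }
    return found;
}

/**
 * Performs the JAAS keytab login for one principal into {@code serverSubject}.
 *
 * @return the LoginContext, which the caller stores in {@code loginContexts}
 * @throws AuthenticationException wrapping the LoginException, after a warning is logged
 */
private LoginContext loginServerPrincipal(String spnegoPrincipal)
        throws LoginException, AuthenticationException {
    log.info("Login using keytab %s, for principal %s", keytab, spnegoPrincipal);
    final KerberosAuthenticator.DruidKerberosConfiguration kerberosConfiguration =
            new KerberosAuthenticator.DruidKerberosConfiguration(keytab, spnegoPrincipal);
    final LoginContext loginContext = new LoginContext("", serverSubject, null, kerberosConfiguration);
    try {
        loginContext.login();
    } catch (LoginException le) {
        log.warn(le, "Failed to login as [%s]", spnegoPrincipal);
        throw new AuthenticationException(le);
    }
    return loginContext;
}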
From source file:org.apache.ambari.server.view.ViewContextImpl.java
License:Apache License
/**
 * Returns the logged-in user's short name, applying the configured
 * auth_to_local rules against the server's default realm when both are set.
 *
 * Any failure leaves the name as returned by {@code getLoggedinUser()} and is
 * only logged.
 */
@Override
public String getUsername() {
    String shortName = getLoggedinUser();
    try {
        final String rules = getAuthToLocalRules();
        // The realm is the Ambari server's own; as the original author noted,
        // ideally it would come from the user instead.
        final String realm = KerberosUtil.getDefaultRealm();
        final boolean haveRules = Strings.isNotEmpty(rules);
        final boolean haveRealm = Strings.isNotEmpty(realm);
        if (haveRules && haveRealm) {
            // KerberosName's rules are process-wide static state. The lock only
            // serialises callers that also lock on KerberosName.class, and the
            // rules are not restored afterwards, so this call permanently changes
            // the JVM's principal -> short-name mapping.
            synchronized (KerberosName.class) {
                KerberosName.setRules(rules);
                // NOTE(review): assumes shortName carries no realm of its own — confirm
                shortName = new KerberosName(shortName + "@" + realm).getShortName();
            }
        }
    } catch (InvocationTargetException e) {
        // reflective realm lookup failed; keep the unmapped name
        LOG.debug("Failed to get default realm", e);
    } catch (Exception e) {
        LOG.warn("Failed to apply auth_to_local rules. " + e.getMessage());
        LOG.debug("Failed to apply auth_to_local rules", e);
    }
    return shortName;
}
From source file:org.apache.druid.security.kerberos.DruidKerberosAuthenticationHandler.java
License:Apache License
/**
 * Initialises the SPNEGO handler: validates principal/keytab configuration,
 * installs the optional auth_to_local rules, logs every selected server
 * principal in from the keytab and obtains a GSSManager as that subject.
 *
 * @param config handler properties (PRINCIPAL, KEYTAB, optional NAME_RULES)
 * @throws ServletException wrapping any failure
 */
@Override
public void init(Properties config) throws ServletException {
    try {
        String principal = config.getProperty(PRINCIPAL);
        boolean principalMissing = principal == null || principal.trim().length() == 0;
        if (principalMissing) {
            throw new ServletException("Principal not defined in configuration");
        }

        // property wins; otherwise the field's current value is kept
        keytab = config.getProperty(KEYTAB, keytab);
        boolean keytabMissing = keytab == null || keytab.trim().length() == 0;
        if (keytabMissing) {
            throw new ServletException("Keytab not defined in configuration");
        }
        File keytabFile = new File(keytab);
        if (!keytabFile.exists()) {
            throw new ServletException("Keytab does not exist: " + keytab);
        }

        // "*" means: every HTTP/... principal the keytab contains
        String[] spnegoPrincipals;
        boolean wildcard = "*".equals(principal);
        if (wildcard) {
            spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"));
            if (spnegoPrincipals.length == 0) {
                throw new ServletException("Principals do not exist in the keytab");
            }
        } else {
            spnegoPrincipals = new String[] { principal };
        }

        // JVM-wide static state: affects every KerberosName mapping in this process
        String nameRules = config.getProperty(NAME_RULES, null);
        if (nameRules != null) {
            KerberosName.setRules(nameRules);
        }

        for (String spnegoPrincipal : spnegoPrincipals) {
            log.info("Login using keytab %s, for principal %s", keytab, spnegoPrincipal);
            KerberosAuthenticator.DruidKerberosConfiguration jaasConfig =
                    new KerberosAuthenticator.DruidKerberosConfiguration(keytab, spnegoPrincipal);
            LoginContext ctx = new LoginContext("", serverSubject, null, jaasConfig);
            try {
                ctx.login();
            } catch (LoginException le) {
                log.warn(le, "Failed to login as [%s]", spnegoPrincipal);
                throw new AuthenticationException(le);
            }
            loginContexts.add(ctx);
        }

        PrivilegedExceptionAction<GSSManager> fetchManager = new PrivilegedExceptionAction<GSSManager>() {
            @Override
            public GSSManager run() {
                return GSSManager.getInstance();
            }
        };
        try {
            gssManager = Subject.doAs(serverSubject, fetchManager);
        } catch (PrivilegedActionException ex) {
            throw ex.getException();
        }
    } catch (Exception ex) {
        throw new ServletException(ex);
    }
}
From source file:org.apache.impala.authorization.User.java
License:Apache License
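/**
 * Test-only helper: computes this user's short name under a temporary set of
 * auth_to_local rules, then puts the previous rules back.
 *
 * @param rules the KerberosName rule string to apply for the duration of the call
 * @return the short name, or null if {@code getShortName()} failed with InternalException
 * @throws IllegalStateException outside the test runtime
 */
@VisibleForTesting
public String getShortNameForTesting(String rules) {
    Preconditions.checkNotNull(rules);
    Preconditions.checkState(RuntimeEnv.INSTANCE.isTestEnv());
    // KerberosName rules are JVM-wide; snapshot them so the swap is always undone.
    final String savedRules = KerberosName.getRules();
    KerberosName.setRules(rules);
    try {
        return getShortName();
    } catch (InternalException e) {
        // preserved from the original: report and yield null (no logger in scope here)
        e.printStackTrace();
        return null;
    } finally {
        // The original restored only on the normal and InternalException paths; an
        // unchecked exception from getShortName() left the test rules installed
        // for every later test in the JVM.
        KerberosName.setRules(savedRules);
    }
}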
From source file:org.apache.impala.authorization.User.java
License:Apache License
/**
 * Test-only override of the JVM-wide auth_to_local rules held by
 * {@link KerberosName}. Refuses to run outside the test runtime.
 *
 * @param rules the rule string handed to {@code KerberosName.setRules}
 * @throws IllegalStateException when not in a test environment
 */
@VisibleForTesting
public static void setRulesForTesting(String rules) {
    final boolean inTestEnv = RuntimeEnv.INSTANCE.isTestEnv();
    Preconditions.checkState(inTestEnv);
    KerberosName.setRules(rules);
}
From source file:org.apache.impala.service.BackendConfig.java
License:Apache License
/**
 * Installs the JVM-wide principal -> short-name rules used by KerberosName.
 *
 * With auth_to_local enabled, Hadoop's hadoop.security.auth_to_local setting
 * is used (or Hadoop's "DEFAULT" rule, which the original comment describes
 * as extracting the user name only for principals in the cluster's local
 * realm). Otherwise a permissive fallback keeps just the first component of
 * any principal, a@REALM -> a and a/b@REALM -> a, regardless of realm; it
 * performs no realm check at all.
 */
private static void initAuthToLocal() {
    // permissive fallback: first component of a@REALM or a/b@REALM, any realm
    final String defaultRule = "RULE:[1:$1] RULE:[2:$1]";
    // loads core-site.xml from the classpath
    final Configuration conf = new Configuration();
    final String rules;
    if (INSTANCE.isAuthToLocalEnabled()) {
        rules = conf.get(HADOOP_SECURITY_AUTH_TO_LOCAL, "DEFAULT");
    } else {
        rules = defaultRule;
    }
    KerberosName.setRules(rules);
}
From source file:org.apache.ranger.audit.provider.MiscUtil.java
License:Apache License
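/**
 * Best-effort Kerberos login for the audit provider: logs in from the keytab
 * as the configured principal (or, for "*", the first HTTP/... principal found
 * in the keytab) and installs the resulting UGI as the login user.
 *
 * Nothing is thrown: a missing keytab/principal returns silently and every
 * other failure is logged. The optional auth_to_local rules are JVM-wide
 * static state and are applied before the login.
 *
 * The original carried an unreachable Subject/LoginContext path behind a
 * hard-coded {@code useKeytab = true}; it has been removed.
 *
 * @param keytab     path to the keytab file; null disables the login
 * @param principal  principal name, or "*" to pick from the keytab; null disables the login
 * @param nameRules  auth_to_local rules, or null to leave KerberosName untouched
 */
public static void authWithKerberos(String keytab, String principal, String nameRules) {
    if (keytab == null || principal == null) {
        return;
    }
    try {
        if (nameRules != null) {
            KerberosName.setRules(nameRules);
        }

        final String[] spnegoPrincipals;
        if ("*".equals(principal)) {
            spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"));
            if (spnegoPrincipals == null || spnegoPrincipals.length == 0) {
                // The original logged this and then indexed spnegoPrincipals[0] anyway,
                // so the real cause was buried under a generic "Failed to login" error.
                logger.error("No principals found in keytab=" + keytab);
                return;
            }
        } else {
            spnegoPrincipals = new String[] { principal };
        }

        logger.info("Creating UGI from keytab directly. keytab=" + keytab
                + ", principal=" + spnegoPrincipals[0]);
        UserGroupInformation ugi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
        MiscUtil.setUGILoginUser(ugi, null);
    } catch (Throwable t) {
        logger.error("Failed to login with given keytab and principal", t);
    }
}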
From source file:org.apache.ranger.authorization.storm.StormRangerPlugin.java
License:Apache License
/**
 * One-time plugin initialisation: runs the base plugin's init, registers the
 * default audit handler as the policy engine's result processor and makes
 * sure KerberosName has some auth_to_local rules. Repeated calls are no-ops.
 */
@Override
public synchronized void init() {
    if (initialized) {
        return;
    }
    // base plugin setup must happen first
    super.init();
    // register the audit handler with the policy engine exactly once
    super.setResultProcessor(new RangerDefaultAuditHandler());
    // The original author notes this is needed to "set things right in the
    // nimbus process": when nothing has configured KerberosName yet, fall back
    // to Hadoop's DEFAULT rule rather than leaving the JVM-wide rules null.
    if (KerberosName.getRules() == null) {
        KerberosName.setRules("DEFAULT");
    }
    initialized = true;
    LOG.info("StormRangerPlugin initialized!");
}
From source file:org.apache.ranger.biz.KmsKeyMgr.java
License:Apache License
/**
 * Builds the JAAS subject used to talk to the given KMS provider.
 *
 * Without Kerberos the subject is a plain login for the KMS user. With
 * Kerberos, the Ranger admin keytab is preferred when its credential exists;
 * otherwise the KMS user's password is used.
 *
 * @param provider KMS provider whose user/password settings are looked up
 * @return the subject to run KMS calls under
 * @throws Exception propagated from the underlying login helpers
 */
private Subject getSubjectForKerberos(String provider) throws Exception {
    final String userName = getKMSUserName(provider);
    final String password = getKMSPassword(provider);
    final String nameRules = PropertiesUtil.getProperty(NAME_RULES);
    // JVM-wide static state; an empty or missing property falls back to Hadoop's DEFAULT rule
    KerberosName.setRules(StringUtils.isEmpty(nameRules) ? "DEFAULT" : nameRules);
    final String rangerPrincipal = SecureClientLogin.getPrincipal(
            PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
    if (!checkKerberos()) {
        return SecureClientLogin.login(userName);
    }
    final String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
    if (SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, adminKeytab)) {
        // NOTE(review): nameRules is passed through unchanged here, i.e. possibly
        // empty even though KerberosName was just given "DEFAULT" — confirm that
        // loginUserFromKeytab treats an empty rule string the same way.
        return SecureClientLogin.loginUserFromKeytab(rangerPrincipal, adminKeytab, nameRules);
    }
    return SecureClientLogin.loginUserWithPassword(userName, password);
}
From source file:org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter.java
License:Apache License
/**
 * Spring Security filter for Ranger's SPNEGO (Kerberos) login path.
 *
 * When SPNEGO is enabled the request is either (a) turned into a Ranger
 * session for a user name found in a cookie, or (b) handed to
 * {@code super.doFilter}, which is expected to perform the Kerberos/SPNEGO
 * negotiation itself. When SPNEGO is disabled the chain continues untouched.
 *
 * SECURITY NOTE (review): branch (a) creates an authenticated session from a
 * user name taken out of a client-supplied cookie, with an empty credential
 * and without verifying any signature on that cookie in this method. As
 * written, the {@code indexOf("u=")} lookups run on the cookie NAME
 * ({@code cname}), not on {@code c.getValue()}, so {@code userName} stays null
 * unless the cookie name itself contains "u=", and requests fall through to
 * (b). Do not "fix" this by switching to {@code getValue()} unless the
 * cookie's integrity is verified first — that verification presumably lives in
 * the parent filter (confirm before changing anything here).
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {
    String authtype = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    if (isSpnegoEnable(authtype)) {
        // JVM-wide static state, re-applied on every request; falls back to Hadoop's DEFAULT rule
        KerberosName.setRules(PropertiesUtil.getProperty(NAME_RULES, "DEFAULT"));
        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
        String userName = null;
        Cookie[] cookie = httpRequest.getCookies();
        if (cookie != null) {
            for (Cookie c : cookie) {
                String cname = c.getName();
                if (cname != null && cname.equalsIgnoreCase("u")) {
                    // NOTE: searches the name "u" for "u=" — this cannot match
                    int ustr = cname.indexOf("u=");
                    if (ustr != -1) {
                        int andStr = cname.indexOf("&", ustr);
                        if (andStr != -1) {
                            userName = cname.substring(ustr + 2, andStr);
                        }
                    }
                } else if (cname != null && cname.equalsIgnoreCase(AUTH_COOKIE_NAME)) {
                    // NOTE: same pattern applied to the auth cookie's name, not its value
                    int ustr = cname.indexOf("u=");
                    if (ustr != -1) {
                        int andStr = cname.indexOf("&", ustr);
                        if (andStr != -1) {
                            userName = cname.substring(ustr + 2, andStr);
                        }
                    }
                }
            }
        }
        if ((existingAuth == null || !existingAuth.isAuthenticated()) && (!StringUtils.isEmpty(userName))) {
            //--------------------------- To Create Ranger Session --------------------------------------
            // Every cookie-named user receives this single default role; no password is checked here.
            String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
            //if we get the userName from the token then log into ranger using the same user
            final List<GrantedAuthority> grantedAuths = new ArrayList<>();
            grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
            final UserDetails principal = new User(userName, "", grantedAuths);
            final Authentication finalAuthentication =
                    new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
            WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
            ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
            RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
            Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
            authentication = getGrantedAuthority(authentication);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            request.setAttribute("spnegoEnabled", true);
            LOG.info("Logged into Ranger as = " + userName);
        } else {
            try {
                // the parent filter carries out the SPNEGO exchange
                super.doFilter(request, response, filterChain);
            } catch (Exception e) {
                // NOTE: only the message survives; the cause is dropped from the REST error
                throw restErrorUtil
                        .createRESTException("RangerKRBAuthenticationFilter Failed : " + e.getMessage());
            }
        }
    } else {
        filterChain.doFilter(request, response);
    }
}