List of usage examples for org.apache.hadoop.security.authentication.util KerberosUtil getKrb5LoginModuleName
public static String getKrb5LoginModuleName()
From source file:co.cask.cdap.common.kerberos.SecurityUtil.java
License:Apache License
/**
 * Enables Kerberos authentication based on configuration.
 *
 * <p>Nothing is done when the JAAS login-config system property is already set (an existing
 * configuration takes precedence) or when Kerberos is disabled in {@code cConf}. Otherwise the
 * master principal and keytab are validated, the ZooKeeper SASL system properties are set, and a
 * process-wide JAAS {@link Configuration} is installed whose every application name resolves to a
 * single REQUIRED keytab-based Krb5 login entry.
 *
 * @param cConf configuration object.
 * @throws IOException declared by the signature; nothing in this body throws it directly
 * @throws IllegalArgumentException if the principal or keytab path is not configured, or the
 *     keytab does not exist, is not a regular file, or is not readable
 */
public static void enableKerberosLogin(CConfiguration cConf) throws IOException {
  String loginConfigKey = Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG;
  if (System.getProperty(loginConfigKey) != null) {
    LOG.warn("Environment variable '{}' was already set to {}. Not generating JAAS configuration.",
             loginConfigKey, System.getProperty(loginConfigKey));
    return;
  }
  if (!isKerberosEnabled(cConf)) {
    LOG.info("Kerberos login is not enabled. To enable Kerberos login, enable {} and configure {} and {}",
             Constants.Security.KERBEROS_ENABLED, Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL,
             Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH);
    return;
  }

  String principalKey = Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL;
  String keytabKey = Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH;

  String configuredPrincipal = cConf.get(principalKey);
  Preconditions.checkArgument(configuredPrincipal != null,
                              "Kerberos authentication is enabled, but " + principalKey + " is not configured");
  // Expansion happens before the keytab is checked, matching the validation order callers see.
  String principal = SecurityUtil.expandPrincipal(configuredPrincipal);

  String keytabPath = cConf.get(keytabKey);
  Preconditions.checkArgument(keytabPath != null,
                              "Kerberos authentication is enabled, but " + keytabKey + " is not configured");
  File keyTabFile = new File(keytabPath);
  String keytabAbsolutePath = keyTabFile.getAbsolutePath();
  Preconditions.checkArgument(keyTabFile.exists(), "Kerberos keytab file does not exist: " + keytabAbsolutePath);
  Preconditions.checkArgument(keyTabFile.isFile(), "Kerberos keytab file should be a file: " + keytabAbsolutePath);
  Preconditions.checkArgument(keyTabFile.canRead(), "Kerberos keytab file cannot be read: " + keytabAbsolutePath);
  LOG.info("Using Kerberos principal {} and keytab {}", principal, keytabAbsolutePath);

  // ZooKeeper client SASL settings, consumed through system properties.
  System.setProperty(Constants.External.Zookeeper.ENV_AUTH_PROVIDER_1,
                     "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
  // NOTE(review): if this constant maps to ZooKeeper's allowSaslFailedClients, "true" lets clients
  // whose SASL handshake fails carry on unauthenticated — confirm that is the intended posture.
  System.setProperty(Constants.External.Zookeeper.ENV_ALLOW_SASL_FAILED_CLIENTS, "true");
  System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");

  // Keytab-only login: never prompt and never fall back to a ticket cache.
  Map<String, String> loginOptions = new HashMap<>();
  loginOptions.put("doNotPrompt", "true");
  loginOptions.put("useKeyTab", "true");
  loginOptions.put("useTicketCache", "false");
  loginOptions.put("principal", principal);
  loginOptions.put("keyTab", keytabAbsolutePath);
  final AppConfigurationEntry krb5Entry = new AppConfigurationEntry(
      KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, loginOptions);

  // Every application name gets the same single entry; then make it the process-wide configuration.
  Configuration.setConfiguration(new Configuration() {
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String s) {
      return new AppConfigurationEntry[] { krb5Entry };
    }
  });
}
From source file:co.cask.common.security.kerberos.SecurityUtil.java
License:Apache License
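/**
 * Enables Kerberos authentication based on configuration.
 *
 * <p>Skips setup when the JAAS login-config system property is already present or when Kerberos is
 * disabled in {@code conf}. Otherwise validates the master principal and keytab, sets the ZooKeeper
 * SASL system properties, and installs a process-wide JAAS configuration whose every application
 * name maps to one REQUIRED keytab-based Krb5 login entry.
 *
 * @param conf configuration object.
 * @throws IOException declared by the signature; nothing in this body throws it directly
 * @throws IllegalArgumentException if the principal or keytab path is not configured, or the
 *     keytab is missing, not a regular file, or unreadable
 */
public static void enableKerberosLogin(SecurityConfiguration conf) throws IOException {
  if (System.getProperty(Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG) != null) {
    LOG.warn("Environment variable '{}' was already set to {}. Not generating JAAS configuration.",
             Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG,
             System.getProperty(Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG));
    return;
  }
  if (!isKerberosEnabled(conf)) {
    LOG.info("Kerberos login is not enabled. To enable Kerberos login, enable {} and configure {} and {}",
             Constants.KERBEROS_ENABLED, Constants.CFG_CDAP_MASTER_KRB_PRINCIPAL,
             Constants.CFG_CDAP_MASTER_KRB_KEYTAB_PATH);
    return;
  }

  Preconditions.checkArgument(conf.get(Constants.CFG_CDAP_MASTER_KRB_PRINCIPAL) != null,
      "Kerberos authentication is enabled, but " + Constants.CFG_CDAP_MASTER_KRB_PRINCIPAL + " is not configured");
  // Principal expansion runs before the keytab checks, preserving the validation order.
  String principal = SecurityUtil.expandPrincipal(conf.get(Constants.CFG_CDAP_MASTER_KRB_PRINCIPAL));

  Preconditions.checkArgument(conf.get(Constants.CFG_CDAP_MASTER_KRB_KEYTAB_PATH) != null,
      "Kerberos authentication is enabled, but " + Constants.CFG_CDAP_MASTER_KRB_KEYTAB_PATH + " is not configured");
  File keyTabFile = new File(conf.get(Constants.CFG_CDAP_MASTER_KRB_KEYTAB_PATH));
  Preconditions.checkArgument(keyTabFile.exists(),
      "Kerberos keytab file does not exist: " + keyTabFile.getAbsolutePath());
  Preconditions.checkArgument(keyTabFile.isFile(),
      "Kerberos keytab file should be a file: " + keyTabFile.getAbsolutePath());
  Preconditions.checkArgument(keyTabFile.canRead(),
      "Kerberos keytab file cannot be read: " + keyTabFile.getAbsolutePath());
  LOG.info("Using Kerberos principal {} and keytab {}", principal, keyTabFile.getAbsolutePath());

  // ZooKeeper client SASL settings, consumed through system properties.
  System.setProperty(Constants.External.Zookeeper.ENV_AUTH_PROVIDER_1,
                     "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
  // NOTE(review): if this constant maps to ZooKeeper's allowSaslFailedClients, "true" lets clients
  // whose SASL handshake fails carry on unauthenticated — confirm that is the intended posture.
  System.setProperty(Constants.External.Zookeeper.ENV_ALLOW_SASL_FAILED_CLIENTS, "true");
  System.setProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");

  // Keytab-only login: never prompt, never use a ticket cache.
  // (The redundant second "doNotPrompt" put of the original was dropped; the map value is unchanged.)
  final Map<String, String> properties = new HashMap<String, String>();
  properties.put("doNotPrompt", "true");
  properties.put("useKeyTab", "true");
  properties.put("useTicketCache", "false");
  properties.put("principal", principal);
  properties.put("keyTab", keyTabFile.getAbsolutePath());
  final AppConfigurationEntry configurationEntry = new AppConfigurationEntry(
      KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, properties);

  // Fully qualified because another "Configuration" type is in scope in this file.
  javax.security.auth.login.Configuration configuration = new javax.security.auth.login.Configuration() {
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String s) {
      return new AppConfigurationEntry[] { configurationEntry };
    }
  };
  // apply the configuration
  javax.security.auth.login.Configuration.setConfiguration(configuration);
}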
From source file:org.apache.flink.runtime.security.JaasConfiguration.java
License:Apache License
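/**
 * Creates a JAAS configuration instance.
 *
 * <p>Either both {@code keytab} and {@code principal} are supplied (non-blank), in which case a
 * REQUIRED keytab-based Krb5 entry is prepared in {@code keytabKerberosAce}, or both are blank, in
 * which case no keytab entry is prepared. The IBM JDK's Krb5 module uses different option names
 * than the Oracle/OpenJDK one, so the option set is chosen by {@code IBM_JAVA}.
 *
 * @param keytab path to the keytab file; may be blank
 * @param principal Kerberos principal; may be blank
 * @throws IllegalArgumentException if exactly one of {@code keytab} and {@code principal} is blank
 */
protected JaasConfiguration(String keytab, String principal) {
  LOG.info("Initializing JAAS configuration instance. Parameters: {}, {}", keytab, principal);

  boolean hasKeytab = !StringUtils.isBlank(keytab);
  boolean hasPrincipal = !StringUtils.isBlank(principal);
  if (hasKeytab != hasPrincipal) {
    // IllegalArgumentException is a RuntimeException, so callers catching the old type still match.
    throw new IllegalArgumentException("Both keytab and principal are required and cannot be empty");
  }
  if (!hasKeytab) {
    // Neither was given: leave keytabKerberosAce untouched.
    return;
  }

  if (IBM_JAVA) {
    keytabKerberosOptions.put("useKeytab", prependFileUri(keytab));
    keytabKerberosOptions.put("credsType", "both");
  } else {
    keytabKerberosOptions.put("keyTab", keytab);
    keytabKerberosOptions.put("doNotPrompt", "true");
    keytabKerberosOptions.put("useKeyTab", "true");
    keytabKerberosOptions.put("storeKey", "true");
  }
  keytabKerberosOptions.put("principal", principal);
  keytabKerberosOptions.put("refreshKrb5Config", "true");
  keytabKerberosOptions.putAll(debugOptions);
  keytabKerberosAce = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
      AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, keytabKerberosOptions);
}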
From source file:org.apache.flink.runtime.security.JaasConfigurationTest.java
License:Apache License
/**
 * A configuration built without a keytab or principal must still expose a first entry that names
 * the platform's Krb5 login module.
 */
@Test
public void testDefaultAceEntry() {
  JaasConfiguration jaasConf = new JaasConfiguration(null, null);
  javax.security.auth.login.Configuration.setConfiguration(jaasConf);
  AppConfigurationEntry firstEntry = jaasConf.getAppConfigurationEntry("test")[0];
  assertEquals(firstEntry.getLoginModuleName(), KerberosUtil.getKrb5LoginModuleName());
}
From source file:org.apache.flink.runtime.security.KerberosUtils.java
License:Apache License
/**
 * Builds a REQUIRED keytab-based Krb5 JAAS entry for the given keytab and principal.
 *
 * <p>The IBM JDK's Krb5 module takes different option names than the Oracle/OpenJDK module, so the
 * option set is selected by {@code IBM_JAVA}; {@code debugOptions} are merged in last.
 *
 * @param keytab path to the keytab file; must not be {@code null}
 * @param principal Kerberos principal; must not be {@code null}
 * @return the configured entry
 * @throws NullPointerException if {@code keytab} or {@code principal} is {@code null}
 */
public static AppConfigurationEntry keytabEntry(String keytab, String principal) {
  checkNotNull(keytab, "keytab");
  checkNotNull(principal, "principal");

  Map<String, String> options = new HashMap<>();
  if (IBM_JAVA) {
    options.put("useKeytab", prependFileUri(keytab));
    options.put("credsType", "both");
  } else {
    // Keytab-only, non-interactive login; storeKey keeps the key in the subject.
    options.put("keyTab", keytab);
    options.put("doNotPrompt", "true");
    options.put("useKeyTab", "true");
    options.put("storeKey", "true");
  }
  options.put("principal", principal);
  options.put("refreshKrb5Config", "true");
  options.putAll(debugOptions);

  return new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
      AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
}
From source file:org.apache.flink.test.util.TestingJaasConfiguration.java
License:Apache License
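/**
 * Resolves the JAAS entries for {@code applicationName}, substituting a client-specific keytab and
 * principal when the supplied client security map has an entry for that application.
 *
 * <p>The parent configuration is consulted first. If a client configuration exists for
 * {@code applicationName} and the parent's entries contain one carrying a {@code keyTab} option,
 * the result becomes a single REQUIRED Krb5 keytab entry built from {@code getKeytabKerberosOptions()}
 * with the client's {@code keyTab} and {@code principal} substituted. Only the first such entry is
 * honoured.
 *
 * @param applicationName the JAAS application (login context) name being requested
 * @return the parent's entries, or a single client-specific keytab entry; may be {@code null} when
 *     the parent returns {@code null}
 */
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String applicationName) {
  LOG.debug("In TestingJaasConfiguration - Application Requested: {}", applicationName);
  AppConfigurationEntry[] entries = super.getAppConfigurationEntry(applicationName);

  if (clientSecurityConfigurationMap == null || clientSecurityConfigurationMap.isEmpty()
      || !clientSecurityConfigurationMap.containsKey(applicationName)) {
    return entries;
  }
  LOG.debug("In TestingJaasConfiguration - Application: {} found in the supplied context", applicationName);
  TestingSecurityContext.ClientSecurityConfiguration conf = clientSecurityConfigurationMap.get(applicationName);
  if (entries == null || entries.length == 0) {
    return entries;
  }

  for (AppConfigurationEntry ace : entries) {
    if (!ace.getOptions().containsKey("keyTab")) {
      continue;
    }
    String keyTab = conf.getKeytab();
    String principal = conf.getPrincipal();
    LOG.debug("In TestingJaasConfiguration - Application: {} from the supplied context will "
        + "use Client Specific Keytab: {} and Principal: {}", applicationName, keyTab, principal);

    Map<String, String> newKeytabKerberosOptions = new HashMap<>(getKeytabKerberosOptions());
    newKeytabKerberosOptions.put("keyTab", keyTab);
    newKeytabKerberosOptions.put("principal", principal);
    AppConfigurationEntry keytabKerberosAce = new AppConfigurationEntry(
        KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
        newKeytabKerberosOptions);

    LOG.debug("---->Login Module is using Keytab based configuration<------");
    LOG.debug("Login Module Name: " + keytabKerberosAce.getLoginModuleName());
    LOG.debug("Control Flag: " + keytabKerberosAce.getControlFlag());
    LOG.debug("Options: " + keytabKerberosAce.getOptions());
    // The original reassigned the array it was iterating and relied on the new length to stop the
    // loop; returning here makes the "first keyTab entry wins" behaviour explicit.
    return new AppConfigurationEntry[] { keytabKerberosAce };
  }
  return entries;
}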
From source file:org.apache.ranger.services.storm.client.StormClient.java
License:Apache License
/**
 * Runs {@code action} as a Kerberos-authenticated {@link Subject}.
 *
 * <p>When both {@code lookupPrincipal} and {@code lookupKeytab} are non-empty, the subject comes
 * from {@code SecureClientLogin.loginUserFromKeytab} (with {@code nameRules} defaulting to
 * {@code "DEFAULT"}). Otherwise a username/password login is performed through a local JAAS
 * configuration under the context name {@code "hadoop-keytab-kerberos"}, and that login context
 * is logged out in {@code finally}. If no subject is obtained, {@code action} is not run and
 * {@code null} is returned.
 *
 * @param userName user name / principal for the password login path; also echoed into the
 *     failure message on {@link LoginException}
 * @param password cleartext password for the password login path; it is placed into the JAAS
 *     options map that is handed to both login modules
 * @param lookupPrincipal principal for the keytab login path; may be empty
 * @param lookupKeytab keytab path for the keytab login path; may be empty
 * @param nameRules auth-to-local rules for the keytab path; empty means {@code "DEFAULT"}
 * @param action the privileged action to execute as the logged-in subject
 * @param <T> result type of {@code action}
 * @return the action's result, or {@code null} if no subject was obtained
 * @throws HadoopException (unchecked) wrapping a {@link LoginException}, {@link SecurityException}
 *     or an {@link IllegalArgumentException} raised while building the JAAS entries
 * @throws IOException if logging out the password-login context fails
 */
public static <T> T executeUnderKerberos(String userName, String password, String lookupPrincipal,
    String lookupKeytab, String nameRules, PrivilegedAction<T> action) throws IOException {
  final String errMsg = errMessage;

  // Local JAAS configuration for the username/password path: a password-saver module followed by
  // the platform Krb5 module, both REQUIRED and both fed the same options map.
  class MySecureClientLoginConfiguration extends javax.security.auth.login.Configuration {
    private String userName;
    private String password;

    MySecureClientLoginConfiguration(String aUserName, String password) {
      this.userName = aUserName;
      this.password = password;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
      // One map is shared by both entries below, and it carries the cleartext password under
      // PASSWORD_PARAM — anything that logs or exposes these entries' getOptions() exposes it.
      Map<String, String> kerberosOptions = new HashMap<String, String>();
      kerberosOptions.put("principal", this.userName);
      // NOTE(review): Krb5 module debug tracing is hard-coded on; the JDK module normally writes
      // this trace to stdout — consider making it configurable for production deployments.
      kerberosOptions.put("debug", "true");
      kerberosOptions.put("useKeyTab", "false");
      kerberosOptions.put(KrbPasswordSaverLoginModule.USERNAME_PARAM, this.userName);
      kerberosOptions.put(KrbPasswordSaverLoginModule.PASSWORD_PARAM, this.password);
      kerberosOptions.put("doNotPrompt", "false");
      // Presumably the saver module (listed first in the returned array) places the credentials
      // in the shared state and useFirstPass makes the Krb5 module consume them — verify against
      // KrbPasswordSaverLoginModule.
      kerberosOptions.put("useFirstPass", "true");
      kerberosOptions.put("tryFirstPass", "false");
      kerberosOptions.put("storeKey", "true");
      kerberosOptions.put("refreshKrb5Config", "true");
      AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = null;
      AppConfigurationEntry KERBEROS_PWD_SAVER = null;
      try {
        KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, kerberosOptions);
        KERBEROS_PWD_SAVER = new AppConfigurationEntry(KrbPasswordSaverLoginModule.class.getName(),
            LoginModuleControlFlag.REQUIRED, kerberosOptions);
      } catch (IllegalArgumentException e) {
        String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList.";
        HadoopException hdpException = new HadoopException(msgDesc, e);
        LOG.error(msgDesc, e);
        hdpException.generateResponseDataMap(false, BaseClient.getMessage(e), msgDesc + errMsg, null, null);
        throw hdpException;
      }
      LOG.debug("getAppConfigurationEntry():" + kerberosOptions.get("principal"));
      // Order matters: the password saver runs before the Krb5 login module.
      return new AppConfigurationEntry[] { KERBEROS_PWD_SAVER, KEYTAB_KERBEROS_LOGIN };
    }
  }
  ;
  T ret = null;
  Subject subject = null;
  LoginContext loginContext = null;
  try {
    Subject loginSubj = null;
    if (!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab)) {
      LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab");
      if (StringUtils.isEmpty(nameRules)) {
        nameRules = "DEFAULT";
      }
      loginSubj = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules);
    } else {
      // Password path: `subject` and `loginContext` are only set here, which is what gates the
      // logout in the finally block below.
      subject = new Subject();
      // Deliberately logs only the user name; the password is left out of the line.
      LOG.debug("executeUnderKerberos():user=" + userName + ",pass=");
      LOG.debug("executeUnderKerberos():Creating config..");
      MySecureClientLoginConfiguration loginConf = new MySecureClientLoginConfiguration(userName, password);
      LOG.debug("executeUnderKerberos():Creating Context..");
      loginContext = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
      LOG.debug("executeUnderKerberos():Logging in..");
      loginContext.login();
      LOG.info("Init Login: using username/password");
      loginSubj = loginContext.getSubject();
    }
    if (loginSubj != null) {
      ret = Subject.doAs(loginSubj, action);
    }
  } catch (LoginException le) {
    String msgDesc = "executeUnderKerberos: Login failure using given"
        + " configuration parameters, username : `" + userName + "`.";
    HadoopException hdpException = new HadoopException(msgDesc, le);
    LOG.error(msgDesc, le);
    hdpException.generateResponseDataMap(false, BaseClient.getMessage(le), msgDesc + errMsg, null, null);
    throw hdpException;
  } catch (SecurityException se) {
    // Raised by the login or by Subject.doAs; reported with the same generic message as above.
    String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList.";
    HadoopException hdpException = new HadoopException(msgDesc, se);
    LOG.error(msgDesc, se);
    hdpException.generateResponseDataMap(false, BaseClient.getMessage(se), msgDesc + errMsg, null, null);
    throw hdpException;
  } finally {
    // Only the password path is logged out here; the keytab path's subject is not.
    // A logout failure thrown from finally replaces any exception already propagating from the
    // try/catch above.
    if (loginContext != null) {
      if (subject != null) {
        try {
          loginContext.logout();
        } catch (LoginException e) {
          throw new IOException("logout failure", e);
        }
      }
    }
  }
  return ret;
}
From source file:org.apache.ranger.storm.client.StormClient.java
License:Apache License
/**
 * Runs {@code action} as a {@link Subject} obtained from a Kerberos username/password login.
 *
 * <p>A local JAAS configuration (password-saver module followed by the platform Krb5 module) is
 * used under the context name {@code "hadoop-keytab-kerberos"}; the login context is logged out in
 * {@code finally}. If the login yields no subject, {@code action} is not run and {@code null} is
 * returned.
 *
 * @param userName user name / principal to log in as; also echoed into the failure message on
 *     {@link LoginException}
 * @param password cleartext password; it is placed into the JAAS options map handed to both
 *     login modules
 * @param action the privileged action to execute as the logged-in subject
 * @param <T> result type of {@code action}
 * @return the action's result, or {@code null} if no subject was obtained
 * @throws HadoopException (unchecked) wrapping a {@link LoginException}, {@link SecurityException}
 *     or an {@link IllegalArgumentException} raised while building the JAAS entries
 * @throws IOException if logging out the login context fails
 */
public static <T> T executeUnderKerberos(String userName, String password, PrivilegedAction<T> action)
    throws IOException {
  // Appended to every error response so the UI can explain the degraded (no autocomplete) state.
  final String errMsg = " You can still save the repository and start creating "
      + "policies, but you would not be able to use autocomplete for "
      + "resource names. Check xa_portal.log for more info.";

  // Local JAAS configuration: a password-saver module followed by the platform Krb5 module, both
  // REQUIRED and both fed the same options map.
  class MySecureClientLoginConfiguration extends javax.security.auth.login.Configuration {
    private String userName;
    private String password;

    MySecureClientLoginConfiguration(String aUserName, String password) {
      this.userName = aUserName;
      this.password = password;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
      // One map is shared by both entries below, and it carries the cleartext password under
      // PASSWORD_PARAM — anything that logs or exposes these entries' getOptions() exposes it.
      Map<String, String> kerberosOptions = new HashMap<String, String>();
      kerberosOptions.put("principal", this.userName);
      // NOTE(review): Krb5 module debug tracing is hard-coded on; the JDK module normally writes
      // this trace to stdout — consider making it configurable for production deployments.
      kerberosOptions.put("debug", "true");
      kerberosOptions.put("useKeyTab", "false");
      kerberosOptions.put(KrbPasswordSaverLoginModule.USERNAME_PARAM, this.userName);
      kerberosOptions.put(KrbPasswordSaverLoginModule.PASSWORD_PARAM, this.password);
      kerberosOptions.put("doNotPrompt", "false");
      // Presumably the saver module (listed first in the returned array) places the credentials
      // in the shared state and useFirstPass makes the Krb5 module consume them — verify against
      // KrbPasswordSaverLoginModule.
      kerberosOptions.put("useFirstPass", "true");
      kerberosOptions.put("tryFirstPass", "false");
      kerberosOptions.put("storeKey", "true");
      kerberosOptions.put("refreshKrb5Config", "true");
      AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = null;
      AppConfigurationEntry KERBEROS_PWD_SAVER = null;
      try {
        KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, kerberosOptions);
        KERBEROS_PWD_SAVER = new AppConfigurationEntry(KrbPasswordSaverLoginModule.class.getName(),
            LoginModuleControlFlag.REQUIRED, kerberosOptions);
      } catch (IllegalArgumentException e) {
        String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList.";
        HadoopException hdpException = new HadoopException(msgDesc, e);
        LOG.error(msgDesc, e);
        hdpException.generateResponseDataMap(false, BaseClient.getMessage(e), msgDesc + errMsg, null, null);
        throw hdpException;
      }
      LOG.debug("getAppConfigurationEntry():" + kerberosOptions.get("principal"));
      // Order matters: the password saver runs before the Krb5 login module.
      return new AppConfigurationEntry[] { KERBEROS_PWD_SAVER, KEYTAB_KERBEROS_LOGIN };
    }
  }
  ;
  T ret = null;
  Subject subject = null;
  LoginContext loginContext = null;
  try {
    subject = new Subject();
    // Deliberately logs only the user name; the password is left out of the line.
    LOG.debug("executeUnderKerberos():user=" + userName + ",pass=");
    LOG.debug("executeUnderKerberos():Creating config..");
    MySecureClientLoginConfiguration loginConf = new MySecureClientLoginConfiguration(userName, password);
    LOG.debug("executeUnderKerberos():Creating Context..");
    loginContext = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
    LOG.debug("executeUnderKerberos():Logging in..");
    loginContext.login();
    Subject loginSubj = loginContext.getSubject();
    if (loginSubj != null) {
      ret = Subject.doAs(loginSubj, action);
    }
  } catch (LoginException le) {
    String msgDesc = "executeUnderKerberos: Login failure using given"
        + " configuration parameters, username : `" + userName + "`.";
    HadoopException hdpException = new HadoopException(msgDesc, le);
    LOG.error(msgDesc, le);
    hdpException.generateResponseDataMap(false, BaseClient.getMessage(le), msgDesc + errMsg, null, null);
    throw hdpException;
  } catch (SecurityException se) {
    // Raised by the login or by Subject.doAs; reported with the same generic message as above.
    String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList.";
    HadoopException hdpException = new HadoopException(msgDesc, se);
    LOG.error(msgDesc, se);
    hdpException.generateResponseDataMap(false, BaseClient.getMessage(se), msgDesc + errMsg, null, null);
    throw hdpException;
  } finally {
    // `subject` is assigned before `loginContext`, so when the context exists the subject does too.
    // A logout failure thrown from finally replaces any exception already propagating from the
    // try/catch above.
    if (loginContext != null) {
      if (subject != null) {
        try {
          loginContext.logout();
        } catch (LoginException e) {
          throw new IOException("logout failure", e);
        }
      }
    }
  }
  return ret;
}