List of usage examples for org.apache.hadoop.security SaslRpcServer splitKerberosName
public static String[] splitKerberosName(String fullName)
From source file:com.cloudera.beeswax.Server.java
License:Apache License
/** * Start the Beeswax server./*from w w w . ja v a 2s. co m*/ */ private static void serveBeeswax(int port) throws TTransportException { TServerTransport serverTransport = new TServerSocket(port); BeeswaxService.Iface impl = new BeeswaxServiceImpl(dtHost, dtPort, dtHttps, qlifetime); Processor processor = new BeeswaxService.Processor(impl); TTransportFactory transFactory; if (useKerberos) { final String names[] = SaslRpcServer.splitKerberosName(kerberosName); if (names.length < 2) { throw new IllegalArgumentException( "Kerberos principal should have at least 2 parts: " + kerberosName); } TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory( AuthMethod.KERBEROS.getMechanismName(), names[0], names[1], // two parts of kerberos principal SaslRpcServer.SASL_PROPS, new SaslRpcServer.SaslGssCallbackHandler()); transFactory = new KbrSaslTransportFactory(saslFactory, bwUgi); } else { transFactory = new TTransportFactory(); } TThreadPoolServer.Args args = new TThreadPoolServer.Args(serverTransport).processor(processor) .protocolFactory(new TBinaryProtocol.Factory()).transportFactory(transFactory); TServer server = new TThreadPoolServer(args); if (dtPort != -1) { LOG.info("Starting beeswax server on port " + port + ", talking back to Desktop at " + dtHost + ":" + dtPort); } else { LOG.info("Starting beeswax server on port " + port); } server.serve(); }
From source file:com.facebook.presto.hive.authentication.KerberosHiveMetastoreAuthentication.java
License:Apache License
@Override public TTransport authenticate(TTransport rawTransport, String hiveMetastoreHost) throws TTransportException { try {//from ww w .ja v a2s . c om String serverPrincipal = getServerPrincipal(hiveMetastoreServicePrincipal, hiveMetastoreHost); String[] names = SaslRpcServer.splitKerberosName(serverPrincipal); checkState(names.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", serverPrincipal); Map<String, String> saslProps = ImmutableMap.of(Sasl.QOP, "auth", Sasl.SERVER_AUTH, "true"); TTransport saslTransport = new TSaslClientTransport(KERBEROS.getMechanismName(), null, names[0], names[1], saslProps, null, rawTransport); return new TUGIAssumingTransport(saslTransport, authentication.getUserGroupInformation()); } catch (IOException e) { throw Throwables.propagate(e); } }
From source file:io.prestosql.plugin.hive.authentication.KerberosHiveMetastoreAuthentication.java
License:Apache License
@Override public TTransport authenticate(TTransport rawTransport, String hiveMetastoreHost) { try {// w ww.ja v a 2 s . com String serverPrincipal = getServerPrincipal(hiveMetastoreServicePrincipal, hiveMetastoreHost); String[] names = SaslRpcServer.splitKerberosName(serverPrincipal); checkState(names.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", serverPrincipal); Map<String, String> saslProps = ImmutableMap.of(Sasl.QOP, hdfsWireEncryptionEnabled ? "auth-conf" : "auth", Sasl.SERVER_AUTH, "true"); TTransport saslTransport = new TSaslClientTransport(KERBEROS.getMechanismName(), null, names[0], names[1], saslProps, null, rawTransport); return new TUGIAssumingTransport(saslTransport, authentication.getUserGroupInformation()); } catch (IOException e) { throw new UncheckedIOException(e); } }
From source file:org.apache.flume.auth.FlumeAuthenticationUtil.java
License:Apache License
/** * Resolves the principal using Hadoop common's SecurityUtil and splits * the kerberos principal into three parts user name, host and kerberos realm * * @param principal/*from w w w. ja v a2 s. c o m*/ * @return String[] of username, hostname and kerberos realm * @throws IOException */ public static String[] splitKerberosName(String principal) throws IOException { String resolvedPrinc = SecurityUtil.getServerPrincipal(principal, ""); return SaslRpcServer.splitKerberosName(resolvedPrinc); }
From source file:org.apache.sentry.core.common.transport.SentryTransportFactory.java
License:Apache License
/** * Create transport given InetSocketAddress * @param serverAddress - endpoint address * @return unconnected transport/* w ww. j av a2 s . co m*/ * @throws TTransportException * @throws IOException */ @SuppressWarnings("squid:S2095") private TTransport createTransport(InetSocketAddress serverAddress) throws IOException { String hostName = serverAddress.getHostName(); int port = serverAddress.getPort(); TTransport socket = new TSocket(hostName, port, connectionTimeout); if (!isKerberosEnabled) { LOGGER.debug("created unprotected connection to {}:{} ", hostName, port); return socket; } String principal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress()); String[] serverPrincipalParts = SaslRpcServer.splitKerberosName(principal); if (serverPrincipalParts.length != 3) { throw new IOException("Kerberos principal should have 3 parts: " + principal); } UgiSaslClientTransport connection = new UgiSaslClientTransport( SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(), serverPrincipalParts[0], serverPrincipalParts[1], socket, useUgi); LOGGER.debug("creating secured connection to {}:{} ", hostName, port); return connection; }
From source file:org.apache.sentry.hdfs.SentryHDFSServiceClient.java
License:Apache License
public SentryHDFSServiceClient(Configuration conf) throws IOException { this.conf = conf; Preconditions.checkNotNull(this.conf, "Configuration object cannot be null"); this.serverAddress = NetUtils.createSocketAddr( Preconditions.checkNotNull(conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key " + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT)); this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT, ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT); kerberos = ClientConfig.SECURITY_MODE_KERBEROS .equalsIgnoreCase(conf.get(ClientConfig.SECURITY_MODE, ClientConfig.SECURITY_MODE_KERBEROS).trim()); transport = new TSocket(serverAddress.getHostName(), serverAddress.getPort(), connectionTimeout); if (kerberos) { String serverPrincipal = Preconditions.checkNotNull(conf.get(ClientConfig.PRINCIPAL), ClientConfig.PRINCIPAL + " is required"); // Resolve server host in the same way as we are doing on server side serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress()); LOGGER.info("Using server kerberos principal: " + serverPrincipal); serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal); Preconditions.checkArgument(serverPrincipalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal); boolean wrapUgi = "true".equalsIgnoreCase(conf.get(ClientConfig.SECURITY_USE_UGI_TRANSPORT, "true")); transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0], serverPrincipalParts[1], ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);/*from w ww . j a va2 s . co m*/ } else { serverPrincipalParts = null; } try { transport.open(); } catch (TTransportException e) { throw new IOException("Transport exception while opening transport: " + e.getMessage(), e); } LOGGER.info("Successfully opened transport: " + transport + " to " + serverAddress); TProtocol tProtocol = new TBinaryProtocol(transport); // if (conf.getBoolean(ClientConfig.USE_COMPACT_TRANSPORT, // ClientConfig.USE_COMPACT_TRANSPORT_DEFAULT)) { // tProtocol = new TCompactProtocol(transport); // } else { // tProtocol = new TBinaryProtocol(transport); // } TMultiplexedProtocol protocol = new TMultiplexedProtocol(tProtocol, SentryHDFSServiceClient.SENTRY_HDFS_SERVICE_NAME); client = new SentryHDFSService.Client(protocol); LOGGER.info("Successfully created client"); }
From source file:org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient.java
License:Apache License
public SentryGenericServiceClient(Configuration conf) throws IOException { this.conf = conf; Preconditions.checkNotNull(this.conf, "Configuration object cannot be null"); this.serverAddress = NetUtils.createSocketAddr( Preconditions.checkNotNull(conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key " + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT)); this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT, ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT); kerberos = ServerConfig.SECURITY_MODE_KERBEROS .equalsIgnoreCase(conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim()); transport = new TSocket(serverAddress.getHostName(), serverAddress.getPort(), connectionTimeout); if (kerberos) { String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required"); // Resolve server host in the same way as we are doing on server side serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress()); LOGGER.debug("Using server kerberos principal: " + serverPrincipal); serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal); Preconditions.checkArgument(serverPrincipalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal); boolean wrapUgi = "true".equalsIgnoreCase(conf.get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true")); transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0], serverPrincipalParts[1], ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);/*from w w w . jav a2s .c o m*/ } else { serverPrincipalParts = null; } try { transport.open(); } catch (TTransportException e) { throw new IOException("Transport exception while opening transport: " + e.getMessage(), e); } LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress); TMultiplexedProtocol protocol = new TMultiplexedProtocol(new TBinaryProtocol(transport), SentryGenericPolicyProcessor.SENTRY_GENERIC_SERVICE_NAME); client = new SentryGenericPolicyService.Client(protocol); LOGGER.debug("Successfully created client"); }
From source file:org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient.java
License:Apache License
public SentryPolicyServiceClient(Configuration conf) throws IOException { this.conf = conf; Preconditions.checkNotNull(this.conf, "Configuration object cannot be null"); this.serverAddress = NetUtils.createSocketAddr( Preconditions.checkNotNull(conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key " + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT)); this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT, ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT); kerberos = ServerConfig.SECURITY_MODE_KERBEROS .equalsIgnoreCase(conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim()); transport = new TSocket(serverAddress.getHostName(), serverAddress.getPort(), connectionTimeout); if (kerberos) { String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required"); // Resolve server host in the same way as we are doing on server side serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress()); LOGGER.debug("Using server kerberos principal: " + serverPrincipal); serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal); Preconditions.checkArgument(serverPrincipalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal); boolean wrapUgi = "true".equalsIgnoreCase(conf.get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true")); transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0], serverPrincipalParts[1], ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);// w w w . j a v a 2 s. co m } else { serverPrincipalParts = null; } try { transport.open(); } catch (TTransportException e) { throw new IOException("Transport exception while opening transport: " + e.getMessage(), e); } LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress); TMultiplexedProtocol protocol = new TMultiplexedProtocol(new TBinaryProtocol(transport), SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME); client = new SentryPolicyService.Client(protocol); LOGGER.debug("Successfully created client"); }
From source file:org.apache.sentry.service.thrift.GSSCallback.java
License:Apache License
boolean comparePrincipals(String principal1, String principal2) { String[] principalParts1 = SaslRpcServer.splitKerberosName(principal1); String[] principalParts2 = SaslRpcServer.splitKerberosName(principal2); if (principalParts1.length == 0 || principalParts2.length == 0) { return false; }// ww w . j ava 2 s . c o m if (principalParts1.length == principalParts2.length) { for (int i = 0; i < principalParts1.length; i++) { if (!principalParts1[i].equals(principalParts2[i])) { return false; } } return true; } else { return false; } }
From source file:org.apache.sentry.service.thrift.GSSCallback.java
License:Apache License
private String getShortName(String principal) { String parts[] = SaslRpcServer.splitKerberosName(principal); return parts[0]; }