Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.accumulo.server.security.handler; import static java.nio.charset.StandardCharsets.UTF_8; import java.util.Arrays; import java.util.Base64; import java.util.HashSet; import java.util.Set; import org.apache.accumulo.core.Constants; import org.apache.accumulo.core.client.AccumuloSecurityException; import org.apache.accumulo.core.client.impl.DelegationTokenImpl; import org.apache.accumulo.core.client.impl.thrift.SecurityErrorCode; import org.apache.accumulo.core.client.impl.thrift.ThriftSecurityException; import org.apache.accumulo.core.client.security.tokens.AuthenticationToken; import org.apache.accumulo.core.client.security.tokens.KerberosToken; import org.apache.accumulo.core.conf.AccumuloConfiguration; import org.apache.accumulo.core.conf.SiteConfiguration; import org.apache.accumulo.core.security.thrift.TCredentials; import org.apache.accumulo.fate.zookeeper.IZooReaderWriter; import org.apache.accumulo.fate.zookeeper.ZooUtil.NodeExistsPolicy; import org.apache.accumulo.fate.zookeeper.ZooUtil.NodeMissingPolicy; import org.apache.accumulo.server.rpc.UGIAssumingProcessor; import org.apache.accumulo.server.security.SystemCredentials.SystemToken; import org.apache.accumulo.server.security.UserImpersonation; import org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts; import org.apache.accumulo.server.zookeeper.ZooCache; import org.apache.accumulo.server.zookeeper.ZooReaderWriter; import org.apache.zookeeper.KeeperException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.common.collect.Sets; public class KerberosAuthenticator implements Authenticator { private static final Logger log = LoggerFactory.getLogger(KerberosAuthenticator.class); private static final Set<Class<? extends AuthenticationToken>> SUPPORTED_TOKENS = Sets.newHashSet( Arrays.<Class<? extends AuthenticationToken>>asList(KerberosToken.class, SystemToken.class)); private static final Set<String> SUPPORTED_TOKEN_NAMES = Sets.newHashSet(KerberosToken.class.getName(), SystemToken.class.getName()); private final ZKAuthenticator zkAuthenticator = new ZKAuthenticator(); private String zkUserPath; private final ZooCache zooCache; private final UserImpersonation impersonation; public KerberosAuthenticator() { this(new ZooCache(), SiteConfiguration.getInstance()); } public KerberosAuthenticator(ZooCache cache, AccumuloConfiguration conf) { this.zooCache = cache; this.impersonation = new UserImpersonation(conf); } @Override public void initialize(String instanceId, boolean initialize) { zkAuthenticator.initialize(instanceId, initialize); zkUserPath = Constants.ZROOT + "/" + instanceId + "/users"; } @Override public boolean validSecurityHandlers(Authorizor auth, PermissionHandler pm) { return true; } private void createUserNodeInZk(String principal) throws KeeperException, InterruptedException { synchronized (zooCache) { zooCache.clear(); IZooReaderWriter zoo = ZooReaderWriter.getInstance(); zoo.putPrivatePersistentData(zkUserPath + "/" + principal, new byte[0], NodeExistsPolicy.FAIL); } } @Override public void initializeSecurity(TCredentials credentials, String principal, byte[] token) throws AccumuloSecurityException, ThriftSecurityException { try { // remove old settings from zookeeper first, if any IZooReaderWriter zoo = ZooReaderWriter.getInstance(); synchronized (zooCache) { zooCache.clear(); if (zoo.exists(zkUserPath)) { zoo.recursiveDelete(zkUserPath, NodeMissingPolicy.SKIP); log.info("Removed " + zkUserPath + "/" + " from zookeeper"); } // prep parent node of users with root username // ACCUMULO-4140 The root user needs to be stored un-base64 encoded in the znode's value byte[] principalData = principal.getBytes(UTF_8); zoo.putPersistentData(zkUserPath, principalData, NodeExistsPolicy.FAIL); // Create the root user in ZK using base64 encoded name (since the name is included in the znode) createUserNodeInZk(Base64.getEncoder().encodeToString(principalData)); } } catch (KeeperException | InterruptedException e) { log.error("Failed to initialize security", e); throw new RuntimeException(e); } } @Override public boolean authenticateUser(String principal, AuthenticationToken token) throws AccumuloSecurityException { final String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal(); if (!rpcPrincipal.equals(principal)) { // KerberosAuthenticator can't do perform this because KerberosToken is just a shim and doesn't contain the actual credentials // Double check that the rpc user can impersonate as the requested user. UsersWithHosts usersWithHosts = impersonation.get(rpcPrincipal); if (null == usersWithHosts) { throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED); } if (!usersWithHosts.getUsers().contains(principal)) { throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED); } log.debug("Allowing impersonation of {} by {}", principal, rpcPrincipal); } // User is authenticated at the transport layer -- nothing extra is necessary if (token instanceof KerberosToken || token instanceof DelegationTokenImpl) { return true; } return false; } @Override public Set<String> listUsers() throws AccumuloSecurityException { Set<String> base64Users = zkAuthenticator.listUsers(); Set<String> readableUsers = new HashSet<>(); for (String base64User : base64Users) { readableUsers.add(new String(Base64.getDecoder().decode(base64User), UTF_8)); } return readableUsers; } @Override public synchronized void createUser(String principal, AuthenticationToken token) throws AccumuloSecurityException { if (!(token instanceof KerberosToken)) { throw new UnsupportedOperationException( "Expected a KerberosToken but got a " + token.getClass().getSimpleName()); } try { createUserNodeInZk(Base64.getEncoder().encodeToString(principal.getBytes(UTF_8))); } catch (KeeperException e) { if (e.code().equals(KeeperException.Code.NODEEXISTS)) { throw new AccumuloSecurityException(principal, SecurityErrorCode.USER_EXISTS, e); } log.error("Failed to create user in ZooKeeper", e); throw new AccumuloSecurityException(principal, SecurityErrorCode.CONNECTION_ERROR, e); } catch (InterruptedException e) { log.error("Interrupted trying to create node for user", e); throw new RuntimeException(e); } } @Override public synchronized void dropUser(String user) throws AccumuloSecurityException { final String encodedUser = Base64.getEncoder().encodeToString(user.getBytes(UTF_8)); try { zkAuthenticator.dropUser(encodedUser); } catch (AccumuloSecurityException e) { throw new AccumuloSecurityException(user, e.asThriftException().getCode(), e.getCause()); } } @Override public void changePassword(String principal, AuthenticationToken token) throws AccumuloSecurityException { throw new UnsupportedOperationException("Cannot change password with Kerberos authenticaton"); } @Override public synchronized boolean userExists(String user) throws AccumuloSecurityException { user = Base64.getEncoder().encodeToString(user.getBytes(UTF_8)); return zkAuthenticator.userExists(user); } @Override public Set<Class<? extends AuthenticationToken>> getSupportedTokenTypes() { return SUPPORTED_TOKENS; } @Override public boolean validTokenClass(String tokenClass) { return SUPPORTED_TOKEN_NAMES.contains(tokenClass); } }