Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * <p> * http://www.apache.org/licenses/LICENSE-2.0 * <p> * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.drill.exec.rpc.security.kerberos; import org.apache.drill.common.KerberosUtil; import org.apache.drill.common.config.DrillProperties; import org.apache.drill.exec.rpc.security.AuthenticatorFactory; import org.apache.drill.exec.rpc.security.FastSaslClientFactory; import org.apache.drill.exec.rpc.security.FastSaslServerFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.security.HadoopKerberosName; import org.apache.hadoop.security.UserGroupInformation; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.login.LoginException; import javax.security.sasl.AuthorizeCallback; import javax.security.sasl.SaslClient; import javax.security.sasl.SaslException; import javax.security.sasl.SaslServer; import java.io.IOException; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.UndeclaredThrowableException; import java.security.AccessController; import java.security.PrivilegedExceptionAction; import java.util.Map; public class KerberosFactory implements AuthenticatorFactory { private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(KerberosFactory.class); private static final String DRILL_SERVICE_NAME = System.getProperty("drill.principal.primary", "drill"); @Override public String getSimpleName() { return KerberosUtil.KERBEROS_SIMPLE_NAME; } @Override public UserGroupInformation createAndLoginUser(final Map<String, ?> properties) throws IOException { final Configuration conf = new Configuration(); conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, UserGroupInformation.AuthenticationMethod.KERBEROS.toString()); UserGroupInformation.setConfiguration(conf); final String keytab = (String) properties.get(DrillProperties.KEYTAB); final boolean assumeSubject = properties.containsKey(DrillProperties.KERBEROS_FROM_SUBJECT) && Boolean.parseBoolean((String) properties.get(DrillProperties.KERBEROS_FROM_SUBJECT)); try { final UserGroupInformation ugi; if (assumeSubject) { ugi = UserGroupInformation.getUGIFromSubject(Subject.getSubject(AccessController.getContext())); logger.debug("Assuming subject for {}.", ugi.getShortUserName()); } else { if (keytab != null) { ugi = UserGroupInformation .loginUserFromKeytabAndReturnUGI((String) properties.get(DrillProperties.USER), keytab); logger.debug("Logged in {} using keytab.", ugi.getShortUserName()); } else { // includes Kerberos ticket login ugi = UserGroupInformation.getCurrentUser(); logger.debug("Logged in {} using ticket.", ugi.getShortUserName()); } } return ugi; } catch (final IOException e) { logger.debug("Login failed.", e); final Throwable cause = e.getCause(); if (cause instanceof LoginException) { throw new SaslException("Failed to login.", cause); } throw new SaslException("Unexpected failure trying to login.", cause); } } @Override public SaslServer createSaslServer(final UserGroupInformation ugi, final Map<String, ?> properties) throws SaslException { try { final String primaryName = ugi.getShortUserName(); final String instanceName = new HadoopKerberosName(ugi.getUserName()).getHostName(); final SaslServer saslServer = ugi.doAs(new PrivilegedExceptionAction<SaslServer>() { @Override public SaslServer run() throws Exception { return FastSaslServerFactory.getInstance().createSaslServer(KerberosUtil.KERBEROS_SASL_NAME, primaryName, instanceName, properties, new KerberosServerCallbackHandler()); } }); logger.trace("GSSAPI SaslServer created."); return saslServer; } catch (final UndeclaredThrowableException e) { final Throwable cause = e.getCause(); logger.debug("Authentication failed.", cause); if (cause instanceof SaslException) { throw (SaslException) cause; } else { throw new SaslException("Unexpected failure trying to authenticate using Kerberos", cause); } } catch (final IOException | InterruptedException e) { logger.debug("Authentication failed.", e); throw new SaslException("Unexpected failure trying to authenticate using Kerberos", e); } } @Override public SaslClient createSaslClient(final UserGroupInformation ugi, final Map<String, ?> properties) throws SaslException { final String servicePrincipal = getServicePrincipal(properties); final String parts[] = KerberosUtil.splitPrincipalIntoParts(servicePrincipal); final String serviceName = parts[0]; final String serviceHostName = parts[1]; // ignore parts[2]; GSSAPI gets the realm info from the ticket try { final SaslClient saslClient = ugi.doAs(new PrivilegedExceptionAction<SaslClient>() { @Override public SaslClient run() throws Exception { return FastSaslClientFactory.getInstance().createSaslClient( new String[] { KerberosUtil.KERBEROS_SASL_NAME }, null /** authorization ID */ , serviceName, serviceHostName, properties, new CallbackHandler() { @Override public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException { throw new UnsupportedCallbackException(callbacks[0]); } }); } }); logger.debug("GSSAPI SaslClient created to authenticate to {} running on {}", serviceName, serviceHostName); return saslClient; } catch (final UndeclaredThrowableException e) { logger.debug("Authentication failed.", e); throw new SaslException( String.format("Unexpected failure trying to authenticate to %s using GSSAPI", serviceHostName), e.getCause()); } catch (final IOException | InterruptedException e) { logger.debug("Authentication failed.", e); if (e instanceof SaslException) { throw (SaslException) e; } throw new SaslException( String.format("Unexpected failure trying to authenticate to %s using GSSAPI", serviceHostName), e); } } @Override public void close() throws Exception { // no-op } private static class KerberosServerCallbackHandler implements CallbackHandler { @Override public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (final Callback callback : callbacks) { if (callback instanceof AuthorizeCallback) { final AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback; if (!authorizeCallback.getAuthenticationID().equals(authorizeCallback.getAuthorizationID())) { throw new SaslException("Drill expects authorization ID and authentication ID to match. " + "Use inbound impersonation feature so one entity can act on behalf of another."); } else { authorizeCallback.setAuthorized(true); } } else { throw new UnsupportedCallbackException(callback); } } } } private static String getServicePrincipal(final Map<String, ?> properties) throws SaslException { final String principal = (String) properties.get(DrillProperties.SERVICE_PRINCIPAL); if (principal != null) { return principal; } final String serviceHostname = (String) properties.get(DrillProperties.SERVICE_HOST); if (serviceHostname == null) { throw new SaslException("Unknown Drillbit hostname. Check connection parameters?"); } final String serviceName = (String) properties.get(DrillProperties.SERVICE_NAME); final String realm = (String) properties.get(DrillProperties.REALM); try { return KerberosUtil.getPrincipalFromParts(serviceName == null ? DRILL_SERVICE_NAME : serviceName, serviceHostname.toLowerCase(), // see HADOOP-7988 realm == null ? KerberosUtil.getDefaultRealm() : realm); } catch (final ClassNotFoundException | NoSuchMethodException | IllegalAccessException | InvocationTargetException e) { throw new SaslException( "Could not resolve realm information. Please set explicitly in connection parameters."); } } }