org.apache.hadoop.security.HadoopKerberosName Java Examples
The following examples show how to use
org.apache.hadoop.security.HadoopKerberosName.
Example #1
Source File: BitConnectionConfig.java From Bats with Apache License 2.0 | 6 votes |
/**
 * Builds the SASL client properties used when connecting to a remote drillbit.
 *
 * <p>If the login user was authenticated through Kerberos, the target service principal is
 * filled in first: the login principal itself when {@code useLoginPrincipal} is set, otherwise
 * a principal assembled from the login principal's short name, the remote endpoint's address
 * and the login principal's realm. The caller's overrides are merged in afterwards.
 *
 * @param remoteEndpoint endpoint being connected to; its address is used as the instance part
 * @param overrides properties merged into the computed ones
 * @return the resulting properties as a string map
 * @throws IOException if the login user or the principal's short name cannot be resolved
 */
public Map<String, ?> getSaslClientProperties(final DrillbitEndpoint remoteEndpoint,
    final Map<String, String> overrides) throws IOException {
  final DrillProperties saslProps = DrillProperties.createEmpty();
  final UserGroupInformation currentLogin = UserGroupInformation.getLoginUser();
  final boolean kerberosLogin =
      currentLogin.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS;

  if (kerberosLogin) {
    final HadoopKerberosName ownPrincipal = new HadoopKerberosName(currentLogin.getUserName());
    final String targetPrincipal;
    if (useLoginPrincipal) {
      // Peer is expected to run under exactly the same principal as this process.
      targetPrincipal = ownPrincipal.toString();
    } else {
      // Same primary and realm as this process, but bound to the remote host.
      targetPrincipal = KerberosUtil.getPrincipalFromParts(ownPrincipal.getShortName(),
          remoteEndpoint.getAddress(), ownPrincipal.getRealm());
    }
    saslProps.setProperty(DrillProperties.SERVICE_PRINCIPAL, targetPrincipal);
  }

  // NOTE(review): overrides are applied after SERVICE_PRINCIPAL is set, so presumably they can
  // replace it; confirm merge() semantics and that overrides only come from trusted config.
  saslProps.merge(overrides);
  return saslProps.stringPropertiesAsMap();
}
Example #2
Source File: AbstractServerConnection.java From Bats with Apache License 2.0 | 5 votes |
/**
 * Final check after SASL negotiation on a drillbit-to-drillbit connection: the short name of
 * the authenticated remote principal must equal the short name of this process's login user.
 *
 * @throws SaslException if the two short names differ
 * @throws IOException if either short name cannot be resolved
 */
@Override
public void finalizeSaslSession() throws IOException {
  final String authorizationID = getSaslServer().getAuthorizationID();
  final String peerPrimary = new HadoopKerberosName(authorizationID).getShortName();
  final String ownPrimary = UserGroupInformation.getLoginUser().getShortUserName();

  // NOTE(review): only the mapped short names are compared; the realm and instance parts of
  // the remote principal are not checked in this method. Confirm the auth_to_local rules
  // cannot map a principal from another realm onto this drillbit's short name.
  if (ownPrimary.equals(peerPrimary)) {
    getLogger().debug("Authenticated connection for {}", authorizationID);
    return;
  }

  throw new SaslException(String.format("'primary' part of remote drillbit's service principal "
      + "does not match with this drillbit's. Expected: '%s' Actual: '%s'",
      ownPrimary, peerPrimary));
}
Example #3
Source File: UserServer.java From Bats with Apache License 2.0 | 5 votes |
/**
 * Completes a user connection after SASL negotiation: maps the negotiated authorization ID to
 * its Kerberos short name and finalizes the session under that name.
 *
 * @throws IOException if the short name cannot be derived from the authorization ID
 */
@Override
public void finalizeSaslSession() throws IOException {
  final String saslAuthzId = getSaslServer().getAuthorizationID();
  // The session identity is the mapped short name, not the full principal; which principals
  // collapse to the same short name is decided by the configured auth_to_local rules.
  final String sessionUser = new HadoopKerberosName(saslAuthzId).getShortName();
  logger.debug("Created session for {}", sessionUser);
  finalizeSession(sessionUser);
}
Example #4
Source File: TestYARNTokenIdentifier.java From hadoop with Apache License 2.0 | 5 votes |
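/**
 * Verifies that a timeline delegation token identifier reports its renewer as the short name
 * produced by the configured auth_to_local rule ("yarn") rather than the principal passed in.
 */
@Test
public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
  // Server side, when generating a timeline delegation token.
  Configuration conf = new YarnConfiguration();
  // Rule for two-component principals: rewrite to "$1@$0" (primary@REALM); if that matches
  // [nr]m@.*EXAMPLE.COM, replace the whole string with "yarn".
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
      "RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
  // NOTE(review): setConfiguration appears to install the rules process-wide; other tests in
  // the same JVM may see them. Confirm whether a reset is needed.
  HadoopKerberosName.setConfiguration(conf);

  Text owner = new Text("owner");
  // NOTE(review): the listing showed this literal as an e-mail obfuscation placeholder, which
  // contains no '@' and so cannot match the rule. Restored to primary/host@REALM form; the
  // host part is a constructed sample, the realm is the one the rule requires.
  Text renewer = new Text("rm/localhost@EXAMPLE.COM");
  Text realUser = new Text("realUser");

  TimelineDelegationTokenIdentifier token =
      new TimelineDelegationTokenIdentifier(owner, renewer, realUser);
  Assert.assertEquals(new Text("yarn"), token.getRenewer());
}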
Example #5
Source File: TestSecureLogins.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Checks that a short name can be derived for each ZooKeeper principal form listed below.
 * Nothing is asserted on the result; the test passes when no call throws.
 */
@Test
public void testValidKerberosName() throws Throwable {
  final String[] principals = {ZOOKEEPER, ZOOKEEPER_LOCALHOST, ZOOKEEPER_REALM};
  for (String principal : principals) {
    new HadoopKerberosName(principal).getShortName();
  }
  // standard rules don't pick this up
  // new HadoopKerberosName(ZOOKEEPER_LOCALHOST_REALM).getShortName();
}
Example #6
Source File: AbstractDelegationTokenIdentifier.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Sets the token renewer, storing the Kerberos short name of the given principal.
 *
 * <p>A {@code null} renewer is stored as an empty {@link Text}.
 *
 * @param renewer principal of the renewer, or {@code null} for none
 * @throws RuntimeException wrapping the {@link IOException} raised when no short name can be
 *     derived from the principal
 */
public void setRenewer(Text renewer) {
  if (renewer == null) {
    this.renewer = new Text();
    return;
  }

  // The stored value is the short name after auth_to_local mapping, so distinct principals
  // that map to the same short name become indistinguishable as renewers.
  HadoopKerberosName parsedRenewer = new HadoopKerberosName(renewer.toString());
  try {
    this.renewer = new Text(parsedRenewer.getShortName());
  } catch (IOException e) {
    // Keep the cause so the failing mapping is visible to the caller.
    throw new RuntimeException(e);
  }
}
Example #7
Source File: TestYARNTokenIdentifier.java From big-c with Apache License 2.0 | 5 votes |
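/**
 * Checks that {@code TimelineDelegationTokenIdentifier#getRenewer()} returns the short name the
 * configured auth_to_local rule produces ("yarn"), not the principal given at construction.
 */
@Test
public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
  // Server side, when generating a timeline delegation token.
  Configuration conf = new YarnConfiguration();
  // Two-component principals are rewritten to "$1@$0" (primary@REALM); anything matching
  // [nr]m@.*EXAMPLE.COM is then replaced by "yarn".
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
      "RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
  // NOTE(review): the rules look to be installed statically here; confirm they do not leak
  // into other tests that expect the default mapping.
  HadoopKerberosName.setConfiguration(conf);

  Text owner = new Text("owner");
  // NOTE(review): the listed literal was an e-mail obfuscation placeholder with no '@', so the
  // rule could never match it. Rewritten as primary/host@REALM; the host is a constructed
  // sample value, the realm is the one the rule's filter expects.
  Text renewer = new Text("rm/localhost@EXAMPLE.COM");
  Text realUser = new Text("realUser");

  TimelineDelegationTokenIdentifier token =
      new TimelineDelegationTokenIdentifier(owner, renewer, realUser);
  Assert.assertEquals(new Text("yarn"), token.getRenewer());
}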
Example #8
Source File: TestSecureLogins.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Smoke test: deriving a short name must succeed for each ZooKeeper principal form below.
 * The returned names are discarded; a thrown exception is the only failure signal.
 */
@Test
public void testValidKerberosName() throws Throwable {
  final String[] acceptedForms = new String[] {
      ZOOKEEPER,
      ZOOKEEPER_LOCALHOST,
      ZOOKEEPER_REALM,
  };
  for (int i = 0; i < acceptedForms.length; i++) {
    new HadoopKerberosName(acceptedForms[i]).getShortName();
  }
  // standard rules don't pick this up
  // new HadoopKerberosName(ZOOKEEPER_LOCALHOST_REALM).getShortName();
}
Example #9
Source File: AbstractDelegationTokenIdentifier.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Records the renewer of this token as a Kerberos short name.
 *
 * @param renewer renewer principal; {@code null} results in an empty {@link Text}
 * @throws RuntimeException if the short name cannot be derived (the underlying
 *     {@link IOException} is kept as the cause)
 */
public void setRenewer(Text renewer) {
  if (renewer != null) {
    // Only the mapped short name is kept; the realm and host parts of the principal are
    // dropped, so the auth_to_local rules determine which principals count as this renewer.
    HadoopKerberosName principal = new HadoopKerberosName(renewer.toString());
    try {
      this.renewer = new Text(principal.getShortName());
    } catch (IOException mappingFailure) {
      throw new RuntimeException(mappingFailure);
    }
    return;
  }
  this.renewer = new Text();
}
Example #10
Source File: AccessChecker.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Returns the Kerberos short name for {@code name}, computing it on first use and caching it
 * in {@code shortName}.
 *
 * @return the cached or newly derived short name
 * @throws IllegalArgumentException if no short name can be derived from {@code name}; the
 *     underlying {@link IOException} is attached as the cause
 */
@Override
public String getShortName() {
  if (this.shortName != null) {
    return this.shortName;
  }

  // NOTE(review): the lazy initialisation is not synchronized; concurrent callers may each
  // derive the value. Confirm whether instances are shared between threads.
  try {
    this.shortName = new HadoopKerberosName(this.name).getShortName();
  } catch (IOException ioe) {
    throw new IllegalArgumentException(
        "Illegal principal name " + this.name + ": " + ioe.toString(), ioe);
  }
  return this.shortName;
}
Example #11
Source File: DrillSpnegoLoginService.java From Bats with Apache License 2.0 | 4 votes |
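/**
 * Authenticates a client from a base64-encoded SPNEGO/Kerberos token and builds its identity.
 *
 * <p>The token is accepted against the configured SPNEGO service principal. On success the
 * client principal is mapped to its Kerberos short name, the admin check is run on that short
 * name, and a {@code UserIdentity} with admin or non-admin roles is returned.
 *
 * <p>Every failure path returns {@code null}: credentials that are not a string, a context
 * that cannot be created or is not established by the single client token, a
 * {@link GSSException}, or an {@link IOException} while deriving the short name.
 *
 * @param credentials the base64-encoded token taken from the request
 * @return the authenticated identity, or {@code null} if authentication did not succeed
 */
private UserIdentity spnegoLogin(Object credentials) {
  // Fail closed on a missing or non-string credential rather than throwing from the cast.
  if (!(credentials instanceof String)) {
    logger.debug("SPNEGOUserRealm: credentials are not an encoded token string");
    return null;
  }
  final byte[] authToken = B64Code.decode((String) credentials);
  final GSSManager manager = GSSManager.getInstance();

  GSSCredential serverCreds = null;
  GSSContext gContext = null;
  try {
    // Providing both OID's is required here. If we provide only one,
    // we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
    final Oid[] knownOids = new Oid[2];
    knownOids[0] = new Oid("1.3.6.1.5.5.2"); // spnego
    knownOids[1] = new Oid("1.2.840.113554.1.2.2"); // kerberos

    final GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
    serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME,
        knownOids, GSSCredential.ACCEPT_ONLY);
    gContext = manager.createContext(serverCreds);

    if (gContext == null) {
      logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
      return null;
    }

    // This call carries exactly one client token. The previous loop fed acceptSecContext's
    // own output back in as the next input and dereferenced it even when it was null, so an
    // exchange needing a further leg ended in a GSSException or a NullPointerException.
    // Accept once and reject if the context is still incomplete.
    gContext.acceptSecContext(authToken, 0, authToken.length);
    if (!gContext.isEstablished()) {
      logger.debug("SPNEGOUserRealm: GSSContext not established by the client token");
      return null;
    }

    final String clientName = gContext.getSrcName().toString();
    // Realm is everything after '@'; it is used for the log line only.
    final String realm = clientName.substring(clientName.indexOf('@') + 1);

    // Get the client user short name
    final String userShortName = new HadoopKerberosName(clientName).getShortName();
    logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm,
        userShortName);

    // NOTE(review): the admin decision is made on the mapped short name alone; the realm is
    // not part of the check. Confirm the auth_to_local rules cannot map a principal from
    // another trusted realm onto an admin's short name.
    final SystemOptionManager sysOptions = drillContext.getOptionManager();
    final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName,
        ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions),
        ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));

    final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
    final Subject subject = new Subject();
    subject.getPrincipals().add(user);

    return this._identityService.newUserIdentity(subject, user,
        isAdmin ? DrillUserPrincipal.ADMIN_USER_ROLES : DrillUserPrincipal.NON_ADMIN_USER_ROLES);
  } catch (GSSException gsse) {
    logger.warn("Caught GSSException trying to authenticate the client", gsse);
  } catch (IOException ex) {
    logger.warn("Caught IOException trying to get shortName of client user", ex);
  } finally {
    // Release the per-request GSS state; the returned identity does not reference it.
    if (gContext != null) {
      try {
        gContext.dispose();
      } catch (GSSException disposeFailure) {
        logger.debug("SPNEGOUserRealm: failed to dispose GSSContext", disposeFailure);
      }
    }
    if (serverCreds != null) {
      try {
        serverCreds.dispose();
      } catch (GSSException disposeFailure) {
        logger.debug("SPNEGOUserRealm: failed to dispose GSSCredential", disposeFailure);
      }
    }
  }
  return null;
}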