org.apache.hadoop.security.SaslRpcServer.AuthMethod Java Examples

private RpcSaslProto buildNegotiateResponse(List<AuthMethod> authMethods)
    throws IOException {
  RpcSaslProto.Builder negotiateBuilder = RpcSaslProto.newBuilder();
  if (authMethods.contains(AuthMethod.SIMPLE) && authMethods.size() == 1) {
    // SIMPLE-only servers return success in response to negotiate
    negotiateBuilder.setState(SaslState.SUCCESS);
  } else {
    negotiateBuilder.setState(SaslState.NEGOTIATE);
    for (AuthMethod authMethod : authMethods) {
      SaslRpcServer saslRpcServer = new SaslRpcServer(authMethod);      
      SaslAuth.Builder builder = negotiateBuilder.addAuthsBuilder()
          .setMethod(authMethod.toString())
          .setMechanism(saslRpcServer.mechanism);
      if (saslRpcServer.protocol != null) {
        builder.setProtocol(saslRpcServer.protocol);
      }
      if (saslRpcServer.serverId != null) {
        builder.setServerId(saslRpcServer.serverId);
      }
    }
  }
  return negotiateBuilder.build();
}
 

private RpcSaslProto buildNegotiateResponse(List<AuthMethod> authMethods)
    throws IOException {
  RpcSaslProto.Builder negotiateBuilder = RpcSaslProto.newBuilder();
  if (authMethods.contains(AuthMethod.SIMPLE) && authMethods.size() == 1) {
    // SIMPLE-only servers return success in response to negotiate
    negotiateBuilder.setState(SaslState.SUCCESS);
  } else {
    negotiateBuilder.setState(SaslState.NEGOTIATE);
    for (AuthMethod authMethod : authMethods) {
      SaslRpcServer saslRpcServer = new SaslRpcServer(authMethod);      
      SaslAuth.Builder builder = negotiateBuilder.addAuthsBuilder()
          .setMethod(authMethod.toString())
          .setMechanism(saslRpcServer.mechanism);
      if (saslRpcServer.protocol != null) {
        builder.setProtocol(saslRpcServer.protocol);
      }
      if (saslRpcServer.serverId != null) {
        builder.setServerId(saslRpcServer.serverId);
      }
    }
  }
  return negotiateBuilder.build();
}
 

/**
 * Authorize proxy users to access this server
 * @throws WrappedRpcServerException - user is not allowed to proxy
 */
private void authorizeConnection() throws WrappedRpcServerException {
  try {
    // If auth method is TOKEN, the token was obtained by the
    // real user for the effective user, therefore not required to
    // authorize real user. doAs is allowed only for simple or kerberos
    // authentication
    if (user != null && user.getRealUser() != null
        && (authMethod != AuthMethod.TOKEN)) {
      ProxyUsers.authorize(user, this.getHostAddress());
    }
    authorize(user, protocolName, getHostInetAddress());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Successfully authorized " + connectionContext);
    }
    rpcMetrics.incrAuthorizationSuccesses();
  } catch (AuthorizationException ae) {
    LOG.info("Connection from " + this
        + " for protocol " + connectionContext.getProtocol()
        + " is unauthorized for user " + user);
    rpcMetrics.incrAuthorizationFailures();
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_UNAUTHORIZED, ae);
  }
}
 

private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
                                           Configuration conf) {
  AuthenticationMethod confAuthenticationMethod =
      SecurityUtil.getAuthenticationMethod(conf);        
  List<AuthMethod> authMethods = new ArrayList<AuthMethod>();
  if (confAuthenticationMethod == AuthenticationMethod.TOKEN) {
    if (secretManager == null) {
      throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
          " authentication requires a secret manager");
    } 
  } else if (secretManager != null) {
    LOG.debug(AuthenticationMethod.TOKEN +
        " authentication enabled for secret manager");
    // most preferred, go to the front of the line!
    authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod());
  }
  authMethods.add(confAuthenticationMethod.getAuthMethod());        
  
  LOG.debug("Server accepts auth methods:" + authMethods);
  return authMethods;
}
 

private RpcSaslProto buildSaslNegotiateResponse()
    throws IOException, InterruptedException {
  RpcSaslProto negotiateMessage = negotiateResponse;
  // accelerate token negotiation by sending initial challenge
  // in the negotiation response
  if (enabledAuthMethods.contains(AuthMethod.TOKEN)) {
    saslServer = createSaslServer(AuthMethod.TOKEN);
    byte[] challenge = saslServer.evaluateResponse(new byte[0]);
    RpcSaslProto.Builder negotiateBuilder =
        RpcSaslProto.newBuilder(negotiateResponse);
    negotiateBuilder.getAuthsBuilder(0)  // TOKEN is always first
        .setChallenge(ByteString.copyFrom(challenge));
    negotiateMessage = negotiateBuilder.build();
  }
  sentNegotiate = true;
  return negotiateMessage;
}
 

private UserGroupInformation getAuthorizedUgi(String authorizedId)
    throws InvalidToken, AccessControlException {
  if (authMethod == AuthMethod.TOKEN) {
    TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId,
        secretManager);
    UserGroupInformation ugi = tokenId.getUser();
    if (ugi == null) {
      throw new AccessControlException(
          "Can't retrieve username from tokenIdentifier.");
    }
    ugi.addTokenIdentifier(tokenId);
    return ugi;
  } else {
    return UserGroupInformation.createRemoteUser(authorizedId, authMethod);
  }
}
 

private UserGroupInformation getAuthorizedUgi(String authorizedId)
    throws InvalidToken, AccessControlException {
  if (authMethod == AuthMethod.TOKEN) {
    TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId,
        secretManager);
    UserGroupInformation ugi = tokenId.getUser();
    if (ugi == null) {
      throw new AccessControlException(
          "Can't retrieve username from tokenIdentifier.");
    }
    ugi.addTokenIdentifier(tokenId);
    return ugi;
  } else {
    return UserGroupInformation.createRemoteUser(authorizedId, authMethod);
  }
}
 

private RpcSaslProto buildSaslNegotiateResponse()
    throws IOException, InterruptedException {
  RpcSaslProto negotiateMessage = negotiateResponse;
  // accelerate token negotiation by sending initial challenge
  // in the negotiation response
  if (enabledAuthMethods.contains(AuthMethod.TOKEN)) {
    saslServer = createSaslServer(AuthMethod.TOKEN);
    byte[] challenge = saslServer.evaluateResponse(new byte[0]);
    RpcSaslProto.Builder negotiateBuilder =
        RpcSaslProto.newBuilder(negotiateResponse);
    negotiateBuilder.getAuthsBuilder(0)  // TOKEN is always first
        .setChallenge(ByteString.copyFrom(challenge));
    negotiateMessage = negotiateBuilder.build();
  }
  sentNegotiate = true;
  return negotiateMessage;
}
 

/**
 * Authorize proxy users to access this server
 * @throws WrappedRpcServerException - user is not allowed to proxy
 */
private void authorizeConnection() throws WrappedRpcServerException {
  try {
    // If auth method is TOKEN, the token was obtained by the
    // real user for the effective user, therefore not required to
    // authorize real user. doAs is allowed only for simple or kerberos
    // authentication
    if (user != null && user.getRealUser() != null
        && (authMethod != AuthMethod.TOKEN)) {
      ProxyUsers.authorize(user, this.getHostAddress());
    }
    authorize(user, protocolName, getHostInetAddress());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Successfully authorized " + connectionContext);
    }
    rpcMetrics.incrAuthorizationSuccesses();
  } catch (AuthorizationException ae) {
    LOG.info("Connection from " + this
        + " for protocol " + connectionContext.getProtocol()
        + " is unauthorized for user " + user);
    rpcMetrics.incrAuthorizationFailures();
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_UNAUTHORIZED, ae);
  }
}
 

private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
                                           Configuration conf) {
  AuthenticationMethod confAuthenticationMethod =
      SecurityUtil.getAuthenticationMethod(conf);        
  List<AuthMethod> authMethods = new ArrayList<AuthMethod>();
  if (confAuthenticationMethod == AuthenticationMethod.TOKEN) {
    if (secretManager == null) {
      throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
          " authentication requires a secret manager");
    } 
  } else if (secretManager != null) {
    LOG.debug(AuthenticationMethod.TOKEN +
        " authentication enabled for secret manager");
    // most preferred, go to the front of the line!
    authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod());
  }
  authMethods.add(confAuthenticationMethod.getAuthMethod());        
  
  LOG.debug("Server accepts auth methods:" + authMethods);
  return authMethods;
}
 

private void writeConnectionContext(ConnectionId remoteId,
                                    AuthMethod authMethod)
                                        throws IOException {
  // Write out the ConnectionHeader
  IpcConnectionContextProto message = ProtoUtil.makeIpcConnectionContext(
      RPC.getProtocolName(remoteId.getProtocol()),
      remoteId.getTicket(),
      authMethod);
  RpcRequestHeaderProto connectionContextHeader = ProtoUtil
      .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER,
          OperationProto.RPC_FINAL_PACKET, CONNECTION_CONTEXT_CALL_ID,
          RpcConstants.INVALID_RETRY_COUNT, clientId);
  RpcRequestMessageWrapper request =
      new RpcRequestMessageWrapper(connectionContextHeader, message);
  
  // Write out the packet length
  out.writeInt(request.getLength());
  request.write(out);
}
 

private void writeConnectionContext(ConnectionId remoteId,
                                    AuthMethod authMethod)
                                        throws IOException {
  // Write out the ConnectionHeader
  IpcConnectionContextProto message = ProtoUtil.makeIpcConnectionContext(
      RPC.getProtocolName(remoteId.getProtocol()),
      remoteId.getTicket(),
      authMethod);
  RpcRequestHeaderProto connectionContextHeader = ProtoUtil
      .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER,
          OperationProto.RPC_FINAL_PACKET, CONNECTION_CONTEXT_CALL_ID,
          RpcConstants.INVALID_RETRY_COUNT, clientId);
  RpcRequestMessageWrapper request =
      new RpcRequestMessageWrapper(connectionContextHeader, message);
  
  // Write out the packet length
  out.writeInt(request.getLength());
  request.write(out);
}
 

private void runNegotiation(CallbackHandler clientCbh,
                            CallbackHandler serverCbh)
                                throws SaslException {
  String mechanism = AuthMethod.PLAIN.getMechanismName();

  SaslClient saslClient = Sasl.createSaslClient(
      new String[]{ mechanism }, null, null, null, null, clientCbh);
  assertNotNull(saslClient);

  SaslServer saslServer = Sasl.createSaslServer(
      mechanism, null, "localhost", null, serverCbh);
  assertNotNull("failed to find PLAIN server", saslServer);
  
  byte[] response = saslClient.evaluateChallenge(new byte[0]);
  assertNotNull(response);
  assertTrue(saslClient.isComplete());

  response = saslServer.evaluateResponse(response);
  assertNull(response);
  assertTrue(saslServer.isComplete());
  assertNotNull(saslServer.getAuthorizationID());
}
 

private void runNegotiation(CallbackHandler clientCbh,
                            CallbackHandler serverCbh)
                                throws SaslException {
  String mechanism = AuthMethod.PLAIN.getMechanismName();

  SaslClient saslClient = Sasl.createSaslClient(
      new String[]{ mechanism }, null, null, null, null, clientCbh);
  assertNotNull(saslClient);

  SaslServer saslServer = Sasl.createSaslServer(
      mechanism, null, "localhost", null, serverCbh);
  assertNotNull("failed to find PLAIN server", saslServer);
  
  byte[] response = saslClient.evaluateChallenge(new byte[0]);
  assertNotNull(response);
  assertTrue(saslClient.isComplete());

  response = saslServer.evaluateResponse(response);
  assertNull(response);
  assertTrue(saslServer.isComplete());
  assertNotNull(saslServer.getAuthorizationID());
}
 

/** 
 * This method creates the connection context  using exactly the same logic
 * as the old connection context as was done for writable where
 * the effective and real users are set based on the auth method.
 *
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder result = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    result.setProtocol(protocol);
  }
  UserInformationProto.Builder ugiProto =  UserInformationProto.newBuilder();
  if (ugi != null) {
    /*
     * In the connection context we send only additional user info that
     * is not derived from the authentication done during connection setup.
     */
    if (authMethod == AuthMethod.KERBEROS) {
      // Real user was established as part of the connection.
      // Send effective user only.
      ugiProto.setEffectiveUser(ugi.getUserName());
    } else if (authMethod == AuthMethod.TOKEN) {
      // With token, the connection itself establishes 
      // both real and effective user. Hence send none in header.
    } else {  // Simple authentication
      // No user info is established as part of the connection.
      // Send both effective user and real user
      ugiProto.setEffectiveUser(ugi.getUserName());
      if (ugi.getRealUser() != null) {
        ugiProto.setRealUser(ugi.getRealUser().getUserName());
      }
    }
  }   
  result.setUserInfo(ugiProto);
  return result.build();
}
 

@Test (timeout = 60000)
public void testAppSubmissionWithOldDelegationTokenAfterRMRestart()
    throws Exception {
  conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, 2);
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
      "kerberos");
  conf.set(YarnConfiguration.RM_ADDRESS, "localhost:8032");
  UserGroupInformation.setConfiguration(conf);
  MemoryRMStateStore memStore = new MemoryRMStateStore();
  memStore.init(conf);

  MockRM rm1 = new TestSecurityMockRM(conf, memStore);
  rm1.start();

  GetDelegationTokenRequest request1 =
      GetDelegationTokenRequest.newInstance("renewer1");
  UserGroupInformation.getCurrentUser().setAuthenticationMethod(
      AuthMethod.KERBEROS);
  GetDelegationTokenResponse response1 =
      rm1.getClientRMService().getDelegationToken(request1);
  Token<RMDelegationTokenIdentifier> token1 =
      ConverterUtils.convertFromYarn(response1.getRMDelegationToken(), rmAddr);

  // start new RM
  MockRM rm2 = new TestSecurityMockRM(conf, memStore);
  rm2.start();

  // submit an app with the old delegation token got from previous RM.
  Credentials ts = new Credentials();
  ts.addToken(token1.getService(), token1);
  RMApp app = rm2.submitApp(200, "name", "user",
      new HashMap<ApplicationAccessType, String>(), false, "default", 1, ts);
  rm2.waitForState(app.getApplicationId(), RMAppState.ACCEPTED);
}
 

private String getAuthMethod(
    final AuthMethod clientAuth,
    final AuthMethod serverAuth,
    final UseToken tokenType) throws Exception {
  try {
    return internalGetAuthMethod(clientAuth, serverAuth, tokenType);
  } catch (Exception e) {
    LOG.warn("Auth method failure", e);
    return e.toString();
  }
}
 

public TestApplicationHistoryManagerOnTimelineStore(String caller) {
  conf = new YarnConfiguration();
  if (!caller.equals("")) {
    callerUGI = UserGroupInformation.createRemoteUser(caller, AuthMethod.SIMPLE);
    conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
    conf.set(YarnConfiguration.YARN_ADMIN_ACL, "admin");
  }
}
 

private String getAuthMethod(
    final AuthMethod clientAuth,
    final AuthMethod serverAuth) throws Exception {
  try {
    return internalGetAuthMethod(clientAuth, serverAuth, UseToken.NONE);
  } catch (Exception e) {
    LOG.warn("Auth method failure", e);
    return e.toString();
  }
}
 

private boolean isValidAuthType(SaslAuth authType) {
  AuthMethod authMethod;
  try {
    authMethod = AuthMethod.valueOf(authType.getMethod());
  } catch (IllegalArgumentException iae) { // unknown auth
    authMethod = null;
  }
  // do we know what it is?  is it using our mechanism?
  return authMethod != null &&
         authMethod.getMechanismName().equals(authType.getMechanism());
}
 

/** 
 * This method creates the connection context  using exactly the same logic
 * as the old connection context as was done for writable where
 * the effective and real users are set based on the auth method.
 *
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder result = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    result.setProtocol(protocol);
  }
  UserInformationProto.Builder ugiProto =  UserInformationProto.newBuilder();
  if (ugi != null) {
    /*
     * In the connection context we send only additional user info that
     * is not derived from the authentication done during connection setup.
     */
    if (authMethod == AuthMethod.KERBEROS) {
      // Real user was established as part of the connection.
      // Send effective user only.
      ugiProto.setEffectiveUser(ugi.getUserName());
    } else if (authMethod == AuthMethod.TOKEN) {
      // With token, the connection itself establishes 
      // both real and effective user. Hence send none in header.
    } else {  // Simple authentication
      // No user info is established as part of the connection.
      // Send both effective user and real user
      ugiProto.setEffectiveUser(ugi.getUserName());
      if (ugi.getRealUser() != null) {
        ugiProto.setRealUser(ugi.getRealUser().getUserName());
      }
    }
  }   
  result.setUserInfo(ugiProto);
  return result.build();
}
 

/**
 * Create a user from a login name. It is intended to be used for remote
 * users in RPC, since it won't have any credentials.
 * @param user the full user principal name, must not be empty or null
 * @return the UserGroupInformation for the remote user.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation createRemoteUser(String user, AuthMethod authMethod) {
  if (user == null || user.isEmpty()) {
    throw new IllegalArgumentException("Null user");
  }
  Subject subject = new Subject();
  subject.getPrincipals().add(new User(user));
  UserGroupInformation result = new UserGroupInformation(subject);
  result.setAuthenticationMethod(authMethod);
  return result;
}
 

public static AuthenticationMethod valueOf(AuthMethod authMethod) {
  for (AuthenticationMethod value : values()) {
    if (value.getAuthMethod() == authMethod) {
      return value;
    }
  }
  throw new IllegalArgumentException(
      "no authentication method for " + authMethod);
}
 

@Test (timeout = 60000)
public void testAppSubmissionWithOldDelegationTokenAfterRMRestart()
    throws Exception {
  conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, 2);
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
      "kerberos");
  conf.set(YarnConfiguration.RM_ADDRESS, "localhost:8032");
  UserGroupInformation.setConfiguration(conf);
  MemoryRMStateStore memStore = new MemoryRMStateStore();
  memStore.init(conf);

  MockRM rm1 = new TestSecurityMockRM(conf, memStore);
  rm1.start();

  GetDelegationTokenRequest request1 =
      GetDelegationTokenRequest.newInstance("renewer1");
  UserGroupInformation.getCurrentUser().setAuthenticationMethod(
      AuthMethod.KERBEROS);
  GetDelegationTokenResponse response1 =
      rm1.getClientRMService().getDelegationToken(request1);
  Token<RMDelegationTokenIdentifier> token1 =
      ConverterUtils.convertFromYarn(response1.getRMDelegationToken(), rmAddr);

  // start new RM
  MockRM rm2 = new TestSecurityMockRM(conf, memStore);
  rm2.start();

  // submit an app with the old delegation token got from previous RM.
  Credentials ts = new Credentials();
  ts.addToken(token1.getService(), token1);
  RMApp app = rm2.submitApp(200, "name", "user",
      new HashMap<ApplicationAccessType, String>(), false, "default", 1, ts);
  rm2.waitForState(app.getApplicationId(), RMAppState.ACCEPTED);
}
 

private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod == AuthMethod.KERBEROS && loginUser != null &&
  // Make sure user logged in using Kerberos either keytab or TGT
      loginUser.hasKerberosCredentials() &&
      // relogin only in case it is the login user (e.g. JT)
      // or superuser (like oozie).
      (loginUser.equals(currentUser) || loginUser.equals(realUser))) {
    return true;
  }
  return false;
}
 

private synchronized AuthMethod setupSaslConnection(final InputStream in2, 
    final OutputStream out2) throws IOException {
  // Do not use Client.conf here! We must use ConnectionId.conf, since the
  // Client object is cached and shared between all RPC clients, even those
  // for separate services.
  saslRpcClient = new SaslRpcClient(remoteId.getTicket(),
      remoteId.getProtocol(), remoteId.getAddress(), remoteId.conf);
  return saslRpcClient.saslConnect(in2, out2);
}
 

@Test (timeout = 30000)
public void testCreateRemoteUser() {
  UserGroupInformation ugi = UserGroupInformation.createRemoteUser("user1");
  assertEquals(AuthenticationMethod.SIMPLE, ugi.getAuthenticationMethod());
  assertTrue (ugi.toString().contains("(auth:SIMPLE)"));
  ugi = UserGroupInformation.createRemoteUser("user1", 
      AuthMethod.KERBEROS);
  assertEquals(AuthenticationMethod.KERBEROS, ugi.getAuthenticationMethod());
  assertTrue (ugi.toString().contains("(auth:KERBEROS)"));
}
 

private void doDigestRpc(Server server, TestTokenSecretManager sm
                         ) throws Exception {
  server.start();

  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final InetSocketAddress addr = NetUtils.getConnectAddress(server);
  TestTokenIdentifier tokenId = new TestTokenIdentifier(new Text(current
      .getUserName()));
  Token<TestTokenIdentifier> token = new Token<TestTokenIdentifier>(tokenId,
      sm);
  SecurityUtil.setTokenService(token, addr);
  current.addToken(token);

  TestSaslProtocol proxy = null;
  try {
    proxy = RPC.getProxy(TestSaslProtocol.class,
        TestSaslProtocol.versionID, addr, conf);
    AuthMethod authMethod = proxy.getAuthMethod();
    assertEquals(TOKEN, authMethod);
    //QOP must be auth
    assertEquals(expectedQop.saslQop,
                 RPC.getConnectionIdForProxy(proxy).getSaslQop());            
    proxy.ping();
  } finally {
    server.stop();
    if (proxy != null) {
      RPC.stopProxy(proxy);
    }
  }
}
 

private String getAuthMethod(
    final AuthMethod clientAuth,
    final AuthMethod serverAuth) throws Exception {
  try {
    return internalGetAuthMethod(clientAuth, serverAuth, UseToken.NONE);
  } catch (Exception e) {
    LOG.warn("Auth method failure", e);
    return e.toString();
  }
}
 

private String getAuthMethod(
    final AuthMethod clientAuth,
    final AuthMethod serverAuth,
    final UseToken tokenType) throws Exception {
  try {
    return internalGetAuthMethod(clientAuth, serverAuth, tokenType);
  } catch (Exception e) {
    LOG.warn("Auth method failure", e);
    return e.toString();
  }
}