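/**
 * Handles the SASL {@link AuthorizeCallback} for an authenticated client.
 *
 * Logs the authenticated identity and the authorization id the client asked
 * for, then derives the authorized id from the authenticated Kerberos
 * principal: its short name (per the configured auth_to_local rules) with the
 * host and realm components appended unless the system properties
 * zookeeper.kerberos.removeHostFromPrincipal / zookeeper.kerberos.removeRealmFromPrincipal
 * are set to true.
 *
 * The client is marked authorized only once that name has been derived. If no
 * rule maps the principal the callback is marked not authorized: the JDK
 * contract of {@link AuthorizeCallback} is that an authorized callback without
 * an explicit authorized id reports the client-supplied authorization id, which
 * is never compared with the authenticated identity here.
 *
 * @param ac the callback supplied by the SASL server
 */
private void handleAuthorizeCallback(AuthorizeCallback ac) {
    String authenticationID = ac.getAuthenticationID();
    String authorizationID = ac.getAuthorizationID();
    LOG.info("Successfully authenticated client: authenticationID=" + authenticationID
        + ";  authorizationID=" + authorizationID + ".");
    // canonicalize authorization id according to system properties:
    // zookeeper.kerberos.removeRealmFromPrincipal(={true,false})
    // zookeeper.kerberos.removeHostFromPrincipal(={true,false})
    KerberosName kerberosName = new KerberosName(authenticationID);
    try {
        StringBuilder userNameBuilder = new StringBuilder(kerberosName.getShortName());
        if (shouldAppendHost(kerberosName)) {
            userNameBuilder.append("/").append(kerberosName.getHostName());
        }
        if (shouldAppendRealm(kerberosName)) {
            userNameBuilder.append("@").append(kerberosName.getRealm());
        }
        LOG.info("Setting authorizedID: " + userNameBuilder);
        ac.setAuthorizedID(userNameBuilder.toString());
        // Authorize only after the authorized id has been pinned to the
        // authenticated principal.
        ac.setAuthorized(true);
    } catch (IOException e) {
        // Fail closed: with no mapped name the callback would otherwise fall
        // back to whatever authorization id the client requested.
        ac.setAuthorized(false);
        LOG.error("Failed to set name based on Kerberos authentication rules.", e);
    }
}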
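/**
 * (Re)loads the static name-translation rules from the
 * {@code zookeeper.security.auth_to_local} system property. When the property
 * is unset the {@code DEFAULT} rule string is parsed instead.
 *
 * @throws IOException propagated from rule parsing when the rule string is
 *         not accepted
 */
public static void setConfiguration() throws IOException {
    String ruleString = System.getProperty("zookeeper.security.auth_to_local", "DEFAULT");
    rules = parseRules(ruleString);
}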
/**
 * Command-line entry point: prints each argument together with its short-name
 * translation under the configured rules.
 *
 * @param args principal names to translate
 * @throws Exception if an argument is not a well-formed principal or no rule
 *         matches it
 */
public static void main(String[] args) throws Exception {
    for (int i = 0; i < args.length; i++) {
        KerberosName parsed = new KerberosName(args[i]);
        String shortName = parsed.getShortName();
        System.out.println("Name: " + parsed + " to " + shortName);
    }
}
}
final KerberosName clientKerberosName = new KerberosName( clientPrincipal.getName()); clientKerberosName.getRealm()); KerberosName serviceKerberosName = new KerberosName( servicePrincipal + "@" + serverRealm); final String serviceName = serviceKerberosName.getServiceName(); final String serviceHostname = serviceKerberosName.getHostName(); final String clientPrincipalName = clientKerberosName.toString(); try { saslClient = Subject.doAs(subject,
KerberosName serviceKerberosName = new KerberosName(principal); String serviceName = serviceKerberosName.getServiceName(); String hostName = serviceKerberosName.getHostName(); Map<String, String> props = new TreeMap<String, String>(); props.put(Sasl.QOP, "auth");
/**
 * Returns the name of the first principal found in the login's subject.
 *
 * Whichever principal the subject's set yields first is used; the set's
 * iteration order decides when several principals are present.
 *
 * @param login the login whose subject is inspected
 * @return the principal name as rendered by {@link KerberosName#toString()},
 *         or null when the login has no subject or no principals
 */
private String getClientPrincipalName(final Login login) {
    if (login.getSubject() != null) {
        final Set<Principal> principals = login.getSubject().getPrincipals();
        if (principals != null && !principals.isEmpty()) {
            // Only the first element is ever consumed.
            for (final Principal candidate : principals) {
                return new KerberosName(candidate.getName()).toString();
            }
        }
    }
    return null;
}
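/**
 * Reports whether {@code id} is a syntactically valid Kerberos principal name.
 *
 * Since this authenticator is usually paired with Kerberos, validity is
 * defined by the {@link KerberosName} constructor: it throws
 * {@link IllegalArgumentException} for a malformed name.
 *
 * @param id the candidate identifier, may be null
 * @return true if the name parses, false if it is null or malformed
 */
public boolean isValid(String id) {
    // A null id can never name a principal; reject it up front instead of
    // handing it to the parser.
    if (id == null) {
        return false;
    }
    try {
        new KerberosName(id);
    } catch (IllegalArgumentException e) {
        return false;
    }
    return true;
}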
/**
 * Decides whether the host component is kept in the canonical authorized id:
 * it is kept when the name carries a host and the remove-host system property
 * is not set to true.
 *
 * @param kerberosName the parsed authenticated principal
 * @return true if the host should be appended
 */
private boolean shouldAppendHost(KerberosName kerberosName) {
    if (kerberosName.getHostName() == null) {
        return false;
    }
    return !isSystemPropertyTrue(SYSPROP_REMOVE_HOST);
}
/**
 * Translates this principal into an operating system user name by applying the
 * configured rules in order and returning the first non-null result.
 *
 * A name with neither host nor realm is already simple and is returned as is.
 * Otherwise the rules see [realm, serviceName] or, when a host is present,
 * [realm, serviceName, hostName].
 *
 * @return the short name
 * @throws IOException a {@code NoMatchingRule} when no rule accepts the name
 */
public String getShortName() throws IOException {
    if (hostName == null && realm == null) {
        return serviceName;
    }
    final String[] params = hostName == null
        ? new String[]{realm, serviceName}
        : new String[]{realm, serviceName, hostName};
    for (Rule rule : rules) {
        final String mapped = rule.apply(params);
        if (mapped != null) {
            return mapped;
        }
    }
    throw new NoMatchingRule("No rules applied to " + toString());
}
/**
 * Decides whether the realm component is kept in the canonical authorized id:
 * it is kept when the name carries a realm and the remove-realm system
 * property is not set to true.
 *
 * @param kerberosName the parsed authenticated principal
 * @return true if the realm should be appended
 */
private boolean shouldAppendRealm(KerberosName kerberosName) {
    if (kerberosName.getRealm() == null) {
        return false;
    }
    return !isSystemPropertyTrue(SYSPROP_REMOVE_REALM);
}
final KerberosName clientKerberosName = new KerberosName( clientPrincipal.getName()); clientKerberosName.getRealm()); KerberosName serviceKerberosName = new KerberosName( servicePrincipal + "@" + serverRealm); final String serviceName = serviceKerberosName.getServiceName(); final String serviceHostname = serviceKerberosName.getHostName(); final String clientPrincipalName = clientKerberosName.toString(); try { saslClient = Subject.doAs(subject,
final KerberosName service_kerberos_name = new KerberosName(server_principal); final String service_name = service_kerberos_name.getServiceName(); final String service_hostname = service_kerberos_name.getHostName();
/**
 * Command-line entry point: prints each argument together with its short-name
 * translation under the configured rules.
 *
 * @param args principal names to translate
 * @throws Exception if an argument is not a well-formed principal or no rule
 *         matches it
 */
public static void main(String[] args) throws Exception {
    for (int i = 0; i < args.length; i++) {
        KerberosName parsed = new KerberosName(args[i]);
        String shortName = parsed.getShortName();
        System.out.println("Name: " + parsed + " to " + shortName);
    }
}
}
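/**
 * Reports whether {@code id} is a syntactically valid Kerberos principal name.
 *
 * Since this authenticator is usually paired with Kerberos, validity is
 * defined by the {@link KerberosName} constructor: it throws
 * {@link IllegalArgumentException} for a malformed name.
 *
 * @param id the candidate identifier, may be null
 * @return true if the name parses, false if it is null or malformed
 */
public boolean isValid(String id) {
    // A null id can never name a principal; reject it up front instead of
    // handing it to the parser.
    if (id == null) {
        return false;
    }
    try {
        new KerberosName(id);
    } catch (IllegalArgumentException e) {
        return false;
    }
    return true;
}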
/**
 * Decides whether the host component is kept in the canonical authorized id:
 * it is kept when the name carries a host and the remove-host system property
 * is not set to true.
 *
 * @param kerberosName the parsed authenticated principal
 * @return true if the host should be appended
 */
private boolean shouldAppendHost(KerberosName kerberosName) {
    if (kerberosName.getHostName() == null) {
        return false;
    }
    return !isSystemPropertyTrue(SYSPROP_REMOVE_HOST);
}
/**
 * Translates this principal into an operating system user name by applying the
 * configured rules in order and returning the first non-null result.
 *
 * A name with neither host nor realm is already simple and is returned as is.
 * Otherwise the rules see [realm, serviceName] or, when a host is present,
 * [realm, serviceName, hostName].
 *
 * @return the short name
 * @throws IOException a {@code NoMatchingRule} when no rule accepts the name
 */
public String getShortName() throws IOException {
    if (hostName == null && realm == null) {
        return serviceName;
    }
    final String[] params = hostName == null
        ? new String[]{realm, serviceName}
        : new String[]{realm, serviceName, hostName};
    for (Rule rule : rules) {
        final String mapped = rule.apply(params);
        if (mapped != null) {
            return mapped;
        }
    }
    throw new NoMatchingRule("No rules applied to " + toString());
}
/**
 * Decides whether the realm component is kept in the canonical authorized id:
 * it is kept when the name carries a realm and the remove-realm system
 * property is not set to true.
 *
 * @param kerberosName the parsed authenticated principal
 * @return true if the realm should be appended
 */
private boolean shouldAppendRealm(KerberosName kerberosName) {
    if (kerberosName.getRealm() == null) {
        return false;
    }
    return !isSystemPropertyTrue(SYSPROP_REMOVE_REALM);
}
final KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName()); KerberosName serviceKerberosName = new KerberosName(serverPrincipal + "@" + clientKerberosName.getRealm()); final String serviceName = serviceKerberosName.getServiceName(); final String serviceHostname = serviceKerberosName.getHostName(); final String clientPrincipalName = clientKerberosName.toString(); LOG.log(Level.FINEST, "Using JAAS/SASL/GSSAPI auth to connect to server Principal " + serverPrincipal); saslClient = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SaslClient>() {
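/**
 * Handles the SASL {@link AuthorizeCallback} for an authenticated client.
 *
 * Logs the authenticated identity and the authorization id the client asked
 * for, then derives the authorized id from the authenticated Kerberos
 * principal: its short name (per the configured auth_to_local rules) with the
 * host and realm components appended unless the system properties
 * zookeeper.kerberos.removeHostFromPrincipal / zookeeper.kerberos.removeRealmFromPrincipal
 * are set to true.
 *
 * The client is marked authorized only once that name has been derived. If no
 * rule maps the principal the callback is marked not authorized: the JDK
 * contract of {@link AuthorizeCallback} is that an authorized callback without
 * an explicit authorized id reports the client-supplied authorization id, which
 * is never compared with the authenticated identity here.
 *
 * @param ac the callback supplied by the SASL server
 */
private void handleAuthorizeCallback(AuthorizeCallback ac) {
    String authenticationID = ac.getAuthenticationID();
    String authorizationID = ac.getAuthorizationID();
    LOG.info("Successfully authenticated client: authenticationID=" + authenticationID
        + ";  authorizationID=" + authorizationID + ".");
    // canonicalize authorization id according to system properties:
    // zookeeper.kerberos.removeRealmFromPrincipal(={true,false})
    // zookeeper.kerberos.removeHostFromPrincipal(={true,false})
    KerberosName kerberosName = new KerberosName(authenticationID);
    try {
        StringBuilder userNameBuilder = new StringBuilder(kerberosName.getShortName());
        if (shouldAppendHost(kerberosName)) {
            userNameBuilder.append("/").append(kerberosName.getHostName());
        }
        if (shouldAppendRealm(kerberosName)) {
            userNameBuilder.append("@").append(kerberosName.getRealm());
        }
        LOG.info("Setting authorizedID: " + userNameBuilder);
        ac.setAuthorizedID(userNameBuilder.toString());
        // Authorize only after the authorized id has been pinned to the
        // authenticated principal.
        ac.setAuthorized(true);
    } catch (IOException e) {
        // Fail closed: with no mapped name the callback would otherwise fall
        // back to whatever authorization id the client requested.
        ac.setAuthorized(false);
        LOG.error("Failed to set name based on Kerberos authentication rules.", e);
    }
}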
/**
 * Resolves the Kerberos short name this process runs as, behaving like an
 * HBase RegionServer.
 *
 * @param conf configuration consulted for {@code hbase.regionserver.kerberos.principal}
 * @param hostname host substituted into the configured principal pattern
 * @return the short name derived from the configured principal, or
 *         {@code "hbase"} when the property is not set
 * @throws Exception if the principal cannot be resolved or translated
 */
private String getPrincipalName(Configuration conf, String hostname) throws Exception {
    final String principalProp = conf.get("hbase.regionserver.kerberos.principal");
    if (principalProp == null) {
        // No explicit principal configured: use the default service user.
        return "hbase";
    }
    final String fullPrincipal = SecurityUtil.getServerPrincipal(principalProp, hostname);
    return new KerberosName(fullPrincipal).getShortName();
}