/**
 * Returns the supplied map only when Kerberos authentication is in effect and the map
 * holds at least one entry.
 *
 * @param map map of principal lists; may be {@code null}
 * @return {@code map} itself when the security context is Kerberos authenticated and the map
 *         is neither {@code null} nor empty; {@code null} in every other case
 */
private Map<String, List<Principal>> getMapIfSecureIfNotEmpty(Map<String, List<Principal>> map) {
    // The authentication check comes first, exactly as in the short-circuit expression it replaces.
    if (!SecurityUtil.isKerberosAuthenticated(securityContext)) {
        return null;
    }
    if (map == null || map.isEmpty()) {
        return null;
    }
    return map;
}
/**
 * Returns the supplied string map only when Kerberos authentication is in effect and the map
 * holds at least one entry.
 *
 * @param map map to filter; may be {@code null}
 * @return {@code map} itself when the security context is Kerberos authenticated and the map
 *         is neither {@code null} nor empty; {@code null} in every other case
 */
private Map<String, String> getStringsMapIfSecureIfNotEmpty(Map<String, String> map) {
    final boolean kerberos = SecurityUtil.isKerberosAuthenticated(securityContext);
    if (kerberos && map != null) {
        // Callers get null, not an empty map, when there is nothing to report.
        return map.isEmpty() ? null : map;
    }
    return null;
}
/**
 * Records whether the given security context is Kerberos authenticated and, if it is, the
 * authentication scheme that context reports.
 *
 * @param securityContext security context to inspect
 */
public Authentication(SecurityContext securityContext) {
    final boolean kerberos = SecurityUtil.isKerberosAuthenticated(securityContext);
    enabled = kerberos;
    if (kerberos) {
        // The scheme is read only for Kerberos contexts; otherwise the field is left untouched.
        scheme = securityContext.getAuthenticationScheme();
    }
}
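/**
 * Executes the supplied action. If a subject is provided and
 * {@link SecurityUtil#isKerberosAuthenticated(javax.ws.rs.core.SecurityContext)} returns true,
 * the action runs inside {@code Subject.doAs(subject, action)}.
 *
 * <p>When {@code subject} is {@code null} the action is invoked directly, even for a Kerberos
 * authenticated security context, so it runs with whatever identity the calling thread already
 * has. Callers that require the action to run as the subject must pass a non-null subject.
 *
 * @param action the work to perform
 * @param securityContext security context used to decide whether Kerberos is in effect
 * @param subject subject to run the action as; may be {@code null}
 * @return the value produced by {@code action}
 * @throws E if the action fails while being invoked directly
 * @throws PrivilegedActionException if the action throws a checked exception while running
 *         inside {@code Subject.doAs}
 */
public static <T, E extends Exception> T execute(SupplierException<T, E> action, SecurityContext securityContext, Subject subject)
        throws E, PrivilegedActionException {
    // Log the principal set, not the Subject: Subject.toString() also renders the private
    // credential set, which for a Kerberos login may contain ticket or key material.
    final Object subjectPrincipals = subject == null ? null : subject.getPrincipals();

    if (subject != null && isKerberosAuthenticated(securityContext)) {
        // Argument order follows the placeholders: action, subject, security context.
        LOG.debug("Executing action [{}] for subject [{}] with security context [{}] using Kerberos authentication",
                action, subjectPrincipals, securityContext);
        return Subject.doAs(subject, (PrivilegedExceptionAction<T>) action::get);
    }

    LOG.debug("Executing action [{}] for subject [{}] with security context [{}] without Kerberos authentication",
            action, subjectPrincipals, securityContext);
    return action.get();
}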
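/**
 * Executes the supplied action. If a user is provided and
 * {@link SecurityUtil#isKerberosAuthenticated(javax.ws.rs.core.SecurityContext)} returns true,
 * the action runs through {@code user.runAs(action)}.
 *
 * <p>When {@code user} is {@code null} the action is invoked directly, even for a Kerberos
 * authenticated security context, so it is not executed on behalf of that user. Callers that
 * require impersonation must pass a non-null user.
 *
 * @param action the work to perform
 * @param securityContext security context used to decide whether Kerberos is in effect
 * @param user user to run the action as; may be {@code null}
 * @return the value produced by {@code action}
 * @throws E if the action fails while being invoked directly
 * @throws PrivilegedActionException declared for parity with the {@code Subject} overload
 * @throws IOException if {@code user.runAs} reports an I/O failure
 * @throws InterruptedException if {@code user.runAs} is interrupted
 */
public static <T, E extends Exception> T execute(SupplierException<T, E> action, SecurityContext securityContext, User user)
        throws E, PrivilegedActionException, IOException, InterruptedException {
    if (user != null && SecurityUtil.isKerberosAuthenticated(securityContext)) {
        // Argument order follows the placeholders: action, user, security context.
        LOG.debug("Executing action [{}] for user [{}] with security context [{}] using Kerberos authentication",
                action, user, securityContext);
        return user.runAs((PrivilegedExceptionAction<T>) action::get);
    }

    LOG.debug("Executing action [{}] for user [{}] with security context [{}] without Kerberos authentication",
            action, user, securityContext);
    return action.get();
}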
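/**
 * Builds the URL of the topology summary REST endpoint from the resolved host and port and the
 * configured relative path. For a Kerberos authenticated security context the caller's principal
 * name is appended as the {@code STORM_REST_API_DO_AS_USER_QUERY_PARAM} query parameter.
 *
 * @return the absolute endpoint URL
 * @throws ServiceNotFoundException propagated from {@code getHostPort()}
 * @throws ServiceComponentNotFoundException propagated from {@code getHostPort()}
 */
private String getTopologySummaryRestUrl() throws ServiceNotFoundException, ServiceComponentNotFoundException {
    final HostPort hostPort = getHostPort();
    final String path = urlRelativePath.startsWith("/") ? urlRelativePath : "/" + urlRelativePath;

    // NOTE(review): the scheme is fixed to plain http, so the impersonation parameter and any
    // authentication exchange travel unencrypted unless TLS is terminated elsewhere - confirm.
    final StringBuilder url = new StringBuilder("http://").append(hostPort.toString()).append(path);

    if (SecurityUtil.isKerberosAuthenticated(securityContext)) {
        final String principalName = securityContext.getUserPrincipal().getName();
        try {
            // Encode the principal so characters such as '&', '=', '#' or spaces cannot alter the
            // query string or add parameters; the receiving endpoint decodes it back.
            url.append('?')
                    .append(STORM_REST_API_DO_AS_USER_QUERY_PARAM)
                    .append('=')
                    .append(java.net.URLEncoder.encode(principalName, "UTF-8"));
        } catch (java.io.UnsupportedEncodingException e) {
            // UTF-8 is a charset every Java platform is required to support.
            throw new IllegalStateException("UTF-8 encoding is not available", e);
        }
    }
    return url.toString();
}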
/**
 * Creates an {@link HBaseMetadataService} that delegates to an {@link Admin} obtained from a
 * connection built with the supplied {@link Configuration}.
 *
 * <p>For a Kerberos authenticated security context the connection is opened as a proxy user
 * named after the caller's principal, backed by the UGI derived from {@code subject}. Otherwise
 * a plain connection is opened and the service is created with a {@code null} user.
 *
 * @param hbaseConfig HBase configuration used for the login rules and the connection
 * @param securityContext security context of the caller
 * @param subject subject the proxy user is layered on in the Kerberos case
 * @param hbaseMaster HBase master component handed to the service
 * @param hbaseMasterProcesses HBase master processes handed to the service
 * @return the new metadata service
 * @throws IOException if the UGI or the HBase connection cannot be created
 * @throws EntityNotFoundException declared by the service constructor path
 */
public static HBaseMetadataService newInstance(Configuration hbaseConfig, SecurityContext securityContext, Subject subject,
        Component hbaseMaster, Collection<ComponentProcess> hbaseMasterProcesses)
        throws IOException, EntityNotFoundException {
    if (!SecurityUtil.isKerberosAuthenticated(securityContext)) {
        return new HBaseMetadataService(ConnectionFactory.createConnection(hbaseConfig).getAdmin(),
                securityContext, subject, null, hbaseMaster, hbaseMasterProcesses);
    }

    // Static call: installs the configuration (including the Kerberos rules) for
    // UserGroupInformation as a whole, not just for this request.
    UserGroupInformation.setConfiguration(hbaseConfig);

    // Must follow setConfiguration; also adds the User principal to the subject.
    final UserGroupInformation serviceUgi = UserGroupInformation.getUGIFromSubject(subject);

    // NOTE(review): impersonation of the caller is presumably bounded by the proxy-user settings
    // on the HBase side - confirm those are restricted to the intended hosts and groups.
    final String callerName = securityContext.getUserPrincipal().getName();
    final UserGroupInformation impersonatedUgi = UserGroupInformation.createProxyUser(callerName, serviceUgi);
    final User user = User.create(impersonatedUgi);

    return new HBaseMetadataService(ConnectionFactory.createConnection(hbaseConfig, user).getAdmin(),
            securityContext, subject, user, hbaseMaster, hbaseMasterProcesses);
}
/**
 * Creates a {@link HiveMetadataService} that delegates to a {@link HiveMetaStoreClient}
 * instantiated with the supplied {@link HiveConf}.
 *
 * <p>For a Kerberos authenticated security context the client is constructed through
 * {@code SecurityUtil.execute(..., securityContext, subject)}; otherwise it is constructed
 * directly.
 *
 * @param hiveConf Hive configuration used for the login rules and the metastore client
 * @param securityContext security context of the caller
 * @param subject subject passed to {@code SecurityUtil.execute} in the Kerberos case
 * @param hiveMetastore Hive metastore component handed to the service
 * @param hiveMetastoreProcesses Hive metastore processes handed to the service
 * @return the new metadata service
 * @throws MetaException if the metastore client cannot be created
 * @throws IOException if the UGI cannot be derived from the subject
 * @throws EntityNotFoundException declared by the service constructor path
 * @throws PrivilegedActionException declared by {@code SecurityUtil.execute}
 */
public static HiveMetadataService newInstance(HiveConf hiveConf, SecurityContext securityContext, Subject subject,
        Component hiveMetastore, Collection<ComponentProcess> hiveMetastoreProcesses)
        throws MetaException, IOException, EntityNotFoundException, PrivilegedActionException {
    final HiveMetaStoreClient client;
    if (SecurityUtil.isKerberosAuthenticated(securityContext)) {
        // Static call: installs the configuration (including the Kerberos rules) for
        // UserGroupInformation as a whole, not just for this request.
        UserGroupInformation.setConfiguration(hiveConf);
        // Called for its side effect only (adds the User principal to the subject); result unused.
        UserGroupInformation.getUGIFromSubject(subject);
        // NOTE(review): no proxy user is created here, so the client appears to act as the
        // subject itself, not as the calling end user - confirm this is intended.
        client = SecurityUtil.execute(() -> new HiveMetaStoreClient(hiveConf), securityContext, subject);
    } else {
        client = new HiveMetaStoreClient(hiveConf);
    }
    return new HiveMetadataService(client, hiveConf, securityContext, subject, hiveMetastore, hiveMetastoreProcesses);
}