@Override public int hashCode() { return getPrincipal() == null ? 0 : getPrincipal().hashCode(); }
@Override public boolean equals(Object obj) { if (obj == null || !(obj instanceof Credentials)) return false; Credentials other = Credentials.class.cast(obj); boolean pEq = getPrincipal() == null ? (other.getPrincipal() == null) : (getPrincipal().equals(other.getPrincipal())); if (!pEq) return false; return getToken() == null ? (other.getToken() == null) : (getToken().equals(other.getToken())); }
@Override public String getPrincipal() { return getCredentials().getPrincipal(); }
@Override public void createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations) throws ThriftSecurityException { try { super.createUser(credentials, newUser, authorizations); audit(credentials, CREATE_USER_AUDIT_TEMPLATE, newUser.getPrincipal(), authorizations); } catch (ThriftSecurityException ex) { audit(credentials, ex, CREATE_USER_AUDIT_TEMPLATE, newUser.getPrincipal(), authorizations); throw ex; } }
@Override public String toString() { return getClass().getName() + ":" + getPrincipal() + ":" + (getToken() == null ? null : getToken().getClass().getName()) + ":<hidden>"; } }
protected void _createUser(TCredentials credentials, Credentials newUser) throws ThriftSecurityException { try { AuthenticationToken token = newUser.getToken(); authenticator.createUser(newUser.getPrincipal(), token); authorizor.initUser(newUser.getPrincipal()); permHandle.initUser(newUser.getPrincipal()); log.info("Created user {} at the request of user {}", newUser.getPrincipal(), credentials.getPrincipal()); } catch (AccumuloSecurityException ase) { throw ase.asThriftException(); } }
@Override public void changePassword(TCredentials credentials, Credentials newInfo) throws ThriftSecurityException { try { super.changePassword(credentials, newInfo); audit(credentials, CHANGE_PASSWORD_AUDIT_TEMPLATE, newInfo.getPrincipal()); } catch (ThriftSecurityException ex) { audit(credentials, ex, CHANGE_PASSWORD_AUDIT_TEMPLATE, newInfo.getPrincipal()); throw ex; } }
/** * Converts the current object to a serialized form. The object returned from this contains a * non-destroyable version of the {@link AuthenticationToken}, so references to it should be * tightly controlled. * * @return serialized form of these credentials */ public final String serialize() { return (getPrincipal() == null ? "-" : Base64.getEncoder().encodeToString(getPrincipal().getBytes(UTF_8))) + ":" + (getToken() == null ? "-" : Base64.getEncoder().encodeToString(getToken().getClass().getName().getBytes(UTF_8))) + ":" + (getToken() == null ? "-" : Base64.getEncoder() .encodeToString(AuthenticationTokenSerializer.serialize(getToken()))); }
@Override public String whoami() { ensureOpen(); return getCredentials().getPrincipal(); }
public String getPrincipal() { ensureOpen(); return getCredentials().getPrincipal(); }
public void createUser(TCredentials credentials, Credentials newUser, Authorizations authorizations) throws ThriftSecurityException { if (!canCreateUser(credentials, newUser.getPrincipal())) throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED); _createUser(credentials, newUser); if (canChangeAuthorizations(credentials, newUser.getPrincipal())) { try { authorizor.changeAuthorizations(newUser.getPrincipal(), authorizations); } catch (AccumuloSecurityException ase) { throw ase.asThriftException(); } } }
public void changePassword(TCredentials credentials, Credentials toChange) throws ThriftSecurityException { if (!canChangePassword(credentials, toChange.getPrincipal())) throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED); try { AuthenticationToken token = toChange.getToken(); authenticator.changePassword(toChange.getPrincipal(), token); log.info("Changed password for user {} at the request of user {}", toChange.getPrincipal(), credentials.getPrincipal()); } catch (AccumuloSecurityException e) { throw e.asThriftException(); } }
while (fileScanner.hasNextLine()) { Credentials creds = Credentials.deserialize(fileScanner.nextLine()); if (principal.equals(creds.getPrincipal())) { return creds.getToken();
@Override public void delete(String namespace) throws AccumuloException, AccumuloSecurityException, NamespaceNotFoundException, NamespaceNotEmptyException { checkArgument(namespace != null, "namespace is null"); Namespace.ID namespaceId = Namespaces.getNamespaceId(context, namespace); if (namespaceId.equals(Namespace.ID.ACCUMULO) || namespaceId.equals(Namespace.ID.DEFAULT)) { Credentials credentials = context.getCredentials(); log.debug("{} attempted to delete the {} namespace", credentials.getPrincipal(), namespaceId); throw new AccumuloSecurityException(credentials.getPrincipal(), SecurityErrorCode.UNSUPPORTED_OPERATION); } if (Namespaces.getTableIds(context, namespaceId).size() > 0) { throw new NamespaceNotEmptyException(namespaceId.canonicalID(), namespace, null); } List<ByteBuffer> args = Arrays.asList(ByteBuffer.wrap(namespace.getBytes(UTF_8))); Map<String,String> opts = new HashMap<>(); try { doNamespaceFateOperation(FateOperation.NAMESPACE_DELETE, args, opts, namespace); } catch (NamespaceExistsException e) { // should not happen throw new AssertionError(e); } }
/** * Converts the current object to the relevant thrift type. The object returned from this contains * a non-destroyable version of the {@link AuthenticationToken}, so this should be used just * before placing on the wire, and references to it should be tightly controlled. * * @param instanceID * Accumulo instance ID * @return Thrift credentials * @throws RuntimeException * if the authentication token has been destroyed (expired) */ public TCredentials toThrift(String instanceID) { TCredentials tCreds = new TCredentials(getPrincipal(), getToken().getClass().getName(), ByteBuffer.wrap(AuthenticationTokenSerializer.serialize(getToken())), instanceID); if (getToken().isDestroyed()) throw new RuntimeException("Token has been destroyed", new AccumuloSecurityException(getPrincipal(), SecurityErrorCode.TOKEN_EXPIRED)); return tCreds; }
@Override public void changeLocalUserPassword(final String principal, final PasswordToken token) throws AccumuloException, AccumuloSecurityException { checkArgument(principal != null, "principal is null"); checkArgument(token != null, "token is null"); final Credentials toChange = new Credentials(principal, token); executeVoid(client -> client.changeLocalUserPassword(Tracer.traceInfo(), context.rpcCreds(), principal, ByteBuffer.wrap(token.getPassword()))); if (context.getCredentials().getPrincipal().equals(principal)) { context.setCredentials(toChange); } }
public boolean authenticateUser(TCredentials credentials, TCredentials toAuth) throws ThriftSecurityException { canAskAboutUser(credentials, toAuth.getPrincipal()); // User is already authenticated from canAskAboutUser if (credentials.equals(toAuth)) return true; try { Credentials toCreds = Credentials.fromThrift(toAuth); if (isKerberos) { // If we have kerberos credentials for a user from the network but no account // in the system, we need to make one before proceeding if (!authenticator.userExists(toCreds.getPrincipal())) { createUser(credentials, toCreds, Authorizations.EMPTY); } // Likely that the KerberosAuthenticator will fail as we don't have the credentials for the // other user, // we only have our own Kerberos credentials. } return authenticator.authenticateUser(toCreds.getPrincipal(), toCreds.getToken()); } catch (AccumuloSecurityException e) { throw e.asThriftException(); } }
public ConnectorImpl(ClientContext context) throws AccumuloSecurityException, AccumuloException { this.context = context; SingletonManager.setMode(Mode.CONNECTOR); if (context.getCredentials().getToken().isDestroyed()) throw new AccumuloSecurityException(context.getCredentials().getPrincipal(), SecurityErrorCode.TOKEN_EXPIRED); // Skip fail fast for system services; string literal for class name, to avoid dependency on // server jar final String tokenClassName = context.getCredentials().getToken().getClass().getName(); if (!SYSTEM_TOKEN_NAME.equals(tokenClassName)) { ServerClient.executeVoid(context, iface -> { if (!iface.authenticate(Tracer.traceInfo(), context.rpcCreds())) throw new AccumuloSecurityException("Authentication failed, access denied", SecurityErrorCode.BAD_CREDENTIALS); }); } }
@Override public Repo<Master> call(long tid, Master env) throws Exception { // give all table permissions to the creator SecurityOperation security = AuditedSecurityOperation.getInstance(env.getContext()); if (!tableInfo.getUser().equals(env.getContext().getCredentials().getPrincipal())) { for (TablePermission permission : TablePermission.values()) { try { security.grantTablePermission(env.getContext().rpcCreds(), tableInfo.getUser(), tableInfo.getTableId(), permission, tableInfo.getNamespaceId()); } catch (ThriftSecurityException e) { LoggerFactory.getLogger(SetupPermissions.class).error("{}", e.getMessage(), e); throw e; } } } // setup permissions in zookeeper before table info in zookeeper // this way concurrent users will not get a spurious permission denied // error return new PopulateZookeeper(tableInfo); }
context.getCredentials().getPrincipal(), tse.getCode(), Tables.getPrintableTableInfoFromId(context, tableId), tse); queueException(location, cmidToCm, ase);