/**
 * Two credentials are equal when their principals are equal and their tokens are equal. A
 * {@code null} principal or token only matches a {@code null} on the other side; the token
 * comparison is delegated to the token's own {@code equals}.
 */
@Override
public boolean equals(Object obj) {
  // instanceof is false for null, so no separate null check is needed
  if (!(obj instanceof Credentials)) {
    return false;
  }
  Credentials that = (Credentials) obj;
  if (getPrincipal() == null) {
    if (that.getPrincipal() != null) {
      return false;
    }
  } else if (!getPrincipal().equals(that.getPrincipal())) {
    return false;
  }
  if (getToken() == null) {
    return that.getToken() == null;
  }
  return getToken().equals(that.getToken());
}
/**
 * Returns the token backing this object's credentials; a plain delegation to
 * {@code getCredentials().getToken()}.
 */
@Override
public AuthenticationToken getAuthenticationToken() {
  Credentials current = getCredentials();
  return current.getToken();
}
/**
 * Converts the current object to a serialized form. The object returned from this contains a
 * non-destroyable version of the {@link AuthenticationToken}, so references to it should be
 * tightly controlled.
 *
 * <p>
 * The result is three Base64 fields joined by {@code ':'}: the principal, the token class name
 * and the serialized token bytes. An absent principal is written as {@code "-"}; an absent token
 * makes both token fields {@code "-"}. Base64 is an encoding, not encryption, so the token
 * material is directly recoverable from the returned string.
 *
 * @return serialized form of these credentials
 */
public final String serialize() {
  Base64.Encoder encoder = Base64.getEncoder();
  String principalField = getPrincipal() == null ? "-"
      : encoder.encodeToString(getPrincipal().getBytes(UTF_8));
  String tokenClassField;
  String tokenBytesField;
  if (getToken() == null) {
    tokenClassField = "-";
    tokenBytesField = "-";
  } else {
    tokenClassField = encoder.encodeToString(getToken().getClass().getName().getBytes(UTF_8));
    tokenBytesField =
        encoder.encodeToString(AuthenticationTokenSerializer.serialize(getToken()));
  }
  return String.join(":", principalField, tokenClassField, tokenBytesField);
}
/**
 * Reports whether the supplied thrift credentials name the same token class as this server's own
 * credentials. Only the class name is compared here; the token itself is not validated by this
 * method.
 */
public boolean isSystemUser(TCredentials credentials) {
  String systemTokenClass = context.getCredentials().getToken().getClass().getName();
  String presentedTokenClass = credentials.getTokenClassName();
  return systemTokenClass.equals(presentedTokenClass);
}
/**
 * Decides whether a request should be audited: everything is audited except requests whose token
 * class name matches the server's own credentials. Only the class name is compared.
 */
private boolean shouldAudit(TCredentials credentials) {
  String systemTokenClass = context.getCredentials().getToken().getClass().getName();
  boolean presentedAsSystem = systemTokenClass.equals(credentials.getTokenClassName());
  return !presentedAsSystem;
}
/**
 * Returns the token of the current credentials. {@code ensureOpen()} runs first, so a closed
 * context never hands out its token.
 */
public AuthenticationToken getAuthenticationToken() {
  ensureOpen();
  Credentials current = getCredentials();
  return current.getToken();
}
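/**
 * Converts the current object to the relevant thrift type. The object returned from this contains
 * a non-destroyable version of the {@link AuthenticationToken}, so this should be used just
 * before placing on the wire, and references to it should be tightly controlled.
 *
 * <p>
 * The destroyed check runs before the token is serialized, so a destroyed (expired) token is
 * never turned into wire bytes at all; previously the bytes were produced first and the check
 * came afterwards.
 *
 * @param instanceID
 *          Accumulo instance ID
 * @return Thrift credentials
 * @throws RuntimeException
 *           if the authentication token has been destroyed (expired); the cause is an
 *           {@link AccumuloSecurityException} with {@code TOKEN_EXPIRED}
 */
public TCredentials toThrift(String instanceID) {
  if (getToken().isDestroyed()) {
    throw new RuntimeException("Token has been destroyed",
        new AccumuloSecurityException(getPrincipal(), SecurityErrorCode.TOKEN_EXPIRED));
  }
  return new TCredentials(getPrincipal(), getToken().getClass().getName(),
      ByteBuffer.wrap(AuthenticationTokenSerializer.serialize(getToken())), instanceID);
}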
Credentials creds = Credentials.deserialize(fileScanner.nextLine()); if (principal.equals(creds.getPrincipal())) { return creds.getToken();
/**
 * Creates a connector over {@code context}. A destroyed token is rejected immediately; for any
 * token other than the system token, the credentials are verified against the server before the
 * constructor returns (fail fast).
 *
 * @param context
 *          client context whose credentials this connector uses
 * @throws AccumuloSecurityException
 *           if the token has been destroyed, or the server rejects the credentials
 * @throws AccumuloException
 *           if the authentication RPC itself fails
 */
public ConnectorImpl(ClientContext context)
    throws AccumuloSecurityException, AccumuloException {
  this.context = context;
  SingletonManager.setMode(Mode.CONNECTOR);
  if (context.getCredentials().getToken().isDestroyed()) {
    throw new AccumuloSecurityException(context.getCredentials().getPrincipal(),
        SecurityErrorCode.TOKEN_EXPIRED);
  }
  // System services skip the fail-fast authentication round trip. The token class is matched by
  // its name as a string literal so this class does not depend on the server jar.
  String tokenClassName = context.getCredentials().getToken().getClass().getName();
  if (SYSTEM_TOKEN_NAME.equals(tokenClassName)) {
    return;
  }
  ServerClient.executeVoid(context, iface -> {
    boolean accepted = iface.authenticate(Tracer.traceInfo(), context.rpcCreds());
    if (!accepted) {
      throw new AccumuloSecurityException("Authentication failed, access denied",
          SecurityErrorCode.BAD_CREDENTIALS);
    }
  });
}
/**
 * Builds the server-side SASL parameters from the site configuration.
 *
 * @return parameters for this server's token and secret manager, or {@code null} when
 *         {@code INSTANCE_RPC_SASL_ENABLED} is false (callers must handle the null)
 */
@Override
public SaslServerConnectionParams getSaslParams() {
  AccumuloConfiguration siteConf = getServerConfFactory().getSiteConfiguration();
  boolean saslEnabled = siteConf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED);
  return saslEnabled
      ? new SaslServerConnectionParams(siteConf, getCredentials().getToken(), secretManager)
      : null;
}
/**
 * Serialize the credentials just before initiating the RPC call. The thrift form is cached in
 * {@code rpcCreds}; the cache is dropped whenever the underlying token has been destroyed, so a
 * stale serialized copy of an expired token is never handed out, and it is rebuilt via
 * {@code toThrift} on the next call.
 */
public synchronized TCredentials rpcCreds() {
  ensureOpen();
  boolean tokenDestroyed = getCredentials().getToken().isDestroyed();
  if (tokenDestroyed) {
    // Invalidate first, so the cache stays empty even if the rebuild below throws.
    rpcCreds = null;
  }
  if (rpcCreds == null) {
    rpcCreds = getCredentials().toThrift(getInstanceID());
  }
  return rpcCreds;
}
if (context.getCredentials().getToken().getClass().getName() .equals(credentials.getTokenClassName())) { log.error("Got message from a service with a mismatched configuration."
/**
 * Creates {@code newUser} in the authenticator and initializes its authorizations and permissions.
 * No permission check is performed in this method itself; the requesting principal is only used
 * for the audit log line.
 *
 * @param credentials
 *          the requesting user, logged alongside the new principal
 * @param newUser
 *          principal and token of the user to create
 * @throws ThriftSecurityException
 *           the thrift form of any {@link AccumuloSecurityException} raised by the handlers
 */
protected void _createUser(TCredentials credentials, Credentials newUser)
    throws ThriftSecurityException {
  String principal = newUser.getPrincipal();
  try {
    authenticator.createUser(principal, newUser.getToken());
    authorizor.initUser(principal);
    permHandle.initUser(principal);
    log.info("Created user {} at the request of user {}", principal, credentials.getPrincipal());
  } catch (AccumuloSecurityException ase) {
    throw ase.asThriftException();
  }
}
/**
 * Changes the password of {@code toChange} on behalf of {@code credentials}. The authorization
 * check runs before the authenticator is touched, so an unauthorized caller never reaches it.
 *
 * @param credentials
 *          the requesting user
 * @param toChange
 *          principal whose password changes, together with the new token
 * @throws ThriftSecurityException
 *           with {@code PERMISSION_DENIED} if the caller may not change this password, or the
 *           thrift form of any {@link AccumuloSecurityException} from the authenticator
 */
public void changePassword(TCredentials credentials, Credentials toChange)
    throws ThriftSecurityException {
  String target = toChange.getPrincipal();
  String requester = credentials.getPrincipal();
  if (!canChangePassword(credentials, target)) {
    throw new ThriftSecurityException(requester, SecurityErrorCode.PERMISSION_DENIED);
  }
  try {
    authenticator.changePassword(target, toChange.getToken());
    log.info("Changed password for user {} at the request of user {}", target, requester);
  } catch (AccumuloSecurityException ase) {
    throw ase.asThriftException();
  }
}
if (!context.getCredentials().getToken().equals(creds.getToken())) { log.debug("With SASL enabled, System AuthenticationTokens did not match."); throw new ThriftSecurityException(creds.getPrincipal(), if (!authenticator.authenticateUser(creds.getPrincipal(), creds.getToken())) { throw new ThriftSecurityException(creds.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
/**
 * Creates a client context over {@code info}: opens the ZooKeeper cache, prepares memoized
 * (expiring) suppliers for the RPC timeout and the SSL/SASL connection parameters, and wires the
 * table and namespace operations.
 *
 * @param reservation
 *          singleton reservation for this context; must not be null
 * @param info
 *          client connection information (ZooKeepers, session timeout, Hadoop configuration)
 * @param serverConf
 *          server-side configuration, stored as given
 */
public ClientContext(SingletonReservation reservation, ClientInfo info,
    AccumuloConfiguration serverConf) {
  this.info = info;
  this.hadoopConf = info.getHadoopConf();
  zooCache = new ZooCacheFactory().getZooCache(info.getZooKeepers(),
      info.getZooKeepersSessionTimeOut());
  this.serverConf = serverConf;
  // Deferred through memoizeWithExpiration rather than computed here, so the configuration and
  // the credentials' token are consulted lazily when each supplier is evaluated.
  timeoutSupplier = memoizeWithExpiration(
      () -> getConfiguration().getTimeInMillis(Property.GENERAL_RPC_TIMEOUT));
  saslSupplier = memoizeWithExpiration(
      () -> SaslConnectionParams.from(getConfiguration(), getCredentials().getToken()));
  sslSupplier = memoizeWithExpiration(() -> SslConnectionParams.forClient(getConfiguration()));
  this.singletonReservation = Objects.requireNonNull(reservation);
  this.tableops = new TableOperationsImpl(this);
  // Namespace operations are layered over the table operations created just above.
  this.namespaceops = new NamespaceOperationsImpl(this, tableops);
}
/**
 * Authenticates {@code toAuth} on behalf of {@code credentials}. {@code canAskAboutUser} is
 * consulted first; when the caller is asking about its own credentials, they were already
 * validated there and {@code true} is returned without a second check.
 *
 * @param credentials
 *          the requesting user
 * @param toAuth
 *          the credentials to validate
 * @return whether the authenticator accepts {@code toAuth}
 * @throws ThriftSecurityException
 *           the thrift form of any {@link AccumuloSecurityException} raised while converting,
 *           creating (Kerberos only) or authenticating the user
 */
public boolean authenticateUser(TCredentials credentials, TCredentials toAuth)
    throws ThriftSecurityException {
  canAskAboutUser(credentials, toAuth.getPrincipal());
  // canAskAboutUser already authenticated the caller, so identical credentials are accepted.
  if (credentials.equals(toAuth)) {
    return true;
  }
  try {
    Credentials toCreds = Credentials.fromThrift(toAuth);
    String principal = toCreds.getPrincipal();
    // Kerberos credentials arriving from the network may belong to a user with no account in the
    // system yet; create one before authenticating. The KerberosAuthenticator is likely to fail
    // anyway, since only our own Kerberos credentials are available, not the other user's.
    if (isKerberos && !authenticator.userExists(principal)) {
      createUser(credentials, toCreds, Authorizations.EMPTY);
    }
    return authenticator.authenticateUser(principal, toCreds.getToken());
  } catch (AccumuloSecurityException ase) {
    throw ase.asThriftException();
  }
}