/**
 * Returns the short (local) user name for the wrapped {@code kerberosName}.
 * <p>
 * This is a pure delegation: the mapping itself is done by the wrapped
 * {@code KerberosName}, so whatever name rules it was configured with
 * decide the result.
 *
 * @return the short name produced by the wrapped name
 * @throws IOException if the wrapped name cannot be mapped to a short name
 */
@Override
public String getShortName() throws IOException {
    final String localUser = kerberosName.getShortName();
    return localUser;
}
}
/**
 * Verify that the auth_to_local rules actually transform the principal into a
 * short name.
 * <p>
 * A short name such as "bar@foo.com" may be harmless, so it is only reported
 * as a warning; but when a transformation to "bar" was intended, the leftover
 * realm or host part is hard to debug, hence this check.
 */
protected void validateShortName() {
    failif(principal == null, CAT_KERBEROS, "No principal defined");
    try {
        final String shortName = new KerberosName(principal).getShortName();
        // A name that still matches nonSimplePattern (per the message: '@' or '/')
        // usually means the rules did not reduce it as the operator expected.
        final boolean stillQualified = nonSimplePattern.matcher(shortName).find();
        if (stillQualified) {
            warn(CAT_KERBEROS, principal + " short name: " + shortName + " still contains @ or /");
        }
    } catch (IOException e) {
        // No rule applied at all: this is a hard diagnostics failure, not a warning.
        throw new KerberosDiagsFailure(CAT_KERBEROS, e, "Failed to get short name for " + principal, e);
    } catch (IllegalArgumentException e) {
        // The principal string itself could not be parsed.
        error(CAT_KERBEROS, "KerberosName(" + principal + ") failed: %s\n%s", e, StringUtils.stringifyException(e));
    }
}
String clientPrincipal = gssContext.getSrcName().toString(); KerberosName kerberosName = new KerberosName(clientPrincipal); String userName = kerberosName.getShortName(); token = new AuthenticationToken(userName, clientPrincipal, getType()); response.setStatus(HttpServletResponse.SC_OK);
/**
 * Checks that {@code name}, reduced to its short form, equals the expected
 * short user name.
 *
 * @param expected the expected short name, or {@code null} when no name is expected
 * @param name the (possibly fully qualified) name to check; {@code null} is accepted
 *     because the name is optional
 * @throws IOException if a name is present but none was expected, if the name
 *     cannot be reduced to a short name, or if the short name differs from
 *     {@code expected}
 */
public static void checkUsername(final String expected, final String name) throws IOException {
    if (name == null) {
        // the name is optional; with nothing to compare there is nothing to check
        return;
    }
    if (expected == null) {
        throw new IOException("Usernames not matched: expecting null but name=" + name);
    }
    // Compare on the short name so that a fully qualified principal still matches.
    final String shortName = new KerberosName(name).getShortName();
    if (!shortName.equals(expected)) {
        throw new IOException("Usernames not matched: name=" + shortName + " != expected=" + expected);
    }
}
/**
 * Returns the short (local) user name for the wrapped {@code kerberosName}.
 * <p>
 * Pure delegation; the name rules configured on the wrapped
 * {@code KerberosName} decide the result.
 *
 * @return the short name produced by the wrapped name
 * @throws IOException if the wrapped name cannot be mapped to a short name
 */
@Override
public String getShortName() throws IOException {
    final String localUser = kerberosName.getShortName();
    return localUser;
}
}
/**
 * Returns the short (local) user name for the wrapped {@code kerberosName}.
 * <p>
 * Pure delegation; the name rules configured on the wrapped
 * {@code KerberosName} decide the result.
 *
 * @return the short name produced by the wrapped name
 * @throws IOException if the wrapped name cannot be mapped to a short name
 */
@Override
public String getShortName() throws IOException {
    final String localUser = kerberosName.getShortName();
    return localUser;
}
}
/**
 * Returns the short (local) user name for the wrapped {@code kerberosName}.
 * <p>
 * Pure delegation; the name rules configured on the wrapped
 * {@code KerberosName} decide the result.
 *
 * @return the short name produced by the wrapped name
 * @throws IOException if the wrapped name cannot be mapped to a short name
 */
@Override
public String getShortName() throws IOException {
    final String localUser = kerberosName.getShortName();
    return localUser;
}
}
/**
 * Returns the short (local) user name for the wrapped {@code kerberosName}.
 * <p>
 * Pure delegation; the name rules configured on the wrapped
 * {@code KerberosName} decide the result.
 *
 * @return the short name produced by the wrapped name
 * @throws IOException if the wrapped name cannot be mapped to a short name
 */
@Override
public String getShortName() throws IOException {
    final String localUser = kerberosName.getShortName();
    return localUser;
}
}
/**
 * Checks that {@code name}, reduced to its short form, equals the expected
 * short user name.
 *
 * @param expected the expected short name, or {@code null} when no name is expected
 * @param name the (possibly fully qualified) name to check; {@code null} is accepted
 *     because the name is optional
 * @throws IOException if a name is present but none was expected, if the name
 *     cannot be reduced to a short name, or if the short name differs from
 *     {@code expected}
 */
public static void checkUsername(final String expected, final String name) throws IOException {
    if (name == null) {
        // the name is optional; with nothing to compare there is nothing to check
        return;
    }
    if (expected == null) {
        throw new IOException("Usernames not matched: expecting null but name=" + name);
    }
    // Compare on the short name so that a fully qualified principal still matches.
    final String shortName = new KerberosName(name).getShortName();
    if (!shortName.equals(expected)) {
        throw new IOException("Usernames not matched: name=" + shortName + " != expected=" + expected);
    }
}
/**
 * Checks that {@code name}, reduced to its short form, equals the expected
 * short user name.
 *
 * @param expected the expected short name, or {@code null} when no name is expected
 * @param name the (possibly fully qualified) name to check; {@code null} is accepted
 *     because the name is optional
 * @throws IOException if a name is present but none was expected, if the name
 *     cannot be reduced to a short name, or if the short name differs from
 *     {@code expected}
 */
public static void checkUsername(final String expected, final String name) throws IOException {
    if (name == null) {
        // the name is optional; with nothing to compare there is nothing to check
        return;
    }
    if (expected == null) {
        throw new IOException("Usernames not matched: expecting null but name=" + name);
    }
    // Compare on the short name so that a fully qualified principal still matches.
    final String shortName = new KerberosName(name).getShortName();
    if (!shortName.equals(expected)) {
        throw new IOException("Usernames not matched: name=" + shortName + " != expected=" + expected);
    }
}
/**
 * Resolves the keytab location for a principal by substituting the principal's
 * short name for {@code Constants.USER_NAME_SPECIFIER} in the configured
 * {@code Constants.Security.KEYTAB_PATH} template.
 * <p>
 * NOTE(review): the short name is inserted into the path template verbatim;
 * what characters it can contain depends on the configured auth_to_local
 * rules, which are not visible here.
 *
 * @param principal the principal whose keytab URI is being looked up
 * @param cConf used to look up the configured keytab path template
 * @return the location of the keytab
 * @throws IOException if the principal cannot be mapped to a short name
 * @throws NullPointerException if no keytab path is configured
 */
static String getKeytabURIforPrincipal(String principal, CConfiguration cConf) throws IOException {
    final String keytabPathTemplate = cConf.getRaw(Constants.Security.KEYTAB_PATH);
    final String missingPathMessage = String.format(
        "Failed to get a valid keytab path. Please ensure that you have specified %s in cdap-site.xml",
        Constants.Security.KEYTAB_PATH);
    Preconditions.checkNotNull(keytabPathTemplate, missingPathMessage);
    final String shortName = new KerberosName(principal).getShortName();
    return keytabPathTemplate.replace(Constants.USER_NAME_SPECIFIER, shortName);
}
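/**
 * Creates an impersonator backed by the given {@link UGIProvider}.
 * <p>
 * The master principal's short user name is computed once here; on a cluster
 * without Kerberos the master principal is {@code null} and so is the short name.
 *
 * @param cConf configuration used to determine whether Kerberos is enabled and
 *     to read the master principal
 * @param ugiProvider provider of user group information for impersonation
 * @throws RuntimeException if the master principal cannot be mapped to a short
 *     user name
 */
@Inject
@VisibleForTesting
public DefaultImpersonator(CConfiguration cConf, UGIProvider ugiProvider) {
    this.ugiProvider = ugiProvider;
    this.kerberosEnabled = SecurityUtil.isKerberosEnabled(cConf);
    // on kerberos disabled cluster the master principal will be null
    String masterPrincipal = SecurityUtil.getMasterPrincipal(cConf);
    try {
        masterShortUsername = masterPrincipal == null ? null : new KerberosName(masterPrincipal).getShortName();
    } catch (IOException e) {
        // Rethrow explicitly instead of Throwables.propagate(e): that helper is deprecated and,
        // used as an expression statement, it does not tell the compiler this branch terminates.
        // The exception type is unchanged (RuntimeException wrapping the IOException).
        throw new RuntimeException(
            "Failed to map master principal " + masterPrincipal + " to a short user name", e);
    }
}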
/**
 * Returns the effective master user: the short name of the principal configured as
 * {@code Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL} when present, otherwise the short
 * name of the current login user. Returns {@code null} when security authorization is not
 * enabled.
 *
 * @param cConf configuration to read the master principal from
 * @return the effective master user, or {@code null} if security authorization is disabled
 * @throws RuntimeException if the principal cannot be translated to an operating system user name
 */
@Nullable
public static String getEffectiveMasterUser(CConfiguration cConf) {
    final String configuredPrincipal = cConf.get(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL);
    try {
        if (!isSecurityAuthorizationEnabled(cConf)) {
            return null;
        }
        if (configuredPrincipal == null) {
            // nothing configured: fall back to whoever this process logged in as
            return UserGroupInformation.getLoginUser().getShortUserName();
        }
        return new KerberosName(configuredPrincipal).getShortName();
    } catch (IOException e) {
        throw new RuntimeException(String.format(
            "Failed to translate the principal name %s to an operating system user name.",
            configuredPrincipal), e);
    }
}
}
/**
 * Asserts that the principal {@code from} is mapped to the short name {@code to},
 * echoing both to stdout for easier diagnosis of failures.
 *
 * @param from the principal to translate
 * @param to the expected short name
 * @throws Exception if the translation fails
 */
private void checkTranslation(String from, String to) throws Exception {
    System.out.println("Translate " + from);
    final String actual = new KerberosName(from).getShortName();
    System.out.println("to " + actual);
    Assert.assertEquals("short name incorrect", to, actual);
}
/**
 * Asserts that the principal {@code from} is mapped to the short name {@code to},
 * echoing both to stdout for easier diagnosis of failures.
 *
 * @param from the principal to translate
 * @param to the expected short name
 * @throws Exception if the translation fails
 */
private void checkTranslation(String from, String to) throws Exception {
    System.out.println("Translate " + from);
    final String actual = new KerberosName(from).getShortName();
    System.out.println("to " + actual);
    Assert.assertEquals("short name incorrect", to, actual);
}
/**
 * Asserts that the principal {@code from} is mapped to the short name {@code to},
 * echoing both to stdout for easier diagnosis of failures.
 *
 * @param from the principal to translate
 * @param to the expected short name
 * @throws Exception if the translation fails
 */
private void checkTranslation(String from, String to) throws Exception {
    System.out.println("Translate " + from);
    final String actual = new KerberosName(from).getShortName();
    System.out.println("to " + actual);
    Assert.assertEquals("short name incorrect", to, actual);
}
/**
 * Asserts that the principal {@code from} cannot be mapped to a short name, i.e.
 * that {@code getShortName()} throws an {@link IOException}.
 *
 * @param from the principal that is expected to be rejected by the name rules
 */
private void checkBadTranslation(String from) {
    System.out.println("Checking bad translation for " + from);
    final KerberosName name = new KerberosName(from);
    try {
        name.getShortName();
    } catch (IOException expected) {
        // rejection is the outcome under test
        return;
    }
    Assert.fail("didn't get exception for " + from);
}
/**
 * Returns the user on whose behalf an application deployment is authorized: the
 * application owner when present, otherwise the namespace owner, otherwise the
 * user making the request.
 *
 * @param ownerAdmin used to resolve the namespace owner
 * @param authenticationContext the request's authentication context, used as the fallback
 * @param applicationId the application being deployed
 * @param appOwner the owner requested for the application, or {@code null}
 * @return the short user name to authorize against
 * @throws IOException if the effective owner's principal cannot be mapped to a short name
 */
public static String getAppAuthorizingUser(OwnerAdmin ownerAdmin, AuthenticationContext authenticationContext,
                                           ApplicationId applicationId, @Nullable KerberosPrincipalId appOwner)
    throws IOException {
    final String requestedOwner = appOwner == null ? null : appOwner.getPrincipal();
    final KerberosPrincipalId effectiveOwner =
        SecurityUtil.getEffectiveOwner(ownerAdmin, applicationId.getNamespaceId(), requestedOwner);
    // CDAP-13154 If impersonation is configured for either the application or namespace the effective owner
    // will be a kerberos principal which can have different forms
    // (refer: https://docs.oracle.com/cd/E21455_01/common/tutorials/kerberos_principal.html), e.g. a
    // complete principal name (alice/somehost.net@someREALM). Authorization must be enforced on the
    // username rather than the complete principal, so the short name of the principal is returned.
    final String authorizingUser;
    if (effectiveOwner == null) {
        authorizingUser = authenticationContext.getPrincipal().getName();
    } else {
        authorizingUser = new KerberosName(effectiveOwner.getPrincipal()).getShortName();
    }
    LOG.trace("Returning {} as authorizing app user for {}", authorizingUser, applicationId);
    return authorizingUser;
}
/**
 * Verifies that the name rules passed to the handler through {@code NAME_RULES} take
 * precedence over the rules installed globally with {@code KerberosName.setRules}:
 * "bar@BAR" must be reduced to "bar" while "bar@FOO" must be left untouched.
 */
@Test(timeout = 60000)
public void testNameRules() throws Exception {
    final KerberosName serverName = new KerberosName(KerberosTestUtils.getServerPrincipal());
    Assert.assertEquals(KerberosTestUtils.getRealm(), serverName.getRealm());
    // destroy the handler created in setUp() before re-initialising it with other rules
    handler.destroy();
    KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");
    handler = getNewAuthenticationHandler();
    final Properties props = getDefaultProperties();
    props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
    try {
        handler.init(props);
    } catch (Exception ignored) {
        // init failures are tolerated here; presumably the rules are applied before whatever
        // part of init can fail in this environment — the assertions below check the rules in effect
    }
    Assert.assertEquals("bar", new KerberosName("bar@BAR").getShortName());
    Assert.assertEquals("bar@FOO", new KerberosName("bar@FOO").getShortName());
}
/**
 * Verifies that the name rules passed to the handler through {@code NAME_RULES} take
 * precedence over the rules installed globally with {@code KerberosName.setRules}:
 * "bar@BAR" must be reduced to "bar" while "bar@FOO" must be left untouched.
 */
@Test(timeout = 60000)
public void testNameRules() throws Exception {
    final KerberosName serverName = new KerberosName(KerberosTestUtils.getServerPrincipal());
    Assert.assertEquals(KerberosTestUtils.getRealm(), serverName.getRealm());
    // destroy the handler created in setUp() before re-initialising it with other rules
    handler.destroy();
    KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");
    handler = getNewAuthenticationHandler();
    final Properties props = getDefaultProperties();
    props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
    try {
        handler.init(props);
    } catch (Exception ignored) {
        // init failures are tolerated here; presumably the rules are applied before whatever
        // part of init can fail in this environment — the assertions below check the rules in effect
    }
    Assert.assertEquals("bar", new KerberosName("bar@BAR").getShortName());
    Assert.assertEquals("bar@FOO", new KerberosName("bar@FOO").getShortName());
}