/**
 * Host-name component of the wrapped principal, exactly as the wrapped
 * {@code KerberosName} reports it (pure delegation, no normalisation here).
 */
@Override
public String getHostName() {
  final String host = kerberosName.getHostName();
  return host;
}
/**
 * Short (local) user name for the wrapped principal, as produced by the
 * wrapped {@code KerberosName}; this is the name that the auth_to_local
 * rules configured on {@code KerberosName} yield, so callers should treat it
 * as trusted only as far as those rules are.
 *
 * @throws IOException propagated unchanged from {@code KerberosName#getShortName()}
 */
@Override
public String getShortName() throws IOException {
  final String shortName = kerberosName.getShortName();
  return shortName;
}
}
/**
 * Service component of the wrapped principal, delegated without change to
 * the wrapped {@code KerberosName}.
 */
@Override
public String getServiceName() {
  final String service = kerberosName.getServiceName();
  return service;
}
gssCreds = gssManager.createCredential( gssManager.createName( KerberosUtil.getServicePrincipal("HTTP", serverName), KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL") ), GSSCredential.INDEFINITE_LIFETIME, new Oid[]{ KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID") }, GSSCredential.ACCEPT_ONLY } else { String clientPrincipal = gssContext.getSrcName().toString(); KerberosName kerberosName = new KerberosName(clientPrincipal); String userName = kerberosName.getShortName(); token = new AuthenticationToken(userName, clientPrincipal, getType()); response.setStatus(HttpServletResponse.SC_OK);
/**
 * Supplies the JAAS login entry for {@code loginContextName}: a single
 * REQUIRED Krb5LoginModule login driven by a keytab, with interactive
 * prompting disabled ({@code doNotPrompt}), the key kept in the Subject
 * ({@code storeKey}) and krb5 configuration re-read on login
 * ({@code refreshKrb5Config}).
 * <p>
 * Any other application name is answered by {@code baseConfig} when one is
 * present, otherwise by {@code null} (no entry).
 * <p>
 * NOTE(review): {@code principal} and {@code keyTabFile} are used as supplied;
 * the keytab's file permissions are what protect the key material.
 *
 * @param appName JAAS application (login-context) name being looked up
 * @return one Krb5LoginModule entry for our context, the base configuration's
 *         answer for anything else, or {@code null}
 */
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
  if (!loginContextName.equals(appName)) {
    // Not our context: defer to the wrapped configuration if there is one.
    return baseConfig == null ? null : baseConfig.getAppConfigurationEntry(appName);
  }
  Map<String, String> options = new HashMap<String, String>();
  options.put("doNotPrompt", "true");
  options.put("storeKey", "true");
  options.put("useKeyTab", "true");
  options.put("principal", principal);
  options.put("keyTab", keyTabFile);
  options.put("refreshKrb5Config", "true");
  AppConfigurationEntry entry = new AppConfigurationEntry(
      KerberosUtil.getKrb5LoginModuleName(),
      AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
      options);
  return new AppConfigurationEntry[] { entry };
}
}
/**
 * Verify whether the auth_to_local rules transform the configured principal
 * into a plain short name.
 * <p>
 * A local user name such as "bar@foo.com" may be harmless, so it is only
 * reported as a warning. However, if a transformation to "bar" was intended,
 * a rule that did not fire can be hard to debug -- hence this check.
 * <p>
 * A null principal is rejected up front via {@code failif}; an
 * {@link IOException} from the short-name lookup is escalated to a
 * {@code KerberosDiagsFailure}; an {@link IllegalArgumentException} from
 * {@code KerberosName} is reported through {@code error} instead.
 */
protected void validateShortName() {
  failif(principal == null, CAT_KERBEROS, "No principal defined");
  try {
    String shortName = new KerberosName(principal).getShortName();
    if (nonSimplePattern.matcher(shortName).find()) {
      // An '@' or '/' survived the rules: the intended mapping probably did not apply.
      warn(CAT_KERBEROS,
          principal + " short name: " + shortName + " still contains @ or /");
    }
  } catch (IOException e) {
    throw new KerberosDiagsFailure(CAT_KERBEROS, e,
        "Failed to get short name for " + principal, e);
  } catch (IllegalArgumentException e) {
    error(CAT_KERBEROS, "KerberosName(" + principal + ") failed: %s\n%s",
        e, StringUtils.stringifyException(e));
  }
}
/**
 * Wraps {@code name} in a new {@code KerberosName}; the string is handed to
 * {@code KerberosName} unchanged, so any parsing/validation is its.
 *
 * @param name principal name to wrap
 */
public KerberosNameShim(String name) {
  this.kerberosName = new KerberosName(name);
}
spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*")); if (spnegoPrincipals.length == 0) { throw new ServletException("Principals do not exist in the keytab"); KerberosName.setRules(nameRules);
/**
 * Builds a test Configuration with Kerberos enabled for both the cluster
 * ({@code hbase.security.authentication}) and the HTTP UI, pointing SPNEGO at
 * the given principal and keytab.
 * <p>
 * Side effect: installs the "DEFAULT" auth_to_local rules through the static
 * {@code KerberosName.setRules}, which lives outside the returned
 * Configuration and presumably affects every caller in the JVM.
 *
 * @param serverPrincipal SPNEGO principal the HTTP server authenticates as
 * @param serverKeytab    keytab holding that principal's key; stored as an absolute path
 * @return configuration with Kerberos, the UI authentication type, the SPNEGO
 *         principal/keytab and the test thread limit set
 */
private static Configuration buildSpnegoConfiguration(String serverPrincipal, File serverKeytab) {
  KerberosName.setRules("DEFAULT");
  String keytabPath = serverKeytab.getAbsolutePath();

  Configuration conf = new Configuration();
  conf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS);
  // Kerberos on the cluster is a prerequisite for Kerberos on the UI.
  conf.set("hbase.security.authentication", "kerberos");
  conf.set(HttpServer.HTTP_UI_AUTHENTICATION, "kerberos");
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY, serverPrincipal);
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY, keytabPath);
  return conf;
}
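/**
 * Produces the client's next GSS/Kerberos token for the {@code HTTP/<authServer>}
 * service, continuing from {@code input} (pass an empty array for the first
 * leg), and returns the raw token bytes for the caller to send.
 * <p>
 * Security notes:
 * <ul>
 *   <li>{@code requestCredDeleg(true)} asks to forward the caller's Kerberos
 *       credentials to the service. Only do this against a server you trust
 *       with your identity; it is not needed merely to authenticate.</li>
 *   <li>Mutual authentication is requested, but the context object never
 *       leaves this method, so any server reply is not verified here --
 *       the caller gets only the outgoing token.</li>
 * </ul>
 * The context is explicitly disposed before returning so its cryptographic
 * state is released rather than left to the garbage collector.
 *
 * @return the token produced by {@code initSecContext} for this leg
 * @throws GSSException if name/context creation or the context step fails
 */
public byte[] run() throws UnknownHostException, ClassNotFoundException, GSSException,
    IllegalAccessException, NoSuchFieldException {
  GSSManager gssManager = GSSManager.getInstance();
  String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", authServer);
  Oid serviceOid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
  GSSName serviceName = gssManager.createName(servicePrincipal, serviceOid);
  Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
  // null credential = the default initiator credential; lifetime 0 = GSSContext.DEFAULT_LIFETIME
  GSSContext gssContext = gssManager.createContext(serviceName, mechOid, null, 0);
  try {
    gssContext.requestCredDeleg(true);
    gssContext.requestMutualAuth(true);
    return gssContext.initSecContext(input, 0, input.length);
  } finally {
    // Release the context's resources; the original simply dropped the reference.
    gssContext.dispose();
  }
}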
case KERBEROS_SSL: try { KerberosUtil.getDefaultRealm(); } catch (Exception ke) { throw new IllegalArgumentException("Can't get Kerberos realm", ke);
try { Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"); GSSManager manager = GSSManager.getInstance();
secretProvider.destroy();
/**
 * Realm component of the wrapped principal, delegated without change to the
 * wrapped {@code KerberosName}.
 */
@Override
public String getRealm() {
  final String realm = kerberosName.getRealm();
  return realm;
}
tokenStr = cookie.getValue(); try { tokenStr = mySigner.verifyAndExtract(tokenStr);
/**
 * Default realm as reported by the wrapped {@code KerberosName}; nothing is
 * computed here, the call is forwarded as-is.
 */
@Override
public String getDefaultRealm() {
  final String realm = kerberosName.getDefaultRealm();
  return realm;
}
/**
 * Supplies the JAAS login entry for {@code loginContextName}: a single
 * REQUIRED Krb5LoginModule login driven by a keytab. The option names differ
 * by vendor: on IBM Java the keytab path goes in {@code useKeytab} with
 * {@code credsType=both}; elsewhere {@code useKeyTab}/{@code keyTab} are used
 * with prompting disabled and the key stored in the Subject.
 * {@code principal} and {@code refreshKrb5Config} are set in both cases.
 * <p>
 * Any other application name is answered by {@code baseConfig} when one is
 * present, otherwise by {@code null} (no entry).
 *
 * @param appName JAAS application (login-context) name being looked up
 * @return one Krb5LoginModule entry for our context, the base configuration's
 *         answer for anything else, or {@code null}
 */
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
  if (!loginContextName.equals(appName)) {
    // Not our context: defer to the wrapped configuration if there is one.
    return baseConfig == null ? null : baseConfig.getAppConfigurationEntry(appName);
  }
  Map<String, String> options = new HashMap<String, String>();
  if (IBM_JAVA) {
    options.put("credsType", "both");
    options.put("useKeytab", keyTabFile);
  } else {
    options.put("doNotPrompt", "true");
    options.put("storeKey", "true");
    options.put("useKeyTab", "true");
    options.put("keyTab", keyTabFile);
  }
  options.put("principal", principal);
  options.put("refreshKrb5Config", "true");
  AppConfigurationEntry entry = new AppConfigurationEntry(
      KerberosUtil.getKrb5LoginModuleName(),
      LoginModuleControlFlag.REQUIRED,
      options);
  return new AppConfigurationEntry[] { entry };
}
}
/**
 * Applies the Kerberos test settings to {@code conf}: "DEFAULT" auth_to_local
 * rules (a static call on {@code KerberosName}, not part of {@code conf}),
 * the server and SPNEGO principals with their keytabs (absolute paths), HTTP
 * transport, and Thrift proxy-user support.
 * <p>
 * NOTE(review): {@code hadoop.proxyuser.hbase.hosts} and {@code .groups} are
 * both "*", which in Hadoop's proxy-user model lets the hbase user
 * impersonate any user from any host. Fine for this fixture; a production
 * configuration should restrict both.
 *
 * @param conf configuration mutated in place
 */
private static void addSecurityConfigurations(Configuration conf) {
  KerberosName.setRules("DEFAULT");

  String serverKeytabPath = serverKeytab.getAbsolutePath();
  String spnegoKeytabPath = spnegoServerKeytab.getAbsolutePath();

  HBaseKerberosUtils.setKeytabFileForTesting(serverKeytabPath);
  HBaseKerberosUtils.setSecuredConfiguration(conf, serverPrincipal, spnegoServerPrincipal);

  conf.setBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, true);
  conf.setBoolean(Constants.USE_HTTP_CONF_KEY, true);
  conf.set("hadoop.proxyuser.hbase.hosts", "*");
  conf.set("hadoop.proxyuser.hbase.groups", "*");

  conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
  conf.set(Constants.THRIFT_KEYTAB_FILE_KEY, serverKeytabPath);
  conf.set(Constants.THRIFT_SPNEGO_PRINCIPAL_KEY, spnegoServerPrincipal);
  conf.set(Constants.THRIFT_SPNEGO_KEYTAB_FILE_KEY, spnegoKeytabPath);
}
/**
 * Supplies the JAAS login entry for {@code loginContextName}: a single
 * REQUIRED Krb5LoginModule login driven by a keytab. The option names differ
 * by vendor: on IBM Java the keytab path goes in {@code useKeytab} with
 * {@code credsType=both}; elsewhere {@code useKeyTab}/{@code keyTab} are used
 * with prompting disabled and the key stored in the Subject.
 * {@code principal} and {@code refreshKrb5Config} are set in both cases.
 * <p>
 * Any other application name is answered by {@code baseConfig} when one is
 * present, otherwise by {@code null} (no entry).
 *
 * @param appName JAAS application (login-context) name being looked up
 * @return one Krb5LoginModule entry for our context, the base configuration's
 *         answer for anything else, or {@code null}
 */
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
  if (!loginContextName.equals(appName)) {
    // Not our context: defer to the wrapped configuration if there is one.
    return baseConfig == null ? null : baseConfig.getAppConfigurationEntry(appName);
  }
  Map<String, String> options = new HashMap<String, String>();
  if (IBM_JAVA) {
    options.put("credsType", "both");
    options.put("useKeytab", keyTabFile);
  } else {
    options.put("doNotPrompt", "true");
    options.put("storeKey", "true");
    options.put("useKeyTab", "true");
    options.put("keyTab", keyTabFile);
  }
  options.put("principal", principal);
  options.put("refreshKrb5Config", "true");
  AppConfigurationEntry entry = new AppConfigurationEntry(
      KerberosUtil.getKrb5LoginModuleName(),
      LoginModuleControlFlag.REQUIRED,
      options);
  return new AppConfigurationEntry[] { entry };
}
}
KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options