private synchronized void serviceLogin() throws AuthLoginException {
    debug.message("New Service Login ...");
    System.setProperty("java.security.krb5.realm", kdcRealm);
    System.setProperty("java.security.krb5.kdc", kdcServer);
    System.setProperty("java.security.auth.login.config", "/dev/null");

    try {
      Configuration config = Configuration.getConfiguration();
      WindowsDesktopSSOConfig wtc = null;
      if (config instanceof WindowsDesktopSSOConfig) {
        wtc = (WindowsDesktopSSOConfig) config;
        wtc.setRefreshConfig("true");
      } else {
        wtc = new WindowsDesktopSSOConfig(config);
      }
      wtc.setPrincipalName(servicePrincipalName);
      wtc.setKeyTab(keyTabFile);
      Configuration.setConfiguration(wtc);

      // perform service authentication using JDK Kerberos module
      LoginContext lc = new LoginContext(WindowsDesktopSSOConfig.defaultAppName);
      lc.login();

      serviceSubject = lc.getSubject();
      debug.message("Service login succeeded.");
    } catch (Exception e) {
      debug.error("Service Login Error: ");
      if (debug.messageEnabled()) {
        debug.message("Stack trace: ", e);
      }
      throw new AuthLoginException(amAuthWindowsDesktopSSO, "serviceAuth", null, e);
    }
  }
  /**
   * Set the configuration values for UGI.
   *
   * @param conf the configuration to use
   */
  private static synchronized void initialize(Configuration conf) {
    String value = conf.get(HADOOP_SECURITY_AUTHENTICATION);
    if (value == null || "simple".equals(value)) {
      useKerberos = false;
      useConfiguredFileAuth = false;
    } else if ("kerberos".equals(value)) {
      useKerberos = true;
      useConfiguredFileAuth = false;
    } else if ("configfile".equals(value)) {
      useKerberos = false;
      useConfiguredFileAuth = true;
    } else {
      throw new IllegalArgumentException(
          "Invalid attribute value for " + HADOOP_SECURITY_AUTHENTICATION + " of " + value);
    }

    // The getUserToGroupsMappingService will change the conf value, record the UGI information
    // firstly
    if (configUGIInformation == null) {
      configUGIInformation = conf.getStrings("hadoop.client.ugi");
    }

    // If we haven't set up testing groups, use the configuration to find it
    if (!(groups instanceof TestingGroups)) {
      groups = Groups.getUserToGroupsMappingService(conf);
    }
    // Set the configuration for JAAS to be the Hadoop configuration.
    // This is done here rather than a static initializer to avoid a
    // circular dependence.
    javax.security.auth.login.Configuration existingConfig = null;
    try {
      existingConfig = javax.security.auth.login.Configuration.getConfiguration();
    } catch (SecurityException se) {
      // If no security configuration is on the classpath, then
      // we catch this exception, and we don't need to delegate
      // to anyone
    }

    if (existingConfig instanceof HadoopConfiguration) {
      LOG.info("JAAS Configuration already set up for Hadoop, not re-installing.");
    } else {
      javax.security.auth.login.Configuration.setConfiguration(
          new HadoopConfiguration(existingConfig));
    }

    // We're done initializing at this point. Important not to classload
    // KerberosName before this point, or else its static initializer
    // may call back into this same method!
    isInitialized = true;
    UserGroupInformation.conf = conf;

    // give the configuration on how to translate Kerberos names
    try {
      KerberosName.setConfiguration(conf);
    } catch (IOException ioe) {
      throw new RuntimeException(
          "Problem with Kerberos auth_to_local name " + "configuration", ioe);
    }
  }
  private static void validate(
      final String username,
      final String password,
      final String krbfile,
      final String loginfile,
      final String moduleName)
      throws FileNotFoundException, NoSuchAlgorithmException {

    // confirm username was provided
    if (null == username || username.isEmpty()) {
      throw new IllegalArgumentException("Must provide a username");
    }

    // confirm password was provided
    if (null == password || password.isEmpty()) {
      throw new IllegalArgumentException("Must provide a password");
    }

    // confirm krb5.conf file exists
    if (null == krbfile || krbfile.isEmpty()) {
      throw new IllegalArgumentException("Must provide a krb5 file");
    } else {
      final File file = new File(krbfile);
      if (!file.exists()) {
        throw new FileNotFoundException(krbfile);
      }
    }

    // confirm loginfile
    if (null == loginfile || loginfile.isEmpty()) {
      throw new IllegalArgumentException("Must provide a login file");
    } else {
      final File file = new File(loginfile);
      if (!file.exists()) {
        throw new FileNotFoundException(loginfile);
      }
    }

    // confirm that runtime loaded the login file
    final Configuration config = Configuration.getConfiguration();

    // confirm that the module name exists in the file
    if (null == config.getAppConfigurationEntry(moduleName)) {
      throw new IllegalArgumentException(
          "The module name " + moduleName + " was not found in the login file");
    }
  }
  /**
   * Setup a JAAS Configuration that handles a fake app. This runs before UserGroupInformation has
   * been initialized, so UGI picks up this Configuration as the parent.
   */
  private static void setupMockJaasParent() {
    javax.security.auth.login.Configuration existing = null;
    try {
      existing = javax.security.auth.login.Configuration.getConfiguration();
      assertFalse(
          "setupMockJaasParent should run before the Hadoop "
              + "configuration provider is installed.",
          existing.getClass().getCanonicalName().startsWith("org.apache.hadoop"));
    } catch (SecurityException se) {
      // We get this if no configuration has been set. So it's OK.
    }

    mockJaasConf = mock(javax.security.auth.login.Configuration.class);
    Mockito.doReturn(new AppConfigurationEntry[] {})
        .when(mockJaasConf)
        .getAppConfigurationEntry("foobar-app");
    javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
  }
Exemple #5
0
  public static void main(String[] args) {

    Configuration config = null;
    try {
      config = Configuration.getConfiguration();
    } catch (SecurityException se) {
      System.out.println("test 1 failed");
      throw se;
    }

    AppConfigurationEntry[] entries = config.getAppConfigurationEntry("InnerClassConfig");

    System.out.println("module = " + entries[0].getLoginModuleName());
    if (entries[0].getLoginModuleName().equals("package.Foo$Bar")) {
      System.out.println("test succeeded");
    } else {
      System.out.println("test 2 failed");
      throw new SecurityException("package name incorrect");
    }
  }