private synchronized void serviceLogin() throws AuthLoginException {
debug.message("New Service Login ...");
System.setProperty("java.security.krb5.realm", kdcRealm);
System.setProperty("java.security.krb5.kdc", kdcServer);
System.setProperty("java.security.auth.login.config", "/dev/null");
try {
Configuration config = Configuration.getConfiguration();
WindowsDesktopSSOConfig wtc = null;
if (config instanceof WindowsDesktopSSOConfig) {
wtc = (WindowsDesktopSSOConfig) config;
wtc.setRefreshConfig("true");
} else {
wtc = new WindowsDesktopSSOConfig(config);
}
wtc.setPrincipalName(servicePrincipalName);
wtc.setKeyTab(keyTabFile);
Configuration.setConfiguration(wtc);
// perform service authentication using JDK Kerberos module
LoginContext lc = new LoginContext(WindowsDesktopSSOConfig.defaultAppName);
lc.login();
serviceSubject = lc.getSubject();
debug.message("Service login succeeded.");
} catch (Exception e) {
debug.error("Service Login Error: ");
if (debug.messageEnabled()) {
debug.message("Stack trace: ", e);
}
throw new AuthLoginException(amAuthWindowsDesktopSSO, "serviceAuth", null, e);
}
}
/**
* Set the configuration values for UGI.
*
* @param conf the configuration to use
*/
private static synchronized void initialize(Configuration conf) {
String value = conf.get(HADOOP_SECURITY_AUTHENTICATION);
if (value == null || "simple".equals(value)) {
useKerberos = false;
useConfiguredFileAuth = false;
} else if ("kerberos".equals(value)) {
useKerberos = true;
useConfiguredFileAuth = false;
} else if ("configfile".equals(value)) {
useKerberos = false;
useConfiguredFileAuth = true;
} else {
throw new IllegalArgumentException(
"Invalid attribute value for " + HADOOP_SECURITY_AUTHENTICATION + " of " + value);
}
// The getUserToGroupsMappingService will change the conf value, record the UGI information
// firstly
if (configUGIInformation == null) {
configUGIInformation = conf.getStrings("hadoop.client.ugi");
}
// If we haven't set up testing groups, use the configuration to find it
if (!(groups instanceof TestingGroups)) {
groups = Groups.getUserToGroupsMappingService(conf);
}
// Set the configuration for JAAS to be the Hadoop configuration.
// This is done here rather than a static initializer to avoid a
// circular dependence.
javax.security.auth.login.Configuration existingConfig = null;
try {
existingConfig = javax.security.auth.login.Configuration.getConfiguration();
} catch (SecurityException se) {
// If no security configuration is on the classpath, then
// we catch this exception, and we don't need to delegate
// to anyone
}
if (existingConfig instanceof HadoopConfiguration) {
LOG.info("JAAS Configuration already set up for Hadoop, not re-installing.");
} else {
javax.security.auth.login.Configuration.setConfiguration(
new HadoopConfiguration(existingConfig));
}
// We're done initializing at this point. Important not to classload
// KerberosName before this point, or else its static initializer
// may call back into this same method!
isInitialized = true;
UserGroupInformation.conf = conf;
// give the configuration on how to translate Kerberos names
try {
KerberosName.setConfiguration(conf);
} catch (IOException ioe) {
throw new RuntimeException(
"Problem with Kerberos auth_to_local name " + "configuration", ioe);
}
}
private static void validate(
final String username,
final String password,
final String krbfile,
final String loginfile,
final String moduleName)
throws FileNotFoundException, NoSuchAlgorithmException {
// confirm username was provided
if (null == username || username.isEmpty()) {
throw new IllegalArgumentException("Must provide a username");
}
// confirm password was provided
if (null == password || password.isEmpty()) {
throw new IllegalArgumentException("Must provide a password");
}
// confirm krb5.conf file exists
if (null == krbfile || krbfile.isEmpty()) {
throw new IllegalArgumentException("Must provide a krb5 file");
} else {
final File file = new File(krbfile);
if (!file.exists()) {
throw new FileNotFoundException(krbfile);
}
}
// confirm loginfile
if (null == loginfile || loginfile.isEmpty()) {
throw new IllegalArgumentException("Must provide a login file");
} else {
final File file = new File(loginfile);
if (!file.exists()) {
throw new FileNotFoundException(loginfile);
}
}
// confirm that runtime loaded the login file
final Configuration config = Configuration.getConfiguration();
// confirm that the module name exists in the file
if (null == config.getAppConfigurationEntry(moduleName)) {
throw new IllegalArgumentException(
"The module name " + moduleName + " was not found in the login file");
}
}
/**
* Setup a JAAS Configuration that handles a fake app. This runs before UserGroupInformation has
* been initialized, so UGI picks up this Configuration as the parent.
*/
private static void setupMockJaasParent() {
javax.security.auth.login.Configuration existing = null;
try {
existing = javax.security.auth.login.Configuration.getConfiguration();
assertFalse(
"setupMockJaasParent should run before the Hadoop "
+ "configuration provider is installed.",
existing.getClass().getCanonicalName().startsWith("org.apache.hadoop"));
} catch (SecurityException se) {
// We get this if no configuration has been set. So it's OK.
}
mockJaasConf = mock(javax.security.auth.login.Configuration.class);
Mockito.doReturn(new AppConfigurationEntry[] {})
.when(mockJaasConf)
.getAppConfigurationEntry("foobar-app");
javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
}
public static void main(String[] args) {
Configuration config = null;
try {
config = Configuration.getConfiguration();
} catch (SecurityException se) {
System.out.println("test 1 failed");
throw se;
}
AppConfigurationEntry[] entries = config.getAppConfigurationEntry("InnerClassConfig");
System.out.println("module = " + entries[0].getLoginModuleName());
if (entries[0].getLoginModuleName().equals("package.Foo$Bar")) {
System.out.println("test succeeded");
} else {
System.out.println("test 2 failed");
throw new SecurityException("package name incorrect");
}
}
