/** * Merges the two {@link Subject}s in to a new {@link Subject}. The new subjects contains all the * {@link Principal}s from both subjects. If {@link #retainSubjectsPrivateCredentials} is true * then the new subject will contain all the private credentials from both subjects, if not the * new subject will not contain private credentials. If {@link #retainSubjectsPublicCredentials} * is true then the new subject will contain all the public credentials from both subjects, if not * the new subject will not contain public credentials. * * @param subject1 first subject to merge, may be null * @param subject2 second subject to merge, may be null * @return subject containing the merged information */ protected Subject mergeSubjects(Subject subject1, Subject subject2) { if (subject1 == null && subject2 == null) { return new Subject(); } if (subject1 == null) { return subject2; } if (subject2 == null) { return subject1; } Set<Principal> principals = new HashSet<Principal>(3); principals.addAll(subject1.getPrincipals()); principals.addAll(subject2.getPrincipals()); Set<Object> publicCredentials = new HashSet<Object>(3); if (retainSubjectsPublicCredentials) { LOG.debug("Merging in subjects public credentials"); publicCredentials.addAll(subject1.getPublicCredentials()); publicCredentials.addAll(subject2.getPublicCredentials()); } Set<Object> privateCredentials = new HashSet<Object>(3); if (retainSubjectsPrivateCredentials) { LOG.debug("Merging in subjects private credentials"); privateCredentials.addAll(subject1.getPrivateCredentials()); privateCredentials.addAll(subject2.getPrivateCredentials()); } return new Subject(false, principals, publicCredentials, privateCredentials); }
/** * Builds a security subject object based on the principal name and credential you pass. * * <p> * * @param principal * @param passwordCredential * @return a subject for use in the WBEMClient */ public Subject subject(final String principal, final String passwordCredential) { final Subject subject = new Subject(); subject.getPrincipals().add(new UserPrincipal(principal)); subject.getPrivateCredentials().add(new GetCim.PasswordCredential(passwordCredential)); return subject; }
/** * Obtain the collection of tokens associated with this user. * * @return an unmodifiable collection of tokens associated with user */ public synchronized Collection<Token<? extends TokenIdentifier>> getTokens() { Set<Object> creds = subject.getPrivateCredentials(); List<Token<?>> result = new ArrayList<Token<?>>(creds.size()); for (Object o : creds) { if (o instanceof Token<?>) { result.add((Token<?>) o); } } return Collections.unmodifiableList(result); }
/* (non-Javadoc) * @see org.apache.servicemix.components.util.TransformComponentSupport#transform(javax.jbi.messaging.MessageExchange, javax.jbi.messaging.NormalizedMessage, javax.jbi.messaging.NormalizedMessage) */ @Override protected boolean transform( MessageExchange exchange, NormalizedMessage inMsg, NormalizedMessage outMsg) throws Exception { boolean success = false; try { Subject subject = inMsg.getSecuritySubject(); // Get principal Principal principal = null; Set<GridIdentifierPrincipal> principals = subject.getPrincipals(GridIdentifierPrincipal.class); if (principals == null || principals.size() == 0) { throw new RuntimeException("No GridIdentifierPrincipal found!"); } else if (principals.size() > 1) { throw new RuntimeException(principals.size() + " GridIdentifierPrincipals found!"); } principal = principals.iterator().next(); System.out.println("## Principal is: " + principal.getName()); // Get cert chain X509Certificate[] chain = null; Set<X509Certificate[]> chains = subject.getPublicCredentials(X509Certificate[].class); if (chains == null || chains.size() == 0) { throw new RuntimeException("No X509Certificate[] found!"); } else if (chains.size() > 1) { throw new RuntimeException(chains.size() + " X509Certificate[]s found!"); } chain = chains.iterator().next(); // Get private key PrivateKey privateKey = null; Set<PrivateKey> privateKeys = subject.getPrivateCredentials(PrivateKey.class); if (privateKeys == null || privateKeys.size() == 0) { throw new RuntimeException("No PrivateKey found!"); } else if (privateKeys.size() > 1) { throw new RuntimeException(chains.size() + " PrivateKeys found!"); } privateKey = privateKeys.iterator().next(); GlobusCredential cred = new GlobusCredential(privateKey, chain); System.out.println("## Identity is: " + cred.getIdentity()); String inMsgXml = new SourceTransformer().contentToString(inMsg); outMsg.setContent(new StreamSource(new ByteArrayInputStream(inMsgXml.getBytes()))); success = true; } catch (Exception ex) { ex.printStackTrace(); } return success; }
public String getPassword() { String ret = null; try { ret = ((ConfigFileCredentials) subject.getPrivateCredentials().iterator().next()).getPassword(); } catch (Throwable t) { LOG.warn("UserGroupInformation.getPassword fail, exception: " + t); // t.printStackTrace(); } return ret; }
public static UserGroupInformation createConfigFileUser(String user, String password) { if (user == null || "".equals(user)) { throw new IllegalArgumentException("Null user"); } Subject subject = new Subject(); subject.getPrincipals().add(new User(user)); subject.getPrivateCredentials().add(new ConfigFileCredentials(password)); UserGroupInformation result = new UserGroupInformation(subject); result.setAuthenticationMethod(AuthenticationMethod.CONFIGFILE); return result; }
// helper methods here on down private static SSOToken getSSOToken(Subject subject) { Set privateCred = subject.getPrivateCredentials(); for (Iterator i = privateCred.iterator(); i.hasNext(); ) { Object o = i.next(); if (o instanceof SSOToken) { return (SSOToken) o; } } return null; }
private boolean validLoginContext() { if (loginContext == null) return false; Subject subject = loginContext.getSubject(); if (subject == null) return false; Set<KerberosTicket> privateCreds = subject.getPrivateCredentials(KerberosTicket.class); if (privateCreds == null || privateCreds.size() == 0) return false; Iterator<KerberosTicket> iterator = privateCreds.iterator(); KerberosTicket ticket = iterator.next(); return ticket.isCurrent(); }
/** * Get the Kerberos TGT * * @return the user's TGT or null if none was found */ private synchronized KerberosTicket getTGT() { Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class); for (KerberosTicket ticket : tickets) { KerberosPrincipal server = ticket.getServer(); if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) { if (LOG.isDebugEnabled()) { LOG.debug("Found tgt " + ticket); } return ticket; } } return null; }
/** * Put user into realm. * * @param userName The user to add * @param credential The users Credentials * @param roles The users roles * @return UserIdentity */ public synchronized UserIdentity putUser(String userName, Credential credential, String[] roles) { Principal userPrincipal = new KnownUser(userName, credential); Subject subject = new Subject(); subject.getPrincipals().add(userPrincipal); subject.getPrivateCredentials().add(credential); if (roles != null) for (String role : roles) subject.getPrincipals().add(new RolePrincipal(role)); subject.setReadOnly(); UserIdentity identity = _identityService.newUserIdentity(subject, userPrincipal, roles); _users.put(userName, identity); return identity; }
public Map<String, Set<String>> getAttributes(Subject subject, Set<String> attrNames) throws EntitlementException { // read original attributes Map<String, Set<String>> attributes = super.getAttributes(subject, attrNames); // find token if present Set<AccessToken> accessTokenCredentials = subject.getPrivateCredentials(AccessToken.class); if (accessTokenCredentials != null && !accessTokenCredentials.isEmpty()) { Set<String> set = new HashSet<String>(); set.add(accessTokenCredentials.iterator().next().getToken()); attributes.put(ACCESS_TOKEN_ATTRIBUTE_NAME, set); } return attributes; }
public String getserverstatus( String ipAddress, String username, String password, String namespace, String port, String protocol, String ftag) { this.status = "OFFLINE"; this.ftag = ftag; String unsecureClientNameSpace = protocol + "://" + ipAddress + ":" + port + "/" + namespace; try { CIMObjectPath cns = new CIMObjectPath(unsecureClientNameSpace); UserPrincipal up = new UserPrincipal(username); PasswordCredential pc = new PasswordCredential(password); Subject s = new Subject(); s.getPrincipals().add(up); s.getPrivateCredentials().add(pc); this.cc = WBEMClientFactory.getClient("CIM-XML"); Locale[] l = {Locale.ENGLISH, Locale.CHINESE}; this.cc.initialize(cns, s, l); try { this.instanceEnum = this.cc.enumerateInstances( new CIMObjectPath("CIM_System", namespace), true, false, true, null); } catch (WBEMException ce) { this.instanceEnum = null; } if (this.instanceEnum == null) { this.status = "OFFLINE"; // this.ucs.updateCimom(Cimom.STATUS_OFFLINE, cimomId); } else if (instanceEnum != null) { this.status = "ONLINE"; // this.ucs.updateCimom(Cimom.STATUS_ONLINE, cimomId); } } catch (WBEMException ce) { // ucs.updateCimom(Cimom.STATUS_OFFLINE, cimomId); } // return this.cc; return this.status; }
@Override public UserGroupInformation cloneUgi(UserGroupInformation baseUgi) throws IOException { // Based on UserGroupInformation::createProxyUser. // TODO: use a proper method after we can depend on HADOOP-13081. if (getSubjectMethod == null) { throw new IOException("The UGI method was not found: " + ugiCloneError); } try { Subject origSubject = (Subject) getSubjectMethod.invoke(baseUgi); Subject subject = new Subject( false, origSubject.getPrincipals(), origSubject.getPublicCredentials(), origSubject.getPrivateCredentials()); return ugiCtor.newInstance(subject); } catch (InstantiationException | IllegalAccessException | InvocationTargetException e) { throw new IOException(e); } }
/** * Put user into realm. Called by implementations to put the user data loaded from file/db etc * into the user structure. * * @param userName User name * @param info a UserIdentity instance, or a String password or Credential instance * @return User instance */ protected synchronized UserIdentity putUser(String userName, Object info) { final UserIdentity identity; if (info instanceof UserIdentity) identity = (UserIdentity) info; else { Credential credential = (info instanceof Credential) ? (Credential) info : Credential.getCredential(info.toString()); Principal userPrincipal = new KnownUser(userName, credential); Subject subject = new Subject(); subject.getPrincipals().add(userPrincipal); subject.getPrivateCredentials().add(credential); subject.setReadOnly(); identity = _identityService.newUserIdentity(subject, userPrincipal, IdentityService.NO_ROLES); } _users.put(userName, identity); return identity; }
/** whether user is authorized? */ public boolean isAuthorized() { if (!useConfiguredFileAuth) { return true; } Set privateCredList = subject.getPrivateCredentials(); String userName = user.getName(); String userPassword = null; if ((userName == null) || (privateCredList == null)) { return false; } userPassword = getPassword(); try { String correctPassword = groups.getPassword(user.getName()); if ((correctPassword != null) && (correctPassword.equals(userPassword))) { return true; } } catch (Exception e) { e.printStackTrace(); } return false; }
@Override public boolean commit() throws LoginException { // if we already have a user, we are done. if (!subject.getPrincipals(User.class).isEmpty()) { return true; } Principal user = null; // if we are using kerberos, try it out if (useKerberos) { user = getCanonicalUser(KerberosPrincipal.class); } // if we don't have a kerberos user, use configured user if ((user == null) && (useConfiguredFileAuth)) { if (configUGIInformation == null) { configUGIInformation = conf.getStrings("hadoop.client.ugi"); } if ((configUGIInformation != null) && (configUGIInformation.length == 2)) { LOG.info( "Using the configured user name and password, user name is " + configUGIInformation[0]); user = new User(configUGIInformation[0].trim(), configUGIInformation[1].trim()); ConfigFileCredentials configFileCredentials = new ConfigFileCredentials(configUGIInformation[1]); subject.getPrivateCredentials().add(configFileCredentials); } else if ((configUGIInformation != null) && (configUGIInformation.length == 1)) { // get the username and password from config file String configedPath = configUGIInformation[0]; String filePath = null; if ("/".equals(configedPath.substring(0, 1))) { filePath = configedPath; } else { // Get path from home directory String usrHome = System.getProperty("user.home"); filePath = usrHome + "/" + configedPath; } BufferedReader reader = null; try { File file = new File(filePath); reader = new BufferedReader(new FileReader(file)); // Only read the first line String tempString = reader.readLine(); reader.close(); configUGIInformation = tempString.split(","); if ((configUGIInformation != null) && (configUGIInformation.length == 2)) { LOG.info( "Load user ugi information from " + filePath + ", user name is " + configUGIInformation[0]); user = new User(configUGIInformation[0].trim(), configUGIInformation[1].trim()); ConfigFileCredentials configFileCredentials = new ConfigFileCredentials(configUGIInformation[1]); subject.getPrivateCredentials().add(configFileCredentials); } } catch (IOException e) { throw new LoginException("Read username password file fail"); } finally { if (reader != null) { try { reader.close(); } catch (IOException e1) { throw new LoginException("Read username password file fail"); } } } } } // if we don't have a configured user, use the OS user if (user == null) { user = getCanonicalUser(OS_PRINCIPAL_CLASS); } // if we found the user, add our principal if (user != null) { if ((user instanceof User) && (((User) user).getPassword() != null)) { subject.getPrincipals().add(new User(user.getName(), ((User) user).getPassword())); } else { subject.getPrincipals().add(new User(user.getName())); } return true; } LOG.error("Can't find user in " + subject); throw new LoginException("Can't find user name"); }
/** Create a KerberosSaslNettyClient for authentication with servers. */ public KerberosSaslNettyClient(Map storm_conf, String jaas_section) { LOG.debug( "KerberosSaslNettyClient: Creating SASL {} client to authenticate to server ", SaslUtils.KERBEROS); LOG.info("Creating Kerberos Client."); Configuration login_conf; try { login_conf = AuthUtils.GetConfiguration(storm_conf); } catch (Throwable t) { LOG.error("Failed to get login_conf: ", t); throw t; } LOG.debug("KerberosSaslNettyClient: authmethod {}", SaslUtils.KERBEROS); SaslClientCallbackHandler ch = new SaslClientCallbackHandler(); subject = null; try { LOG.debug("Setting Configuration to login_config: {}", login_conf); // specify a configuration object to be used Configuration.setConfiguration(login_conf); // now login LOG.debug("Trying to login."); Login login = new Login(jaas_section, ch); subject = login.getSubject(); LOG.debug("Got Subject: {}", subject.toString()); } catch (LoginException ex) { LOG.error("Client failed to login in principal:" + ex, ex); throw new RuntimeException(ex); } // check the credential of our principal if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) { LOG.error("Failed to verify user principal."); throw new RuntimeException( "Fail to verify user principal with section \"" + jaas_section + "\" in login configuration file " + login_conf); } String serviceName = null; try { serviceName = AuthUtils.get(login_conf, jaas_section, "serviceName"); } catch (IOException e) { LOG.error("Failed to get service name.", e); throw new RuntimeException(e); } try { Principal principal = (Principal) subject.getPrincipals().toArray()[0]; final String fPrincipalName = principal.getName(); final String fHost = (String) storm_conf.get(Config.PACEMAKER_HOST); final String fServiceName = serviceName; final CallbackHandler fch = ch; LOG.debug("Kerberos Client with principal: {}, host: {}", fPrincipalName, fHost); saslClient = Subject.doAs( subject, new PrivilegedExceptionAction<SaslClient>() { public SaslClient run() { try { Map<String, String> props = new TreeMap<String, String>(); props.put(Sasl.QOP, "auth"); props.put(Sasl.SERVER_AUTH, "false"); return Sasl.createSaslClient( new String[] {SaslUtils.KERBEROS}, fPrincipalName, fServiceName, fHost, props, fch); } catch (Exception e) { LOG.error("Subject failed to create sasl client.", e); return null; } } }); LOG.info("Got Client: {}", saslClient); } catch (PrivilegedActionException e) { LOG.error("KerberosSaslNettyClient: Could not create Sasl Netty Client."); throw new RuntimeException(e); } }
public UserIdentity login(String userName, Object credential) { // AuthFactory supports both a bare username, as well as user@domain. However, UserManager only // accepts the bare // username. If the provided value includes a domain, use only the node-part (after verifying // that it's actually // a user of our domain). final String[] parts = userName.split("@", 2); if (parts.length > 1) { if (XMPPServer.getInstance().getServerInfo().getXMPPDomain().equals(parts[1])) { userName = parts[0]; } else { Log.error("access denied, unknown domain" + userName); return null; } } UserIdentity identity = null; if (identities.containsKey(userName)) { identity = identities.get(userName); if (authTokens.containsKey(userName) == false) { Log.debug("UserIdentity login " + userName + " "); try { AuthToken authToken = AuthFactory.authenticate(userName, (String) credential); authTokens.put(userName, authToken); } catch (UnauthorizedException e) { Log.error("access denied, bad password " + userName); return null; } catch (Exception e) { Log.error("access denied " + userName); return null; } } } else { Log.debug("UserIdentity login " + userName + " "); try { userManager.getUser(userName); } catch (UserNotFoundException e) { Log.error("user not found " + userName, e); return null; } try { AuthToken authToken = AuthFactory.authenticate(userName, (String) credential); authTokens.put(userName, authToken); } catch (UnauthorizedException e) { Log.error("access denied, bad password " + userName); return null; } catch (Exception e) { Log.error("access denied " + userName); return null; } Principal userPrincipal = new KnownUser(userName, credential); Subject subject = new Subject(); subject.getPrincipals().add(userPrincipal); subject.getPrivateCredentials().add(credential); subject.getPrincipals().add(new RolePrincipal("ofmeet")); subject.setReadOnly(); identity = _identityService.newUserIdentity(subject, userPrincipal, new String[] {"ofmeet"}); identities.put(userName, identity); } return identity; }
public void setJAASInfo(Subject subject) { subject.getPrincipals().add(this.principal); subject.getPrivateCredentials().add(this.user.getCredential()); subject.getPrincipals().addAll(roles); }
/** * Add a token to this UGI * * @param token Token to be added * @return true on successful add of new token */ public synchronized boolean addToken(Token<? extends TokenIdentifier> token) { return subject.getPrivateCredentials().add(token); }
public void unsetJAASInfo(Subject subject) { subject.getPrincipals().remove(this.principal); subject.getPrivateCredentials().remove(this.user.getCredential()); subject.getPrincipals().removeAll(this.roles); }
/** * Create a UserGroupInformation for the given subject. This does not change the subject or * acquire new credentials. * * @param subject the user's subject */ UserGroupInformation(Subject subject) { this.subject = subject; this.user = subject.getPrincipals(User.class).iterator().next(); this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty(); this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty(); }