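/**
 * Authenticates this service principal to the KDC with the JDK Kerberos login module and stores
 * the resulting subject in {@code serviceSubject}.
 *
 * <p>Side effects on JVM-global state: overwrites the system properties
 * {@code java.security.krb5.realm}, {@code java.security.krb5.kdc} and
 * {@code java.security.auth.login.config} (the last one is pointed at {@code /dev/null}), and
 * installs a {@link WindowsDesktopSSOConfig} as the process-wide JAAS {@link Configuration}.
 * The method is {@code synchronized} on this instance only, so callers on other instances are
 * not serialised against each other while touching that global state.
 *
 * @throws AuthLoginException if the JAAS login (or installing the configuration) fails; the
 *     underlying exception is attached as the cause
 */
private synchronized void serviceLogin() throws AuthLoginException {
    debug.message("New Service Login ...");
    // These properties are read by the JDK Kerberos implementation for the whole process.
    System.setProperty("java.security.krb5.realm", kdcRealm);
    System.setProperty("java.security.krb5.kdc", kdcServer);
    // Presumably so no external JAAS login file is consulted and only the programmatic
    // configuration installed below applies — TODO confirm against WindowsDesktopSSOConfig.
    System.setProperty("java.security.auth.login.config", "/dev/null");
    try {
        Configuration config = Configuration.getConfiguration();
        WindowsDesktopSSOConfig wtc;
        if (config instanceof WindowsDesktopSSOConfig) {
            // Already installed by an earlier call: reuse it and ask it to refresh.
            wtc = (WindowsDesktopSSOConfig) config;
            wtc.setRefreshConfig("true");
        } else {
            // First call: wrap whatever configuration is currently installed.
            wtc = new WindowsDesktopSSOConfig(config);
        }
        wtc.setPrincipalName(servicePrincipalName);
        wtc.setKeyTab(keyTabFile);
        Configuration.setConfiguration(wtc);
        // perform service authentication using JDK Kerberos module
        LoginContext lc = new LoginContext(WindowsDesktopSSOConfig.defaultAppName);
        lc.login();
        serviceSubject = lc.getSubject();
        debug.message("Service login succeeded.");
    } catch (Exception e) {
        // Attach the cause at error level too: previously it was only visible when
        // message-level logging was enabled, which made failed service logins hard to diagnose.
        // The broad catch is kept on purpose so every failure mode is wrapped the same way.
        debug.error("Service Login Error: ", e);
        if (debug.messageEnabled()) {
            debug.message("Stack trace: ", e);
        }
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "serviceAuth", null, e);
    }
}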
/**
 * Sets the configuration values for UGI from {@code conf}.
 *
 * <p>Reads {@code HADOOP_SECURITY_AUTHENTICATION} and sets the static authentication-mode
 * flags: an unset value or {@code "simple"} selects no Kerberos, {@code "kerberos"} enables
 * Kerberos, and {@code "configfile"} enables configured-file authentication. It then records
 * the {@code hadoop.client.ugi} strings, resolves the user-to-groups mapping service, installs
 * a {@link HadoopConfiguration} as the JVM-wide JAAS configuration (unless one is already in
 * place), marks initialization complete and finally hands {@code conf} to {@link KerberosName}.
 *
 * <p>All writes are to static state; the method is {@code static synchronized}, so callers
 * serialise on the class monitor. Note that an absent property (for example a misspelled
 * property name) falls back to simple authentication rather than failing.
 *
 * @param conf the configuration to use
 * @throws IllegalArgumentException if the authentication value is none of the accepted strings
 * @throws RuntimeException if {@link KerberosName#setConfiguration} fails with an {@link IOException}
 */
private static synchronized void initialize(Configuration conf) {
  String value = conf.get(HADOOP_SECURITY_AUTHENTICATION);
  if (value == null || "simple".equals(value)) {
    // Default when the property is absent: no Kerberos, no configured-file auth.
    useKerberos = false;
    useConfiguredFileAuth = false;
  } else if ("kerberos".equals(value)) {
    useKerberos = true;
    useConfiguredFileAuth = false;
  } else if ("configfile".equals(value)) {
    useKerberos = false;
    useConfiguredFileAuth = true;
  } else {
    throw new IllegalArgumentException(
        "Invalid attribute value for " + HADOOP_SECURITY_AUTHENTICATION + " of " + value);
  }
  // getUserToGroupsMappingService will change the conf value, so record the UGI information
  // first. It is captured only once: later calls keep the value from the first.
  if (configUGIInformation == null) {
    configUGIInformation = conf.getStrings("hadoop.client.ugi");
  }
  // If we haven't set up testing groups, use the configuration to find the mapping service.
  if (!(groups instanceof TestingGroups)) {
    groups = Groups.getUserToGroupsMappingService(conf);
  }
  // Set the configuration for JAAS to be the Hadoop configuration. This is done here rather
  // than in a static initializer to avoid a circular dependence.
  javax.security.auth.login.Configuration existingConfig = null;
  try {
    existingConfig = javax.security.auth.login.Configuration.getConfiguration();
  } catch (SecurityException se) {
    // Thrown when no JAAS configuration is available (e.g. none on the classpath). Deliberately
    // ignored: existingConfig stays null and is passed as such to HadoopConfiguration below.
  }
  if (existingConfig instanceof HadoopConfiguration) {
    LOG.info("JAAS Configuration already set up for Hadoop, not re-installing.");
  } else {
    // Wraps the previously installed configuration; presumably HadoopConfiguration delegates
    // non-Hadoop application names to it — confirm in HadoopConfiguration.
    javax.security.auth.login.Configuration.setConfiguration(
        new HadoopConfiguration(existingConfig));
  }
  // We're done initializing at this point. Important not to classload KerberosName before
  // this point, or else its static initializer may call back into this same method!
  isInitialized = true;
  UserGroupInformation.conf = conf;
  // give the configuration on how to translate Kerberos names (the auth_to_local rules)
  try {
    KerberosName.setConfiguration(conf);
  } catch (IOException ioe) {
    throw new RuntimeException(
        "Problem with Kerberos auth_to_local name " + "configuration", ioe);
  }
}
/**
 * Checks the inputs of a Kerberos login before any login is attempted.
 *
 * <p>Each argument is checked in order and the first problem is reported: username, password,
 * krb5 file, login file, then the module name. The two file checks only test that a path
 * exists ({@link File#exists()} is also true for a directory); the module name is looked up in
 * the JAAS {@link Configuration} the runtime has loaded, which can only succeed if the login
 * file was actually installed as that configuration before this call.
 *
 * @param username   user to authenticate; must be non-null and non-empty
 * @param password   password as a {@link String} (note: cannot be zeroed after use); must be
 *                   non-null and non-empty
 * @param krbfile    path to the krb5 configuration file; must exist
 * @param loginfile  path to the JAAS login file; must exist
 * @param moduleName application name that must have an entry in the loaded configuration
 * @throws IllegalArgumentException if a required value is null/empty or {@code moduleName}
 *     has no entry in the loaded configuration
 * @throws FileNotFoundException if {@code krbfile} or {@code loginfile} does not exist
 * @throws NoSuchAlgorithmException declared for callers; never thrown by this method itself
 */
private static void validate(
    final String username,
    final String password,
    final String krbfile,
    final String loginfile,
    final String moduleName)
    throws FileNotFoundException, NoSuchAlgorithmException {
  requireNonEmptyArg(username, "Must provide a username");
  requireNonEmptyArg(password, "Must provide a password");
  requireNonEmptyArg(krbfile, "Must provide a krb5 file");
  requireExistingPath(krbfile);
  requireNonEmptyArg(loginfile, "Must provide a login file");
  requireExistingPath(loginfile);
  // Ask the runtime for the configuration it loaded and make sure the module is named in it.
  final Configuration loaded = Configuration.getConfiguration();
  if (loaded.getAppConfigurationEntry(moduleName) == null) {
    throw new IllegalArgumentException(
        "The module name " + moduleName + " was not found in the login file");
  }
}

/** Rejects a null or empty argument with {@code message}. */
private static void requireNonEmptyArg(final String arg, final String message) {
  if (arg == null || arg.isEmpty()) {
    throw new IllegalArgumentException(message);
  }
}

/** Rejects a path that does not exist on disk; the path itself is the exception message. */
private static void requireExistingPath(final String path) throws FileNotFoundException {
  if (!new File(path).exists()) {
    throw new FileNotFoundException(path);
  }
}
/**
 * Installs a mocked JAAS {@code Configuration} that knows one fake application
 * ({@code "foobar-app"}, with no login modules). Must run before UserGroupInformation is
 * initialized so that UGI wraps this mock as the parent configuration.
 *
 * <p>If a configuration is already installed, the method asserts that it is not the Hadoop
 * provider; if none is installed (signalled by a {@link SecurityException}) that is accepted.
 */
private static void setupMockJaasParent() {
  try {
    final javax.security.auth.login.Configuration current =
        javax.security.auth.login.Configuration.getConfiguration();
    final String providerClass = current.getClass().getCanonicalName();
    assertFalse(
        "setupMockJaasParent should run before the Hadoop configuration provider is installed.",
        providerClass.startsWith("org.apache.hadoop"));
  } catch (SecurityException ignored) {
    // Raised when no configuration has been set yet, which is the state we want here.
  }
  final javax.security.auth.login.Configuration parent =
      mock(javax.security.auth.login.Configuration.class);
  Mockito.doReturn(new AppConfigurationEntry[] {})
      .when(parent)
      .getAppConfigurationEntry("foobar-app");
  mockJaasConf = parent;
  javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
}
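/**
 * Test entry point: loads the installed JAAS {@link Configuration}, reads the
 * {@code InnerClassConfig} entry and checks that its login module is the nested class
 * {@code package.Foo$Bar}. Progress is printed to stdout; any failure is reported by throwing
 * so the harness sees a non-zero exit.
 *
 * @param args ignored
 * @throws SecurityException if no configuration can be loaded, if it has no entry for
 *     {@code InnerClassConfig}, or if the entry names a different module
 */
public static void main(String[] args) {
  Configuration config;
  try {
    config = Configuration.getConfiguration();
  } catch (SecurityException se) {
    System.out.println("test 1 failed");
    throw se;
  }
  AppConfigurationEntry[] entries = config.getAppConfigurationEntry("InnerClassConfig");
  // getAppConfigurationEntry returns null for an unknown name; report that as a test failure
  // instead of dying with a NullPointerException / ArrayIndexOutOfBoundsException.
  if (entries == null || entries.length == 0) {
    System.out.println("test 2 failed");
    throw new SecurityException("no login module entries for InnerClassConfig");
  }
  String moduleName = entries[0].getLoginModuleName();
  System.out.println("module = " + moduleName);
  if ("package.Foo$Bar".equals(moduleName)) {
    System.out.println("test succeeded");
  } else {
    System.out.println("test 2 failed");
    throw new SecurityException("package name incorrect");
  }
}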