// dynamic configuration of HTTP principals /// <exception cref="System.Exception"/> public virtual void TestDynamicPrincipalDiscovery() { string[] keytabUsers = new string[] { "HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host" }; string keytab = KerberosTestUtils.GetKeytabFile(); GetKdc().CreatePrincipal(new FilePath(keytab), keytabUsers); // destroy handler created in setUp() handler.Destroy(); Properties props = new Properties(); props.SetProperty(KerberosAuthenticationHandler.Keytab, keytab); props.SetProperty(KerberosAuthenticationHandler.Principal, "*"); handler = GetNewAuthenticationHandler(); handler.Init(props); Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab ()); ICollection <KerberosPrincipal> loginPrincipals = handler.GetPrincipals(); foreach (string user in keytabUsers) { Principal principal = new KerberosPrincipal(user + "@" + KerberosTestUtils.GetRealm ()); bool expected = user.StartsWith("HTTP/"); Assert.Equal("checking for " + user, expected, loginPrincipals .Contains(principal)); } }
internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth authType) { KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf); Log.Debug("Get kerberos info proto:" + protocol + " info:" + krbInfo); if (krbInfo == null) { // protocol has no support for kerberos return(null); } string serverKey = krbInfo.ServerPrincipal(); if (serverKey == null) { throw new ArgumentException("Can't obtain server Kerberos config key from protocol=" + protocol.GetCanonicalName()); } // construct server advertised principal for comparision string serverPrincipal = new KerberosPrincipal(authType.GetProtocol() + "/" + authType .GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName(); bool isPrincipalValid = false; // use the pattern if defined string serverKeyPattern = conf.Get(serverKey + ".pattern"); if (serverKeyPattern != null && !serverKeyPattern.IsEmpty()) { Pattern pattern = GlobPattern.Compile(serverKeyPattern); isPrincipalValid = pattern.Matcher(serverPrincipal).Matches(); } else { // check that the server advertised principal matches our conf string confPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(serverKey), serverAddr .Address); if (Log.IsDebugEnabled()) { Log.Debug("getting serverKey: " + serverKey + " conf value: " + conf.Get(serverKey ) + " principal: " + confPrincipal); } if (confPrincipal == null || confPrincipal.IsEmpty()) { throw new ArgumentException("Failed to specify server's Kerberos principal name"); } KerberosName name = new KerberosName(confPrincipal); if (name.GetHostName() == null) { throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: " + confPrincipal); } isPrincipalValid = serverPrincipal.Equals(confPrincipal); } if (!isPrincipalValid) { throw new ArgumentException("Server has invalid Kerberos principal: " + serverPrincipal ); } return(serverPrincipal); }
/// <exception cref="System.Exception"/> public virtual void TestGetUGIFromSubject() { KerberosPrincipal p = new KerberosPrincipal("guest"); Subject subject = new Subject(); subject.GetPrincipals().AddItem(p); UserGroupInformation ugi = UserGroupInformation.GetUGIFromSubject(subject); NUnit.Framework.Assert.IsNotNull(ugi); Assert.Equal("*****@*****.**", ugi.GetUserName()); }
/// <exception cref="System.Exception"/> public virtual void TestInit() { Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab ()); ICollection <KerberosPrincipal> principals = handler.GetPrincipals(); Principal expectedPrincipal = new KerberosPrincipal(KerberosTestUtils.GetServerPrincipal ()); Assert.True(principals.Contains(expectedPrincipal)); Assert.Equal(1, principals.Count); }
/// <summary>TGS must have the server principal of the form "krbtgt/FOO@FOO".</summary> /// <param name="principal"/> /// <returns>true or false</returns> internal static bool IsTGSPrincipal(KerberosPrincipal principal) { if (principal == null) { return(false); } if (principal.GetName().Equals("krbtgt/" + principal.GetRealm() + "@" + principal .GetRealm())) { return(true); } return(false); }