internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth authType) { KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf); Log.Debug("Get kerberos info proto:" + protocol + " info:" + krbInfo); if (krbInfo == null) { // protocol has no support for kerberos return(null); } string serverKey = krbInfo.ServerPrincipal(); if (serverKey == null) { throw new ArgumentException("Can't obtain server Kerberos config key from protocol=" + protocol.GetCanonicalName()); } // construct server advertised principal for comparision string serverPrincipal = new KerberosPrincipal(authType.GetProtocol() + "/" + authType .GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName(); bool isPrincipalValid = false; // use the pattern if defined string serverKeyPattern = conf.Get(serverKey + ".pattern"); if (serverKeyPattern != null && !serverKeyPattern.IsEmpty()) { Pattern pattern = GlobPattern.Compile(serverKeyPattern); isPrincipalValid = pattern.Matcher(serverPrincipal).Matches(); } else { // check that the server advertised principal matches our conf string confPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(serverKey), serverAddr .Address); if (Log.IsDebugEnabled()) { Log.Debug("getting serverKey: " + serverKey + " conf value: " + conf.Get(serverKey ) + " principal: " + confPrincipal); } if (confPrincipal == null || confPrincipal.IsEmpty()) { throw new ArgumentException("Failed to specify server's Kerberos principal name"); } KerberosName name = new KerberosName(confPrincipal); if (name.GetHostName() == null) { throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: " + confPrincipal); } isPrincipalValid = serverPrincipal.Equals(confPrincipal); } if (!isPrincipalValid) { throw new ArgumentException("Server has invalid Kerberos principal: " + serverPrincipal ); } return(serverPrincipal); }
// For each class, first ACL in the array specifies the allowed entries // and second ACL specifies blocked entries. // For each class, first MachineList in the array specifies the allowed entries // and second MachineList specifies blocked entries. /// <summary>Authorize the user to access the protocol being used.</summary> /// <param name="user">user accessing the service</param> /// <param name="protocol">service being accessed</param> /// <param name="conf">configuration to use</param> /// <param name="addr">InetAddress of the client</param> /// <exception cref="AuthorizationException">on authorization failure</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/> public virtual void Authorize(UserGroupInformation user, Type protocol, Configuration conf, IPAddress addr) { AccessControlList[] acls = protocolToAcls[protocol]; MachineList[] hosts = protocolToMachineLists[protocol]; if (acls == null || hosts == null) { throw new AuthorizationException("Protocol " + protocol + " is not known."); } // get client principal key to verify (if available) KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf); string clientPrincipal = null; if (krbInfo != null) { string clientKey = krbInfo.ClientPrincipal(); if (clientKey != null && !clientKey.IsEmpty()) { try { clientPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(clientKey), addr); } catch (IOException e) { throw (AuthorizationException)Extensions.InitCause(new AuthorizationException ("Can't figure out Kerberos principal name for connection from " + addr + " for user="******" protocol=" + protocol), e); } } } if ((clientPrincipal != null && !clientPrincipal.Equals(user.GetUserName())) || acls .Length != 2 || !acls[0].IsUserAllowed(user) || acls[1].IsUserAllowed(user)) { Auditlog.Warn(AuthzFailedFor + user + " for protocol=" + protocol + ", expected client Kerberos principal is " + clientPrincipal); throw new AuthorizationException("User " + user + " is not authorized for protocol " + protocol + ", expected client Kerberos principal is " + clientPrincipal); } if (addr != null) { string hostAddress = addr.GetHostAddress(); if (hosts.Length != 2 || !hosts[0].Includes(hostAddress) || hosts[1].Includes(hostAddress )) { Auditlog.Warn(AuthzFailedFor + " for protocol=" + protocol + " from host = " + hostAddress ); throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol " + protocol); } } Auditlog.Info(AuthzSuccessfulFor + user + " for protocol=" + protocol); }
/// <summary>Look up the KerberosInfo for a given protocol.</summary> /// <remarks> /// Look up the KerberosInfo for a given protocol. It searches all known /// SecurityInfo providers. /// </remarks> /// <param name="protocol">the protocol class to get the information for</param> /// <param name="conf">configuration object</param> /// <returns>the KerberosInfo or null if it has no KerberosInfo defined</returns> public static KerberosInfo GetKerberosInfo(Type protocol, Configuration conf) { foreach (SecurityInfo provider in testProviders) { KerberosInfo result = provider.GetKerberosInfo(protocol, conf); if (result != null) { return(result); } } lock (securityInfoProviders) { foreach (SecurityInfo provider_1 in securityInfoProviders) { KerberosInfo result = provider_1.GetKerberosInfo(protocol, conf); if (result != null) { return(result); } } } return(null); }