internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth
authType)
{
KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf);
Log.Debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
if (krbInfo == null)
{
// protocol has no support for kerberos
return(null);
}
string serverKey = krbInfo.ServerPrincipal();
if (serverKey == null)
{
throw new ArgumentException("Can't obtain server Kerberos config key from protocol="
+ protocol.GetCanonicalName());
}
// construct server advertised principal for comparision
string serverPrincipal = new KerberosPrincipal(authType.GetProtocol() + "/" + authType
.GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName();
bool isPrincipalValid = false;
// use the pattern if defined
string serverKeyPattern = conf.Get(serverKey + ".pattern");
if (serverKeyPattern != null && !serverKeyPattern.IsEmpty())
{
Pattern pattern = GlobPattern.Compile(serverKeyPattern);
isPrincipalValid = pattern.Matcher(serverPrincipal).Matches();
}
else
{
// check that the server advertised principal matches our conf
string confPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(serverKey), serverAddr
.Address);
if (Log.IsDebugEnabled())
{
Log.Debug("getting serverKey: " + serverKey + " conf value: " + conf.Get(serverKey
) + " principal: " + confPrincipal);
}
if (confPrincipal == null || confPrincipal.IsEmpty())
{
throw new ArgumentException("Failed to specify server's Kerberos principal name");
}
KerberosName name = new KerberosName(confPrincipal);
if (name.GetHostName() == null)
{
throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: "
+ confPrincipal);
}
isPrincipalValid = serverPrincipal.Equals(confPrincipal);
}
if (!isPrincipalValid)
{
throw new ArgumentException("Server has invalid Kerberos principal: " + serverPrincipal
);
}
return(serverPrincipal);
}
// For each class, first ACL in the array specifies the allowed entries
// and second ACL specifies blocked entries.
// For each class, first MachineList in the array specifies the allowed entries
// and second MachineList specifies blocked entries.
/// <summary>Authorize the user to access the protocol being used.</summary>
/// <param name="user">user accessing the service</param>
/// <param name="protocol">service being accessed</param>
/// <param name="conf">configuration to use</param>
/// <param name="addr">InetAddress of the client</param>
/// <exception cref="AuthorizationException">on authorization failure</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
public virtual void Authorize(UserGroupInformation user, Type protocol, Configuration
conf, IPAddress addr)
{
AccessControlList[] acls = protocolToAcls[protocol];
MachineList[] hosts = protocolToMachineLists[protocol];
if (acls == null || hosts == null)
{
throw new AuthorizationException("Protocol " + protocol + " is not known.");
}
// get client principal key to verify (if available)
KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf);
string clientPrincipal = null;
if (krbInfo != null)
{
string clientKey = krbInfo.ClientPrincipal();
if (clientKey != null && !clientKey.IsEmpty())
{
try
{
clientPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(clientKey), addr);
}
catch (IOException e)
{
throw (AuthorizationException)Extensions.InitCause(new AuthorizationException
("Can't figure out Kerberos principal name for connection from " + addr + " for user="******" protocol=" + protocol), e);
}
}
}
if ((clientPrincipal != null && !clientPrincipal.Equals(user.GetUserName())) || acls
.Length != 2 || !acls[0].IsUserAllowed(user) || acls[1].IsUserAllowed(user))
{
Auditlog.Warn(AuthzFailedFor + user + " for protocol=" + protocol + ", expected client Kerberos principal is "
+ clientPrincipal);
throw new AuthorizationException("User " + user + " is not authorized for protocol "
+ protocol + ", expected client Kerberos principal is " + clientPrincipal);
}
if (addr != null)
{
string hostAddress = addr.GetHostAddress();
if (hosts.Length != 2 || !hosts[0].Includes(hostAddress) || hosts[1].Includes(hostAddress
))
{
Auditlog.Warn(AuthzFailedFor + " for protocol=" + protocol + " from host = " + hostAddress
);
throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol "
+ protocol);
}
}
Auditlog.Info(AuthzSuccessfulFor + user + " for protocol=" + protocol);
}
/// <summary>Look up the KerberosInfo for a given protocol.</summary>
/// <remarks>
/// Look up the KerberosInfo for a given protocol. It searches all known
/// SecurityInfo providers.
/// </remarks>
/// <param name="protocol">the protocol class to get the information for</param>
/// <param name="conf">configuration object</param>
/// <returns>the KerberosInfo or null if it has no KerberosInfo defined</returns>
public static KerberosInfo GetKerberosInfo(Type protocol, Configuration conf)
{
foreach (SecurityInfo provider in testProviders)
{
KerberosInfo result = provider.GetKerberosInfo(protocol, conf);
if (result != null)
{
return(result);
}
}
lock (securityInfoProviders)
{
foreach (SecurityInfo provider_1 in securityInfoProviders)
{
KerberosInfo result = provider_1.GetKerberosInfo(protocol, conf);
if (result != null)
{
return(result);
}
}
}
return(null);
}
