private bool IsValidAuthType(RpcHeaderProtos.RpcSaslProto.SaslAuth authType)
{
SaslRpcServer.AuthMethod authMethod;
try
{
authMethod = SaslRpcServer.AuthMethod.ValueOf(authType.GetMethod());
}
catch (ArgumentException)
{
// unknown auth
authMethod = null;
}
// do we know what it is? is it using our mechanism?
return(authMethod != null && authMethod.GetMechanismName().Equals(authType.GetMechanism
()));
}
public SaslRpcServer(SaslRpcServer.AuthMethod authMethod)
{
this.authMethod = authMethod;
mechanism = authMethod.GetMechanismName();
switch (authMethod)
{
case SaslRpcServer.AuthMethod.Simple:
{
return;
}
case SaslRpcServer.AuthMethod.Token:
{
// no sasl for simple
protocol = string.Empty;
serverId = SaslRpcServer.SaslDefaultRealm;
break;
}
case SaslRpcServer.AuthMethod.Kerberos:
{
string fullName = UserGroupInformation.GetCurrentUser().GetUserName();
if (Log.IsDebugEnabled())
{
Log.Debug("Kerberos principal name is " + fullName);
}
// don't use KerberosName because we don't want auth_to_local
string[] parts = fullName.Split("[/@]", 3);
protocol = parts[0];
// should verify service host is present here rather than in create()
// but lazy tests are using a UGI that isn't a SPN...
serverId = (parts.Length < 2) ? string.Empty : parts[1];
break;
}
default:
{
// we should never be able to get here
throw new AccessControlException("Server does not support SASL " + authMethod);
}
}
}
/// <summary>Try to create a SaslClient for an authentication type.</summary>
/// <remarks>
/// Try to create a SaslClient for an authentication type. May return
/// null if the type isn't supported or the client lacks the required
/// credentials.
/// </remarks>
/// <param name="authType">- the requested authentication method</param>
/// <returns>SaslClient for the authType or null</returns>
/// <exception cref="Javax.Security.Sasl.SaslException">- error instantiating client</exception>
/// <exception cref="System.IO.IOException">- misc errors</exception>
private SaslClient CreateSaslClient(RpcHeaderProtos.RpcSaslProto.SaslAuth authType
)
{
string saslUser = null;
// SASL requires the client and server to use the same proto and serverId
// if necessary, auth types below will verify they are valid
string saslProtocol = authType.GetProtocol();
string saslServerName = authType.GetServerId();
IDictionary <string, string> saslProperties = saslPropsResolver.GetClientProperties
(serverAddr.Address);
CallbackHandler saslCallback = null;
SaslRpcServer.AuthMethod method = SaslRpcServer.AuthMethod.ValueOf(authType.GetMethod
());
switch (method)
{
case SaslRpcServer.AuthMethod.Token:
{
Org.Apache.Hadoop.Security.Token.Token <object> token = GetServerToken(authType);
if (token == null)
{
return(null);
}
// tokens aren't supported or user doesn't have one
saslCallback = new SaslRpcClient.SaslClientCallbackHandler(token);
break;
}
case SaslRpcServer.AuthMethod.Kerberos:
{
if (ugi.GetRealAuthenticationMethod().GetAuthMethod() != SaslRpcServer.AuthMethod
.Kerberos)
{
return(null);
}
// client isn't using kerberos
string serverPrincipal = GetServerPrincipal(authType);
if (serverPrincipal == null)
{
return(null);
}
// protocol doesn't use kerberos
if (Log.IsDebugEnabled())
{
Log.Debug("RPC Server's Kerberos principal name for protocol=" + protocol.GetCanonicalName
() + " is " + serverPrincipal);
}
break;
}
default:
{
throw new IOException("Unknown authentication method " + method);
}
}
string mechanism = method.GetMechanismName();
if (Log.IsDebugEnabled())
{
Log.Debug("Creating SASL " + mechanism + "(" + method + ") " + " client to authenticate to service at "
+ saslServerName);
}
return(Javax.Security.Sasl.Sasl.CreateSaslClient(new string[] { mechanism }, saslUser
, saslProtocol, saslServerName, saslProperties, saslCallback));
}