예제 #1
0
        internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth
                                                   authType)
        {
            KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf);

            Log.Debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
            if (krbInfo == null)
            {
                // protocol has no support for kerberos
                return(null);
            }
            string serverKey = krbInfo.ServerPrincipal();

            if (serverKey == null)
            {
                throw new ArgumentException("Can't obtain server Kerberos config key from protocol="
                                            + protocol.GetCanonicalName());
            }
            // construct server advertised principal for comparision
            string serverPrincipal = new KerberosPrincipal(authType.GetProtocol() + "/" + authType
                                                           .GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName();
            bool isPrincipalValid = false;
            // use the pattern if defined
            string serverKeyPattern = conf.Get(serverKey + ".pattern");

            if (serverKeyPattern != null && !serverKeyPattern.IsEmpty())
            {
                Pattern pattern = GlobPattern.Compile(serverKeyPattern);
                isPrincipalValid = pattern.Matcher(serverPrincipal).Matches();
            }
            else
            {
                // check that the server advertised principal matches our conf
                string confPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(serverKey), serverAddr
                                                                       .Address);
                if (Log.IsDebugEnabled())
                {
                    Log.Debug("getting serverKey: " + serverKey + " conf value: " + conf.Get(serverKey
                                                                                             ) + " principal: " + confPrincipal);
                }
                if (confPrincipal == null || confPrincipal.IsEmpty())
                {
                    throw new ArgumentException("Failed to specify server's Kerberos principal name");
                }
                KerberosName name = new KerberosName(confPrincipal);
                if (name.GetHostName() == null)
                {
                    throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: "
                                                + confPrincipal);
                }
                isPrincipalValid = serverPrincipal.Equals(confPrincipal);
            }
            if (!isPrincipalValid)
            {
                throw new ArgumentException("Server has invalid Kerberos principal: " + serverPrincipal
                                            );
            }
            return(serverPrincipal);
        }
예제 #2
0
        /// <summary>Try to create a SaslClient for an authentication type.</summary>
        /// <remarks>
        /// Try to create a SaslClient for an authentication type.  May return
        /// null if the type isn't supported or the client lacks the required
        /// credentials.
        /// </remarks>
        /// <param name="authType">- the requested authentication method</param>
        /// <returns>SaslClient for the authType or null</returns>
        /// <exception cref="Javax.Security.Sasl.SaslException">- error instantiating client</exception>
        /// <exception cref="System.IO.IOException">- misc errors</exception>
        private SaslClient CreateSaslClient(RpcHeaderProtos.RpcSaslProto.SaslAuth authType
                                            )
        {
            string saslUser = null;
            // SASL requires the client and server to use the same proto and serverId
            // if necessary, auth types below will verify they are valid
            string saslProtocol   = authType.GetProtocol();
            string saslServerName = authType.GetServerId();
            IDictionary <string, string> saslProperties = saslPropsResolver.GetClientProperties
                                                              (serverAddr.Address);
            CallbackHandler saslCallback = null;

            SaslRpcServer.AuthMethod method = SaslRpcServer.AuthMethod.ValueOf(authType.GetMethod
                                                                                   ());
            switch (method)
            {
            case SaslRpcServer.AuthMethod.Token:
            {
                Org.Apache.Hadoop.Security.Token.Token <object> token = GetServerToken(authType);
                if (token == null)
                {
                    return(null);
                }
                // tokens aren't supported or user doesn't have one
                saslCallback = new SaslRpcClient.SaslClientCallbackHandler(token);
                break;
            }

            case SaslRpcServer.AuthMethod.Kerberos:
            {
                if (ugi.GetRealAuthenticationMethod().GetAuthMethod() != SaslRpcServer.AuthMethod
                    .Kerberos)
                {
                    return(null);
                }
                // client isn't using kerberos
                string serverPrincipal = GetServerPrincipal(authType);
                if (serverPrincipal == null)
                {
                    return(null);
                }
                // protocol doesn't use kerberos
                if (Log.IsDebugEnabled())
                {
                    Log.Debug("RPC Server's Kerberos principal name for protocol=" + protocol.GetCanonicalName
                                  () + " is " + serverPrincipal);
                }
                break;
            }

            default:
            {
                throw new IOException("Unknown authentication method " + method);
            }
            }
            string mechanism = method.GetMechanismName();

            if (Log.IsDebugEnabled())
            {
                Log.Debug("Creating SASL " + mechanism + "(" + method + ") " + " client to authenticate to service at "
                          + saslServerName);
            }
            return(Javax.Security.Sasl.Sasl.CreateSaslClient(new string[] { mechanism }, saslUser
                                                             , saslProtocol, saslServerName, saslProperties, saslCallback));
        }