        /// <summary>
        /// Checks the Kerberos principal the server advertised during SASL negotiation against
        /// the client's configuration for <c>protocol</c>, and returns it in canonical form.
        /// </summary>
        /// <param name="authType">The server's SASL auth offer, carrying the service protocol and server id.</param>
        /// <returns>
        /// The accepted server principal (<c>service/host</c> form), or <c>null</c> when the
        /// protocol carries no Kerberos information and no check applies.
        /// </returns>
        /// <exception cref="ArgumentException">
        /// The protocol declares no server-principal config key, the configured principal is
        /// empty or lacks a host part, or the advertised principal does not pass the check.
        /// </exception>
        internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth
                                                   authType)
        {
            KerberosInfo kerberosInfo = SecurityUtil.GetKerberosInfo(protocol, conf);
            Log.Debug("Get kerberos info proto:" + protocol + " info:" + kerberosInfo);
            if (kerberosInfo == null)
            {
                // protocol has no support for kerberos, so there is nothing to validate
                return null;
            }

            string principalKey = kerberosInfo.ServerPrincipal();
            if (principalKey == null)
            {
                throw new ArgumentException("Can't obtain server Kerberos config key from protocol="
                                            + protocol.GetCanonicalName());
            }

            // Canonicalise the server's claim into service/host form so both branches compare like with like.
            string advertised = new KerberosPrincipal(authType.GetProtocol() + "/" + authType.GetServerId(),
                                                      KerberosPrincipal.KrbNtSrvHst).GetName();

            bool accepted;
            string globPattern = conf.Get(principalKey + ".pattern");
            if (globPattern == null || globPattern.IsEmpty())
            {
                // No pattern configured: the advertised principal must equal the one derived from our own
                // config (with _HOST resolved against the server address). string.Equals is ordinal and
                // case-sensitive here.
                string expected = SecurityUtil.GetServerPrincipal(conf.Get(principalKey), serverAddr.Address);
                if (Log.IsDebugEnabled())
                {
                    Log.Debug("getting serverKey: " + principalKey + " conf value: " + conf.Get(principalKey)
                              + " principal: " + expected);
                }
                if (expected == null || expected.IsEmpty())
                {
                    throw new ArgumentException("Failed to specify server's Kerberos principal name");
                }
                if (new KerberosName(expected).GetHostName() == null)
                {
                    throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: "
                                                + expected);
                }
                accepted = advertised.Equals(expected);
            }
            else
            {
                // A configured pattern replaces the exact comparison: any principal matching the glob is
                // accepted, so the breadth of the pattern is the breadth of servers this client will trust.
                Pattern compiled = GlobPattern.Compile(globPattern);
                accepted = compiled.Matcher(advertised).Matches();
            }

            if (!accepted)
            {
                throw new ArgumentException("Server has invalid Kerberos principal: " + advertised);
            }
            return advertised;
        }
        /// <summary>
        /// A null or wildcard (<c>0.0.0.0</c>) address must make <c>_HOST</c> expand to the
        /// lower-cased local host name instead of being left unexpanded.
        /// </summary>
        public virtual void TestLocalHostNameForNullOrWild()
        {
            string localHost = StringUtils.ToLowerCase(SecurityUtil.GetLocalHostName());
            string expected = "hdfs/" + localHost + "@REALM";
            const string template = "hdfs/_HOST@REALM";

            Assert.Equal(expected, SecurityUtil.GetServerPrincipal(template, (string)null));
            Assert.Equal(expected, SecurityUtil.GetServerPrincipal(template, "0.0.0.0"));
        }
        /// <exception cref="System.IO.IOException"/>
        /// <summary>
        /// Asserts that host substitution in <paramref name="original"/> yields
        /// <paramref name="expected"/> whether the host is supplied as a name or as an address.
        /// </summary>
        /// <param name="original">Principal template, possibly containing <c>_HOST</c>.</param>
        /// <param name="hostname">Host name to substitute; also used to build the mocked address.</param>
        /// <param name="expected">Principal expected after substitution.</param>
        /// <exception cref="System.IO.IOException"/>
        private void Verify(string original, string hostname, string expected)
        {
            string byName = SecurityUtil.GetServerPrincipal(original, hostname);
            Assert.Equal(expected, byName);

            IPAddress mocked = MockAddr(hostname);
            string byAddress = SecurityUtil.GetServerPrincipal(original, mocked);
            Assert.Equal(expected, byAddress);
        }
        /// <summary>
        /// Logs the process in from a keytab when Hadoop security is enabled; does nothing otherwise.
        /// </summary>
        /// <param name="conf">Configuration holding the keytab path and the principal name.</param>
        /// <param name="keytabFileKey">Config key whose value is the keytab file path.</param>
        /// <param name="userNameKey">
        /// Config key whose value is the principal; when unset, the <c>user.name</c> property is
        /// used instead, i.e. the login principal follows the process owner.
        /// </param>
        /// <param name="hostname">Host substituted for <c>_HOST</c> in the principal.</param>
        /// <exception cref="IOException">Security is enabled but no keytab path is configured.</exception>
        public static void Login(Configuration conf, string keytabFileKey, string userNameKey
                                 , string hostname)
        {
            if (!UserGroupInformation.IsSecurityEnabled())
            {
                return;
            }

            string keytabPath = conf.Get(keytabFileKey);
            if (string.IsNullOrEmpty(keytabPath))
            {
                throw new IOException("Running in secure mode, but config doesn't have a keytab");
            }

            // Expand _HOST against the supplied host name before handing the principal to login.
            string configuredPrincipal = conf.Get(userNameKey, Runtime.GetProperty("user.name"));
            string resolvedPrincipal = SecurityUtil.GetServerPrincipal(configuredPrincipal, hostname);
            UserGroupInformation.LoginUserFromKeytab(resolvedPrincipal, keytabPath);
        }
        /// <summary>
        /// <c>_HOST</c> is substituted only when it is the entire host component: a principal
        /// such as <c>hdfs/_HOSTNAME@REALM</c> or a plain user principal is returned unchanged,
        /// and an address argument is never consulted when no substitution is needed.
        /// </summary>
        public virtual void TestGetServerPrincipal()
        {
            const string service = "hdfs/";
            const string realm = "@REALM";
            const string host = "foohost";
            const string userPrincipal = "foo@FOOREALM";

            string withHostPattern = service + SecurityUtil.HostnamePattern + realm;
            Verify(withHostPattern, host, service + host + realm);

            string partialPattern = service + SecurityUtil.HostnamePattern + "NAME" + realm;
            Verify(partialPattern, host, partialPattern);

            Verify(userPrincipal, host, userPrincipal);

            // no reverse DNS lookup should happen for a principal that needs no substitution
            IPAddress untouched = Org.Mockito.Mockito.Mock <IPAddress>();
            Assert.Equal(partialPattern, SecurityUtil.GetServerPrincipal(partialPattern, untouched));
            Org.Mockito.Mockito.Verify(untouched, Org.Mockito.Mockito.Never()).ToString();
        }
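        /// <summary>
        /// Builds the init-parameter map for the HTTP authentication filter from every config
        /// entry whose key starts with <paramref name="prefix"/>, with the prefix stripped.
        /// </summary>
        /// <param name="conf">Source configuration.</param>
        /// <param name="prefix">Key prefix selecting the filter's settings.</param>
        /// <returns>
        /// Filter parameters. Always contains the cookie path; when a Kerberos principal is
        /// present, it has been run through <see cref="SecurityUtil.GetServerPrincipal"/> against
        /// the HTTP server bind address so that <c>_HOST</c> is resolved.
        /// </returns>
        /// <exception cref="RuntimeException">The principal could not be resolved.</exception>
        public static IDictionary <string, string> GetFilterConfigMap(Configuration conf,
                                                                      string prefix)
        {
            IDictionary <string, string> filterConfig = new Dictionary <string, string>();

            //setting the cookie path to root '/' so it is used for all resources.
            filterConfig[AuthenticationFilter.CookiePath] = "/";
            foreach (KeyValuePair <string, string> entry in conf)
            {
                string name = entry.Key;
                // Config keys are identifiers, so match the prefix ordinally rather than by culture rules.
                if (name.StartsWith(prefix, StringComparison.Ordinal))
                {
                    // Kept as conf.Get (not entry.Value) to preserve the original lookup path.
                    string value = conf.Get(name);
                    filterConfig[name.Substring(prefix.Length)] = value;
                }
            }
            //Resolve _HOST into bind address
            string bindAddress = conf.Get(HttpServer2.BindAddress);
            // A filter without a principal entry is legitimate; the dictionary indexer would throw
            // KeyNotFoundException for it, so probe with TryGetValue and keep the null check for a
            // key that is present but unset.
            string principal;
            if (filterConfig.TryGetValue(KerberosAuthenticationHandler.Principal, out principal)
                && principal != null)
            {
                try
                {
                    principal = SecurityUtil.GetServerPrincipal(principal, bindAddress);
                }
                catch (IOException ex)
                {
                    throw new RuntimeException("Could not resolve Kerberos principal name: " + ex.ToString
                                                   (), ex);
                }
                filterConfig[KerberosAuthenticationHandler.Principal] = principal;
            }
            return filterConfig;
        }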