/// <summary>
/// Validates the Kerberos service principal the server advertised during SASL
/// negotiation and returns it, so the client only authenticates to a server
/// whose principal matches what the client's configuration expects.
/// </summary>
/// <param name="authType">The server's advertised SASL auth entry; its protocol and server id form the principal under test.</param>
/// <returns>
/// The advertised principal name when it is acceptable, or <c>null</c> when the
/// protocol declares no Kerberos info (no Kerberos support for this protocol).
/// </returns>
/// <exception cref="ArgumentException">
/// Thrown when the protocol's server-principal config key cannot be obtained, when
/// no pattern is configured and the configured principal is missing or lacks a
/// hostname part, or when the advertised principal is not accepted.
/// </exception>
internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth authType)
{
    KerberosInfo info = SecurityUtil.GetKerberosInfo(protocol, conf);
    Log.Debug("Get kerberos info proto:" + protocol + " info:" + info);
    if (info == null)
    {
        // No Kerberos info on the protocol: nothing to validate against.
        return null;
    }
    string configKey = info.ServerPrincipal();
    if (configKey == null)
    {
        throw new ArgumentException("Can't obtain server Kerberos config key from protocol=" + protocol.GetCanonicalName());
    }
    // The principal the server claims to be, rebuilt from the SASL auth entry's
    // protocol and server id so both sides are compared as full principal names.
    string advertised = new KerberosPrincipal(authType.GetProtocol() + "/" + authType.GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName();
    bool accepted;
    // A "<key>.pattern" glob, when configured, takes precedence over an exact match.
    string globText = conf.Get(configKey + ".pattern");
    if (!string.IsNullOrEmpty(globText))
    {
        Pattern glob = GlobPattern.Compile(globText);
        accepted = glob.Matcher(advertised).Matches();
    }
    else
    {
        // Otherwise the advertised principal must equal the configured one after
        // SecurityUtil has resolved its hostname part against the server address.
        string expected = SecurityUtil.GetServerPrincipal(conf.Get(configKey), serverAddr.Address);
        if (Log.IsDebugEnabled())
        {
            Log.Debug("getting serverKey: " + configKey + " conf value: " + conf.Get(configKey) + " principal: " + expected);
        }
        if (string.IsNullOrEmpty(expected))
        {
            throw new ArgumentException("Failed to specify server's Kerberos principal name");
        }
        KerberosName parsed = new KerberosName(expected);
        if (parsed.GetHostName() == null)
        {
            throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: " + expected);
        }
        // Exact, ordinal comparison: principal names are identifiers, not text.
        accepted = string.Equals(advertised, expected, StringComparison.Ordinal);
    }
    if (!accepted)
    {
        throw new ArgumentException("Server has invalid Kerberos principal: " + advertised);
    }
    return advertised;
}
/// <summary>
/// A null or wildcard ("0.0.0.0") address must resolve the _HOST placeholder to
/// the lower-cased local host name rather than to the wildcard itself.
/// </summary>
public virtual void TestLocalHostNameForNullOrWild()
{
    string host = StringUtils.ToLowerCase(SecurityUtil.GetLocalHostName());
    string expected = "hdfs/" + host + "@REALM";
    // Both spellings of "no specific address" must yield the same principal.
    string[] addresses = { null, "0.0.0.0" };
    foreach (string address in addresses)
    {
        Assert.Equal(expected, SecurityUtil.GetServerPrincipal("hdfs/_HOST@REALM", address));
    }
}
/// <summary>
/// Asserts that <paramref name="original"/> resolves to <paramref name="expected"/>
/// through both the hostname and the <see cref="IPAddress"/> overloads of
/// <c>SecurityUtil.GetServerPrincipal</c>.
/// </summary>
/// <param name="original">Principal string, possibly containing the _HOST placeholder.</param>
/// <param name="hostname">Host name to resolve the placeholder with; also used to build the mock address.</param>
/// <param name="expected">Principal both overloads are expected to return.</param>
/// <exception cref="System.IO.IOException"/>
private void Verify(string original, string hostname, string expected)
{
    string byName = SecurityUtil.GetServerPrincipal(original, hostname);
    Assert.Equal(expected, byName);
    IPAddress addr = MockAddr(hostname);
    string byAddress = SecurityUtil.GetServerPrincipal(original, addr);
    Assert.Equal(expected, byAddress);
}
/// <summary>
/// Logs the process in from a keytab when security is enabled; a no-op otherwise.
/// The principal is read from <paramref name="userNameKey"/> (defaulting to the
/// "user.name" runtime property) and passed through
/// <c>SecurityUtil.GetServerPrincipal</c> with <paramref name="hostname"/>
/// before the keytab login.
/// </summary>
/// <param name="conf">Configuration holding the keytab path and principal name.</param>
/// <param name="keytabFileKey">Config key whose value is the keytab file path.</param>
/// <param name="userNameKey">Config key whose value is the principal to log in as.</param>
/// <param name="hostname">Host name used to resolve the principal's host placeholder.</param>
/// <exception cref="IOException">
/// Thrown when security is enabled but <paramref name="keytabFileKey"/> is unset or empty
/// (the keytab login itself presumably can throw as well).
/// </exception>
public static void Login(Configuration conf, string keytabFileKey, string userNameKey, string hostname)
{
    if (!UserGroupInformation.IsSecurityEnabled())
    {
        return;
    }
    string keytab = conf.Get(keytabFileKey);
    // In secure mode a keytab is mandatory: refuse to continue without one.
    if (string.IsNullOrEmpty(keytab))
    {
        throw new IOException("Running in secure mode, but config doesn't have a keytab");
    }
    string configuredPrincipal = conf.Get(userNameKey, Runtime.GetProperty("user.name"));
    string resolvedPrincipal = SecurityUtil.GetServerPrincipal(configuredPrincipal, hostname);
    UserGroupInformation.LoginUserFromKeytab(resolvedPrincipal, keytab);
}
/// <summary>
/// Covers _HOST placeholder handling in <c>SecurityUtil.GetServerPrincipal</c>:
/// a lone placeholder is replaced, a placeholder fused into a longer token is
/// not, a plain user principal passes through, and no reverse DNS lookup is
/// made on the address overload.
/// </summary>
public virtual void TestGetServerPrincipal()
{
    const string service = "hdfs/";
    const string realm = "@REALM";
    const string hostname = "foohost";
    const string userPrincipal = "foo@FOOREALM";
    // _HOST on its own is replaced by the supplied hostname.
    string withPlaceholder = service + SecurityUtil.HostnamePattern + realm;
    Verify(withPlaceholder, hostname, service + hostname + realm);
    // _HOST fused into a longer token is left untouched.
    string fusedPlaceholder = service + SecurityUtil.HostnamePattern + "NAME" + realm;
    Verify(fusedPlaceholder, hostname, fusedPlaceholder);
    // A user principal with no host part passes through unchanged.
    Verify(userPrincipal, hostname, userPrincipal);
    // The address overload must not consult the address (no reverse DNS lookup).
    IPAddress untouchedAddr = Org.Mockito.Mockito.Mock<IPAddress>();
    Assert.Equal(fusedPlaceholder, SecurityUtil.GetServerPrincipal(fusedPlaceholder, untouchedAddr));
    Org.Mockito.Mockito.Verify(untouchedAddr, Org.Mockito.Mockito.Never()).ToString();
}
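/// <summary>
/// Builds the authentication filter's init-parameter map from every config entry
/// whose key starts with <paramref name="prefix"/>, stripping the prefix. The
/// cookie path is pinned to "/" and, when a Kerberos principal is present, its
/// host placeholder is resolved against the HTTP server's bind address.
/// </summary>
/// <param name="conf">Configuration to scan.</param>
/// <param name="prefix">Key prefix selecting the filter's entries; removed from the resulting keys.</param>
/// <returns>A mutable map of filter parameter name to value; never null.</returns>
/// <exception cref="RuntimeException">
/// Thrown when the configured principal cannot be resolved (wraps the <see cref="IOException"/>).
/// </exception>
public static IDictionary<string, string> GetFilterConfigMap(Configuration conf, string prefix)
{
    IDictionary<string, string> filterConfig = new Dictionary<string, string>();
    // Root cookie path so the auth cookie is sent for all resources.
    filterConfig[AuthenticationFilter.CookiePath] = "/";
    foreach (KeyValuePair<string, string> entry in conf)
    {
        string name = entry.Key;
        // Config keys are identifiers: compare ordinally, not by the current culture
        // (the culture-sensitive StartsWith overload can mis-match and is slower).
        if (!name.StartsWith(prefix, StringComparison.Ordinal))
        {
            continue;
        }
        // Read through conf.Get(name) rather than entry.Value, as the original did,
        // in case conf applies value processing on lookup — keep that path.
        string value = conf.Get(name);
        filterConfig[name.Substring(prefix.Length)] = value;
    }
    // Resolve the principal's host placeholder against the bind address.
    string bindAddress = conf.Get(HttpServer2.BindAddress);
    // TryGetValue: the indexer throws KeyNotFoundException when no principal is
    // configured (e.g. a non-Kerberos handler), which is a valid configuration.
    string principal;
    if (filterConfig.TryGetValue(KerberosAuthenticationHandler.Principal, out principal) && principal != null)
    {
        try
        {
            principal = SecurityUtil.GetServerPrincipal(principal, bindAddress);
        }
        catch (IOException ex)
        {
            throw new RuntimeException("Could not resolve Kerberos principal name: " + ex.ToString(), ex);
        }
        filterConfig[KerberosAuthenticationHandler.Principal] = principal;
    }
    return filterConfig;
}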