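/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security.provider;

import java.io.IOException;
import java.net.InetAddress;
import java.util.Locale;
import java.util.Map;

import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.security.SaslUtil;
import org.apache.hadoop.hbase.security.SecurityInfo;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation;

/**
 * Client-side SASL provider for Kerberos authentication.
 * <p>
 * Resolves the server's Kerberos principal from the client configuration and the
 * peer address, builds a {@link SaslClient} for the mechanism reported by
 * {@code getSaslAuthMethod()}, and exposes the UGI-based re-login and user-unwrapping
 * hooks the RPC layer uses for Kerberos. The delegation token handed to
 * {@link #createClient} is not used by this provider.
 */
@InterfaceAudience.Private
public class GssSaslClientAuthenticationProvider extends GssSaslAuthenticationProvider
    implements SaslClientAuthenticationProvider {
  private static final Logger LOG =
      LoggerFactory.getLogger(GssSaslClientAuthenticationProvider.class);

  /**
   * Computes the Kerberos principal of the server at {@code server}.
   * <p>
   * The configuration key naming the principal pattern comes from
   * {@code securityInfo.getServerPrincipal()}; the pattern is then expanded by
   * {@link SecurityUtil#getServerPrincipal} against the canonical host name of the peer.
   *
   * @param conf client configuration holding the server principal pattern
   * @param securityInfo security descriptor naming the config key for the principal
   * @param server address of the server being contacted
   * @return the fully expanded server principal
   * @throws IllegalArgumentException if {@code securityInfo} carries no config key
   * @throws IOException if the principal cannot be built
   */
  String getServerPrincipal(Configuration conf, SecurityInfo securityInfo, InetAddress server)
      throws IOException {
    String serverKey = securityInfo.getServerPrincipal();
    if (serverKey == null) {
      throw new IllegalArgumentException(
        "Can't obtain server Kerberos config key from SecurityInfo");
    }
    // NOTE(review): the host component is taken from a reverse lookup of the peer address,
    // so the principal the client authenticates to is only as trustworthy as the resolver
    // the process uses -- confirm DNS is trusted in the deployment.
    // Lower-case with a fixed locale: the default locale (e.g. Turkish) maps 'I' to a
    // dotless i, which would silently produce a principal that does not exist in the KDC.
    String host = server.getCanonicalHostName().toLowerCase(Locale.ROOT);
    // Presumably a missing value under serverKey (conf.get returning null) surfaces later
    // when the principal is split -- verify against SecurityUtil if a clearer error is wanted.
    return SecurityUtil.getServerPrincipal(conf.get(serverKey), host);
  }

  /**
   * Creates a SASL client for the Kerberos mechanism targeting {@code serverAddr}.
   * <p>
   * {@code token} and {@code fallbackAllowed} are accepted for interface compatibility
   * but are not consulted: Kerberos authentication is driven by the process login, not by
   * a token.
   *
   * @param conf client configuration
   * @param serverAddr address of the server
   * @param securityInfo descriptor naming the server principal config key
   * @param token ignored by this provider
   * @param fallbackAllowed ignored by this provider
   * @param saslProps properties passed through to {@link Sasl#createSaslClient}
   * @return a fresh, unauthenticated {@link SaslClient}
   * @throws IOException if the server principal cannot be resolved or does not split into
   *           the three expected components
   */
  @Override
  public SaslClient createClient(Configuration conf, InetAddress serverAddr,
      SecurityInfo securityInfo, Token<? extends TokenIdentifier> token, boolean fallbackAllowed,
      Map<String, String> saslProps) throws IOException {
    String serverPrincipal = getServerPrincipal(conf, securityInfo, serverAddr);
    LOG.debug("Setting up Kerberos RPC to server={}", serverPrincipal);
    String[] names = SaslUtil.splitKerberosName(serverPrincipal);
    if (names.length != 3) {
      throw new IOException("Kerberos principal '" + serverPrincipal
          + "' does not have the expected format");
    }
    // names[0] becomes the SASL "protocol" and names[1] the SASL "serverName"; no
    // authorization id and no callback handler are supplied for this mechanism.
    return Sasl.createSaslClient(new String[] { getSaslAuthMethod().getSaslMechanism() }, null,
        names[0], names[1], saslProps, null);
  }

  /**
   * Builds the {@link UserInformation} sent in the connection header.
   * <p>
   * Only the effective user name of the user's UGI is set; no real user is sent because
   * Kerberos authentication identifies the caller itself.
   *
   * @param user the client user
   * @return protobuf user information carrying the effective user only
   */
  @Override
  public UserInformation getUserInfo(User user) {
    UserInformation.Builder userInfoPB = UserInformation.newBuilder();
    // Send effective user for Kerberos auth
    userInfoPB.setEffectiveUser(user.getUGI().getUserName());
    return userInfoPB.build();
  }

  /**
   * @return {@code true}: a failed Kerberos handshake may be retried (after {@link #relogin()})
   */
  @Override
  public boolean canRetry() {
    return true;
  }

  /**
   * Refreshes the process-wide login user's Kerberos credentials.
   * <p>
   * Both UGI calls here are static, so this acts on the JVM's login user rather than on any
   * particular {@link User}. Keytab-based logins re-login from the keytab; everything else
   * re-reads the ticket cache.
   *
   * @throws IOException if UGI cannot re-login
   */
  @Override
  public void relogin() throws IOException {
    // Check if UGI thinks we need to do another login
    if (UserGroupInformation.isLoginKeytabBased()) {
      UserGroupInformation.getLoginUser().reloginFromKeytab();
    } else {
      UserGroupInformation.getLoginUser().reloginFromTicketCache();
    }
  }

  /**
   * Returns the UGI that actually authenticated.
   * <p>
   * A proxy-user UGI is unwrapped to its real user; a UGI without a real user (or a
   * {@code null} UGI) is returned as is.
   *
   * @param user the client user
   * @return the real UGI when present, otherwise the user's own UGI (possibly {@code null})
   */
  @Override
  public UserGroupInformation getRealUser(User user) {
    final UserGroupInformation ugi = user.getUGI();
    // Unwrap the UGI with the real user when we're using Kerberos auth
    if (ugi != null && ugi.getRealUser() != null) {
      return ugi.getRealUser();
    }

    // Otherwise, use the UGI we were given
    return ugi;
  }
}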