/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements.  See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership.  The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License.  You may obtain a copy of the License at
*
*      http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.ozone.container.common.transport.server;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.token.TokenVerifier;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ratis.thirdparty.io.grpc.Context;
import org.apache.ratis.thirdparty.io.grpc.Contexts;
import org.apache.ratis.thirdparty.io.grpc.Metadata;
import org.apache.ratis.thirdparty.io.grpc.ServerCall;
import org.apache.ratis.thirdparty.io.grpc.ServerCallHandler;
import org.apache.ratis.thirdparty.io.grpc.ServerInterceptor;
import org.apache.ratis.thirdparty.io.grpc.Status;
import static org.apache.hadoop.ozone.OzoneConsts.OBT_METADATA_KEY;
import static org.apache.hadoop.ozone.OzoneConsts.USER_METADATA_KEY;
import static org.apache.hadoop.ozone.OzoneConsts.UGI_CTX_KEY;
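/**
 * gRPC {@link ServerInterceptor} that authenticates every incoming call with
 * an Ozone block token before the call reaches its handler.
 *
 * <p>The caller's user name and block token are read from the request
 * metadata ({@code USER_METADATA_KEY} and {@code OBT_METADATA_KEY}) and passed
 * to the configured {@link TokenVerifier}. When verification produces a
 * {@link UserGroupInformation}, it is published to the rest of the handler
 * chain under {@code UGI_CTX_KEY}. When it produces {@code null} or throws
 * {@link SCMSecurityException}, the call is closed with
 * {@link Status#UNAUTHENTICATED} and the handler is never invoked.
 */
public class ServerCredentialInterceptor implements ServerInterceptor {

  /**
   * Listener handed back after a call has already been closed. Every callback
   * is the inherited no-op, so nothing the client sends after the rejection
   * is processed.
   */
  private static final ServerCall.Listener<?> NOOP_LISTENER =
      new ServerCall.Listener<Object>() {
      };

  /** Performs the actual (user, token) validation. */
  private final TokenVerifier verifier;

  /**
   * @param verifier verifier consulted for the block token of every call
   */
  ServerCredentialInterceptor(TokenVerifier verifier) {
    this.verifier = verifier;
  }

  /**
   * Authenticates the call before any request message is delivered.
   *
   * <p>Either metadata value may be absent ({@code null}); whether a missing
   * token is acceptable is decided by {@link TokenVerifier#verify}, not here.
   * Rejections are sent with empty trailers: the request metadata is never
   * reflected back to the client.
   *
   * @param call the call being intercepted
   * @param headers request metadata carrying the user name and block token
   * @param next the next handler in the chain
   * @return the handler's listener, or a no-op listener if the call was
   *     rejected
   */
  @Override
  public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
      ServerCall<ReqT, RespT> call, Metadata headers,
      ServerCallHandler<ReqT, RespT> next) {
    String token = headers.get(OBT_METADATA_KEY);
    String user = headers.get(USER_METADATA_KEY);

    UserGroupInformation ugi;
    try {
      ugi = verifier.verify(user, token);
    } catch (SCMSecurityException e) {
      // NOTE(review): the verifier's message is sent to the client verbatim as
      // the status description; keep TokenVerifier messages free of internal
      // detail. The cause is attached for server-side logging only.
      return reject(call, Status.UNAUTHENTICATED
          .withDescription(e.getMessage()).withCause(e));
    }
    if (ugi == null) {
      // NOTE(review): the message assumes a null result means the token was
      // absent; the verifier's contract for null is not visible here.
      return reject(call, Status.UNAUTHENTICATED.withDescription(
          "Missing Block Token from headers when block token is required."));
    }

    // Publish the authenticated identity to the handler chain.
    Context ctx = Context.current().withValue(UGI_CTX_KEY, ugi);
    return Contexts.interceptCall(ctx, call, headers, next);
  }

  /**
   * Closes {@code call} with {@code status} and returns a listener that
   * ignores the remainder of the call.
   *
   * <p>The trailers are a fresh, empty {@link Metadata}. Passing the request
   * headers here would echo the client's own block token and user name (and
   * any other request metadata) back as response trailers; nothing the client
   * sent belongs in the server's trailers.
   */
  private static <ReqT, RespT> ServerCall.Listener<ReqT> reject(
      ServerCall<ReqT, RespT> call, Status status) {
    call.close(status, new Metadata());
    return noopListener();
  }

  /**
   * Returns the shared no-op listener typed for the rejected call.
   */
  @SuppressWarnings("unchecked")
  private static <ReqT> ServerCall.Listener<ReqT> noopListener() {
    // Safe: the listener has no type-specific behaviour, and a closed call
    // never delivers a message to it.
    return (ServerCall.Listener<ReqT>) NOOP_LISTENER;
  }
}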