agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java - ranger - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.hadoop.security;

 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.hadoop.util.StringUtils;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.security.auth.Subject;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;

 import java.io.File;
 import java.io.IOException;
 import java.security.Principal;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;

 public class SecureClientLogin {
     private static final Logger LOG = LoggerFactory.getLogger(SecureClientLogin.class);

     public static final String HOSTNAME_PATTERN = "_HOST";

     private SecureClientLogin() {
         // to block instantiation
     }

     public static synchronized Subject loginUserFromKeytab(String user, String path) throws IOException {
         try {
             Subject                        subject   = new Subject();
             SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
             LoginContext                   login     = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);

             subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));

             login.login();

             return login.getSubject();
         } catch (LoginException le) {
             throw new IOException("Login failure for " + user + " from keytab " + path, le);
         }
     }

     public static synchronized Subject loginUserFromKeytab(String user, String path, String nameRules) throws IOException {
         try {
             Subject                        subject   = new Subject();
             SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
             LoginContext                   login     = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);

             KerberosName.setRules(nameRules);

             subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));

             login.login();

             return login.getSubject();
         } catch (LoginException le) {
             throw new IOException("Login failure for " + user + " from keytab " + path, le);
         }
     }

     public static synchronized Subject loginUserWithPassword(String user, String password) throws IOException {
         try {
             Subject                        subject   = new Subject();
             SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(false, user, password);
             LoginContext                   login     = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);

             subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));

             login.login();

             return login.getSubject();
         } catch (LoginException le) {
             throw new IOException("Login failure for " + user + " using password ****", le);
         }
     }

     public static synchronized Subject login(String user) throws IOException {
         Subject subject = new Subject();

         subject.getPrincipals().add(new User(user));

         return subject;
     }

     public static Set<Principal> getUserPrincipals(Subject aSubject) {
         if (aSubject != null) {
             Set<User> list = aSubject.getPrincipals(User.class);

             return list != null ? new HashSet<>(list) : null;
         } else {
             return null;
         }
     }

     public static Principal createUserPrincipal(String aLoginName) {
         return new User(aLoginName);
     }

     public static boolean isKerberosCredentialExists(String principal, String keytabPath) {
         boolean isValid = false;

         if (keytabPath != null && !keytabPath.isEmpty()) {
             File keytabFile = new File(keytabPath);

             if (!keytabFile.exists()) {
                 LOG.warn("{} doesn't exist.", keytabPath);
             } else if (!keytabFile.canRead()) {
                 LOG.warn("Unable to read {}. Please check the file access permissions for user", keytabPath);
             } else {
                 isValid = true;
             }
         } else {
             LOG.warn("Can't find keyTab Path : {}", keytabPath);
         }
         if (!(principal != null && !principal.isEmpty() && isValid)) {
             isValid = false;

             LOG.warn("Can't find principal : {}", principal);
         }

         return isValid;
     }

     public static String getPrincipal(String principalConfig, String hostName) throws IOException {
         String[] components = getComponents(principalConfig);

         if (components == null || components.length != 3 || !HOSTNAME_PATTERN.equals(components[1])) {
             return principalConfig;
         } else {
             if (hostName == null) {
                 throw new IOException("Can't replace " + HOSTNAME_PATTERN + " pattern since client ranger.service.host is null");
             }

             return replacePattern(components, hostName);
         }
     }

     private static String[] getComponents(String principalConfig) {
         if (principalConfig == null) {
             return null;
         }

         return principalConfig.split("[/@]");
     }

     private static String replacePattern(String[] components, String hostname) throws IOException {
         String fqdn = hostname;

         if (StringUtil.isEmpty(fqdn) || "0.0.0.0".equals(fqdn)) {
             fqdn = java.net.InetAddress.getLocalHost().getCanonicalHostName();
         }

         return components[0] + "/" + StringUtils.toLowerCase(fqdn) + "@" + components[2];
     }

     static class SecureClientLoginConfiguration extends javax.security.auth.login.Configuration {
         private final Map<String, String> kerberosOptions = new HashMap<>();
         private       boolean             usePassword;

         public SecureClientLoginConfiguration(boolean useKeyTab, String principal, String credential) {
             kerberosOptions.put("principal", principal);
             kerberosOptions.put("debug", "false");

             if (useKeyTab) {
                 kerberosOptions.put("useKeyTab", "true");
                 kerberosOptions.put("keyTab", credential);
                 kerberosOptions.put("doNotPrompt", "true");
             } else {
                 usePassword = true;

                 kerberosOptions.put("useKeyTab", "false");
                 kerberosOptions.put(KrbPasswordSaverLoginModule.USERNAME_PARAM, principal);
                 kerberosOptions.put(KrbPasswordSaverLoginModule.PASSWORD_PARAM, credential);
                 kerberosOptions.put("doNotPrompt", "false");
                 kerberosOptions.put("useFirstPass", "true");
                 kerberosOptions.put("tryFirstPass", "false");
             }

             kerberosOptions.put("storeKey", "true");
             kerberosOptions.put("refreshKrb5Config", "true");
         }

         @Override
         public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
             AppConfigurationEntry keytabKerberosLogin = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED, kerberosOptions);

             if (usePassword) {
                 AppConfigurationEntry kerberosPwdSaver = new AppConfigurationEntry(KrbPasswordSaverLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, kerberosOptions);

                 return new AppConfigurationEntry[] {kerberosPwdSaver, keytabKerberosLogin};
             } else {
                 return new AppConfigurationEntry[] {keytabKerberosLogin};
             }
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.hadoop.security;

	import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
	import org.apache.hadoop.security.authentication.util.KerberosName;
	import org.apache.hadoop.security.authentication.util.KerberosUtil;
	import org.apache.hadoop.util.StringUtils;
	import org.apache.ranger.authorization.utils.StringUtil;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import javax.security.auth.Subject;
	import javax.security.auth.login.AppConfigurationEntry;
	import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
	import javax.security.auth.login.LoginContext;
	import javax.security.auth.login.LoginException;

	import java.io.File;
	import java.io.IOException;
	import java.security.Principal;
	import java.util.HashMap;
	import java.util.HashSet;
	import java.util.Map;
	import java.util.Set;

	public class SecureClientLogin {
	private static final Logger LOG = LoggerFactory.getLogger(SecureClientLogin.class);

	public static final String HOSTNAME_PATTERN = "_HOST";

	private SecureClientLogin() {
	// to block instantiation
	}

	public static synchronized Subject loginUserFromKeytab(String user, String path) throws IOException {
	try {
	Subject subject = new Subject();
	SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
	LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);

	subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));

	login.login();

	return login.getSubject();
	} catch (LoginException le) {
	throw new IOException("Login failure for " + user + " from keytab " + path, le);
	}
	}

	public static synchronized Subject loginUserFromKeytab(String user, String path, String nameRules) throws IOException {
	try {
	Subject subject = new Subject();
	SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
	LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);

	KerberosName.setRules(nameRules);

	subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));

	login.login();

	return login.getSubject();
	} catch (LoginException le) {
	throw new IOException("Login failure for " + user + " from keytab " + path, le);
	}
	}

	public static synchronized Subject loginUserWithPassword(String user, String password) throws IOException {
	try {
	Subject subject = new Subject();
	SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(false, user, password);
	LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);

	subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));

	login.login();

	return login.getSubject();
	} catch (LoginException le) {
	throw new IOException("Login failure for " + user + " using password ****", le);
	}
	}

	public static synchronized Subject login(String user) throws IOException {
	Subject subject = new Subject();

	subject.getPrincipals().add(new User(user));

	return subject;
	}

	public static Set<Principal> getUserPrincipals(Subject aSubject) {
	if (aSubject != null) {
	Set<User> list = aSubject.getPrincipals(User.class);

	return list != null ? new HashSet<>(list) : null;
	} else {
	return null;
	}
	}

	public static Principal createUserPrincipal(String aLoginName) {
	return new User(aLoginName);
	}

	public static boolean isKerberosCredentialExists(String principal, String keytabPath) {
	boolean isValid = false;

	if (keytabPath != null && !keytabPath.isEmpty()) {
	File keytabFile = new File(keytabPath);

	if (!keytabFile.exists()) {
	LOG.warn("{} doesn't exist.", keytabPath);
	} else if (!keytabFile.canRead()) {
	LOG.warn("Unable to read {}. Please check the file access permissions for user", keytabPath);
	} else {
	isValid = true;
	}
	} else {
	LOG.warn("Can't find keyTab Path : {}", keytabPath);
	}
	if (!(principal != null && !principal.isEmpty() && isValid)) {
	isValid = false;

	LOG.warn("Can't find principal : {}", principal);
	}

	return isValid;
	}

	public static String getPrincipal(String principalConfig, String hostName) throws IOException {
	String[] components = getComponents(principalConfig);

	if (components == null \|\| components.length != 3 \|\| !HOSTNAME_PATTERN.equals(components[1])) {
	return principalConfig;
	} else {
	if (hostName == null) {
	throw new IOException("Can't replace " + HOSTNAME_PATTERN + " pattern since client ranger.service.host is null");
	}

	return replacePattern(components, hostName);
	}
	}

	private static String[] getComponents(String principalConfig) {
	if (principalConfig == null) {
	return null;
	}

	return principalConfig.split("[/@]");
	}

	private static String replacePattern(String[] components, String hostname) throws IOException {
	String fqdn = hostname;

	if (StringUtil.isEmpty(fqdn) \|\| "0.0.0.0".equals(fqdn)) {
	fqdn = java.net.InetAddress.getLocalHost().getCanonicalHostName();
	}

	return components[0] + "/" + StringUtils.toLowerCase(fqdn) + "@" + components[2];
	}

	static class SecureClientLoginConfiguration extends javax.security.auth.login.Configuration {
	private final Map<String, String> kerberosOptions = new HashMap<>();
	private boolean usePassword;

	public SecureClientLoginConfiguration(boolean useKeyTab, String principal, String credential) {
	kerberosOptions.put("principal", principal);
	kerberosOptions.put("debug", "false");

	if (useKeyTab) {
	kerberosOptions.put("useKeyTab", "true");
	kerberosOptions.put("keyTab", credential);
	kerberosOptions.put("doNotPrompt", "true");
	} else {
	usePassword = true;

	kerberosOptions.put("useKeyTab", "false");
	kerberosOptions.put(KrbPasswordSaverLoginModule.USERNAME_PARAM, principal);
	kerberosOptions.put(KrbPasswordSaverLoginModule.PASSWORD_PARAM, credential);
	kerberosOptions.put("doNotPrompt", "false");
	kerberosOptions.put("useFirstPass", "true");
	kerberosOptions.put("tryFirstPass", "false");
	}

	kerberosOptions.put("storeKey", "true");
	kerberosOptions.put("refreshKrb5Config", "true");
	}

	@Override
	public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
	AppConfigurationEntry keytabKerberosLogin = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED, kerberosOptions);

	if (usePassword) {
	AppConfigurationEntry kerberosPwdSaver = new AppConfigurationEntry(KrbPasswordSaverLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, kerberosOptions);

	return new AppConfigurationEntry[] {kerberosPwdSaver, keytabKerberosLogin};
	} else {
	return new AppConfigurationEntry[] {keytabKerberosLogin};
	}
	}
	}
	}