/**
 * Supplies the JAAS login configuration for the ZooKeeper client context.
 * <p>
 * When {@code appName} is {@code loginContextName}, a single REQUIRED
 * Krb5LoginModule entry is returned that logs in from {@code keyTabFile} as
 * {@code principal} without prompting. Any other application name is delegated
 * to {@code baseConfig}, or yields {@code null} when no base configuration
 * was wrapped.
 *
 * @param appName JAAS application (login context) name being looked up
 * @return the entries for {@code appName}, or {@code null} if unknown
 */
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
  if (!loginContextName.equals(appName)) {
    // Not our context: defer to the wrapped configuration, if there is one.
    return baseConfig == null ? null : baseConfig.getAppConfigurationEntry(appName);
  }
  Map<String, String> options = new HashMap<String, String>();
  // Non-interactive keytab login for Krb5LoginModule; krb5.conf is re-read
  // on each login so a changed configuration is picked up without restart.
  options.put("doNotPrompt", "true");
  options.put("storeKey", "true");
  options.put("useKeyTab", "true");
  options.put("principal", principal);
  options.put("keyTab", keyTabFile);
  options.put("refreshKrb5Config", "true");
  AppConfigurationEntry entry = new AppConfigurationEntry(
      KerberosUtil.getKrb5LoginModuleName(),
      AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
      options);
  return new AppConfigurationEntry[] { entry };
}
}
case KERBEROS_SSL: try { KerberosUtil.getDefaultRealm(); } catch (Exception ke) { throw new IllegalArgumentException("Can't get Kerberos realm", ke);
/**
 * Produces the initial GSS-API token for the Kerberos handshake with the
 * {@code HTTP} service on {@code authServer}.
 * <p>
 * A Kerberos 5 context is created for the service principal
 * {@code HTTP/<authServer>} and the first output token for {@code input} is
 * returned. Mutual authentication is requested so the server must prove its
 * identity back to the client.
 * NOTE(review): {@code requestCredDeleg(true)} asks for the caller's
 * credentials to be forwarded to the server; confirm the remote service is
 * trusted to hold them before keeping delegation enabled.
 *
 * @return the first token produced by {@code initSecContext}
 * @throws UnknownHostException if the service hostname cannot be resolved
 * @throws ClassNotFoundException if the OID lookup cannot load its class
 * @throws GSSException on any GSS-API failure
 * @throws IllegalAccessException if the OID lookup cannot access its field
 * @throws NoSuchFieldException if the requested OID constant does not exist
 */
public byte[] run() throws UnknownHostException, ClassNotFoundException,
    GSSException, IllegalAccessException, NoSuchFieldException {
  GSSManager manager = GSSManager.getInstance();
  String principal = KerberosUtil.getServicePrincipal("HTTP", authServer);
  Oid nameType = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
  GSSName target = manager.createName(principal, nameType);
  Oid krb5Mech = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
  // DEFAULT_LIFETIME (0) lets the mechanism choose the context lifetime.
  GSSContext context = manager.createContext(target, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
  context.requestMutualAuth(true);
  context.requestCredDeleg(true);
  return context.initSecContext(input, 0, input.length);
}
spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*")); if (spnegoPrincipals.length == 0) { throw new ServletException("Principals do not exist in the keytab");
throws IOException, UnknownHostException { String service = "TestKerberosUtil"; String localHostname = KerberosUtil.getLocalHostName(); String testHost = "FooBar"; String defaultRealm = KerberosUtil.getDefaultRealmProtected(); KerberosUtil.getDomainRealm(service + "/" + localHostname.toLowerCase(Locale.ENGLISH)), defaultRealm); Assert.assertEquals("testGetServerPrincipal assumes realm of testHost 'FooBar' is default", KerberosUtil.getDomainRealm(service + "/" + testHost.toLowerCase(Locale.ENGLISH)), defaultRealm); KerberosUtil.getServicePrincipal(service, null)); KerberosUtil.getServicePrincipal(service, "")); KerberosUtil.getServicePrincipal(service, "0.0.0.0")); KerberosUtil.getServicePrincipal(service, testHost)); KerberosUtil.getServicePrincipal( service, testHost.toLowerCase(Locale.ENGLISH)));
try { Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"); GSSManager manager = GSSManager.getInstance();
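/**
 * Verifies the hostname handling of {@code KerberosUtil.getServicePrincipal}:
 * a {@code null}, empty or {@code "0.0.0.0"} hostname falls back to the local
 * hostname, and any hostname is lower-cased.
 * <p>
 * Expected values are lower-cased with an explicit fixed locale instead of the
 * JVM default, matching the fixed-locale lower-casing used by the
 * implementation; with a default locale such as Turkish, {@code toLowerCase()}
 * maps 'I' differently and the expectation would diverge from the code under
 * test.
 *
 * @throws IOException if the local hostname cannot be resolved
 */
@Test
public void testGetServerPrincipal() throws IOException {
  String service = "TestKerberosUtil";
  String localHostname = KerberosUtil.getLocalHostName();
  String testHost = "FooBar";
  // Locale-independent expectations (fully qualified to avoid a new import).
  String localPrincipal =
      service + "/" + localHostname.toLowerCase(java.util.Locale.ENGLISH);
  String testPrincipal =
      service + "/" + testHost.toLowerCase(java.util.Locale.ENGLISH);

  // null, empty and wildcard-address hostnames all resolve to the local host
  Assert.assertEquals("When no hostname is sent",
      localPrincipal, KerberosUtil.getServicePrincipal(service, null));
  Assert.assertEquals("When empty hostname is sent",
      localPrincipal, KerberosUtil.getServicePrincipal(service, ""));
  Assert.assertEquals("When 0.0.0.0 hostname is sent",
      localPrincipal, KerberosUtil.getServicePrincipal(service, "0.0.0.0"));

  // explicit hostnames are lower-cased regardless of the case they arrive in
  Assert.assertEquals("When uppercase hostname is sent",
      testPrincipal, KerberosUtil.getServicePrincipal(service, testHost));
  Assert.assertEquals("When lowercase hostname is sent",
      testPrincipal, KerberosUtil.getServicePrincipal(service,
          testHost.toLowerCase(java.util.Locale.ENGLISH)));
}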
String realmString = null; if (null == fqdn || fqdn.equals("") || fqdn.equals("0.0.0.0")) { fqdn = getLocalHostName(); shortprinc = service + "/" + fqdn; realmString = getDomainRealm(shortprinc); if (null == realmString || realmString.equals("")) { return shortprinc;
/**
 * Builds the Kerberos service principal {@code service/hostname}.
 * <p>
 * A {@code null}, empty or {@code "0.0.0.0"} hostname is replaced by the
 * locally resolved hostname. Whichever hostname is used is lower-cased with a
 * fixed locale (the original rationale: Kerberos does not work with hostnames
 * containing upper-case characters, and a fixed locale keeps the result
 * independent of the JVM default locale).
 * NOTE(review): the hostname is not otherwise validated; if a caller can pass
 * an untrusted value, characters such as '/' or '@' are embedded verbatim in
 * the principal — confirm callers only pass plain hostnames.
 *
 * @param service  service name, i.e. the part before the slash
 * @param hostname fully-qualified host name; {@code null}, {@code ""} or
 *                 {@code "0.0.0.0"} select the local host
 * @return the principal {@code service/<lower-cased hostname>}
 * @throws UnknownHostException if the local hostname must be resolved and cannot be
 */
public static final String getServicePrincipal(String service, String hostname)
    throws UnknownHostException {
  boolean useLocalHost =
      hostname == null || hostname.isEmpty() || "0.0.0.0".equals(hostname);
  String host = useLocalHost ? getLocalHostName() : hostname;
  return service + "/" + host.toLowerCase(Locale.ENGLISH);
}
try { GSSManager gssManager = GSSManager.getInstance(); String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", KerberosAuthenticator.this.url.getHost()); Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
/**
 * Returns the unique principals of a keytab whose full name matches
 * {@code pattern}.
 * <p>
 * Matching uses {@code Matcher.matches()}, so the pattern must cover the whole
 * principal name (e.g. {@code HTTP/.*} to select a service's principals, not
 * {@code HTTP}).
 *
 * @param keytab  path of the keytab file to read
 * @param pattern regular expression the entire principal name must match
 * @return the matching principals; empty when the keytab yields none
 * @throws IOException if the principal names cannot be read from the keytab
 */
public static final String[] getPrincipalNames(String keytab, Pattern pattern)
    throws IOException {
  String[] all = getPrincipalNames(keytab);
  if (all.length == 0) {
    // Nothing to filter; hand back the (empty) array as-is.
    return all;
  }
  List<String> selected = new ArrayList<String>(all.length);
  for (String name : all) {
    if (pattern.matcher(name).matches()) {
      selected.add(name);
    }
  }
  return selected.toArray(new String[selected.size()]);
}
throws IOException, UnknownHostException { String service = "TestKerberosUtil"; String localHostname = KerberosUtil.getLocalHostName(); String testHost = "FooBar"; String defaultRealm = KerberosUtil.getDefaultRealmProtected(); KerberosUtil.getDomainRealm(service + "/" + localHostname.toLowerCase(Locale.ENGLISH)), defaultRealm); Assert.assertEquals("testGetServerPrincipal assumes realm of testHost 'FooBar' is default", KerberosUtil.getDomainRealm(service + "/" + testHost.toLowerCase(Locale.ENGLISH)), defaultRealm); KerberosUtil.getServicePrincipal(service, null)); KerberosUtil.getServicePrincipal(service, "")); KerberosUtil.getServicePrincipal(service, "0.0.0.0")); KerberosUtil.getServicePrincipal(service, testHost)); KerberosUtil.getServicePrincipal( service, testHost.toLowerCase(Locale.ENGLISH)));
try { Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"); GSSManager manager = GSSManager.getInstance();
String realmString = null; if (null == fqdn || fqdn.equals("") || fqdn.equals("0.0.0.0")) { fqdn = getLocalHostName(); shortprinc = service + "/" + fqdn; realmString = getDomainRealm(shortprinc); if (null == realmString || realmString.equals("")) { return shortprinc;
/**
 * Builds the Kerberos service principal {@code service/hostname}.
 * <p>
 * A {@code null}, empty or {@code "0.0.0.0"} hostname is replaced by the
 * locally resolved hostname. Whichever hostname is used is lower-cased with a
 * fixed locale (the original rationale: Kerberos does not work with hostnames
 * containing upper-case characters, and a fixed locale keeps the result
 * independent of the JVM default locale).
 * NOTE(review): the hostname is not otherwise validated; if a caller can pass
 * an untrusted value, characters such as '/' or '@' are embedded verbatim in
 * the principal — confirm callers only pass plain hostnames.
 *
 * @param service  service name, i.e. the part before the slash
 * @param hostname fully-qualified host name; {@code null}, {@code ""} or
 *                 {@code "0.0.0.0"} select the local host
 * @return the principal {@code service/<lower-cased hostname>}
 * @throws UnknownHostException if the local hostname must be resolved and cannot be
 */
public static final String getServicePrincipal(String service, String hostname)
    throws UnknownHostException {
  String host = hostname;
  if (host == null || host.isEmpty() || "0.0.0.0".equals(host)) {
    host = getLocalHostName();
  }
  return service + "/" + host.toLowerCase(Locale.US);
}
/**
 * Supplies the JAAS login configuration for the Hive ZooKeeper client context.
 * <p>
 * When {@code appName} is {@code loginContextName}, a single REQUIRED
 * Krb5LoginModule entry is returned that logs in from {@code keyTabFile} as
 * {@code principal}. The option names differ between the IBM JDK
 * ({@code credsType}/{@code useKeytab}) and other JDKs
 * ({@code doNotPrompt}/{@code storeKey}/{@code useKeyTab}/{@code keyTab}),
 * selected by {@code IBM_JAVA}. Any other application name is delegated to
 * {@code baseConfig}, or yields {@code null} when none was wrapped.
 *
 * @param appName JAAS application (login context) name being looked up
 * @return the entries for {@code appName}, or {@code null} if unknown
 */
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
  if (!loginContextName.equals(appName)) {
    // Not our context: defer to the wrapped configuration, if there is one.
    return baseConfig == null ? null : baseConfig.getAppConfigurationEntry(appName);
  }
  Map<String, String> options = new HashMap<String, String>();
  if (IBM_JAVA) {
    // IBM's Krb5LoginModule spells the keytab options differently.
    options.put("credsType", "both");
    options.put("useKeytab", keyTabFile);
  } else {
    options.put("doNotPrompt", "true");
    options.put("storeKey", "true");
    options.put("useKeyTab", "true");
    options.put("keyTab", keyTabFile);
  }
  // Common to both JDK flavours; krb5.conf is re-read on each login.
  options.put("principal", principal);
  options.put("refreshKrb5Config", "true");
  AppConfigurationEntry entry = new AppConfigurationEntry(
      KerberosUtil.getKrb5LoginModuleName(),
      LoginModuleControlFlag.REQUIRED,
      options);
  return new AppConfigurationEntry[] { entry };
}
}
String defaultRealm = getDefaultRealm(); println("Default Realm = %s", defaultRealm); if (defaultRealm == null) {
gssCreds = gssManager.createCredential( gssManager.createName( KerberosUtil.getServicePrincipal("HTTP", serverName), KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL") ), GSSCredential.INDEFINITE_LIFETIME, new Oid[]{ KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID") }, GSSCredential.ACCEPT_ONLY
/**
 * Returns the unique principals of a keytab whose full name matches
 * {@code pattern}.
 * <p>
 * Matching uses {@code Matcher.matches()}, so the pattern must cover the whole
 * principal name (e.g. {@code HTTP/.*} to select a service's principals, not
 * {@code HTTP}).
 *
 * @param keytab  path of the keytab file to read
 * @param pattern regular expression the entire principal name must match
 * @return the matching principals; empty when the keytab yields none
 * @throws IOException if the principal names cannot be read from the keytab
 */
public static final String[] getPrincipalNames(String keytab, Pattern pattern)
    throws IOException {
  String[] found = getPrincipalNames(keytab);
  if (found.length == 0) {
    // Nothing to filter; hand back the (empty) array as-is.
    return found;
  }
  List<String> kept = new ArrayList<String>();
  for (int i = 0; i < found.length; i++) {
    if (pattern.matcher(found[i]).matches()) {
      kept.add(found[i]);
    }
  }
  return kept.toArray(new String[kept.size()]);
}
gssCreds = this.gssManager.createCredential( this.gssManager.createName(serverPrincipal, KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")), GSSCredential.INDEFINITE_LIFETIME, new Oid[]{ KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")}, GSSCredential.ACCEPT_ONLY); gssContext = this.gssManager.createContext(gssCreds);