/**
 * Builds the callback under test with an allow-list holding the single short name "hive".
 *
 * Every test in this class therefore expects a principal to be admitted only when it
 * resolves to that short name.
 */
@Before
public void setUp() {
  final String allowedShortName = "hive";
  // The allow-list is written before the callback is built from the same conf object.
  conf.set(ServerConfig.ALLOW_CONNECT, allowedShortName);
  callBack = new GSSCallback(conf);
}
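/**
 * Decides whether a Kerberos principal may connect, based on the comma-separated
 * allow-list stored under {@code ServerConfig.ALLOW_CONNECT}.
 *
 * <p>The principal is first reduced to its short name via {@code getShortName}. That short
 * name is then checked against each allow-list entry with {@code comparePrincipals}. The
 * decision fails closed: a missing allow-list, a blank entry, or an empty short name never
 * grants access.
 *
 * @param principal the authenticated principal name presented by the peer
 * @return {@code true} if the principal's short name matches an allow-list entry,
 *         {@code false} otherwise
 */
boolean allowConnect(String principal) {
  String allowedPrincipals = conf.get(ServerConfig.ALLOW_CONNECT);
  if (allowedPrincipals == null) {
    // No allow-list configured: nobody is admitted.
    return false;
  }
  String principalShortName = getShortName(principal);
  if (principalShortName == null || principalShortName.isEmpty()) {
    // An unresolvable identity must not be compared against anything.
    return false;
  }
  // Trim first so that padding around the whole value (" hive", "hive\n") does not end up
  // inside the first or last entry; the split pattern only strips whitespace next to commas.
  for (String item : allowedPrincipals.trim().split("\\s*,\\s*")) {
    if (item.isEmpty()) {
      // Produced by "", ",hive" or "a,,b". comparePrincipals is not visible here; if it is
      // lenient in any way, an empty entry could match every caller, so never pass one on.
      continue;
    }
    if (comparePrincipals(item, principalShortName)) {
      return true;
    }
  }
  return false;
}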
/**
 * Checks the allow-list decision for plain principals, first without installing any
 * mapping rules and then with the "DEFAULT" rule set.
 *
 * In both phases only the principal whose name part is "hive" is expected to be admitted.
 */
@Test
public void testAllowConnectOnKerberosPrincipal() {
  final String hivePrincipal = "hive@GCE.CLOUDERA.COM";
  final String impalaPrincipal = "impala@GCE.CLOUDERA.COM";

  // Phase 1: this test has not installed any rules yet.
  // NOTE(review): KerberosName.setRules is a static call, so rules set by another test
  // presumably persist; this phase then depends on execution order - confirm isolation.
  assertTrue("Authenticate valid user", callBack.allowConnect(hivePrincipal));
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(impalaPrincipal));

  // Phase 2: same expectations once the DEFAULT rule set is in place.
  KerberosName.setRules("DEFAULT");
  assertTrue("Authenticate valid user", callBack.allowConnect(hivePrincipal));
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(impalaPrincipal));
}
/**
 * Checks that the allow-list is applied to the short name produced by the mapping rules
 * rather than to the raw principal name.
 *
 * A principal whose rule rewrites it to "hive" is admitted. One rewritten to "solr" and one
 * that the installed rule does not name are both rejected. The mapping rules are thus part
 * of the access decision and deserve the same review as the allow-list itself.
 */
@Test
public void testAllowConnectWithRuleSet() {
  // Rule rewriting user1@TEST.REALM.COM to the allow-listed short name "hive".
  KerberosName.setRules("RULE:[1:$1@$0](user1@TEST.REALM.COM)s/.*/hive/");
  final String mappedToHive = "user1@TEST.REALM.COM";
  assertTrue("Authenticate valid user", callBack.allowConnect(mappedToHive));

  // Replace the rule set: user2 is now rewritten to "solr", which is not allow-listed.
  KerberosName.setRules("RULE:[1:$1@$0](user2@TEST.REALM.COM)s/.*/solr/");
  final String mappedToSolr = "user2@TEST.REALM.COM";
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(mappedToSolr));

  // user3 is not named by the rule installed above and must be rejected as well.
  final String notNamedByRule = "user3@TEST.REALM.COM";
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(notNamedByRule));
}
String authzid = ac.getAuthorizationID(); if (allowConnect(authid)) { if (authid.equals(authzid)) { ac.setAuthorized(true);
principalShortName = getShortName(principal); principalShortName = getShortName(principal); } catch (Exception e) { LoggerFactory.getLogger(GSSCallback.class) .debug("Cannot derive short name from KerberosName. " + "Use principal name prefix to authenticate", e); principalShortName = getShortName(principal); principalShortName = getShortName(principal); if (comparePrincipals(item, principalShortName)) { return true;
saslTransportFactory.addServerDefinition(AuthMethod.KERBEROS .getMechanismName(), principalParts[0], principalParts[1], ServerConfig.SASL_PROPERTIES, new GSSCallback(conf)); transportFactory = saslTransportFactory; } else {
String authzid = ac.getAuthorizationID(); if (allowConnect(authid)) { if (authid.equals(authzid)) { ac.setAuthorized(true);
saslTransportFactory.addServerDefinition(AuthMethod.KERBEROS .getMechanismName(), principalParts[0], principalParts[1], ServerConfig.SASL_PROPERTIES, new GSSCallback(conf)); transportFactory = saslTransportFactory; } else {