@Override public TTransport getTransport(final TTransport trans) { try { return Subject.doAs(subject, new PrivilegedExceptionAction<TTransport>() { public TTransport run() { try { return wrapped.getTransport(trans); } catch (Exception e) { LOG.error("Storm server failed to open transport to interact with a client during session initiation: " + e, e); return null; } } }); } catch (PrivilegedActionException e) { LOG.error("Storm server experienced a PrivilegedActionException exception while creating a transport using a JAAS principal context:" + e, e); return null; } } }
private static <T> T doAs(Subject subject, GssSupplier<T> action) { return Subject.doAs(subject, (PrivilegedAction<T>) () -> { try { return action.get(); } catch (GSSException e) { throw new RuntimeException(e); } }); } }
private static <T> T doAs(Subject subject, GssSupplier<T> action) throws GSSException { try { return Subject.doAs(subject, (PrivilegedExceptionAction<T>) action::get); } catch (PrivilegedActionException e) { Throwable t = e.getCause(); throwIfInstanceOf(t, GSSException.class); throwIfUnchecked(t); throw new RuntimeException(t); } }
private SaslClient createSaslClient() { try { return Subject.doAs(subject, (PrivilegedExceptionAction<SaslClient>) () -> { String[] mechs = {mechanism}; LOG.debug("Creating SaslClient: client={};service={};serviceHostname={};mechs={}", clientPrincipalName, servicePrincipal, host, Arrays.toString(mechs)); return Sasl.createSaslClient(mechs, clientPrincipalName, servicePrincipal, host, configs, callbackHandler); }); } catch (PrivilegedActionException e) { throw new SaslAuthenticationException("Failed to create SaslClient with mechanism " + mechanism, e.getCause()); } }
/** * Respond to server's SASL token. * * @param saslTokenMessage contains server's SASL token * @return client's response SASL token */ public byte[] saslResponse(SaslMessageToken saslTokenMessage) { try { final SaslMessageToken fSaslTokenMessage = saslTokenMessage; byte[] retval = Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() { public byte[] run() { try { byte[] retval = saslClient.evaluateChallenge(fSaslTokenMessage .getSaslToken()); return retval; } catch (SaslException e) { LOG.error("saslResponse: Failed to respond to SASL server's token:", e); throw new RuntimeException(e); } } }); return retval; } catch (PrivilegedActionException e) { LOG.error("Failed to generate response for token: ", e); throw new RuntimeException(e); } }
private static <T> T doAs(Subject subject, GssSupplier<T> action) throws GSSException { try { return Subject.doAs(subject, (PrivilegedExceptionAction<T>) action::get); } catch (PrivilegedActionException e) { Throwable t = e.getCause(); throwIfInstanceOf(t, GSSException.class); throwIfUnchecked(t); throw new RuntimeException(t); } }
/** * Executes the PrivilegedAction as this user. * * @param action the action to execute * @param <T> the type of result * @return the result of the action * @throws IllegalStateException if this method is called while not logged in */ @Override public <T> T doAs(final PrivilegedAction<T> action) throws IllegalStateException { if (!isLoggedIn()) { throw new IllegalStateException("Must login before executing actions"); } return Subject.doAs(subject, action); }
private void createSaslServer(String mechanism) throws IOException { this.saslMechanism = mechanism; Subject subject = subjects.get(mechanism); final AuthenticateCallbackHandler callbackHandler = callbackHandlers.get(mechanism); if (mechanism.equals(SaslConfigs.GSSAPI_MECHANISM)) { saslServer = createSaslKerberosServer(callbackHandler, configs, subject); } else { try { saslServer = Subject.doAs(subject, (PrivilegedExceptionAction<SaslServer>) () -> Sasl.createSaslServer(saslMechanism, "kafka", serverAddress().getHostName(), configs, callbackHandler)); } catch (PrivilegedActionException e) { throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause()); } } }
@Override public TTransport getTransport(final TTransport trans) { try { return Subject.doAs(subject, (PrivilegedExceptionAction<TTransport>) () -> { try { return wrapped.getTransport(trans); } catch (Exception e) { LOG.debug("Storm server failed to open transport " + "to interact with a client during session initiation: " + e, e); return new NoOpTTrasport(null); } }); } catch (PrivilegedActionException e) { LOG.error( "Storm server experienced a PrivilegedActionException exception while creating a transport using a JAAS principal " + "context:" + e, e); return null; } } }
public SaslServerContext(final SaslServerFactory saslServerFactory, final String mech, final String serverName, final CallbackHandler callback_handler, final Map<String, String> props, final Subject subject) throws SaslException { this.subject = subject; if (this.subject != null) { try { server = Subject.doAs(this.subject, (PrivilegedExceptionAction<SaslServer>)() -> saslServerFactory.createSaslServer(mech, SASL.SASL_PROTOCOL_NAME, serverName, props, callback_handler)); } catch (PrivilegedActionException e) { throw (SaslException)e.getCause(); // The createSaslServer will only throw this type of exception } } else { server = saslServerFactory.createSaslServer(mech, SASL.SASL_PROTOCOL_NAME, serverName, props, callback_handler); } }
public SaslClientContext(final SaslClientFactory saslClientFactory, final String mech, final String server_name, final CallbackHandler callback_handler, final Map<String, String> props, final Subject subject) throws SaslException { this.subject = subject; if (this.subject != null) { try { client = Subject.doAs(this.subject, (PrivilegedExceptionAction<SaslClient>)() -> saslClientFactory.createSaslClient(new String[] { mech }, null, SASL.SASL_PROTOCOL_NAME, server_name, props, callback_handler)); } catch (PrivilegedActionException e) { throw (SaslException)e.getCause(); // The createSaslServer will only throw this type of exception } } else { client = saslClientFactory.createSaslClient(new String[] { mech }, null, SASL.SASL_PROTOCOL_NAME, server_name, props, callback_handler); } }
private byte[] evaluateChallenge(final byte[] challenge) throws SaslException { if (subject != null) { try { return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>)() -> client.evaluateChallenge(challenge)); } catch (PrivilegedActionException e) { Throwable cause = e.getCause(); if (cause instanceof SaslException) { throw (SaslException)cause; } else { throw new RuntimeException(cause); } } } else { return client.evaluateChallenge(challenge); } } }
/** * Run the given action as the user. * @param <T> the return type of the run method * @param action the method to execute * @return the value from the run method */ @InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedAction<T> action) { logPrivilegedAction(subject, action); return Subject.doAs(subject, action); }
void doAsSubject(final java.security.PrivilegedAction<Void> action) { if (getSubject() == null) { action.run(); } else { Subject.doAs(getSubject(), action); } }
return Subject.doAs(subject, (PrivilegedExceptionAction<SaslServer>) () -> Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler)); } catch (PrivilegedActionException e) {
/** * @return Stringified Base64 encoded kerberosAuthHeader on success * @throws Exception */ public static String getKerberosServiceTicket(String principal, String host, String serverHttpUrl, Subject loggedInSubject) throws Exception { String serverPrincipal = HadoopThriftAuthBridge.getBridge().getServerPrincipal(principal, host); if (loggedInSubject != null) { return Subject.doAs(loggedInSubject, new HttpKerberosClientAction(serverPrincipal, serverHttpUrl)); } else { // JAAS login from ticket cache to setup the client UserGroupInformation UserGroupInformation clientUGI = HadoopThriftAuthBridge.getBridge().getCurrentUGIWithConf("kerberos"); return clientUGI.doAs(new HttpKerberosClientAction(serverPrincipal, serverHttpUrl)); } }
public static String validateSecurityContext(Subject subject, final byte[] serviceTicket) throws GSSException { // Accept the context and return the client principal name. return Subject.doAs(subject, (PrivilegedAction<String>)() -> { try { // Identify the server that communications are being made // to. GSSManager manager = GSSManager.getInstance(); GSSContext context = manager.createContext((GSSCredential) null); context.acceptSecContext(serviceTicket, 0, serviceTicket.length); return context.getSrcName().toString(); } catch (Exception e) { log.error(Util.getMessage("Krb5TokenKerberosContextProcessingException"),e); return null; } }); }
private byte[] createSaslToken(final byte[] saslToken, boolean isInitial) throws SaslException { if (saslToken == null) throw new IllegalSaslStateException("Error authenticating with the Kafka Broker: received a `null` saslToken."); try { if (isInitial && !saslClient.hasInitialResponse()) return saslToken; else return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> saslClient.evaluateChallenge(saslToken)); } catch (PrivilegedActionException e) { String error = "An error: (" + e + ") occurred when evaluating SASL token received from the Kafka Broker."; KerberosError kerberosError = KerberosError.fromException(e); // Try to provide hints to use about what went wrong so they can fix their configuration. if (kerberosError == KerberosError.SERVER_NOT_FOUND) { error += " This may be caused by Java's being unable to resolve the Kafka Broker's" + " hostname correctly. You may want to try to adding" + " '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment." + " Users must configure FQDN of kafka brokers when authenticating using SASL and" + " `socketChannel.socket().getInetAddress().getHostName()` must match the hostname in `principal/hostname@realm`"; } error += " Kafka Client will go to AUTHENTICATION_FAILED state."; //Unwrap the SaslException inside `PrivilegedActionException` Throwable cause = e.getCause(); // Treat transient Kerberos errors as non-fatal SaslExceptions that are processed as I/O exceptions // and all other failures as fatal SaslAuthenticationException. if (kerberosError != null && kerberosError.retriable()) throw new SaslException(error, cause); else throw new SaslAuthenticationException(error, cause); } }
public AuthenticationMechanismOutcome runGSSAPI(final HttpServerExchange exchange, final ByteBuffer challenge, final SecurityContext securityContext) { try { Subject server = subjectFactory.getSubjectForHost(getHostName(exchange)); // The AcceptSecurityContext takes over responsibility for setting the result. return Subject.doAs(server, new AcceptSecurityContext(exchange, challenge, securityContext)); } catch (GeneralSecurityException e) { e.printStackTrace(); return AuthenticationMechanismOutcome.NOT_AUTHENTICATED; } catch (PrivilegedActionException e) { e.printStackTrace(); return AuthenticationMechanismOutcome.NOT_AUTHENTICATED; } }
public static void tryConnectAs(Map<String, Object> conf, ThriftServer server, Subject subject, String topoId) throws PrivilegedActionException { Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> { try (NimbusClient client = new NimbusClient(conf, "localhost", server.getPort(), NIMBUS_TIMEOUT)) { client.getClient().activate(topoId); //Yes this should be a topo name, but it makes this simpler... } return null; }); }