
/*
* Copyright (C) 2012-2015 DataStax Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.datastax.driver.auth;
import com.datastax.driver.core.AuthProvider;
import com.datastax.driver.core.Authenticator;
import com.datastax.driver.core.exceptions.AuthenticationException;
import com.google.common.base.Charsets;
import com.google.common.collect.ImmutableMap;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import java.net.InetSocketAddress;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Map;
/**
 * AuthProvider that provides GSSAPI authenticator instances for clients to connect
 * to DSE clusters secured with the DseAuthenticator.
 *
 * <h2>Kerberos Authentication</h2>
 * The SASL protocol name defaults to {@code "dse"}; should you need to change that
 * it can be overridden using the {@code dse.sasl.protocol} system property. The
 * SASL GSSAPI mechanism combines this protocol name with the node's canonical host
 * name to form the service principal it requests a ticket for, so it must match the
 * primary of the Kerberos service principal the DSE nodes were registered under.
 *
 * Keytab and ticket cache settings are specified using a standard JAAS
 * configuration file. The location of the file can be set using the
 * {@code java.security.auth.login.config} system property or by adding a
 * {@code login.config.url.n} entry in the {@code java.security} properties file.
 *
 * See the following documents for further details on the
 * JAAS Login Configuration File and the JAAS Authentication Tutorial
 * for more on JAAS in general.
 *
 * <h2>Authentication using ticket cache</h2>
 * Run {@code kinit} to obtain a ticket and populate the cache before
 * connecting. JAAS config:
 *
 * <pre>
 * DseClient {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *         useTicketCache=true
 *         renewTGT=true;
 * };
 * </pre>
 *
 * <h2>Authentication using a keytab file</h2>
 * To enable authentication using a keytab file, specify its location on disk.
 * If your keytab contains more than one principal key, you should also specify
 * which one to select. The keytab holds a long-lived key, so restrict its file
 * permissions to the account running the client.
 *
 * <pre>
 * DseClient {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *         useKeyTab=true
 *         keyTab="/path/to/file.keytab"
 *         principal="user@EXAMPLE.COM";
 * };
 * </pre>
 *
 * To create a cluster using this auth provider:
 *
 * <pre>
 * Cluster cluster = Cluster.builder()
 *                          .addContactPoint(hostname)
 *                          .withAuthProvider(new DseGSSAPIAuthProvider())
 *                          .build();
 * </pre>
 */
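public class DseGSSAPIAuthProvider implements AuthProvider {

    /**
     * Creates a new GSSAPI (Kerberos) authenticator for one connection to {@code host}.
     *
     * @param host          address of the node being authenticated against; its canonical
     *                      host name becomes the host part of the service principal name
     * @param authenticator name of the server-side authenticator class, passed through to
     *                      {@link BaseDseAuthenticator}
     * @return a fresh authenticator holding its own JAAS {@link Subject} and {@link SaslClient}
     * @throws AuthenticationException declared for the {@link AuthProvider} contract; note
     *         that JAAS login and SASL client setup failures are actually surfaced as
     *         {@link RuntimeException} from the authenticator's constructor
     */
    public Authenticator newAuthenticator(InetSocketAddress host, String authenticator) throws AuthenticationException {
        return new GSSAPIAuthenticator(authenticator, host);
    }

    /**
     * One SASL/GSSAPI exchange with a single DSE node.
     *
     * The constructor performs the JAAS login (entry {@value #JAAS_CONFIG_ENTRY}) and builds
     * the {@link SaslClient}; {@link #evaluateChallenge(byte[])} then drives the token exchange
     * with every context step executed as the logged-in {@link Subject}, which is where the
     * Kerberos credentials live.
     *
     * NOTE(review): {@link SaslClient} is stateful and not documented as thread-safe; this
     * class presumably relies on the driver creating one authenticator per connection
     * (see {@link DseGSSAPIAuthProvider#newAuthenticator}) -- confirm against the driver.
     */
    private static class GSSAPIAuthenticator extends BaseDseAuthenticator {

        /** Name of the JAAS login configuration entry this client reads its credentials from. */
        private static final String JAAS_CONFIG_ENTRY = "DseClient";

        /** Only GSSAPI is offered to the SASL factory; no weaker mechanism can be negotiated. */
        private static final String[] SUPPORTED_MECHANISMS = new String[]{"GSSAPI"};

        /** Default primary of the service principal ({@code dse/<host>@REALM}). */
        private static final String SASL_PROTOCOL_NAME = "dse";

        /** System property that overrides {@link #SASL_PROTOCOL_NAME}. */
        private static final String SASL_PROTOCOL_NAME_PROPERTY = "dse.sasl.protocol";

        /**
         * SASL properties for the GSSAPI client.
         *
         * {@code SERVER_AUTH=true} requests mutual authentication: the client verifies the
         * server's final token, so a peer that does not hold the service principal's key
         * cannot complete the handshake. {@code QOP=auth} negotiates authentication only --
         * no SASL integrity or confidentiality layer is applied to the CQL stream afterwards,
         * so transport protection (if required) has to come from SSL on the connection.
         */
        private static final Map<String, String> DEFAULT_PROPERTIES =
                ImmutableMap.<String, String>builder()
                        .put(Sasl.SERVER_AUTH, "true")
                        .put(Sasl.QOP, "auth")
                        .build();

        /** Shared zero-length token; safe to hand out unconditionally since it cannot be mutated. */
        private static final byte[] EMPTY_BYTE_ARRAY = new byte[0];

        /** Mechanism name announced to the server. */
        private static final byte[] MECHANISM = "GSSAPI".getBytes(Charsets.UTF_8);

        /** Marker DSE sends to kick off the exchange; it is not itself a GSSAPI token. */
        private static final byte[] SERVER_INITIAL_CHALLENGE = "GSSAPI-START".getBytes(Charsets.UTF_8);

        /** Subject produced by the JAAS login; carries the Kerberos credentials. */
        private final Subject subject;

        /** Per-connection SASL state machine. */
        private final SaslClient saslClient;

        /**
         * Logs in via JAAS and prepares the SASL client for {@code host}.
         *
         * @param authenticator server-side authenticator class name (forwarded to the superclass)
         * @param host          node to authenticate against
         * @throws RuntimeException wrapping the {@link LoginException} or {@link SaslException}
         *         if credentials cannot be acquired or the SASL client cannot be created
         */
        public GSSAPIAuthenticator(String authenticator, InetSocketAddress host) {
            super(authenticator);
            try {
                // Acquire Kerberos credentials (ticket cache or keytab, per the JAAS entry).
                LoginContext login = new LoginContext(JAAS_CONFIG_ENTRY);
                login.login();
                subject = login.getSubject();

                // The service principal is <protocol>/<canonical host name>. The host name is
                // the result of a reverse DNS lookup on the contact address, so a spoofed PTR
                // record changes which principal the client asks the KDC for; mutual
                // authentication (SERVER_AUTH above) still requires the peer to hold that
                // principal's key, but the lookup is a trust dependency worth knowing about.
                saslClient = Sasl.createSaslClient(
                        SUPPORTED_MECHANISMS,
                        null,                                   // no separate authorization id
                        System.getProperty(SASL_PROTOCOL_NAME_PROPERTY, SASL_PROTOCOL_NAME),
                        host.getAddress().getCanonicalHostName(),
                        DEFAULT_PROPERTIES,
                        null);                                  // no CallbackHandler needed for GSSAPI
            } catch (LoginException e) {
                throw new RuntimeException("JAAS login failed for configuration entry '" + JAAS_CONFIG_ENTRY + "'", e);
            } catch (SaslException e) {
                throw new RuntimeException("Could not create GSSAPI SASL client for " + host, e);
            }
        }

        /** @return a private copy of the mechanism name, so callers cannot alter the constant */
        public byte[] getMechanism() {
            return MECHANISM.clone();
        }

        /** @return a private copy of the {@code GSSAPI-START} marker the server is expected to send first */
        public byte[] getInitialServerChallenge() {
            return SERVER_INITIAL_CHALLENGE.clone();
        }

        /**
         * Feeds one server token to the SASL client and returns the client's response.
         *
         * The DSE start marker is translated into an empty input token (or answered with an
         * empty response when the mechanism has no initial token); everything else is passed
         * through untouched.
         *
         * @param challenge token received from the server
         * @return the next token to send, possibly empty
         * @throws RuntimeException wrapping the {@link SaslException} raised by the mechanism,
         *         e.g. when a token fails to verify, so the connection attempt fails
         */
        public byte[] evaluateChallenge(byte[] challenge) {
            byte[] token = challenge;
            if (Arrays.equals(SERVER_INITIAL_CHALLENGE, challenge)) {
                if (!saslClient.hasInitialResponse()) {
                    return EMPTY_BYTE_ARRAY;
                }
                token = EMPTY_BYTE_ARRAY;
            }
            final byte[] input = token;
            try {
                // The GSSAPI mechanism locates the Kerberos credentials through the Subject
                // of the calling thread, so every context step must run under doAs.
                return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
                    public byte[] run() throws SaslException {
                        return saslClient.evaluateChallenge(input);
                    }
                });
            } catch (PrivilegedActionException e) {
                // Unwrap to the underlying SaslException; keep it as the cause.
                throw new RuntimeException(e.getException());
            }
        }
    }
}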