All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.hive.service.auth.PlainSaslHelper Maven / Gradle / Ivy

There is a newer version: 4.0.1
Show newest version
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hive.service.auth;

import java.io.IOException;
import java.net.InetAddress;
import java.security.Security;
import java.util.HashMap;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthenticationException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;

import org.apache.hive.service.auth.AuthenticationProviderFactory.AuthMethods;
import org.apache.hive.service.auth.PlainSaslServer.SaslPlainProvider;
import org.apache.hive.service.rpc.thrift.TCLIService;
import org.apache.hive.service.rpc.thrift.TCLIService.Iface;
import org.apache.thrift.TProcessor;
import org.apache.thrift.TProcessorFactory;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.apache.thrift.transport.TTransportFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public final class PlainSaslHelper {
  private static final Logger LOG = LoggerFactory.getLogger(PlainSaslHelper.class);

  public static TProcessorFactory getPlainProcessorFactory(TCLIService.Iface service) {
    return new SQLPlainProcessorFactory(service);
  }

  // Register Plain SASL server provider
  static {
    Security.addProvider(new SaslPlainProvider());
  }

  public static TTransportFactory getPlainTransportFactory(String authTypeStr)
    throws LoginException {
    TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
    try {
      saslFactory.addServerDefinition("PLAIN", authTypeStr, null, new HashMap(),
        new PlainServerCallbackHandler(authTypeStr));
    } catch (AuthenticationException e) {
      throw new LoginException("Error setting callback handler" + e);
    }
    return saslFactory;
  }

  static TTransportFactory getDualPlainTransportFactory(TTransportFactory otherTrans,
                                                        String trustedDomain)
          throws LoginException {
    LOG.info("Created additional transport factory for skipping authentication when client " +
            "connection is from the same domain.");
    return new DualSaslTransportFactory(otherTrans, trustedDomain);
  }

  public static TTransport getPlainTransport(String username, String password,
    TTransport underlyingTransport) throws SaslException, TTransportException {
    return new TSaslClientTransport("PLAIN", null, null, null, new HashMap(),
      new PlainCallbackHandler(username, password), underlyingTransport);
  }

  // Return true if the remote host is from the trusted domain, i.e. host URL has the same
  // suffix as the trusted domain.
  static public boolean isHostFromTrustedDomain(String remoteHost, String trustedDomain) {
    return remoteHost.endsWith(trustedDomain);
  }

  private PlainSaslHelper() {
    throw new UnsupportedOperationException("Can't initialize class");
  }

  static final class DualSaslTransportFactory extends TTransportFactory {
    TTransportFactory otherFactory;
    TTransportFactory noAuthFactory;
    String trustedDomain;

    DualSaslTransportFactory(TTransportFactory otherFactory, String trustedDomain)
            throws LoginException {
      this.noAuthFactory = getPlainTransportFactory(AuthMethods.NONE.toString());
      this.otherFactory = otherFactory;
      this.trustedDomain = trustedDomain;
    }

    @Override
    public TTransport getTransport(final TTransport trans) throws TTransportException {
      TSocket tSocket = null;
      // Attempt to avoid authentication if only we can fetch the client IP address and it
      // happens to be from the same domain as the server.
      if (trans instanceof TSocket) {
        tSocket = (TSocket) trans;
      } else if (trans instanceof TSaslServerTransport) {
        TSaslServerTransport saslTrans = (TSaslServerTransport) trans;
        tSocket = (TSocket)(saslTrans.getUnderlyingTransport());
      }
      String remoteHost = tSocket != null ?
              tSocket.getSocket().getInetAddress().getCanonicalHostName() : null;
      if (remoteHost != null && isHostFromTrustedDomain(remoteHost, trustedDomain)) {
        LOG.info("No authentication performed because the connecting host " + remoteHost + " is " +
                "from the trusted domain " + trustedDomain);
        return noAuthFactory.getTransport(trans);
      }

      return otherFactory.getTransport(trans);
    }
  }

  public static final class PlainServerCallbackHandler implements CallbackHandler {

    private final AuthMethods authMethod;

    PlainServerCallbackHandler(String authMethodStr) throws AuthenticationException {
      authMethod = AuthMethods.getValidAuthMethod(authMethodStr);
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
      String username = null;
      String password = null;
      AuthorizeCallback ac = null;

      for (Callback callback : callbacks) {
        if (callback instanceof NameCallback) {
          NameCallback nc = (NameCallback) callback;
          username = nc.getName();
        } else if (callback instanceof PasswordCallback) {
          PasswordCallback pc = (PasswordCallback) callback;
          password = new String(pc.getPassword());
        } else if (callback instanceof AuthorizeCallback) {
          ac = (AuthorizeCallback) callback;
        } else {
          throw new UnsupportedCallbackException(callback);
        }
      }
      PasswdAuthenticationProvider provider =
        AuthenticationProviderFactory.getAuthenticationProvider(authMethod);
      try {
        provider.Authenticate(username, password);
      } catch (Exception e) {
        LOG.error("Login attempt is failed for user : " + username + ". Error Messsage : " + e.getMessage());
        throw e;
      }
      if (ac != null) {
        ac.setAuthorized(true);
      }
    }
  }

  public static class PlainCallbackHandler implements CallbackHandler {

    private final String username;
    private final String password;

    public PlainCallbackHandler(String username, String password) {
      this.username = username;
      this.password = password;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
      for (Callback callback : callbacks) {
        if (callback instanceof NameCallback) {
          NameCallback nameCallback = (NameCallback) callback;
          nameCallback.setName(username);
        } else if (callback instanceof PasswordCallback) {
          PasswordCallback passCallback = (PasswordCallback) callback;
          passCallback.setPassword(password.toCharArray());
        } else {
          throw new UnsupportedCallbackException(callback);
        }
      }
    }
  }

  private static final class SQLPlainProcessorFactory extends TProcessorFactory {

    private final TCLIService.Iface service;

    SQLPlainProcessorFactory(TCLIService.Iface service) {
      super(null);
      this.service = service;
    }

    @Override
    public TProcessor getProcessor(TTransport trans) {
      return new TSetIpAddressProcessor(service);
    }
  }

}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy