All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.elasticsearch.hadoop.security.JdkUser Maven / Gradle / Ivy

There is a newer version: 8.16.0
Show newest version
/*
 * Licensed to Elasticsearch under one or more contributor
 * license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright
 * ownership. Elasticsearch licenses this file to you under
 * the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.elasticsearch.hadoop.security;

import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

import org.elasticsearch.hadoop.EsHadoopException;
import org.elasticsearch.hadoop.cfg.Settings;
import org.elasticsearch.hadoop.util.ClusterName;

public class JdkUser implements User {

    /**
     * Simplify getting and setting of tokens on a Subject by letting us store and retrieve them by name
     */
    static class EsTokenHolder {
        private Map creds = new HashMap();

        EsToken getCred(String alias) {
            return creds.get(alias);
        }

        Collection getCreds() {
            return creds.values();
        }

        void setCred(String alias, EsToken cred) {
            creds.put(alias, cred);
        }
    }

    private final Subject subject;
    private final Settings providerSettings;

    public JdkUser(Subject subject, Settings providerSettings) {
        this.subject = subject;
        this.providerSettings = providerSettings;
    }

    @Override
    public  T doAs(PrivilegedAction action) {
        return Subject.doAs(subject, action);
    }

    @Override
    public  T doAs(PrivilegedExceptionAction action) throws EsHadoopException {
        try {
            return Subject.doAs(subject, action);
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof EsHadoopException) {
                throw ((EsHadoopException) e.getCause());
            } else {
                throw new EsHadoopException(e.getCause());
            }
        }
    }

    @Override
    public EsToken getEsToken(String clusterName) {
        // An unset cluster name - Wouldn't have a token for it.
        if (clusterName == null || clusterName.equals("") || clusterName.equals(ClusterName.UNNAMED_CLUSTER_NAME)) {
            return null;
        }
        Set credSet = subject.getPrivateCredentials(EsTokenHolder.class);
        if (credSet.isEmpty()) {
            return null;
        } else {
            EsTokenHolder holder = credSet.iterator().next();
            return holder.getCred(clusterName);
        }
    }

    @Override
    public Iterable getAllEsTokens() {
        Set credSet = subject.getPrivateCredentials(EsTokenHolder.class);
        if (credSet.isEmpty()) {
            return Collections.emptyList();
        } else {
            EsTokenHolder holder = credSet.iterator().next();
            List tokens = new ArrayList<>();
            tokens.addAll(holder.getCreds());
            return Collections.unmodifiableList(tokens);
        }
    }

    @Override
    public void addEsToken(EsToken esToken) {
        Iterator credSet = subject.getPrivateCredentials(EsTokenHolder.class).iterator();
        EsTokenHolder creds = null;
        if (credSet.hasNext()) {
            creds = credSet.next();
        } else {
            creds = new EsTokenHolder();
            subject.getPrivateCredentials().add(creds);
        }
        creds.setCred(esToken.getClusterName(), esToken);
    }

    @Override
    public String getUserName() {
        KerberosPrincipal principal = getKerberosPrincipal();
        if (principal == null) {
            return null;
        }
        return principal.getName();
    }

    @Override
    public KerberosPrincipal getKerberosPrincipal() {
        Iterator iter = subject.getPrincipals(KerberosPrincipal.class).iterator();
        if (iter.hasNext()) {
            return iter.next();
        }
        return null;
    }

    @Override
    public boolean isProxyUser() {
        // Proxy users are a strictly Hadoop based mechanism.
        // A basic Subject will never be a Proxy user on its own.
        return false;
    }

    @Override
    public UserProvider getRealUserProvider() {
        // Since there is no real user under this subject, just return a
        // new provider with the same settings as this user's provider.
        UserProvider sameProvider = new JdkUserProvider();
        sameProvider.setSettings(providerSettings);
        return sameProvider;
    }

    @Override
    public String toString() {
        return "JdkUser{" +
                "subject=" + subject +
                '}';
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy