Package org.apache.hadoop.security.authentication.util

Class KerberosUtil

java.lang.Object

org.apache.hadoop.security.authentication.util.KerberosUtil

public class KerberosUtil
extends java.lang.Object

Field Summary

Fields

Modifier and Type	Field	Description
static org.ietf.jgss.Oid	GSS_KRB5_MECH_OID
static org.ietf.jgss.Oid	GSS_SPNEGO_MECH_OID
static org.ietf.jgss.Oid	NT_GSS_KRB5_PRINCIPAL_OID

Constructor Summary

Constructors

Constructor	Description
KerberosUtil()

Method Summary

Modifier and Type	Method	Description
static void	checkJCEKeyStrength()	Validate if JCE Unlimited Strength Jurisdiction Policy Files are installed, logs a warning otherwise.
static java.lang.String	getDefaultRealm()	Return the default realm for this JVM.
static java.lang.String	getDefaultRealmProtected()	Return the default realm for this JVM.
static java.lang.String	getDomainRealm(java.lang.String shortprinc)
static java.lang.String	getKrb5LoginModuleName()
static java.lang.String	getLocalHostName()
static org.ietf.jgss.Oid	getOidInstance(java.lang.String oidName)	Deprecated.
static java.lang.String[]	getPrincipalNames(java.lang.String keytab, java.util.regex.Pattern pattern)	Get all the unique principals from keytabfile which matches a pattern.
static java.lang.String	getServicePrincipal(java.lang.String service, java.lang.String hostname)	Create Kerberos principal for a given service and hostname, inferring realm from the fqdn of the hostname.
static java.lang.String	getTokenServerName(byte[] rawToken)	Extract the TGS server principal from the given gssapi kerberos or spnego wrapped token.
static boolean	hasKerberosKeyTab(javax.security.auth.Subject subject)	Check if the subject contains Kerberos keytab related objects.
static boolean	hasKerberosTicket(javax.security.auth.Subject subject)	Check if the subject contains Kerberos ticket.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

GSS_SPNEGO_MECH_OID

public static final org.ietf.jgss.Oid GSS_SPNEGO_MECH_OID

GSS_KRB5_MECH_OID

public static final org.ietf.jgss.Oid GSS_KRB5_MECH_OID

NT_GSS_KRB5_PRINCIPAL_OID

public static final org.ietf.jgss.Oid NT_GSS_KRB5_PRINCIPAL_OID

Constructor Detail

KerberosUtil

public KerberosUtil()

Method Detail

getKrb5LoginModuleName

public static java.lang.String getKrb5LoginModuleName()

getOidInstance

@Deprecated
public static org.ietf.jgss.Oid getOidInstance(java.lang.String oidName)
                                        throws java.lang.ClassNotFoundException,
                                               org.ietf.jgss.GSSException,
                                               java.lang.NoSuchFieldException,
                                               java.lang.IllegalAccessException

Deprecated.

Returns the Oid instance from string oidName. Use GSS_SPNEGO_MECH_OID, GSS_KRB5_MECH_OID, or NT_GSS_KRB5_PRINCIPAL_OID instead.

Parameters:

oidName - The oid Name

Returns:

Oid instance

Throws:

java.lang.ClassNotFoundException - for backward compatibility.

org.ietf.jgss.GSSException - for backward compatibility.

java.lang.NoSuchFieldException - if the input is not supported.

java.lang.IllegalAccessException - for backward compatibility.

getDefaultRealm

public static java.lang.String getDefaultRealm()
                                        throws java.lang.ClassNotFoundException,
                                               java.lang.NoSuchMethodException,
                                               java.lang.IllegalArgumentException,
                                               java.lang.IllegalAccessException,
                                               java.lang.reflect.InvocationTargetException

Return the default realm for this JVM.

Returns:

The default realm

Throws:

java.lang.IllegalArgumentException - If the default realm does not exist.

java.lang.ClassNotFoundException - Not thrown. Exists for compatibility.

java.lang.NoSuchMethodException - Not thrown. Exists for compatibility.

java.lang.IllegalAccessException - Not thrown. Exists for compatibility.

java.lang.reflect.InvocationTargetException - Not thrown. Exists for compatibility.

getDefaultRealmProtected

public static java.lang.String getDefaultRealmProtected()

Return the default realm for this JVM. If the default realm does not exist, this method returns null.

Returns:

The default realm

getDomainRealm

public static java.lang.String getDomainRealm(java.lang.String shortprinc)

getLocalHostName

public static java.lang.String getLocalHostName()
                                         throws java.net.UnknownHostException

Throws:

java.net.UnknownHostException

getServicePrincipal

public static final java.lang.String getServicePrincipal(java.lang.String service,
                                                         java.lang.String hostname)
                                                  throws java.net.UnknownHostException

Create Kerberos principal for a given service and hostname, inferring realm from the fqdn of the hostname. It converts hostname to lower case. If hostname is null or "0.0.0.0", it uses dynamically looked-up fqdn of the current host instead. If domain_realm mappings are inadequately specified, it will use default_realm, per usual Kerberos behavior. If default_realm also gives a null value, then a principal without realm will be returned, which by Kerberos definitions is just another way to specify default realm.

Parameters:

service - Service for which you want to generate the principal.

hostname - Fully-qualified domain name.

Returns:

Converted Kerberos principal name.

Throws:

java.net.UnknownHostException - If no IP address for the local host could be found.

getPrincipalNames

public static final java.lang.String[] getPrincipalNames(java.lang.String keytab,
                                                         java.util.regex.Pattern pattern)
                                                  throws java.io.IOException

Get all the unique principals from keytabfile which matches a pattern.

Parameters:

keytab - Name of the keytab file to be read.

pattern - pattern to be matched.

Returns:

list of unique principals which matches the pattern.

Throws:

java.io.IOException - if cannot get the principal name

hasKerberosKeyTab

public static boolean hasKerberosKeyTab(javax.security.auth.Subject subject)

Check if the subject contains Kerberos keytab related objects. The Kerberos keytab object attached in subject has been changed from KerberosKey (JDK 7) to KeyTab (JDK 8)

Parameters:

subject - subject to be checked

Returns:

true if the subject contains Kerberos keytab

hasKerberosTicket

public static boolean hasKerberosTicket(javax.security.auth.Subject subject)

Check if the subject contains Kerberos ticket.

Parameters:

subject - subject to be checked

Returns:

true if the subject contains Kerberos ticket

getTokenServerName

public static java.lang.String getTokenServerName(byte[] rawToken)

Extract the TGS server principal from the given gssapi kerberos or spnego wrapped token.

Parameters:

rawToken - bytes of the gss token

Returns:

String of server principal

Throws:

java.lang.IllegalArgumentException - if token is undecodable

checkJCEKeyStrength

public static void checkJCEKeyStrength()

Validate if JCE Unlimited Strength Jurisdiction Policy Files are installed, logs a warning otherwise.