Package org.apache.hadoop.security.authentication.server

Class KerberosAuthenticationHandler

java.lang.Object

org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler

All Implemented Interfaces:

AuthenticationHandler

Direct Known Subclasses:

AltKerberosAuthenticationHandler

public class KerberosAuthenticationHandler
extends java.lang.Object
implements AuthenticationHandler

The KerberosAuthenticationHandler implements the Kerberos SPNEGO authentication mechanism for HTTP.

The supported configuration properties are:

• kerberos.principal: the Kerberos principal to used by the server. As stated by the Kerberos SPNEGO specification, it should be HTTP/${HOSTNAME}@{REALM}. The realm can be omitted from the principal as the JDK GSS libraries will use the realm name of the configured default realm. It does not have a default value.
• kerberos.keytab: the keytab file containing the credentials for the Kerberos principal. It does not have a default value.
• kerberos.name.rules: kerberos names rules to resolve principal names, see KerberosName.setRules(String)

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	KEYTAB	Constant for the configuration property that indicates the keytab file path.
static org.slf4j.Logger	LOG
static java.lang.String	NAME_RULES	Constant for the configuration property that indicates the Kerberos name rules for the Kerberos principals.
static java.lang.String	PRINCIPAL	Constant for the configuration property that indicates the kerberos principal.
static java.lang.String	RULE_MECHANISM	Constant for the configuration property that indicates how auth_to_local rules are evaluated.
static java.lang.String	TYPE	Constant that identifies the authentication mechanism.

Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

WWW_AUTHENTICATE

Constructor Summary

Constructors

Constructor	Description
KerberosAuthenticationHandler()	Creates a Kerberos SPNEGO authentication handler with the default auth-token type, kerberos.
KerberosAuthenticationHandler(java.lang.String type)	Creates a Kerberos SPNEGO authentication handler with a custom auth-token type.

Method Summary

Modifier and Type	Method	Description
AuthenticationToken	authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	It enforces the the Kerberos SPNEGO authentication sequence returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully.
void	destroy()	Releases any resources initialized by the authentication handler.
protected java.lang.String	getKeytab()	Returns the keytab used by the authentication handler.
protected java.util.Set<javax.security.auth.kerberos.KerberosPrincipal>	getPrincipals()	Returns the Kerberos principals used by the authentication handler.
java.lang.String	getType()	Returns the authentication type of the authentication handler, 'kerberos'.
void	init(java.util.Properties config)	Initializes the authentication handler instance.
boolean	managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	This is an empty implementation, it always returns TRUE.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

public static final org.slf4j.Logger LOG

TYPE

public static final java.lang.String TYPE

Constant that identifies the authentication mechanism.

See Also:

Constant Field Values

PRINCIPAL

public static final java.lang.String PRINCIPAL

Constant for the configuration property that indicates the kerberos principal.

See Also:

Constant Field Values

KEYTAB

public static final java.lang.String KEYTAB

Constant for the configuration property that indicates the keytab file path.

See Also:

Constant Field Values

NAME_RULES

public static final java.lang.String NAME_RULES

Constant for the configuration property that indicates the Kerberos name rules for the Kerberos principals.

See Also:

Constant Field Values

RULE_MECHANISM

public static final java.lang.String RULE_MECHANISM

Constant for the configuration property that indicates how auth_to_local rules are evaluated.

See Also:

Constant Field Values

Constructor Detail

KerberosAuthenticationHandler

public KerberosAuthenticationHandler()

Creates a Kerberos SPNEGO authentication handler with the default auth-token type, kerberos.

KerberosAuthenticationHandler

public KerberosAuthenticationHandler(java.lang.String type)

Creates a Kerberos SPNEGO authentication handler with a custom auth-token type.

Parameters:

type - auth-token type.

Method Detail

init

public void init(java.util.Properties config)
          throws javax.servlet.ServletException

Initializes the authentication handler instance.

It creates a Kerberos context using the principal and keytab specified in the configuration.

This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

Specified by:

init in interface AuthenticationHandler

Parameters:

config - configuration properties to initialize the handler.

Throws:

javax.servlet.ServletException - thrown if the handler could not be initialized.

destroy

public void destroy()

Releases any resources initialized by the authentication handler.

It destroys the Kerberos context.

Specified by:

destroy in interface AuthenticationHandler

getType

public java.lang.String getType()

Returns the authentication type of the authentication handler, 'kerberos'.

Specified by:

getType in interface AuthenticationHandler

Returns:

the authentication type of the authentication handler, 'kerberos'.

getPrincipals

protected java.util.Set<javax.security.auth.kerberos.KerberosPrincipal> getPrincipals()

Returns the Kerberos principals used by the authentication handler.

Returns:

the Kerberos principals used by the authentication handler.

getKeytab

protected java.lang.String getKeytab()

Returns the keytab used by the authentication handler.

Returns:

the keytab used by the authentication handler.

managementOperation

public boolean managementOperation(AuthenticationToken token,
                                   javax.servlet.http.HttpServletRequest request,
                                   javax.servlet.http.HttpServletResponse response)
                            throws java.io.IOException,
                                   AuthenticationException

This is an empty implementation, it always returns TRUE.

Specified by:

managementOperation in interface AuthenticationHandler

Parameters:

token - the authentication token if any, otherwise NULL.

request - the HTTP client request.

response - the HTTP client response.

Returns:

TRUE

Throws:

java.io.IOException - it is never thrown.

AuthenticationException - it is never thrown.

authenticate

public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request,
                                        javax.servlet.http.HttpServletResponse response)
                                 throws java.io.IOException,
                                        AuthenticationException

It enforces the the Kerberos SPNEGO authentication sequence returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully.

Specified by:

authenticate in interface AuthenticationHandler

Parameters:

request - the HTTP client request.

response - the HTTP client response.

Returns:

an authentication token if the Kerberos SPNEGO sequence is complete and valid, null if it is in progress (in this case the handler handles the response to the client).

Throws:

java.io.IOException - thrown if an IO error occurred.

AuthenticationException - thrown if Kerberos SPNEGO sequence failed.