Class KerberosAuthenticationHandler

java.lang.Object
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler
All Implemented Interfaces:
AuthenticationHandler
Direct Known Subclasses:
AltKerberosAuthenticationHandler

public class KerberosAuthenticationHandler extends Object implements AuthenticationHandler
The KerberosAuthenticationHandler implements the Kerberos SPNEGO authentication mechanism for HTTP.

The supported configuration properties are:

  • kerberos.principal: the Kerberos principal to be used by the server. As stated by the Kerberos SPNEGO specification, it should be HTTP/${HOSTNAME}@{REALM}. The realm can be omitted from the principal, as the JDK GSS libraries will use the realm name of the configured default realm. It does not have a default value.
  • kerberos.keytab: the keytab file containing the credentials for the Kerberos principal. It does not have a default value.
  • kerberos.name.rules: the Kerberos name rules used to resolve principal names; see KerberosName.setRules(String).
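
A preflight check for the configuration properties listed above, as an added example that is not part of the Hadoop API or its documentation. The class name KerberosConfigPreflight, the sample principal and keytab path, and the keytab permission check are assumptions of this example; it uses only the JDK and reports findings for a Properties object before it is handed to init(Properties).

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;

/** Added example (hypothetical class): checks the handler's properties before init(Properties). */
public class KerberosConfigPreflight {

    /** Returns a list of findings; an empty list means the configuration passed every check. */
    static List<String> check(Properties config) throws IOException {
        List<String> findings = new ArrayList<>();

        // kerberos.principal has no default and should look like HTTP/host or HTTP/host@REALM.
        String principal = config.getProperty("kerberos.principal", "").trim();
        if (principal.isEmpty()) {
            findings.add("kerberos.principal is not set (it has no default value)");
        } else if (!principal.matches("HTTP/[^/@\\s]+(@[^/@\\s]+)?")) {
            findings.add("kerberos.principal '" + principal + "' is not HTTP/<host>[@REALM]");
        }

        // kerberos.keytab has no default; the file holds the service's long-term key.
        String keytab = config.getProperty("kerberos.keytab", "").trim();
        if (keytab.isEmpty()) {
            findings.add("kerberos.keytab is not set (it has no default value)");
            return findings;
        }
        Path path = Paths.get(keytab);
        if (!Files.isRegularFile(path) || !Files.isReadable(path)) {
            findings.add("keytab " + path + " is missing or unreadable by this process");
        } else if (Files.getFileStore(path).supportsFileAttributeView("posix")) {
            // Hardening check added by this example, not a requirement of the handler:
            // nobody but the owning service account should be able to read the keytab.
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                findings.add("keytab " + path + " is readable by group or others");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Properties config = new Properties();   // constructed sample values
        config.setProperty("kerberos.principal", "HTTP/web01.example.com@EXAMPLE.COM");
        config.setProperty("kerberos.keytab", "/etc/security/keytabs/spnego.service.keytab");
        check(config).forEach(f -> System.err.println("config finding: " + f));
    }
}
```
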
  • Field Summary

    Fields
    Modifier and Type, Field - Description
    static final String KEYTAB - Constant for the configuration property that indicates the keytab file path.
    static final org.slf4j.Logger LOG
    static final String NAME_RULES - Constant for the configuration property that indicates the Kerberos name rules for the Kerberos principals.
    static final String PRINCIPAL - Constant for the configuration property that indicates the kerberos principal.
    static final String RULE_MECHANISM - Constant for the configuration property that indicates how auth_to_local rules are evaluated.
    static final String TYPE - Constant that identifies the authentication mechanism.

    Fields inherited from interface org.apache.hadoop.security.authentication.server.AuthenticationHandler

    WWW_AUTHENTICATE
  • Constructor Summary

    Constructors
    Constructor - Description
    KerberosAuthenticationHandler() - Creates a Kerberos SPNEGO authentication handler with the default auth-token type, kerberos.
    KerberosAuthenticationHandler(String type) - Creates a Kerberos SPNEGO authentication handler with a custom auth-token type.
  • Method Summary

    Modifier and Type, Method - Description
    AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) - Enforces the Kerberos SPNEGO authentication sequence, returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully.
    void destroy() - Releases any resources initialized by the authentication handler.
    protected String getKeytab() - Returns the keytab used by the authentication handler.
    protected Set<KerberosPrincipal> getPrincipals() - Returns the Kerberos principals used by the authentication handler.
    String getType() - Returns the authentication type of the authentication handler, 'kerberos'.
    void init(Properties config) - Initializes the authentication handler instance.
    boolean managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) - This is an empty implementation; it always returns TRUE.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • LOG

      public static final org.slf4j.Logger LOG
    • TYPE

      public static final String TYPE
      Constant that identifies the authentication mechanism.
    • PRINCIPAL

      public static final String PRINCIPAL
      Constant for the configuration property that indicates the kerberos principal.
    • KEYTAB

      public static final String KEYTAB
      Constant for the configuration property that indicates the keytab file path.
    • NAME_RULES

      public static final String NAME_RULES
      Constant for the configuration property that indicates the Kerberos name rules for the Kerberos principals.
    • RULE_MECHANISM

      public static final String RULE_MECHANISM
      Constant for the configuration property that indicates how auth_to_local rules are evaluated.
  • Constructor Details

    • KerberosAuthenticationHandler

      public KerberosAuthenticationHandler()
      Creates a Kerberos SPNEGO authentication handler with the default auth-token type, kerberos.
    • KerberosAuthenticationHandler

      public KerberosAuthenticationHandler(String type)
      Creates a Kerberos SPNEGO authentication handler with a custom auth-token type.
      Parameters:
      type - auth-token type.
  • Method Details

    • init

      public void init(Properties config) throws javax.servlet.ServletException
      Initializes the authentication handler instance.

      It creates a Kerberos context using the principal and keytab specified in the configuration.

      This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

      Specified by:
      init in interface AuthenticationHandler
      Parameters:
      config - configuration properties to initialize the handler.
      Throws:
      javax.servlet.ServletException - thrown if the handler could not be initialized.
    • destroy

      public void destroy()
      Releases any resources initialized by the authentication handler.

      It destroys the Kerberos context.

      Specified by:
      destroy in interface AuthenticationHandler
    • getType

      public String getType()
      Returns the authentication type of the authentication handler, 'kerberos'.

      Specified by:
      getType in interface AuthenticationHandler
      Returns:
      the authentication type of the authentication handler, 'kerberos'.
    • getPrincipals

      protected Set<KerberosPrincipal> getPrincipals()
      Returns the Kerberos principals used by the authentication handler.
      Returns:
      the Kerberos principals used by the authentication handler.
    • getKeytab

      protected String getKeytab()
      Returns the keytab used by the authentication handler.
      Returns:
      the keytab used by the authentication handler.
    • managementOperation

      public boolean managementOperation(AuthenticationToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      This is an empty implementation; it always returns TRUE.
      Specified by:
      managementOperation in interface AuthenticationHandler
      Parameters:
      token - the authentication token if any, otherwise NULL.
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      TRUE
      Throws:
      IOException - it is never thrown.
      AuthenticationException - it is never thrown.
    • authenticate

      public AuthenticationToken authenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
      Enforces the Kerberos SPNEGO authentication sequence, returning an AuthenticationToken only after the Kerberos SPNEGO sequence has completed successfully.
      Specified by:
      authenticate in interface AuthenticationHandler
      Parameters:
      request - the HTTP client request.
      response - the HTTP client response.
      Returns:
      an authentication token if the Kerberos SPNEGO sequence is complete and valid, null if it is in progress (in this case the handler handles the response to the client).
      Throws:
      IOException - thrown if an IO error occurred.
      AuthenticationException - thrown if the Kerberos SPNEGO sequence failed.