java.lang.Object
org.apache.hadoop.security.authentication.util.KerberosUtil

public class KerberosUtil extends Object
  • Field Details

    • GSS_SPNEGO_MECH_OID

      public static final Oid GSS_SPNEGO_MECH_OID
    • GSS_KRB5_MECH_OID

      public static final Oid GSS_KRB5_MECH_OID
    • NT_GSS_KRB5_PRINCIPAL_OID

      public static final Oid NT_GSS_KRB5_PRINCIPAL_OID
  • Constructor Details

    • KerberosUtil

      public KerberosUtil()
  • Method Details

    • getKrb5LoginModuleName

      public static String getKrb5LoginModuleName()
    • getOidInstance

      Deprecated.
      Returns the Oid instance from string oidName. Use GSS_SPNEGO_MECH_OID, GSS_KRB5_MECH_OID, or NT_GSS_KRB5_PRINCIPAL_OID instead.
      Parameters:
      oidName - The OID name
      Returns:
      Oid instance
      Throws:
      ClassNotFoundException - for backward compatibility.
      GSSException - for backward compatibility.
      NoSuchFieldException - if the input is not supported.
      IllegalAccessException - for backward compatibility.
    • getDefaultRealm

      Return the default realm for this JVM.
      Returns:
      The default realm
      Throws:
      IllegalArgumentException - If the default realm does not exist.
      ClassNotFoundException - Not thrown. Exists for compatibility.
      NoSuchMethodException - Not thrown. Exists for compatibility.
      IllegalAccessException - Not thrown. Exists for compatibility.
      InvocationTargetException - Not thrown. Exists for compatibility.
    • getDefaultRealmProtected

      public static String getDefaultRealmProtected()
      Return the default realm for this JVM. If the default realm does not exist, this method returns null.
      Returns:
      The default realm
    • getDomainRealm

      public static String getDomainRealm(String shortprinc)
    • getLocalHostName

      public static String getLocalHostName() throws UnknownHostException
      Throws:
      UnknownHostException
    • getServicePrincipal

      public static final String getServicePrincipal(String service, String hostname) throws UnknownHostException
      Create a Kerberos principal for a given service and hostname, inferring the realm from the FQDN of the hostname. The hostname is converted to lower case. If hostname is null or "0.0.0.0", the dynamically looked-up FQDN of the current host is used instead. If the domain_realm mappings are inadequately specified, default_realm is used, per usual Kerberos behavior. If default_realm also gives a null value, a principal without a realm is returned, which by Kerberos definitions is just another way to specify the default realm.
      Parameters:
      service - Service for which you want to generate the principal.
      hostname - Fully-qualified domain name.
      Returns:
      Converted Kerberos principal name.
      Throws:
      UnknownHostException - If no IP address for the local host could be found.
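The fallback order described for getServicePrincipal, as an added example (not Hadoop's own code). The class, the DOMAIN_REALM map, the host names and the realms are constructed for illustration; the local FQDN and default realm are passed in as parameters instead of being looked up, and the domain_realm matching (exact host first, then parent domains with a leading dot) is assumed to follow usual krb5.conf semantics.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration: models the documented fallback order only; not Hadoop source.
public class ServicePrincipalModel {
    // Constructed stand-in for the [domain_realm] section of krb5.conf.
    static final Map<String, String> DOMAIN_REALM = new LinkedHashMap<>();
    static {
        DOMAIN_REALM.put("kdc-test.corp.example", "TEST.EXAMPLE");
        DOMAIN_REALM.put(".corp.example", "CORP.EXAMPLE");
    }

    // Exact host entry first, then each parent domain written with a leading dot.
    static String domainRealm(String fqdn) {
        String realm = DOMAIN_REALM.get(fqdn);
        for (int i = fqdn.indexOf('.'); realm == null && i >= 0; i = fqdn.indexOf('.', i + 1)) {
            realm = DOMAIN_REALM.get(fqdn.substring(i));
        }
        return realm;
    }

    // localFqdn and defaultRealm are hypothetical parameters replacing the JVM lookups.
    static String servicePrincipal(String service, String hostname,
                                   String localFqdn, String defaultRealm) {
        // null or the wildcard bind address means "this host".
        String fqdn = (hostname == null || hostname.equals("0.0.0.0")) ? localFqdn : hostname;
        fqdn = fqdn.toLowerCase(Locale.ROOT);
        String realm = domainRealm(fqdn);
        if (realm == null) realm = defaultRealm;          // no mapping: fall back to default_realm
        String shortName = service + "/" + fqdn;
        return (realm == null || realm.isEmpty()) ? shortName : shortName + "@" + realm;
    }

    public static void main(String[] args) {
        String local = "nn1.corp.example"; // constructed local FQDN
        System.out.println(servicePrincipal("HTTP", "NN1.Corp.Example", local, "DEFAULT.EXAMPLE"));
        System.out.println(servicePrincipal("HTTP", "0.0.0.0", local, "DEFAULT.EXAMPLE"));
        System.out.println(servicePrincipal("HTTP", "kdc-test.corp.example", local, "DEFAULT.EXAMPLE"));
        System.out.println(servicePrincipal("HTTP", "web.other.example", local, "DEFAULT.EXAMPLE"));
        System.out.println(servicePrincipal("HTTP", null, local, null));
    }
}
```

The fourth call shows the case worth checking in a deployment: a host with no domain_realm entry silently takes the default realm, so the resulting principal should be compared against the entries in the service keytab.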
    • getPrincipalNames

      public static final String[] getPrincipalNames(String keytab, Pattern pattern) throws IOException
      Get all the unique principals from the keytab file that match a pattern.
      Parameters:
      keytab - Name of the keytab file to be read.
      pattern - Pattern to be matched.
      Returns:
      List of unique principals that match the pattern.
      Throws:
      IOException - If the principal names cannot be obtained.
    • hasKerberosKeyTab

      public static boolean hasKerberosKeyTab(Subject subject)
      Check if the subject contains Kerberos keytab-related objects. The Kerberos keytab object attached to the subject changed from KerberosKey (JDK 7) to KeyTab (JDK 8).
      Parameters:
      subject - subject to be checked
      Returns:
      true if the subject contains a Kerberos keytab
    • hasKerberosTicket

      public static boolean hasKerberosTicket(Subject subject)
      Check if the subject contains a Kerberos ticket.
      Parameters:
      subject - subject to be checked
      Returns:
      true if the subject contains a Kerberos ticket
    • getTokenServerName

      public static String getTokenServerName(byte[] rawToken)
      Extract the TGS server principal from the given GSSAPI Kerberos or SPNEGO-wrapped token.
      Parameters:
      rawToken - Bytes of the GSS token
      Returns:
      String of the server principal
      Throws:
      IllegalArgumentException - If the token cannot be decoded