[ 
https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15803148#comment-15803148
 ] 

ASF GitHub Bot commented on DRILL-4280:
---------------------------------------

Github user sohami commented on a diff in the pull request:

    https://github.com/apache/drill/pull/578#discussion_r94867052
  
    --- Diff: 
exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestKerberosSaslAuthentication.java
 ---
    @@ -0,0 +1,239 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *    http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.drill.exec.rpc.user.security;
    +
    +import com.google.common.collect.Lists;
    +import com.typesafe.config.ConfigValueFactory;
    +import org.apache.drill.BaseTestQuery;
    +import org.apache.drill.common.config.ConnectionParameters;
    +import org.apache.drill.common.config.DrillConfig;
    +import org.apache.drill.exec.ExecConstants;
    +import 
org.apache.drill.exec.rpc.user.security.testing.UserAuthenticatorTestImpl;
    +import org.apache.drill.exec.security.impl.LoginManagerImpl;
    +import org.apache.hadoop.security.authentication.util.KerberosName;
    +import org.apache.hadoop.security.authentication.util.KerberosUtil;
    +import org.apache.kerby.kerberos.kerb.KrbException;
    +import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
    +import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
    +import org.junit.AfterClass;
    +import org.junit.BeforeClass;
    +import org.junit.Ignore;
    +import org.junit.Test;
    +import sun.security.krb5.Config;
    +
    +import javax.security.auth.Subject;
    +import java.io.File;
    +import java.io.IOException;
    +import java.lang.reflect.Field;
    +import java.net.ServerSocket;
    +import java.nio.file.Files;
    +import java.security.PrivilegedExceptionAction;
    +import java.util.Properties;
    +
    +@Ignore("Expects users to exist. Set SERVER_SHORT_NAME to current user 
name to run the tests.")
    +public class TestKerberosSaslAuthentication extends BaseTestQuery {
    +  private static final org.slf4j.Logger logger =
    +      
org.slf4j.LoggerFactory.getLogger(TestKerberosSaslAuthentication.class);
    +
    +  private static File workspace;
    +
    +  private static File kdcDir;
    +  private static SimpleKdcServer kdc;
    +  private static int kdcPort;
    +
    +  private static final String HOSTNAME = "localhost";
    +  private static final String REALM = "EXAMPLE.COM";
    +
    +  private static final String CLIENT_SHORT_NAME = "client";
    +  private static final String CLIENT_PRINCIPAL = CLIENT_SHORT_NAME + "@" + 
REALM;
    +  private static final String SERVER_SHORT_NAME = "server";
    +  private static final String SERVER_PRINCIPAL = SERVER_SHORT_NAME + "/" + 
HOSTNAME + "@" + REALM;
    +
    +  private static File keytabDir;
    +  private static File clientKeytab;
    +  private static File serverKeytab;
    +
    +  private static boolean kdcStarted;
    +
    +  @BeforeClass
    +  public static void setupKdc() throws Exception {
    +    kdc = new SimpleKdcServer();
    +    workspace = new File(getTempDir("kerberos_target"));
    +
    +    kdcDir = new File(workspace, 
TestKerberosSaslAuthentication.class.getSimpleName());
    +    kdcDir.mkdirs();
    +    kdc.setWorkDir(kdcDir);
    +
    +    kdc.setKdcHost(HOSTNAME);
    +    kdcPort = getFreePort();
    +    kdc.setAllowTcp(true);
    +    kdc.setAllowUdp(false);
    +    kdc.setKdcTcpPort(kdcPort);
    +
    +    logger.debug("Starting KDC server at {}:{}", HOSTNAME, kdcPort);
    +
    +    kdc.init();
    +    kdc.start();
    +    kdcStarted = true;
    +
    +
    +    keytabDir = new File(workspace, 
TestKerberosSaslAuthentication.class.getSimpleName()
    +        + "_keytabs");
    +    keytabDir.mkdirs();
    +    setupUsers(keytabDir);
    +
    +    // Kerby sets "java.security.krb5.conf" for us!
    +    System.clearProperty("java.security.auth.login.config");
    +    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    +    // Uncomment the following lines for debugging.
    +    // System.setProperty("sun.security.spnego.debug", "true");
    +    // System.setProperty("sun.security.krb5.debug", "true");
    +
    +    // Create a new DrillConfig which has user authentication enabled and 
authenticator set to
    +    // UserAuthenticatorTestImpl.
    +    final DrillConfig newConfig = new 
DrillConfig(DrillConfig.create(cloneDefaultTestConfigProperties())
    +        .withValue(ExecConstants.USER_AUTHENTICATION_ENABLED,
    +            ConfigValueFactory.fromAnyRef(true))
    +        .withValue(ExecConstants.USER_AUTHENTICATOR_IMPL,
    +            ConfigValueFactory.fromAnyRef(UserAuthenticatorTestImpl.TYPE))
    +        .withValue(LoginManagerImpl.SERVICE_PRINCIPAL,
    +            ConfigValueFactory.fromAnyRef(SERVER_PRINCIPAL))
    +        .withValue(LoginManagerImpl.SERVICE_KEYTAB_LOCATION,
    +            ConfigValueFactory.fromAnyRef(serverKeytab.toString()))
    +        .withValue(ExecConstants.AUTHENTICATION_MECHANISMS,
    +            ConfigValueFactory.fromIterable(Lists.newArrayList("plain", 
"kerberos"))),
    +        false);
    +
    +    final Properties connectionProps = new Properties();
    +    connectionProps.setProperty(ConnectionParameters.USER, "anonymous");
    +    connectionProps.setProperty(ConnectionParameters.PASSWORD, "anything 
works!");
    +
    +    // ADD A NOTE EXPLAINING THIS MAGIC
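Review bot: The two JVM-wide properties changed in setupKdc (`java.security.auth.login.config` cleared, `javax.security.auth.useSubjectCredsOnly` set to `"false"`) are not saved first, and no restore is visible in this hunk, so later test classes in the same JVM would inherit them. With `useSubjectCredsOnly=false` the GSS layer may take credentials from outside the current Subject, so the outcome of an authentication test could depend on ambient credentials on the build machine, such as an existing ticket cache, rather than on the keytabs created here. I would record the previous values in static fields and put them back in the `@AfterClass` method, with a comment at the `setProperty` call such as `// let GSS obtain credentials outside the Subject; previous value restored in teardown`. setupKdc continues past the end of the quoted hunk and the teardown is not shown, so this may already be handled there.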
    --- End diff --
    
    Forgot to add the note?


> Kerberos Authentication
> -----------------------
>
>                 Key: DRILL-4280
>                 URL: https://issues.apache.org/jira/browse/DRILL-4280
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Sudheesh Katkam
>              Labels: security
>
> Drill should support Kerberos based authentication from clients. This means 
> that both the ODBC and JDBC drivers as well as the web/REST interfaces should 
> support inbound Kerberos. For Web this would most likely be SPNEGO while for 
> ODBC and JDBC this will be more generic Kerberos.
> Since Hive and much of Hadoop supports Kerberos there is a potential for a 
> lot of reuse of ideas if not implementation.
> Note that this is related to but not the same as 
> https://issues.apache.org/jira/browse/DRILL-3584 


