directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plusplusjia...@apache.org
Subject [directory-kerby] branch trunk updated: DIRKRB-746 Verify kadmin principal in HAS remote kadmin tool. Contributed by Jiayi Liu.
Date Mon, 03 Aug 2020 11:31:39 GMT
This is an automated email from the ASF dual-hosted git repository.

plusplusjiajia pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/directory-kerby.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 7b4286a  DIRKRB-746 Verify kadmin principal in HAS remote kadmin tool. Contributed
by Jiayi Liu.
7b4286a is described below

commit 7b4286aa5646bd54d8dfd3ca74b604ddc109d716
Author: Li Jiajia <ljj270386@alibaba-inc.com>
AuthorDate: Mon Aug 3 19:31:12 2020 +0800

    DIRKRB-746 Verify kadmin principal in HAS remote kadmin tool. Contributed by Jiayi Liu.
---
 has-project/docs/deploy-spnego.md                  |  4 +-
 .../kerby/has/client/HasAuthAdminClient.java       |  3 +-
 .../kerby/has/server/web/rest/KadminApi.java       | 51 ++++++++++++++++++++++
 kerby-dist/has-dist/conf/admin.conf                |  2 +-
 .../tool/admin/remote/AdminRemoteTool.java         |  3 ++
 5 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/has-project/docs/deploy-spnego.md b/has-project/docs/deploy-spnego.md
index 803c345..3f18907 100644
--- a/has-project/docs/deploy-spnego.md
+++ b/has-project/docs/deploy-spnego.md
@@ -28,5 +28,5 @@ To use Kerberos SPNEGO as the authentication mechanism, the authentication
filte
 ## 2. Client Side Configuration(in client side admin.conf)
 
 - filter_auth_type the keyword kerberos.  For example: filter_auth_type = kerberos
-- admin_keytab: The path to the keytab file containing the credential for the admin principal.
For example: admin_keytab = /etc/has/admin.keytab
-- admin_keytab_principal: The admin principal. For example: admin_keytab_principal = kadmin/<YOUR-REALM.COM>@<YOUR-REALM.COM>
+- admin_keytab: The path to the keytab file containing the credential for the admin principal(kadmin/<YOUR-REALM.COM>@<YOUR-REALM.COM>).
For example: admin_keytab = /etc/has/admin.keytab
+- realm: The realm of KDC. For example: realm = YOUR-REALM.COM
diff --git a/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasAuthAdminClient.java
b/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasAuthAdminClient.java
index 22a39f9..d6cd9a3 100644
--- a/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasAuthAdminClient.java
+++ b/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasAuthAdminClient.java
@@ -23,6 +23,7 @@ import org.apache.kerby.KOptions;
 import org.apache.kerby.has.common.HasConfig;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.admin.kadmin.Kadmin;
+import org.apache.kerby.kerberos.kerb.common.KrbUtil;
 import org.codehaus.jettison.json.JSONArray;
 import org.codehaus.jettison.json.JSONException;
 import org.slf4j.Logger;
@@ -384,7 +385,7 @@ public class HasAuthAdminClient implements Kadmin {
 
     @Override
     public String getKadminPrincipal() {
-        return null;
+        return KrbUtil.makeKadminPrincipal(hasConfig.getRealm()).getName();
     }
 
     @Override
diff --git a/has-project/has-server/src/main/java/org/apache/kerby/has/server/web/rest/KadminApi.java
b/has-project/has-server/src/main/java/org/apache/kerby/has/server/web/rest/KadminApi.java
index 040bf8a..21a35d5 100644
--- a/has-project/has-server/src/main/java/org/apache/kerby/has/server/web/rest/KadminApi.java
+++ b/has-project/has-server/src/main/java/org/apache/kerby/has/server/web/rest/KadminApi.java
@@ -17,12 +17,14 @@
  */
 package org.apache.kerby.has.server.web.rest;
 
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.apache.kerby.has.server.HasServer;
 import org.apache.kerby.has.server.web.WebServer;
 import org.apache.kerby.has.server.web.rest.param.PasswordParam;
 import org.apache.kerby.has.server.web.rest.param.PrincipalParam;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.admin.kadmin.local.LocalKadminImpl;
+import org.apache.kerby.kerberos.kerb.common.KrbUtil;
 import org.apache.kerby.kerberos.kerb.request.KrbIdentity;
 import org.apache.kerby.kerberos.kerb.server.KdcSetting;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -44,6 +46,7 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.io.File;
+import java.security.Principal;
 import java.util.List;
 import java.util.Map;
 
@@ -76,6 +79,9 @@ public class KadminApi {
         if (globalModeVlue.equals(isGlobal)) {
             global = true;
         }
+        if (!isAdminPrincipal()) {
+            return Response.status(Response.Status.FORBIDDEN).entity("kadmin principal required.\n").build();
+        }
         if (httpRequest.isSecure()) {
             WebServer.LOG.info("Exporting keytab file for " + principal + "...");
             String msg;
@@ -152,6 +158,9 @@ public class KadminApi {
     @Path("/listprincipals")
     @Produces(MediaType.APPLICATION_JSON)
     public Response listPrincipals(@QueryParam("exp") String exp) {
+        if (!isAdminPrincipal()) {
+            return Response.status(Response.Status.FORBIDDEN).entity("kadmin principal required.\n").build();
+        }
         if (httpRequest.isSecure()) {
             WebServer.LOG.info("Request to get principals.");
             String msg;
@@ -196,6 +205,9 @@ public class KadminApi {
                                  final PrincipalParam principal,
                                  @QueryParam(PasswordParam.NAME) @DefaultValue(PasswordParam.DEFAULT)
                                  final PasswordParam password) {
+        if (!isAdminPrincipal()) {
+            return Response.status(Response.Status.FORBIDDEN).entity("kadmin principal required.\n").build();
+        }
         if (httpRequest.isSecure()) {
             WebServer.LOG.info("Request to add the principal named " + principal.getValue());
             String msg;
@@ -244,6 +256,9 @@ public class KadminApi {
     @Produces(MediaType.TEXT_PLAIN)
     public Response renamePrincipal(@QueryParam("oldprincipal") String oldPrincipal,
                                     @QueryParam("newprincipal") String newPrincipal) {
+        if (!isAdminPrincipal()) {
+            return Response.status(Response.Status.FORBIDDEN).entity("kadmin principal required.\n").build();
+        }
         if (httpRequest.isSecure()) {
             WebServer.LOG.info("Request to rename " + oldPrincipal + " to " + newPrincipal);
             String msg;
@@ -289,6 +304,9 @@ public class KadminApi {
     @Produces(MediaType.TEXT_PLAIN)
     public Response deletePrincipal(@QueryParam(PrincipalParam.NAME) @DefaultValue(PrincipalParam.DEFAULT)
                                     final PrincipalParam principal) {
+        if (!isAdminPrincipal()) {
+            return Response.status(Response.Status.FORBIDDEN).entity("kadmin principal required.\n").build();
+        }
         if (httpRequest.isSecure()) {
             WebServer.LOG.info("Request to delete the principal named " + principal.getValue());
             String msg;
@@ -331,6 +349,9 @@ public class KadminApi {
                                    final PrincipalParam principal,
                                    @QueryParam(PasswordParam.NAME) @DefaultValue(PasswordParam.DEFAULT)
                                    final PasswordParam newPassword) {
+        if (!isAdminPrincipal()) {
+            return Response.status(Response.Status.FORBIDDEN).entity("kadmin principal required.\n").build();
+        }
         if (httpRequest.isSecure()) {
             WebServer.LOG.info("Request to add the principal named " + principal.getValue());
             String msg;
@@ -380,6 +401,9 @@ public class KadminApi {
     @Produces(MediaType.APPLICATION_JSON)
     public Response getPrincipal(@QueryParam(PrincipalParam.NAME) @DefaultValue(PrincipalParam.DEFAULT)
                                  final PrincipalParam principal) {
+        if (!isAdminPrincipal()) {
+            return Response.status(Response.Status.FORBIDDEN).entity("kadmin principal required.\n").build();
+        }
         if (httpRequest.isSecure()) {
             WebServer.LOG.info("Request to get a principal named " + principal.getValue());
             String msg;
@@ -422,5 +446,32 @@ public class KadminApi {
         }
         return Response.status(Response.Status.FORBIDDEN).entity("HTTPS required.\n").build();
     }
+
+    private boolean isAdminPrincipal() {
+        HasServer hasServer = WebServer.getHasServerFromContext(context);
+        String serverFilterAuthType = hasServer.getWebServer().getConf().getFilterAuthType();
+        if (!serverFilterAuthType.equals("kerberos")) {
+            // When filter_auth_type is not kerberos, there is no need to check the admin
principal
+            return true;
+        }
+        Principal requestPrincipal = httpRequest.getUserPrincipal();
+        if (requestPrincipal == null) {
+            WebServer.LOG.warn("Request principal is null.");
+            return false;
+        }
+        if (requestPrincipal instanceof AuthenticationToken) {
+            KdcSetting serverSetting = hasServer.getKdcServer().getKdcSetting();
+            String adminPrincipal = KrbUtil.makeKadminPrincipal(serverSetting.getKdcRealm()).getName();
+            boolean check = adminPrincipal.equals(requestPrincipal.getName());
+            if (!check) {
+                WebServer.LOG.warn("Client tries to pass the authentication using principal
"
+                        + requestPrincipal.getName());
+            }
+            return check;
+        } else {
+            WebServer.LOG.warn("Abnormal authentication token " + requestPrincipal.getClass().getCanonicalName());
+            return false;
+        }
+    }
 }
 
diff --git a/kerby-dist/has-dist/conf/admin.conf b/kerby-dist/has-dist/conf/admin.conf
index 5e30899..3ae7289 100644
--- a/kerby-dist/has-dist/conf/admin.conf
+++ b/kerby-dist/has-dist/conf/admin.conf
@@ -19,5 +19,5 @@
     https_host = plusplus-desktop
     https_port = 8092
     admin_keytab = /etc/has/admin.keytab
-    admin_keytab_principal = kadmin/HADOOP.COM@HADOOP.COM
     filter_auth_type = kerberos
+    realm = HADOOP.COM
diff --git a/kerby-tool/has-tool/src/main/java/org/apache/kerby/kerberos/tool/admin/remote/AdminRemoteTool.java
b/kerby-tool/has-tool/src/main/java/org/apache/kerby/kerberos/tool/admin/remote/AdminRemoteTool.java
index 544cec7..96e38ee 100644
--- a/kerby-tool/has-tool/src/main/java/org/apache/kerby/kerberos/tool/admin/remote/AdminRemoteTool.java
+++ b/kerby-tool/has-tool/src/main/java/org/apache/kerby/kerberos/tool/admin/remote/AdminRemoteTool.java
@@ -21,6 +21,7 @@ package org.apache.kerby.kerberos.tool.admin.remote;
 
 import org.apache.kerby.has.client.HasAuthAdminClient;
 import org.apache.kerby.has.common.HasConfig;
+import org.apache.kerby.has.common.HasConfigKey;
 import org.apache.kerby.has.common.HasException;
 import org.apache.kerby.has.common.util.HasUtil;
 import org.apache.kerby.kerberos.kerb.KrbException;
@@ -110,6 +111,8 @@ public class AdminRemoteTool {
 
         if (hasConfig.getFilterAuthType().equals("kerberos")) {
             authHasAdminClient = new HasAuthAdminClient(hasConfig);
+            String adminPrincipal = authHasAdminClient.getKadminPrincipal();
+            hasConfig.setString(HasConfigKey.ADMIN_KEYTAB_PRINCIPAL, adminPrincipal);
         }
 
         System.out.println("enter \"cmd\" to see legal commands.");


Mime
View raw message