Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.atlas.security; import org.apache.atlas.AtlasException; import org.apache.commons.collections.MapUtils; import org.apache.commons.configuration.ConfigurationConverter; import org.apache.commons.lang.ArrayUtils; import org.apache.hadoop.security.SecurityUtil; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Properties; import java.util.SortedSet; import java.util.StringTokenizer; import java.util.TreeSet; /** * InMemoryJAASConfiguration * * An utility class - which has a static method init to load all JAAS configuration from Application * properties file (eg: atlas.properties) and set it as part of the default lookup configuration for * all JAAS configuration lookup. * * Example settings in jaas-application.properties: * * atlas.jaas.KafkaClient.loginModuleName = com.sun.security.auth.module.Krb5LoginModule * atlas.jaas.KafkaClient.loginModuleControlFlag = required * atlas.jaas.KafkaClient.option.useKeyTab = true * atlas.jaas.KafkaClient.option.storeKey = true * atlas.jaas.KafkaClient.option.serviceName = kafka * atlas.jaas.KafkaClient.option.keyTab = /etc/security/keytabs/kafka_client.keytab * atlas.jaas.KafkaClient.option.principal = kafka-client-1@EXAMPLE.COM * atlas.jaas.MyClient.0.loginModuleName = com.sun.security.auth.module.Krb5LoginModule * atlas.jaas.MyClient.0.loginModuleControlFlag = required * atlas.jaas.MyClient.0.option.useKeyTab = true * atlas.jaas.MyClient.0.option.storeKey = true * atlas.jaas.MyClient.0.option.serviceName = kafka * atlas.jaas.MyClient.0.option.keyTab = /etc/security/keytabs/kafka_client.keytab * atlas.jaas.MyClient.0.option.principal = kafka-client-1@EXAMPLE.COM * atlas.jaas.MyClient.1.loginModuleName = com.sun.security.auth.module.Krb5LoginModule * atlas.jaas.MyClient.1.loginModuleControlFlag = optional * atlas.jaas.MyClient.1.option.useKeyTab = true * atlas.jaas.MyClient.1.option.storeKey = true * atlas.jaas.MyClient.1.option.serviceName = kafka * atlas.jaas.MyClient.1.option.keyTab = /etc/security/keytabs/kafka_client.keytab * atlas.jaas.MyClient.1.option.principal = kafka-client-1@EXAMPLE.COM * This will set the JAAS configuration - equivalent to the jaas.conf file entries: * KafkaClient { * com.sun.security.auth.module.Krb5LoginModule required * useKeyTab=true * storeKey=true * serviceName=kafka * keyTab="/etc/security/keytabs/kafka_client.keytab" * principal="kafka-client-1@EXAMPLE.COM"; * }; * MyClient { * com.sun.security.auth.module.Krb5LoginModule required * useKeyTab=true * storeKey=true * serviceName=kafka keyTab="/etc/security/keytabs/kafka_client.keytab" * principal="kafka-client-1@EXAMPLE.COM"; * }; * MyClient { * com.sun.security.auth.module.Krb5LoginModule optional * useKeyTab=true * storeKey=true * serviceName=kafka * keyTab="/etc/security/keytabs/kafka_client.keytab" * principal="kafka-client-1@EXAMPLE.COM"; * }; * * Here is the syntax for atlas.properties to add JAAS configuration: * * The property name has to begin with 'atlas.jaas.' + clientId (in case of Kafka client, * it expects the clientId to be KafkaClient). * The following property must be there to specify the JAAS loginModule name * 'atlas.jaas.' + clientId + '.loginModuleName' * The following optional property should be set to specify the loginModuleControlFlag * 'atlas.jaas.' + clientId + '.loginModuleControlFlag' * Default value : required , Possible values: required, optional, sufficient, requisite * Then you can add additional optional parameters as options for the configuration using the following * syntax: * 'atlas.jaas.' + clientId + '.option.' + <optionName> = <optionValue> * * The current setup will lookup JAAS configration from the atlas-application.properties first, if not available, * it will delegate to the original configuration * */ public final class InMemoryJAASConfiguration extends Configuration { private static final Logger LOG = LoggerFactory.getLogger(InMemoryJAASConfiguration.class); private static final String JAAS_CONFIG_PREFIX_PARAM = "atlas.jaas."; private static final String JAAS_CONFIG_LOGIN_MODULE_NAME_PARAM = "loginModuleName"; private static final String JAAS_CONFIG_LOGIN_MODULE_CONTROL_FLAG_PARAM = "loginModuleControlFlag"; private static final String JAAS_CONFIG_LOGIN_OPTIONS_PREFIX = "option"; private static final String JAAS_PRINCIPAL_PROP = "principal"; private static final Map<String, String> CONFIG_SECTION_REDIRECTS = new HashMap<>(); private Configuration parent = null; private Map<String, List<AppConfigurationEntry>> applicationConfigEntryMap = new HashMap<>(); public static void init(String propFile) throws AtlasException { if (LOG.isDebugEnabled()) { LOG.debug("==> InMemoryJAASConfiguration.init({})", propFile); } InputStream in = null; try { Properties properties = new Properties(); in = ClassLoader.getSystemResourceAsStream(propFile); if (in == null) { if (!propFile.startsWith("/")) { in = ClassLoader.getSystemResourceAsStream("/" + propFile); } if (in == null) { in = new FileInputStream(new File(propFile)); } } properties.load(in); init(properties); } catch (IOException e) { throw new AtlasException("Failed to load JAAS application properties", e); } finally { if (in != null) { try { in.close(); } catch (Exception exception) { // Ignore } } } if (LOG.isDebugEnabled()) { LOG.debug("<== InMemoryJAASConfiguration.init({})", propFile); } } public static void init(org.apache.commons.configuration.Configuration atlasConfiguration) throws AtlasException { LOG.debug("==> InMemoryJAASConfiguration.init()"); if (atlasConfiguration != null && !atlasConfiguration.isEmpty()) { Properties properties = ConfigurationConverter.getProperties(atlasConfiguration); init(properties); } else { throw new AtlasException("Failed to load JAAS application properties: configuration NULL or empty!"); } LOG.debug("<== InMemoryJAASConfiguration.init()"); } public static void init(Properties properties) throws AtlasException { LOG.debug("==> InMemoryJAASConfiguration.init()"); if (properties != null && MapUtils.isNotEmpty(properties)) { InMemoryJAASConfiguration conf = new InMemoryJAASConfiguration(properties); Configuration.setConfiguration(conf); } else { throw new AtlasException("Failed to load JAAS application properties: properties NULL or empty!"); } LOG.debug("<== InMemoryJAASConfiguration.init()"); } @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { if (LOG.isDebugEnabled()) { LOG.debug("==> InMemoryJAASConfiguration.getAppConfigurationEntry({})", name); } AppConfigurationEntry[] ret = null; List<AppConfigurationEntry> retList = null; String redirectedName = getConfigSectionRedirect(name); if (redirectedName != null) { retList = applicationConfigEntryMap.get(redirectedName); if (LOG.isDebugEnabled()) { LOG.debug("Redirected jaasConfigSection ({} -> {}): ", name, redirectedName, retList); } } if (retList == null || retList.size() == 0) { retList = applicationConfigEntryMap.get(name); } if (retList == null || retList.size() == 0) { if (parent != null) { ret = parent.getAppConfigurationEntry(name); } } else { int sz = retList.size(); ret = new AppConfigurationEntry[sz]; ret = retList.toArray(ret); } if (LOG.isDebugEnabled()) { LOG.debug("<== InMemoryJAASConfiguration.getAppConfigurationEntry({}): {}", name, ArrayUtils.toString(ret)); } return ret; } private InMemoryJAASConfiguration(Properties prop) { parent = Configuration.getConfiguration(); initialize(prop); } private void initialize(Properties properties) { LOG.debug("==> InMemoryJAASConfiguration.initialize()"); int prefixLen = JAAS_CONFIG_PREFIX_PARAM.length(); Map<String, SortedSet<Integer>> jaasClients = new HashMap<>(); for (String key : properties.stringPropertyNames()) { if (key.startsWith(JAAS_CONFIG_PREFIX_PARAM)) { String jaasKey = key.substring(prefixLen); StringTokenizer tokenizer = new StringTokenizer(jaasKey, "."); int tokenCount = tokenizer.countTokens(); if (tokenCount > 0) { String clientId = tokenizer.nextToken(); SortedSet<Integer> indexList = jaasClients.get(clientId); if (indexList == null) { indexList = new TreeSet<>(); jaasClients.put(clientId, indexList); } String indexStr = tokenizer.nextToken(); int indexId = isNumeric(indexStr) ? Integer.parseInt(indexStr) : -1; Integer clientIdIndex = Integer.valueOf(indexId); if (!indexList.contains(clientIdIndex)) { indexList.add(clientIdIndex); } } } } for (String jaasClient : jaasClients.keySet()) { for (Integer index : jaasClients.get(jaasClient)) { String keyPrefix = JAAS_CONFIG_PREFIX_PARAM + jaasClient + "."; if (index > -1) { keyPrefix = keyPrefix + String.valueOf(index) + "."; } String keyParam = keyPrefix + JAAS_CONFIG_LOGIN_MODULE_NAME_PARAM; String loginModuleName = properties.getProperty(keyParam); if (loginModuleName == null) { LOG.error( "Unable to add JAAS configuration for client [{}] as it is missing param [{}]. Skipping JAAS config for [{}]", jaasClient, keyParam, jaasClient); continue; } else { loginModuleName = loginModuleName.trim(); } keyParam = keyPrefix + JAAS_CONFIG_LOGIN_MODULE_CONTROL_FLAG_PARAM; String controlFlag = properties.getProperty(keyParam); AppConfigurationEntry.LoginModuleControlFlag loginControlFlag = null; if (controlFlag != null) { controlFlag = controlFlag.trim().toLowerCase(); switch (controlFlag) { case "optional": loginControlFlag = AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL; break; case "requisite": loginControlFlag = AppConfigurationEntry.LoginModuleControlFlag.REQUISITE; break; case "sufficient": loginControlFlag = AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT; break; case "required": loginControlFlag = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED; break; default: String validValues = "optional|requisite|sufficient|required"; LOG.warn( "Unknown JAAS configuration value for ({}) = [{}], valid value are [{}] using the default value, REQUIRED", keyParam, controlFlag, validValues); loginControlFlag = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED; break; } } else { LOG.warn("Unable to find JAAS configuration ({}); using the default value, REQUIRED", keyParam); loginControlFlag = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED; } Map<String, String> options = new HashMap<>(); String optionPrefix = keyPrefix + JAAS_CONFIG_LOGIN_OPTIONS_PREFIX + "."; int optionPrefixLen = optionPrefix.length(); for (String key : properties.stringPropertyNames()) { if (key.startsWith(optionPrefix)) { String optionKey = key.substring(optionPrefixLen); String optionVal = properties.getProperty(key); if (optionVal != null) { optionVal = optionVal.trim(); try { if (optionKey.equalsIgnoreCase(JAAS_PRINCIPAL_PROP)) { optionVal = SecurityUtil.getServerPrincipal(optionVal, (String) null); } } catch (IOException e) { LOG.warn("Failed to build serverPrincipal. Using provided value:[{}]", optionVal); } } options.put(optionKey, optionVal); } } AppConfigurationEntry entry = new AppConfigurationEntry(loginModuleName, loginControlFlag, options); if (LOG.isDebugEnabled()) { StringBuilder sb = new StringBuilder(); sb.append("Adding client: [").append(jaasClient).append("{").append(index).append("}]\n"); sb.append("\tloginModule: [").append(loginModuleName).append("]\n"); sb.append("\tcontrolFlag: [").append(loginControlFlag).append("]\n"); for (String key : options.keySet()) { String val = options.get(key); sb.append("\tOptions: [").append(key).append("] => [").append(val).append("]\n"); } LOG.debug(sb.toString()); } List<AppConfigurationEntry> retList = applicationConfigEntryMap.get(jaasClient); if (retList == null) { retList = new ArrayList<>(); applicationConfigEntryMap.put(jaasClient, retList); } retList.add(entry); } } LOG.debug("<== InMemoryJAASConfiguration.initialize({})", applicationConfigEntryMap); } private static boolean isNumeric(String str) { return str.matches("-?\\d+(\\.\\d+)?"); //match a number with optional '-' and decimal. } public static void setConfigSectionRedirect(String name, String redirectTo) { if (LOG.isDebugEnabled()) { LOG.debug("setConfigSectionRedirect({}, {})", name, redirectTo); } if (name != null) { if (redirectTo != null) { CONFIG_SECTION_REDIRECTS.put(name, redirectTo); } else { CONFIG_SECTION_REDIRECTS.remove(name); } } } private static String getConfigSectionRedirect(String name) { return name != null ? CONFIG_SECTION_REDIRECTS.get(name) : null; } }