Posted to commits@directory.apache.org by ha...@apache.org on 2015/03/26 04:27:45 UTC
directory-kerby git commit: DIRKRB-197 Enhance client to support
request TGT by keytab
Repository: directory-kerby
Updated Branches:
refs/heads/master e59e24329 -> 4afff9526
DIRKRB-197 Enhance client to support request TGT by keytab
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/4afff952
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/4afff952
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/4afff952
Branch: refs/heads/master
Commit: 4afff95260a3e128c93d482b4aa9180d74d332c8
Parents: e59e243
Author: hazel <li...@foxmail.com>
Authored: Thu Mar 26 11:27:36 2015 +0800
Committer: hazel <li...@foxmail.com>
Committed: Thu Mar 26 11:27:36 2015 +0800
----------------------------------------------------------------------
.../kerby/kerberos/kerb/client/KrbClient.java | 8 ++-
.../client/request/AsRequestWithKeytab.java | 75 ++++++++++++++++++++
.../apache/kerby/kerberos/tool/ToolUtil.java | 2 +-
.../apache/kerby/kerberos/tool/kinit/Kinit.java | 38 +++++++---
.../tool/kadmin/executor/KeytabAddExecutor.java | 2 +-
5 files changed, 113 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4afff952/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
index 9c96131..29c4815 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
@@ -244,7 +244,13 @@ public class KrbClient {
options = new KOptions();
}
- AsRequest asRequest = new AsRequest(context);
+ AsRequest asRequest;
+ if (options.contains(KrbOption.USE_KEYTAB)) {
+ asRequest = new AsRequestWithKeytab(context);
+ } else {
+ asRequest = new AsRequest(context);
+ }
+
asRequest.setKrbOptions(options);
return requestTgtTicket(principal, asRequest);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4afff952/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithKeytab.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithKeytab.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithKeytab.java
new file mode 100644
index 0000000..5fa6799
--- /dev/null
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithKeytab.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.client.request;
+
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KOptions;
+import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
+import org.apache.kerby.kerberos.kerb.keytab.Keytab;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+
+import java.io.File;
+import java.io.IOException;
+
+public class AsRequestWithKeytab extends AsRequest{
+ private static final String DEFAULT_KEY_LOCATION = "/etc/krb5.keytab";
+ private static final String DEFAULT_CLIENT_KEY_LOCATION = "/usr/local/var/krb5/user/0/client.keytab";
+
+
+ public AsRequestWithKeytab(KrbContext context) {
+ super(context);
+
+ setAllowedPreauth(PaDataType.ENC_TIMESTAMP);
+ }
+
+ private Keytab getKeytab() {
+ File keytabFile = null;
+ KOptions kOptions = getKrbOptions();
+
+ if (kOptions.contains(KrbOption.USE_DFT_KEYTAB)) {
+ keytabFile = new File(DEFAULT_CLIENT_KEY_LOCATION);
+ } else if (kOptions.contains(KrbOption.USER_KEYTAB_FILE)) {
+ keytabFile = new File(kOptions.getStringOption(KrbOption.USER_KEYTAB_FILE));
+ } else {
+ keytabFile = new File(DEFAULT_KEY_LOCATION);
+ }
+
+ Keytab keytab = null;
+ try {
+ keytab = Keytab.loadKeytab(keytabFile);
+ } catch (IOException e) {
+ System.err.println("Can not load keytab from file" + keytabFile.getAbsolutePath());
+ }
+ return keytab;
+ }
+
+ @Override
+ public EncryptionKey getClientKey() throws KrbException {
+ if (super.getClientKey() == null) {
+ EncryptionKey tmpKey = getKeytab().getKey(getClientPrincipal(),
+ getChosenEncryptionType());
+ setClientKey(tmpKey);
+ }
+ return super.getClientKey();
+ }
+
+}
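Review bot: `getKeytab()` swallows the `IOException` from `Keytab.loadKeytab`, prints to stderr and returns null, so `getClientKey()` then fails with a NullPointerException on `getKeytab().getKey(...)` instead of a `KrbException` the caller can handle. Propagate the failure as a `KrbException` carrying the cause (this assumes `KrbException` offers a message-plus-cause constructor), and check the result of `getKey` too, since a keytab with no entry for the principal and chosen encryption type would presumably return null and store a null client key. Separately, the final `else` silently falls back to the host keytab `/etc/krb5.keytab`, and `DEFAULT_CLIENT_KEY_LOCATION` hard-codes the uid-0 path. A comment stating that both defaults are intended, or an explicit error when no keytab option is set, would make the key source unambiguous.

```java
private Keytab getKeytab() throws KrbException {
    // … unchanged: keytabFile selection from the KrbOptions …

    try {
        return Keytab.loadKeytab(keytabFile);
    } catch (IOException e) {
        throw new KrbException("Can not load keytab from file "
                + keytabFile.getAbsolutePath(), e);
    }
}

@Override
public EncryptionKey getClientKey() throws KrbException {
    if (super.getClientKey() == null) {
        EncryptionKey tmpKey = getKeytab().getKey(getClientPrincipal(),
                getChosenEncryptionType());
        if (tmpKey == null) {
            throw new KrbException("No key for " + getClientPrincipal()
                    + " with the chosen encryption type in the keytab");
        }
        setClientKey(tmpKey);
    }
    return super.getClientKey();
}
```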
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4afff952/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/ToolUtil.java
----------------------------------------------------------------------
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/ToolUtil.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/ToolUtil.java
index f70543e..bce6117 100644
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/ToolUtil.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/ToolUtil.java
@@ -62,7 +62,7 @@ public class ToolUtil {
} catch (NumberFormatException nfe) {
throw new IllegalArgumentException("Invalid integer:" + strValue);
}
- } else if (kt == KOptionType.FILE) {
+ } else if (kt == KOptionType.STR) {
kopt.setValue(strValue);
} else {
throw new IllegalArgumentException("Not recognised option:" + strValue);
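Review bot: Switching this branch from `KOptionType.FILE` to `KOptionType.STR` means any option still declared with type FILE now reaches the final `else` and is rejected with "Not recognised option". The enum is not touched by this commit, and whether any option still uses FILE is not visible here. If file-valued options should keep working, accept both: `} else if (kt == KOptionType.STR || kt == KOptionType.FILE) {`. The message in the `else` also prints the value (`strValue`) rather than the option's name, which makes a rejected option hard to identify. The enclosing method starts and ends outside the hunk.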
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4afff952/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/Kinit.java
----------------------------------------------------------------------
diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/Kinit.java b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/Kinit.java
index 991a6ef..740bb90 100644
--- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/Kinit.java
+++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/kerberos/tool/kinit/Kinit.java
@@ -101,16 +101,35 @@ public class Kinit {
return password;
}
- private static void requestTicket(String principal, KOptions kinitOptions) throws KrbException, IOException {
- KrbClient krbClient = new KrbClient();
- krbClient.init();
+ private static void requestTicket(String principal, KOptions krbOptions) throws KrbException, IOException {
+ KrbClient krbClient = getClient();
+ TgtTicket tgt;
- String password = getPassword(principal);
+ if (krbOptions.contains(KrbOption.USE_KEYTAB)) {
+ tgt = krbClient.requestTgtTicket(principal, krbOptions);
+ } else {
+ String password = getPassword(principal);
+ tgt = krbClient.requestTgtTicket(principal, password,
+ krbOptions);
+ }
- TgtTicket tgt = krbClient.requestTgtTicket(principal, password,
- ToolUtil.convertOptions(kinitOptions));
+ writeTgtToCache(tgt, principal, krbOptions);
+ }
- // write tgt into credentials cache.
+ /**
+ * Init the client.
+ */
+ private static KrbClient getClient() {
+ KrbClient krbClient = new KrbClient();
+ krbClient.init();
+ return krbClient;
+ }
+
+ /**
+ * Write tgt into credentials cache.
+ */
+ private static void writeTgtToCache(TgtTicket tgt, String principal, KOptions kinitOptions)
+ throws IOException {
Credential credential = new Credential(tgt);
CredentialCache cCache = new CredentialCache();
cCache.addCredential(credential);
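Review bot: `writeTgtToCache` keeps the parameter name `kinitOptions`, but `requestTicket` now passes it the already-converted `krbOptions`, because `ToolUtil.convertOptions` moved to the caller in `main`. The rest of the method body lies outside the hunk, so any lookup there that is keyed on `KinitOption` values should be checked against the converted options. Renaming the parameter to `krbOptions` would keep the two helpers consistent and make a stale lookup easier to spot.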
@@ -145,7 +164,7 @@ public class Kinit {
}
} else {
principal = opt;
- break;
+ kto = KinitOption.NONE;
}
if (kto.getType() != KOptionType.NOV) { // require a parameter
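Review bot: With `break` replaced by `kto = KinitOption.NONE`, parsing continues after `principal` is assigned, so as far as the visible lines show a second bare argument would overwrite it without any error. Consider rejecting it before the assignment, e.g. `if (principal != null) { printUsage("Only one principal may be specified"); }`. The following `kto.getType() != KOptionType.NOV` check also relies on `KinitOption.NONE` being declared with type NOV, which this hunk does not show. The enclosing loop starts and ends outside the hunk.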
@@ -170,7 +189,8 @@ public class Kinit {
printUsage("No principal is specified");
}
- Kinit.requestTicket(principal, ktOptions);
+ Kinit.requestTicket(principal, ToolUtil.convertOptions(ktOptions));
+ System.exit(0);
}
}
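Review bot: The new `System.exit(0)` at the end of `main` has no comment explaining why a forced exit is needed once `requestTicket` has returned. If it is there because the client leaves non-daemon threads running (an inference; the client code is not in this hunk), say so in a comment such as `// forced exit: client threads would otherwise keep the JVM alive`, so the call can be dropped once the client can be shut down cleanly. It is also worth confirming that `printUsage` on the line above terminates the process, otherwise `requestTicket` is reached with a null principal.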
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/4afff952/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/executor/KeytabAddExecutor.java
----------------------------------------------------------------------
diff --git a/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/executor/KeytabAddExecutor.java b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/executor/KeytabAddExecutor.java
index bc3eb03..c27ce4a 100644
--- a/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/executor/KeytabAddExecutor.java
+++ b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/executor/KeytabAddExecutor.java
@@ -37,7 +37,7 @@ public class KeytabAddExecutor implements KadminCommandExecutor{
private static final String USAGE =
"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]";
- private static final String DEFAULT_KEYTAB_FILE_LOCATION = "krb5.keytab";
+ private static final String DEFAULT_KEYTAB_FILE_LOCATION = "/etc/krb5.keytab";
private Config backendConfig;