Posted to commits@directory.apache.org by pl...@apache.org on 2015/07/30 08:24:46 UTC
[39/50] [abbrv] directory-kerby git commit: DIRKRB-280 Kadmin tool
will be authenticated first before any real operation.
DIRKRB-280 Kadmin tool will authenticate first, before any real operation.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/8f4eb7f4
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/8f4eb7f4
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/8f4eb7f4
Branch: refs/heads/pkinit-support
Commit: 8f4eb7f49fdd6b301d809dbe481de5983f211a45
Parents: 3f0a6b6
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Jul 22 10:37:48 2015 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Jul 22 10:37:48 2015 +0800
----------------------------------------------------------------------
.gitignore | 2 +
.../kerby/kerberos/kerb/admin/KadminOption.java | 3 +-
.../kerby/kerberos/tool/kadmin/AuthUtil.java | 141 +++++++++++++++++++
.../kerby/kerberos/tool/kadmin/KadminTool.java | 76 ++++++++--
4 files changed, 213 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8f4eb7f4/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index 3f2a44c..d918a8e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@ dependency-reduced-pom.xml
.pmdruleset.xml
kerby-dist/kdc-dist/lib/
kerby-dist/tool-dist/lib/
+kerby-dist/kdc-dist/logs/
+kerby-dist/tool-dist/logs/
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8f4eb7f4/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/KadminOption.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/KadminOption.java b/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/KadminOption.java
index aa801af..8fd8002 100644
--- a/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/KadminOption.java
+++ b/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/KadminOption.java
@@ -34,7 +34,8 @@ public enum KadminOption implements KOption {
KEEPOLD("-keepold", "keep old passowrd", KOptionType.NOV),
KEYSALTLIST("-e", "key saltlist", KOptionType.STR),
K("-k", "keytab file path", KOptionType.STR),
- KEYTAB("-keytab", "keytab file path", KOptionType.STR);
+ KEYTAB("-keytab", "keytab file path", KOptionType.STR),
+ CCACHE("-c", "credentials cache", KOptionType.FILE);
private String name;
private KOptionType type = KOptionType.NONE;
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8f4eb7f4/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/AuthUtil.java
----------------------------------------------------------------------
diff --git a/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/AuthUtil.java b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/AuthUtil.java
new file mode 100644
index 0000000..8b79e83
--- /dev/null
+++ b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/AuthUtil.java
@@ -0,0 +1,141 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.kerby.kerberos.tool.kadmin;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.io.File;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+public class AuthUtil {
+
+ public static boolean enableDebug = true;
+
+ private static String getKrb5LoginModuleName() {
+ return System.getProperty("java.vendor").contains("IBM")
+ ? "com.ibm.security.auth.module.Krb5LoginModule"
+ : "com.sun.security.auth.module.Krb5LoginModule";
+ }
+
+ public static Subject loginUsingTicketCache(
+ String principal, File cacheFile) throws LoginException {
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new KerberosPrincipal(principal));
+
+ Subject subject = new Subject(false, principals,
+ new HashSet<Object>(), new HashSet<Object>());
+
+ Configuration conf = useTicketCache(principal, cacheFile);
+ String confName = "TicketCacheConf";
+ LoginContext loginContext = new LoginContext(confName, subject, null, conf);
+ loginContext.login();
+ return loginContext.getSubject();
+ }
+
+ public static Subject loginUsingKeytab(
+ String principal, File keytabFile) throws LoginException {
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new KerberosPrincipal(principal));
+
+ Subject subject = new Subject(false, principals,
+ new HashSet<Object>(), new HashSet<Object>());
+
+ Configuration conf = useKeytab(principal, keytabFile);
+ String confName = "KeytabConf";
+ LoginContext loginContext = new LoginContext(confName, subject, null, conf);
+ loginContext.login();
+ return loginContext.getSubject();
+ }
+
+ public static Configuration useTicketCache(String principal,
+ File credentialFile) {
+ return new TicketCacheJaasConf(principal, credentialFile);
+ }
+
+ public static Configuration useKeytab(String principal, File keytabFile) {
+ return new KeytabJaasConf(principal, keytabFile);
+ }
+
+ static class TicketCacheJaasConf extends Configuration {
+ private String principal;
+ private File clientCredentialFile;
+
+ public TicketCacheJaasConf(String principal, File clientCredentialFile) {
+ this.principal = principal;
+ this.clientCredentialFile = clientCredentialFile;
+ }
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ Map<String, String> options = new HashMap<String, String>();
+ options.put("principal", principal);
+ options.put("storeKey", "false");
+ options.put("doNotPrompt", "false");
+ options.put("useTicketCache", "true");
+ options.put("renewTGT", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", "true");
+ options.put("ticketCache", clientCredentialFile.getAbsolutePath());
+ options.put("debug", String.valueOf(enableDebug));
+
+ return new AppConfigurationEntry[]{
+ new AppConfigurationEntry(getKrb5LoginModuleName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ options)};
+ }
+ }
+
+ static class KeytabJaasConf extends Configuration {
+ private String principal;
+ private File keytabFile;
+
+ public KeytabJaasConf(String principal, File keytab) {
+ this.principal = principal;
+ this.keytabFile = keytab;
+ }
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ Map<String, String> options = new HashMap<String, String>();
+ options.put("keyTab", keytabFile.getAbsolutePath());
+ options.put("principal", principal);
+ options.put("useKeyTab", "true");
+ options.put("storeKey", "true");
+ options.put("doNotPrompt", "true");
+ options.put("renewTGT", "false");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", "false");
+ options.put("debug", String.valueOf(enableDebug));
+
+ return new AppConfigurationEntry[]{
+ new AppConfigurationEntry(getKrb5LoginModuleName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ options)};
+ }
+ }
+}
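Review bot: KeytabJaasConf sets `isInitiator` to "false" (with `storeKey` "true"), which with the Sun/IBM Krb5LoginModule makes the keytab login only load the key from the keytab and skip requesting a TGT, so loginUsingKeytab never actually proves anything to the KDC even though the commit uses it as the tool's authentication step; the entry should be `options.put("isInitiator", "true");`, as TicketCacheJaasConf already does. Separately, `public static boolean enableDebug = true;` turns on login-module debug output by default, which writes principal and credential details to stdout; default it to false and make it `private static volatile` with a setter rather than a public mutable static. getKrb5LoginModuleName dereferences `System.getProperty("java.vendor")` without a null check; `System.getProperty("java.vendor", "")` avoids an NPE on an unusual runtime. Neither loginUsingTicketCache nor loginUsingKeytab has Javadoc; a one-line summary plus `@throws LoginException` on each would help callers.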
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8f4eb7f4/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
----------------------------------------------------------------------
diff --git a/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
index 63ec1b3..2706480 100644
--- a/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
+++ b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
@@ -19,8 +19,10 @@
*/
package org.apache.kerby.kerberos.tool.kadmin;
+import org.apache.kerby.KOptions;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.admin.Kadmin;
+import org.apache.kerby.kerberos.kerb.admin.KadminOption;
import org.apache.kerby.kerberos.tool.kadmin.command.AddPrincipalCommand;
import org.apache.kerby.kerberos.tool.kadmin.command.ChangePasswordCommand;
import org.apache.kerby.kerberos.tool.kadmin.command.DeletePrincipalCommand;
@@ -31,12 +33,17 @@ import org.apache.kerby.kerberos.tool.kadmin.command.KeytabRemoveCommand;
import org.apache.kerby.kerberos.tool.kadmin.command.ListPrincipalCommand;
import org.apache.kerby.kerberos.tool.kadmin.command.ModifyPrincipalCommand;
import org.apache.kerby.kerberos.tool.kadmin.command.RenamePrincipalCommand;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import javax.security.auth.login.LoginException;
import java.io.File;
import java.util.Map;
import java.util.Scanner;
public class KadminTool {
+ private static final Logger LOG = LoggerFactory.getLogger(KadminTool.class);
+
private static final String PROMPT = KadminTool.class.getSimpleName() + ".local";
private static final String REQUEST_LIST = "Available " + PROMPT + " requests:\n"
+ "\n"
@@ -70,6 +77,16 @@ public class KadminTool {
+ "list_requests, lr, ? List available requests.\n"
+ "quit, exit, q Exit program.";
+ private static final String USAGE =
+ "Usage: sh bin/kadmin.sh <conf-dir> [-c cache_name]|[-k keytab]\n"
+ + "\tExample:\n"
+ + "\t\tsh bin/kadmin.sh conf -k /home/admin.keytab\n";
+
+ private static void printUsage(String error) {
+ System.err.println(error + "\n");
+ System.err.println(USAGE);
+ System.exit(-1);
+ }
private static void execute(Kadmin kadmin, String command) {
//Omit the leading and trailing whitespace.
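Review bot: printUsage ends with `System.exit(-1)`, which is unexpected for a method named as a printer and makes any statement a caller places after it unreachable; either name it for what it does (`exitWithUsage`), or drop the exit and let callers return, and document the behaviour with `/** Prints {@code error} and the usage text to stderr, then terminates the JVM with status -1 (255). */`. Note that -1 becomes exit status 255 in POSIX shells; a small positive code such as 1 or 2 is the usual convention for usage errors.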
@@ -121,8 +138,9 @@ public class KadminTool {
private static File getConfDir(String[] args) {
File confDir;
- if (args.length == 0) {
- String envDir;
+ String envDir;
+ confDir = new File(args[0]);
+ if (confDir == null || !confDir.exists()) {
try {
Map<String, String> mapEnv = System.getenv();
envDir = mapEnv.get("KRB5_KDC_DIR");
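Review bot: The new `confDir == null || !confDir.exists()` test on the `new File(args[0])` result has a dead half (a constructor never yields null) and, more importantly, a non-existent explicitly given directory now silently falls through to `KRB5_KDC_DIR` or `/etc/kerby/` instead of failing as the removed code did, so a mistyped path makes the tool operate on a different KDC backend than the operator asked for (the fall-through continues in the `@@ -134,18` hunk). I would keep the explicit argument authoritative: `confDir = new File(args[0]); if (!confDir.exists()) { throw new RuntimeException("Can not locate KDC backend directory " + confDir.getAbsolutePath()); }` and reserve the environment/default lookup for the case where no directory is given. getConfDir's body continues past this hunk.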
@@ -134,18 +152,23 @@ public class KadminTool {
} else {
confDir = new File("/etc/kerby/"); // for Linux. TODO: fix for Win etc.
}
- } else {
- confDir = new File(args[0]);
- }
- if (!confDir.exists()) {
- throw new RuntimeException("Can not locate KDC backend directory "
- + confDir.getAbsolutePath());
+ if (!confDir.exists()) {
+ throw new RuntimeException("Can not locate KDC backend directory "
+ + confDir.getAbsolutePath());
+ }
}
+ LOG.info("Conf dir:" + confDir.getAbsolutePath());
return confDir;
}
public static void main(String[] args) {
+
+ if (args.length < 2) {
+ System.err.println(USAGE);
+ return;
+ }
+
Kadmin kadmin;
try {
kadmin = new Kadmin(getConfDir(args));
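Review bot: The new `args.length < 2` guard in main prints USAGE and returns, so this usage error exits with status 0 while the printUsage helper added in the same commit exits with -1; wrapper scripts cannot tell the two apart, and `printUsage("Missing arguments.");` (or an explicit non-zero exit after the message) would make them consistent. The added `LOG.info("Conf dir:" + confDir.getAbsolutePath());` concatenates instead of using SLF4J placeholders and lacks a space after the colon: `LOG.info("Conf dir: {}", confDir.getAbsolutePath());`. main's body continues past this hunk.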
@@ -154,6 +177,43 @@ public class KadminTool {
return;
}
+ KOptions kOptions = ToolUtil.parseOptions(args, 1, args.length - 1);
+ if (kOptions == null) {
+ System.err.println(USAGE);
+ return;
+ }
+
+ String kadminPrincipal = kadmin.getKadminPrincipal();
+ if (kOptions.contains(KadminOption.CCACHE)) {
+ File ccFile = kOptions.getFileOption(KadminOption.CCACHE);
+ if (ccFile == null || !ccFile.exists()) {
+ printUsage("Need the valid credentials cache file.");
+ return;
+ }
+ try {
+ AuthUtil.loginUsingTicketCache(kadminPrincipal, ccFile);
+ } catch (LoginException e) {
+ System.err.println("Could not login with: " + kadminPrincipal
+ + e.getMessage());
+ return;
+ }
+ } else if (kOptions.contains(KadminOption.K)) {
+ File keyTabFile = new File(kOptions.getStringOption(KadminOption.K));
+ if (keyTabFile == null || !keyTabFile.exists()) {
+ printUsage("Need the valid keytab file.");
+ return;
+ }
+ try {
+ AuthUtil.loginUsingKeytab(kadminPrincipal, keyTabFile);
+ } catch (LoginException e) {
+ System.err.println("Could not login with: " + kadminPrincipal
+ + e.getMessage());
+ return;
+ }
+ } else {
+ printUsage("No credentials cache file or keytab file for authentication.");
+ }
+
System.out.print(PROMPT + ": ");
try (Scanner scanner = new Scanner(System.in, "UTF-8")) {