You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zookeeper.apache.org by ma...@apache.org on 2011/09/29 09:40:05 UTC
svn commit: r1177191 - in /zookeeper/trunk: CHANGES.txt
src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
Author: mahadev
Date: Thu Sep 29 07:40:05 2011
New Revision: 1177191
URL: http://svn.apache.org/viewvc?rev=1177191&view=rev
Log:
ZOOKEEPER-1201. Clean SaslServerCallbackHandler.java. (Thomas Koch via mahadev)
Modified:
zookeeper/trunk/CHANGES.txt
zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
Modified: zookeeper/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/zookeeper/trunk/CHANGES.txt?rev=1177191&r1=1177190&r2=1177191&view=diff
==============================================================================
--- zookeeper/trunk/CHANGES.txt (original)
+++ zookeeper/trunk/CHANGES.txt Thu Sep 29 07:40:05 2011
@@ -485,7 +485,9 @@ IMPROVEMENTS:
code (Thomas Koch via phunt)
ZOOKEEPER-1171. fix build for java 7 (phunt via mahadev)
-
+
+ ZOOKEEPER-1201. Clean SaslServerCallbackHandler.java. (Thomas Koch
+ via mahadev)
NEW FEATURES:
ZOOKEEPER-729. Java client API to recursively delete a subtree.
Modified: zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
URL: http://svn.apache.org/viewvc/zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java?rev=1177191&r1=1177190&r2=1177191&view=diff
==============================================================================
--- zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java (original)
+++ zookeeper/trunk/src/java/main/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java Thu Sep 29 07:40:05 2011
@@ -20,7 +20,6 @@ package org.apache.zookeeper.server.auth
import java.io.IOException;
import java.util.HashMap;
-import java.util.Iterator;
import java.util.Map;
import org.slf4j.Logger;
@@ -36,125 +35,114 @@ import javax.security.sasl.AuthorizeCall
import javax.security.sasl.RealmCallback;
public class SaslServerCallbackHandler implements CallbackHandler {
- private String userName = null;
- private Map<String,String> credentials = new HashMap<String,String>();
- Logger LOG = LoggerFactory.getLogger(SaslServerCallbackHandler.class);
+ private static final String USER_PREFIX = "user_";
+ private static final Logger LOG = LoggerFactory.getLogger(SaslServerCallbackHandler.class);
+ private static final String SYSPROP_SUPER_PASSWORD = "zookeeper.SASLAuthenticationProvider.superPassword";
+ private static final String SYSPROP_REMOVE_HOST = "zookeeper.kerberos.removeHostFromPrincipal";
+ private static final String SYSPROP_REMOVE_REALM = "zookeeper.kerberos.removeRealmFromPrincipal";
+
+ private String userName;
+ private final Map<String,String> credentials = new HashMap<String,String>();
public SaslServerCallbackHandler(Configuration configuration) throws IOException {
AppConfigurationEntry configurationEntries[] = configuration.getAppConfigurationEntry("Server");
if (configurationEntries == null) {
- String errorMessage = "could not find a 'Server' entry in this configuration: server cannot start.";
+ String errorMessage = "Could not find a 'Server' entry in this configuration: Server cannot start.";
LOG.error(errorMessage);
- throw(new IOException(errorMessage));
+ throw new IOException(errorMessage);
}
credentials.clear();
for(AppConfigurationEntry entry: configurationEntries) {
Map<String,?> options = entry.getOptions();
// Populate DIGEST-MD5 user -> password map with JAAS configuration entries from the "Server" section.
// Usernames are distinguished from other options by prefixing the username with a "user_" prefix.
- Iterator it = options.entrySet().iterator();
- while (it.hasNext()) {
- Map.Entry pair = (Map.Entry)it.next();
- String key = (String)pair.getKey();
- if (key.substring(0,5).equals("user_")) {
- String userName = key.substring(5);
- credentials.put(userName,(String)pair.getValue());
- }
+ for(Map.Entry<String, ?> pair : options.entrySet()) {
+ String key = pair.getKey();
+ if (key.startsWith(USER_PREFIX)) {
+ String userName = key.substring(USER_PREFIX.length());
+ credentials.put(userName,(String)pair.getValue());
}
}
+ }
+ }
+
+ public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ if (callback instanceof NameCallback) {
+ handleNameCallback((NameCallback) callback);
+ } else if (callback instanceof PasswordCallback) {
+ handlePasswordCallback((PasswordCallback) callback);
+ } else if (callback instanceof RealmCallback) {
+ handleRealmCallback((RealmCallback) callback);
+ } else if (callback instanceof AuthorizeCallback) {
+ handleAuthorizeCallback((AuthorizeCallback) callback);
+ }
+ }
+ }
+
+ private void handleNameCallback(NameCallback nc) {
+ // check to see if this user is in the user password database.
+ if (credentials.get(nc.getDefaultName()) == null) {
+ LOG.warn("User '" + nc.getDefaultName() + "' not found in list of DIGEST-MD5 authenticateable users.");
return;
}
+ nc.setName(nc.getDefaultName());
+ userName = nc.getDefaultName();
+ }
- public void handle(Callback[] callbacks) throws
- UnsupportedCallbackException {
- for (Callback callback : callbacks) {
- if (callback instanceof NameCallback) {
- NameCallback nc = (NameCallback) callback;
- // check to see if this user is in the user password database.
- if (credentials.get(nc.getDefaultName()) != null) {
- nc.setName(nc.getDefaultName());
- this.userName = nc.getDefaultName();
- }
- else { // no such user.
- LOG.warn("User '" + nc.getDefaultName() + "' not found in list of DIGEST-MD5 authenticateable users.");
- }
- }
- else {
- if (callback instanceof PasswordCallback) {
- PasswordCallback pc = (PasswordCallback) callback;
-
- if ((this.userName.equals("super")
- &&
- (System.getProperty("zookeeper.SASLAuthenticationProvider.superPassword") != null))) {
- // superuser: use Java system property for password, if available.
- pc.setPassword(System.getProperty("zookeeper.SASLAuthenticationProvider.superPassword").toCharArray());
- }
- else {
- if (this.credentials.get(this.userName) != null) {
- pc.setPassword(this.credentials.get(this.userName).toCharArray());
- }
- else {
- LOG.warn("No password found for user: " + this.userName);
- }
- }
- }
- else {
- if (callback instanceof RealmCallback) {
- RealmCallback rc = (RealmCallback) callback;
- LOG.debug("client supplied realm: " + rc.getDefaultText());
- rc.setText(rc.getDefaultText());
- }
- else {
- if (callback instanceof AuthorizeCallback) {
- AuthorizeCallback ac = (AuthorizeCallback) callback;
-
- String authenticationID = ac.getAuthenticationID();
- String authorizationID = ac.getAuthorizationID();
-
- LOG.info("Successfully authenticated client: authenticationID=" + authenticationID + "; authorizationID=" + authorizationID + ".");
- if (authenticationID.equals(authorizationID)) {
- LOG.debug("setAuthorized(true) since " + authenticationID + "==" + authorizationID);
- ac.setAuthorized(true);
- } else {
- LOG.debug("setAuthorized(true), even though " + authenticationID + "!=" + authorizationID + ".");
- ac.setAuthorized(true);
- }
- if (ac.isAuthorized()) {
- LOG.debug("isAuthorized() since ac.isAuthorized() == true");
- // canonicalize authorization id according to system properties:
- // kerberos.removeRealmFromPrincipal(={true,false})
- // kerberos.removeHostFromPrincipal(={true,false})
- KerberosName kerberosName = new KerberosName(authenticationID);
- try {
- String userName = kerberosName.getShortName();
- if (!removeHost() && (kerberosName.getHostName() != null)) {
- userName += "/" + kerberosName.getServiceName();
- }
- if (!removeRealm() && (kerberosName.getRealm() != null)) {
- userName += "@" + kerberosName.getRealm();
- }
- LOG.info("Setting authorizedID: " + userName);
- ac.setAuthorizedID(userName);
- }
- catch (IOException e) {
- LOG.error("Failed to set name based on Kerberos authentication rules.");
- }
- }
- }
- }
- }
- }
+ private void handlePasswordCallback(PasswordCallback pc) {
+ if ("super".equals(this.userName) && System.getProperty(SYSPROP_SUPER_PASSWORD) != null) {
+ // superuser: use Java system property for password, if available.
+ pc.setPassword(System.getProperty(SYSPROP_SUPER_PASSWORD).toCharArray());
+ } else if (credentials.containsKey(userName) ) {
+ pc.setPassword(credentials.get(userName).toCharArray());
+ } else {
+ LOG.warn("No password found for user: " + userName);
+ }
+ }
+
+ private void handleRealmCallback(RealmCallback rc) {
+ LOG.debug("client supplied realm: " + rc.getDefaultText());
+ rc.setText(rc.getDefaultText());
+ }
+
+ private void handleAuthorizeCallback(AuthorizeCallback ac) {
+ String authenticationID = ac.getAuthenticationID();
+ String authorizationID = ac.getAuthorizationID();
+
+ LOG.info("Successfully authenticated client: authenticationID=" + authenticationID
+ + "; authorizationID=" + authorizationID + ".");
+ ac.setAuthorized(true);
+
+ // canonicalize authorization id according to system properties:
+ // zookeeper.kerberos.removeRealmFromPrincipal(={true,false})
+ // zookeeper.kerberos.removeHostFromPrincipal(={true,false})
+ KerberosName kerberosName = new KerberosName(authenticationID);
+ try {
+ StringBuilder userNameBuilder = new StringBuilder(kerberosName.getShortName());
+ if (shouldAppendHost(kerberosName)) {
+ userNameBuilder.append("/").append(kerberosName.getHostName());
+ }
+ if (shouldAppendRealm(kerberosName)) {
+ userNameBuilder.append("@").append(kerberosName.getRealm());
}
+ LOG.info("Setting authorizedID: " + userNameBuilder);
+ ac.setAuthorizedID(userNameBuilder.toString());
+ } catch (IOException e) {
+ LOG.error("Failed to set name based on Kerberos authentication rules.");
}
+ }
+
+ private boolean shouldAppendRealm(KerberosName kerberosName) {
+ return !isSystemPropertyTrue(SYSPROP_REMOVE_REALM) && kerberosName.getRealm() != null;
+ }
- private boolean removeRealm() {
- return ((System.getProperty("zookeeper.kerberos.removeRealmFromPrincipal") != null) &&
- (System.getProperty("zookeeper.kerberos.removeRealmFromPrincipal").equals("true")));
+ private boolean shouldAppendHost(KerberosName kerberosName) {
+ return !isSystemPropertyTrue(SYSPROP_REMOVE_HOST) && kerberosName.getHostName() != null;
}
- private boolean removeHost() {
- return ((System.getProperty("zookeeper.kerberos.removeHostFromPrincipal") != null) &&
- (System.getProperty("zookeeper.kerberos.removeHostFromPrincipal").equals("true")));
+ private boolean isSystemPropertyTrue(String propertyName) {
+ return "true".equals(System.getProperty(propertyName));
}
}