org.apache.ambari.server.serveraction.kerberos

Class IPAKerberosOperationHandler

java.lang.Object

org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler

org.apache.ambari.server.serveraction.kerberos.IPAKerberosOperationHandler

public class IPAKerberosOperationHandler
extends KerberosOperationHandler

IPAKerberosOperationHandler is an implementation of a KerberosOperationHandler providing functionality specifically for IPA managed KDC. See http://www.freeipa.org

It is assumed that the IPA admin tools are installed and that the ipa shell command is available

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	KDCKerberosOperationHandler.InteractivePasswordHandler InteractivePasswordHandler is a ShellCommandUtil.InteractiveHandler implementation that answers queries from kadmin or kdamin.local command for the admin and/or user passwords.

Field Summary

Fields inherited from class org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler

KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE, KERBEROS_ENV_ADMIN_SERVER_HOST, KERBEROS_ENV_ENCRYPTION_TYPES, KERBEROS_ENV_EXECUTABLE_SEARCH_PATHS, KERBEROS_ENV_KADMIN_PRINCIPAL_NAME, KERBEROS_ENV_KDC_CREATE_ATTRIBUTES, KERBEROS_ENV_KDC_HOSTS, KERBEROS_ENV_LDAP_URL, KERBEROS_ENV_PRINCIPAL_CONTAINER_DN, KERBEROS_ENV_USER_PRINCIPAL_GROUP

Constructor Summary

Constructors

Constructor and Description
IPAKerberosOperationHandler()

Method Summary

Modifier and Type	Method and Description
void	close() Closes and cleans up any resources used by this KerberosOperationHandler It is expected that this KerberosOperationHandler will not be used after this call.
protected org.apache.directory.server.kerberos.shared.keytab.Keytab	createKeytab(String principal, String password, Integer keyNumber) Creates a key tab by using the ipa commandline utilities.
Integer	createPrincipal(String principal, String password, boolean service) Creates a new principal in a previously configured KDC.
protected ShellCommandUtil.Result	executeCommand(String[] command, Map<String,String> envp, ShellCommandUtil.InteractiveHandler interactiveHandler) Executes a shell command in a credentials context See ShellCommandUtil.runCommand(String[])
protected void	exportKeytabFile(String principal, String keytabFileDestinationPath, Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType> keyEncryptionTypes) Export the requested keytab entries for a given principal into the specified file.
protected String[]	getKinitCommand(String executableKinit, PrincipalKeyCredential credentials, String credentialsCache, Map<String,String> kerberosConfiguration) Return an array of Strings containing the command and the relavant arguments needed authenticate with the KDC and create the Kerberos ticket/credential cache.
protected boolean	init(Map<String,String> kerberosConfiguration) Initialize the Kerberos ticket cache using the supplied KDC administrator's credentials.
void	open(PrincipalKeyCredential administratorCredentials, String realm, Map<String,String> kerberosConfiguration) Prepares and creates resources to be used by this KerberosOperationHandler It is expected that this KerberosOperationHandler will not be used before this call.
boolean	principalExists(String principal, boolean service) Test to see if the specified principal exists in a previously configured IPA KDC This implementation creates a query to send to the ipa shell command and then interrogates the result from STDOUT to determine if the presence of the specified principal.
boolean	removePrincipal(String principal, boolean service) Removes an existing principal in a previously configured KDC The implementation is specific to a particular type of KDC.
Integer	setPrincipalPassword(String principal, String password, boolean service) Updates the password for an existing user principal in a previously configured IPA KDC This implementation creates a query to send to the ipa shell command and then interrogates the exit code to determine if the operation executed successfully.

Methods inherited from class org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler

createDeconstructPrincipal, createKeytabFile, createKeytabFile, createKeytabFile, createKeytabFile, escapeCharacters, executeCommand, executeCommand, getAdministratorCredential, getDefaultRealm, getExecutable, getExecutableSearchPaths, getKeyEncryptionTypes, isOpen, mergeKeytabs, readKeytabFile, setAdministratorCredential, setDefaultRealm, setExecutableSearchPaths, setExecutableSearchPaths, setKeyEncryptionTypes, setOpen, testAdministratorCredentials, translateEncryptionType, translateEncryptionTypes

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

IPAKerberosOperationHandler

public IPAKerberosOperationHandler()

Method Detail

open

public void open(PrincipalKeyCredential administratorCredentials,
                 String realm,
                 Map<String,String> kerberosConfiguration)
          throws KerberosOperationException

Prepares and creates resources to be used by this KerberosOperationHandler

It is expected that this KerberosOperationHandler will not be used before this call.

The kerberosConfiguration Map is not being used.

Parameters:

administratorCredentials - a KerberosCredential containing the administrative credentials for the relevant IPA KDC

realm - a String declaring the default Kerberos realm (or domain)

kerberosConfiguration - a Map of key/value pairs containing data from the kerberos-env configuration set

Throws:

KerberosKDCConnectionException - if a connection to the KDC cannot be made

KerberosAdminAuthenticationException - if the administrator credentials fail to authenticate

KerberosRealmException - if the realm does not map to a KDC

KerberosOperationException - if an unexpected error occurred

close

public void close()
           throws KerberosOperationException

Description copied from class: KerberosOperationHandler

Closes and cleans up any resources used by this KerberosOperationHandler

It is expected that this KerberosOperationHandler will not be used after this call.

Throws:

KerberosOperationException

principalExists

public boolean principalExists(String principal,
                               boolean service)
                        throws KerberosOperationException

Test to see if the specified principal exists in a previously configured IPA KDC

This implementation creates a query to send to the ipa shell command and then interrogates the result from STDOUT to determine if the presence of the specified principal.

Specified by:

principalExists in class KerberosOperationHandler

Parameters:

principal - a String containing the principal to test

service - a boolean value indicating whether the principal is for a service or not

Returns:

true if the principal exists; false otherwise

Throws:

KerberosOperationException - if an unexpected error occurred

createPrincipal

public Integer createPrincipal(String principal,
                               String password,
                               boolean service)
                        throws KerberosOperationException

Creates a new principal in a previously configured KDC.

This implementation uses the ipa shell to create either a user or service account. No password will be set for either account type. The password (or key) will be automatically generated by the IPA server when exporting the keytab entry. Upon success, this method will always return 0 as the key number since the value is not generated until the keytab entry is exported.

Specified by:

createPrincipal in class KerberosOperationHandler

Parameters:

principal - a String containing the principal to add

password - a String containing the password to use when creating the principal (ignored)

service - a boolean value indicating whether the principal is to be created as a service principal or not

Returns:

an Integer declaring the generated key number (always 0)

Throws:

KerberosOperationException

KerberosPrincipalAlreadyExistsException - if the principal already exists

removePrincipal

public boolean removePrincipal(String principal,
                               boolean service)
                        throws KerberosOperationException

Removes an existing principal in a previously configured KDC

The implementation is specific to a particular type of KDC.

Specified by:

removePrincipal in class KerberosOperationHandler

Parameters:

principal - a String containing the principal to remove

service - a boolean value indicating whether the principal is for a service or not

Returns:

true if the principal was successfully removed; otherwise false

Throws:

KerberosKDCConnectionException - if a connection to the KDC cannot be made

KerberosAdminAuthenticationException - if the administrator credentials fail to authenticate

KerberosRealmException - if the realm does not map to a KDC

KerberosOperationException - if an unexpected error occurred

getKinitCommand

protected String[] getKinitCommand(String executableKinit,
                                   PrincipalKeyCredential credentials,
                                   String credentialsCache,
                                   Map<String,String> kerberosConfiguration)
                            throws KerberosOperationException

Return an array of Strings containing the command and the relavant arguments needed authenticate with the KDC and create the Kerberos ticket/credential cache.

Parameters:

executableKinit - the absolute path to the kinit executable

credentials - the KDC adminisrator's credentials

credentialsCache - the absolute path to the expected location of the Kerberos ticket/credential cache file

kerberosConfiguration - a Map of key/value pairs containing data from the kerberos-env configuration set

Returns:

an array of Strings containing the command to execute

Throws:

KerberosOperationException - in case there was any error during kinit command creation

exportKeytabFile

protected void exportKeytabFile(String principal,
                                String keytabFileDestinationPath,
                                Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType> keyEncryptionTypes)
                         throws KerberosOperationException

Export the requested keytab entries for a given principal into the specified file.

Parameters:

principal - the principal name

keytabFileDestinationPath - the absolute path to the keytab file

keyEncryptionTypes - a collection of encrption algorithm types indicating which ketyab entries are requested

Throws:

KerberosOperationException

setPrincipalPassword

public Integer setPrincipalPassword(String principal,
                                    String password,
                                    boolean service)
                             throws KerberosOperationException

Updates the password for an existing user principal in a previously configured IPA KDC

This implementation creates a query to send to the ipa shell command and then interrogates the exit code to determine if the operation executed successfully.

Specified by:

setPrincipalPassword in class KerberosOperationHandler

Parameters:

principal - a String containing the principal to update

password - a String containing the password to set

service - a boolean value indicating whether the principal is for a service or not

Returns:

an Integer declaring the new key number

Throws:

KerberosOperationException - if an unexpected error occurred

createKeytab

protected org.apache.directory.server.kerberos.shared.keytab.Keytab createKeytab(String principal,
                                                                                 String password,
                                                                                 Integer keyNumber)
                                                                          throws KerberosOperationException

Creates a key tab by using the ipa commandline utilities. It ignores key number and password as this will be handled by IPA

Overrides:

createKeytab in class KerberosOperationHandler

Parameters:

principal - a String containing the principal to test

password - (IGNORED) a String containing the password to use when creating the principal

keyNumber - (IGNORED) a Integer indicating the key number for the keytab entries

Returns:

the created Keytab

Throws:

KerberosOperationException

executeCommand

protected ShellCommandUtil.Result executeCommand(String[] command,
                                                 Map<String,String> envp,
                                                 ShellCommandUtil.InteractiveHandler interactiveHandler)
                                          throws KerberosOperationException

Executes a shell command in a credentials context

See ShellCommandUtil.runCommand(String[])

This implementation sets the proper environment for the custom KRB5CCNAME value.

Overrides:

executeCommand in class KerberosOperationHandler

Parameters:

command - an array of String value representing the command and its arguments

envp - a map of string, string of environment variables

interactiveHandler - a handler to provide responses to queries from the command, or null if no queries are expected

Returns:

a ShellCommandUtil.Result declaring the result of the operation

Throws:

KerberosOperationException

init

protected boolean init(Map<String,String> kerberosConfiguration)
                throws KerberosOperationException

Initialize the Kerberos ticket cache using the supplied KDC administrator's credentials.

A randomly named temporary file is created to store the Kerberos ticket cache for this KerberosOperationHandler's session. The file will be removed upon closing when the session is complete. The geneated ticket cache filename is set in the environment variable map using the variable name "KRB5CCNAME". This will be passed in for all relevant-system commands.

Returns:

Throws:

KerberosOperationException