org.apache.ambari.server.serveraction.kerberos

Class KerberosOperationHandler

java.lang.Object

org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler

Direct Known Subclasses:

ADKerberosOperationHandler, IPAKerberosOperationHandler, MITKerberosOperationHandler

public abstract class KerberosOperationHandler
extends Object

KerberosOperationHandler is an abstract class providing basic implementations of common Kerberos operations (like generating secure passwords) and placeholders for KDC-specific operations (such as creating principals).

Field Summary

Fields

Modifier and Type	Field and Description
static String	KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE Kerberos-env configuration property name: ad_create_attributes_template
static String	KERBEROS_ENV_ADMIN_SERVER_HOST Kerberos-env configuration property name: admin_server_host
static String	KERBEROS_ENV_ENCRYPTION_TYPES Kerberos-env configuration property name: encryption_types
static String	KERBEROS_ENV_EXECUTABLE_SEARCH_PATHS Kerberos-env configuration property name: executable_search_paths
static String	KERBEROS_ENV_KADMIN_PRINCIPAL_NAME Kerberos-env configuration property name: kadmin_principal_name
static String	KERBEROS_ENV_KDC_CREATE_ATTRIBUTES Kerberos-env configuration property name: kdc_create_attributes
static String	KERBEROS_ENV_KDC_HOSTS Kerberos-env configuration property name: kdc_hosts
static String	KERBEROS_ENV_LDAP_URL Kerberos-env configuration property name: ldap_url
static String	KERBEROS_ENV_PRINCIPAL_CONTAINER_DN Kerberos-env configuration property name: container_dn
static String	KERBEROS_ENV_USER_PRINCIPAL_GROUP Kerberos-env configuration property name: group

Constructor Summary

Constructors

Constructor and Description
KerberosOperationHandler()

Method Summary

Modifier and Type	Method and Description
void	close() Closes and cleans up any resources used by this KerberosOperationHandler It is expected that this KerberosOperationHandler will not be used after this call.
protected DeconstructedPrincipal	createDeconstructPrincipal(String principal) Given a principal, attempt to create a new DeconstructedPrincipal
protected org.apache.directory.server.kerberos.shared.keytab.Keytab	createKeytab(String principal, String password, Integer keyNumber) Create a keytab using the specified principal and password.
protected boolean	createKeytabFile(File sourceKeytabFile, File destinationKeytabFile) Create or append to a keytab file using keytab data from another keytab file.
boolean	createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab keytab, File destinationKeytabFile) Create or append to a keytab file using the specified Keytab If the destination keytab file contains keytab data, that data will be merged with the new data to create a composite set of keytab entries.
protected File	createKeytabFile(String keytabData) Given base64-encoded keytab data, decode the String to binary data and write it to a (temporary) file.
protected boolean	createKeytabFile(String principal, String password, Integer keyNumber, File destinationKeytabFile) Create or append to a keytab file using the specified principal and password.
abstract Integer	createPrincipal(String principal, String password, boolean service) Creates a new principal in a previously configured KDC The implementation is specific to a particular type of KDC.
protected String	escapeCharacters(String string, Set<Character> charactersToEscape, Character escapeCharacter) Iterates through the characters in a string to escape special characters
protected ShellCommandUtil.Result	executeCommand(String[] command) Executes a shell command.
protected ShellCommandUtil.Result	executeCommand(String[] command, Map<String,String> envp, ShellCommandUtil.InteractiveHandler interactiveHandler) Executes a shell command.
protected ShellCommandUtil.Result	executeCommand(String[] command, ShellCommandUtil.InteractiveHandler interactiveHandler) Executes a shell command.
PrincipalKeyCredential	getAdministratorCredential() Sets the KDC administrator credential.
String	getDefaultRealm()
protected String	getExecutable(String executable) Given the name of an executable, searches the configured executable search path for an executable file with that name.
String[]	getExecutableSearchPaths() Gets the ordered array of search paths used to find Kerberos-related executables.
Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType>	getKeyEncryptionTypes() Gets the encryption algorithms used to encrypt keys in keytab entries
boolean	isOpen() Test this KerberosOperationHandler to see whether is was previously open or not
protected org.apache.directory.server.kerberos.shared.keytab.Keytab	mergeKeytabs(org.apache.directory.server.kerberos.shared.keytab.Keytab keytab, org.apache.directory.server.kerberos.shared.keytab.Keytab updates) Merge the keytab data from one keytab with the keytab data from a different keytab.
void	open(PrincipalKeyCredential administratorCredential, String defaultRealm, Map<String,String> kerberosConfiguration) Prepares and creates resources to be used by this KerberosOperationHandler.
abstract boolean	principalExists(String principal, boolean service) Test to see if the specified principal exists in a previously configured KDC The implementation is specific to a particular type of KDC.
protected org.apache.directory.server.kerberos.shared.keytab.Keytab	readKeytabFile(File file) Reads a file containing keytab data into a new Keytab
abstract boolean	removePrincipal(String principal, boolean service) Removes an existing principal in a previously configured KDC The implementation is specific to a particular type of KDC.
void	setAdministratorCredential(PrincipalKeyCredential administratorCredential) Sets the administrator credentials for this KerberosOperationHandler.
void	setDefaultRealm(String defaultRealm)
void	setExecutableSearchPaths(String delimitedExecutableSearchPaths) Sets the ordered array of search paths used to find Kerberos-related executables.
void	setExecutableSearchPaths(String[] executableSearchPaths) Sets the ordered array of search paths used to find Kerberos-related executables.
void	setKeyEncryptionTypes(Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType> keyEncryptionTypes) Sets the encryption algorithms to use to encrypt keys in keytab entries If set to null the default set of ciphers will be used.
void	setOpen(boolean open) Sets whether this KerberosOperationHandler is open or not.
abstract Integer	setPrincipalPassword(String principal, String password, boolean service) Updates the password for an existing principal in a previously configured KDC The implementation is specific to a particular type of KDC.
boolean	testAdministratorCredentials() Tests to ensure the connection information and credentials allow for administrative connectivity to the KDC
protected Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType>	translateEncryptionType(String name) Given a cipher (or algorithm) name, attempts to translate it into an EncryptionType value.
protected Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType>	translateEncryptionTypes(String names, String delimiter) Given a delimited set of encryption type names, attempts to translate into a set of EncryptionType values.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

KERBEROS_ENV_LDAP_URL

public static final String KERBEROS_ENV_LDAP_URL

Kerberos-env configuration property name: ldap_url

See Also:

Constant Field Values

KERBEROS_ENV_PRINCIPAL_CONTAINER_DN

public static final String KERBEROS_ENV_PRINCIPAL_CONTAINER_DN

Kerberos-env configuration property name: container_dn

See Also:

Constant Field Values

KERBEROS_ENV_USER_PRINCIPAL_GROUP

public static final String KERBEROS_ENV_USER_PRINCIPAL_GROUP

Kerberos-env configuration property name: group

See Also:

Constant Field Values

KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE

public static final String KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE

Kerberos-env configuration property name: ad_create_attributes_template

See Also:

Constant Field Values

KERBEROS_ENV_KDC_CREATE_ATTRIBUTES

public static final String KERBEROS_ENV_KDC_CREATE_ATTRIBUTES

Kerberos-env configuration property name: kdc_create_attributes

See Also:

Constant Field Values

KERBEROS_ENV_ENCRYPTION_TYPES

public static final String KERBEROS_ENV_ENCRYPTION_TYPES

Kerberos-env configuration property name: encryption_types

See Also:

Constant Field Values

KERBEROS_ENV_KDC_HOSTS

public static final String KERBEROS_ENV_KDC_HOSTS

Kerberos-env configuration property name: kdc_hosts

See Also:

Constant Field Values

KERBEROS_ENV_ADMIN_SERVER_HOST

public static final String KERBEROS_ENV_ADMIN_SERVER_HOST

Kerberos-env configuration property name: admin_server_host

See Also:

Constant Field Values

KERBEROS_ENV_KADMIN_PRINCIPAL_NAME

public static final String KERBEROS_ENV_KADMIN_PRINCIPAL_NAME

Kerberos-env configuration property name: kadmin_principal_name

See Also:

Constant Field Values

KERBEROS_ENV_EXECUTABLE_SEARCH_PATHS

public static final String KERBEROS_ENV_EXECUTABLE_SEARCH_PATHS

Kerberos-env configuration property name: executable_search_paths

See Also:

Constant Field Values

Constructor Detail

KerberosOperationHandler

public KerberosOperationHandler()

Method Detail

open

public void open(PrincipalKeyCredential administratorCredential,
                 String defaultRealm,
                 Map<String,String> kerberosConfiguration)
          throws KerberosOperationException

Prepares and creates resources to be used by this KerberosOperationHandler.

It is expected that this KerberosOperationHandler will not be used before this call.

Parameters:

administratorCredential - a PrincipalKeyCredential containing the administrative credential for the relevant KDC

defaultRealm - a String declaring the default Kerberos realm (or domain)

kerberosConfiguration - a Map of key/value pairs containing data from the kerberos-env configuration set

Throws:

KerberosOperationException

close

public void close()
           throws KerberosOperationException

Closes and cleans up any resources used by this KerberosOperationHandler

It is expected that this KerberosOperationHandler will not be used after this call.

Throws:

KerberosOperationException

principalExists

public abstract boolean principalExists(String principal,
                                        boolean service)
                                 throws KerberosOperationException

Test to see if the specified principal exists in a previously configured KDC

The implementation is specific to a particular type of KDC.

Parameters:

principal - a String containing the principal to test

service - a boolean value indicating whether the principal is for a service or not

Returns:

true if the principal exists; false otherwise

Throws:

KerberosOperationException

createPrincipal

public abstract Integer createPrincipal(String principal,
                                        String password,
                                        boolean service)
                                 throws KerberosOperationException

Creates a new principal in a previously configured KDC

The implementation is specific to a particular type of KDC.

Parameters:

principal - a String containing the principal to add

password - a String containing the password to use when creating the principal

service - a boolean value indicating whether the principal is to be created as a service principal or not

Returns:

an Integer declaring the generated key number

Throws:

KerberosOperationException

KerberosPrincipalAlreadyExistsException - if the principal already exists

setPrincipalPassword

public abstract Integer setPrincipalPassword(String principal,
                                             String password,
                                             boolean service)
                                      throws KerberosOperationException

Updates the password for an existing principal in a previously configured KDC

The implementation is specific to a particular type of KDC.

Parameters:

principal - a String containing the principal to update

password - a String containing the password to set

service - a boolean value indicating whether the principal is for a service or not

Returns:

an Integer declaring the new key number

Throws:

KerberosOperationException

KerberosPrincipalDoesNotExistException - if the principal does not exist

removePrincipal

public abstract boolean removePrincipal(String principal,
                                        boolean service)
                                 throws KerberosOperationException

Removes an existing principal in a previously configured KDC

The implementation is specific to a particular type of KDC.

Parameters:

principal - a String containing the principal to remove

service - a boolean value indicating whether the principal is for a service or not

Returns:

true if the principal was successfully removed; otherwise false

Throws:

KerberosOperationException

testAdministratorCredentials

public boolean testAdministratorCredentials()
                                     throws KerberosOperationException

Tests to ensure the connection information and credentials allow for administrative connectivity to the KDC

Returns:

true of successful; otherwise false

Throws:

KerberosOperationException - if a failure occurs while testing the administrator credentials

createKeytab

protected org.apache.directory.server.kerberos.shared.keytab.Keytab createKeytab(String principal,
                                                                                 String password,
                                                                                 Integer keyNumber)
                                                                          throws KerberosOperationException

Create a keytab using the specified principal and password.

Parameters:

principal - a String containing the principal to test

password - a String containing the password to use when creating the principal

keyNumber - a Integer indicating the key number for the keytab entries

Returns:

the created Keytab

Throws:

KerberosOperationException

createKeytabFile

protected boolean createKeytabFile(File sourceKeytabFile,
                                   File destinationKeytabFile)
                            throws KerberosOperationException

Create or append to a keytab file using keytab data from another keytab file.

If the destination keytab file contains keytab data, that data will be merged with the new data to create a composite set of keytab entries.

Parameters:

sourceKeytabFile - a File containing the absolute path to the file with the keytab data to store

destinationKeytabFile - a File containing the absolute path to where the keytab data is to be stored

Returns:

true if the keytab file was successfully created; false otherwise

Throws:

KerberosOperationException

See Also:

createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab, java.io.File)

createKeytabFile

protected boolean createKeytabFile(String principal,
                                   String password,
                                   Integer keyNumber,
                                   File destinationKeytabFile)
                            throws KerberosOperationException

Create or append to a keytab file using the specified principal and password.

If the destination keytab file contains keytab data, that data will be merged with the new data to create a composite set of keytab entries.

Parameters:

principal - a String containing the principal to test

password - a String containing the password to use when creating the principal

keyNumber - an Integer declaring the relevant key number to use for the keytabs entries

destinationKeytabFile - a File containing the absolute path to where the keytab data is to be stored

Returns:

true if the keytab file was successfully created; false otherwise

Throws:

KerberosOperationException

See Also:

createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab, java.io.File)

createKeytabFile

public boolean createKeytabFile(org.apache.directory.server.kerberos.shared.keytab.Keytab keytab,
                                File destinationKeytabFile)
                         throws KerberosOperationException

Create or append to a keytab file using the specified Keytab

If the destination keytab file contains keytab data, that data will be merged with the new data to create a composite set of keytab entries.

Parameters:

keytab - the Keytab containing the data to add to the keytab file

destinationKeytabFile - a File containing the absolute path to where the keytab data is to be stored

Returns:

true if the keytab file was successfully created; false otherwise

Throws:

KerberosOperationException

mergeKeytabs

protected org.apache.directory.server.kerberos.shared.keytab.Keytab mergeKeytabs(org.apache.directory.server.kerberos.shared.keytab.Keytab keytab,
                                                                                 org.apache.directory.server.kerberos.shared.keytab.Keytab updates)

Merge the keytab data from one keytab with the keytab data from a different keytab.

If similar key entries exist for the same principal, the updated values will be used

Parameters:

keytab - a Keytab with the base keytab data

updates - a Keytab containing the updated keytab data

Returns:

a Keytab with the merged data

readKeytabFile

protected org.apache.directory.server.kerberos.shared.keytab.Keytab readKeytabFile(File file)

Reads a file containing keytab data into a new Keytab

Parameters:

file - A File containing the path to the file from which to read keytab data

Returns:

a Keytab or null if the file was not readable

getAdministratorCredential

public PrincipalKeyCredential getAdministratorCredential()

Sets the KDC administrator credential.

Returns:

a credential

setAdministratorCredential

public void setAdministratorCredential(PrincipalKeyCredential administratorCredential)
                                throws KerberosAdminAuthenticationException

Sets the administrator credentials for this KerberosOperationHandler.

If the supplied PrincipalKeyCredential is not null, validates that the administrator principal and values are not null or empty. If the credential value does not validate, then a KerberosAdminAuthenticationException will be thrown.

Parameters:

administratorCredential - the KDC administrator credential

Throws:

KerberosAdminAuthenticationException - if the non-null Credential fails to contain a non-empty principal and password values.

getDefaultRealm

public String getDefaultRealm()

setDefaultRealm

public void setDefaultRealm(String defaultRealm)

getKeyEncryptionTypes

public Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType> getKeyEncryptionTypes()

Gets the encryption algorithms used to encrypt keys in keytab entries

Returns:

a Set of EncryptionKey values indicating which algorithms are to be used when encrypting keys for keytab entries.

setKeyEncryptionTypes

public void setKeyEncryptionTypes(Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType> keyEncryptionTypes)

Sets the encryption algorithms to use to encrypt keys in keytab entries

If set to null the default set of ciphers will be used. See DEFAULT_CIPHERS

Parameters:

keyEncryptionTypes - a Set of EncryptionKey values or null to indicate the default set

getExecutableSearchPaths

public String[] getExecutableSearchPaths()

Gets the ordered array of search paths used to find Kerberos-related executables.

Returns:

an array of String values indicating an order list of filesystem paths to search

setExecutableSearchPaths

public void setExecutableSearchPaths(String[] executableSearchPaths)

Sets the ordered array of search paths used to find Kerberos-related executables.

If null, a default set of paths will be assumed when searching:

• /usr/bin
• /usr/kerberos/bin
• /usr/sbin
• /usr/lib/mit/bin
• /usr/lib/mit/sbin

Parameters:

executableSearchPaths - an array of String values indicating an ordered list of filesystem paths to search

setExecutableSearchPaths

public void setExecutableSearchPaths(String delimitedExecutableSearchPaths)

Sets the ordered array of search paths used to find Kerberos-related executables.

If null, a default set of paths will be assumed when searching:

• /usr/bin
• /usr/kerberos/bin
• /usr/sbin

Parameters:

delimitedExecutableSearchPaths - a String containing a comma-delimited (ordered) list of filesystem paths to search

isOpen

public boolean isOpen()

Test this KerberosOperationHandler to see whether is was previously open or not

Returns:

a boolean value indicating whether this KerberosOperationHandler was open (true) or not (false)

setOpen

public void setOpen(boolean open)

Sets whether this KerberosOperationHandler is open or not.

Parameters:

open - a boolean value indicating whether this KerberosOperationHandler was open (true) or not (false)

createKeytabFile

protected File createKeytabFile(String keytabData)
                         throws KerberosOperationException

Given base64-encoded keytab data, decode the String to binary data and write it to a (temporary) file.

Upon success, a new file is created. The caller is expected to clean up this file when done with it.

Parameters:

keytabData - a String containing base64-encoded keytab data

Returns:

a File pointing to the decoded keytab file or null if not successful

Throws:

KerberosOperationException

executeCommand

protected ShellCommandUtil.Result executeCommand(String[] command,
                                                 Map<String,String> envp,
                                                 ShellCommandUtil.InteractiveHandler interactiveHandler)
                                          throws KerberosOperationException

Executes a shell command.

See org.apache.ambari.server.utils.ShellCommandUtil#runCommand(String[], Map)

Parameters:

command - an array of String value representing the command and its arguments

envp - a map of string, string of environment variables

interactiveHandler - a handler to provide responses to queries from the command, or null if no queries are expected

Returns:

a ShellCommandUtil.Result declaring the result of the operation

Throws:

KerberosOperationException

executeCommand

protected ShellCommandUtil.Result executeCommand(String[] command)
                                          throws KerberosOperationException

Executes a shell command.

See ShellCommandUtil.runCommand(String[])

Parameters:

command - an array of String value representing the command and its arguments

Returns:

a ShellCommandUtil.Result declaring the result of the operation

Throws:

KerberosOperationException

See Also:

executeCommand(String[], Map, ShellCommandUtil.InteractiveHandler)

executeCommand

protected ShellCommandUtil.Result executeCommand(String[] command,
                                                 ShellCommandUtil.InteractiveHandler interactiveHandler)
                                          throws KerberosOperationException

Executes a shell command.

See ShellCommandUtil.runCommand(String[])

Parameters:

command - an array of String value representing the command and its arguments

interactiveHandler - a handler to provide responses to queries from the command, or null if no queries are expected

Returns:

a ShellCommandUtil.Result declaring the result of the operation

Throws:

KerberosOperationException

See Also:

executeCommand(String[], Map, ShellCommandUtil.InteractiveHandler)

createDeconstructPrincipal

protected DeconstructedPrincipal createDeconstructPrincipal(String principal)
                                                     throws KerberosOperationException

Given a principal, attempt to create a new DeconstructedPrincipal

Parameters:

principal - a String containing the principal to deconstruct

Returns:

a DeconstructedPrincipal

Throws:

KerberosOperationException

translateEncryptionType

protected Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType> translateEncryptionType(String name)

Given a cipher (or algorithm) name, attempts to translate it into an EncryptionType value.

If a translation is not able to be made, EncryptionType.UNKNOWN is returned.

Parameters:

name - a String containing the name of the cipher to translate

Returns:

an EncryptionType

translateEncryptionTypes

protected Set<org.apache.directory.shared.kerberos.codec.types.EncryptionType> translateEncryptionTypes(String names,
                                                                                                        String delimiter)
                                                                                                 throws KerberosOperationException

Given a delimited set of encryption type names, attempts to translate into a set of EncryptionType values.

Parameters:

names - a String containing a delimited list of encryption type names

delimiter - a String declaring the delimiter to use to split names, if null, " " is used.

Returns:

a Set of EncryptionType values

Throws:

KerberosOperationException - When all the encryption type names are not supported

escapeCharacters

protected String escapeCharacters(String string,
                                  Set<Character> charactersToEscape,
                                  Character escapeCharacter)

Iterates through the characters in a string to escape special characters

Parameters:

string - the String to process

charactersToEscape - a Set of characters declaring the special characters to escape

escapeCharacter - a character to use for escaping

Returns:

the string with escaped characters

getExecutable

protected String getExecutable(String executable)

Given the name of an executable, searches the configured executable search path for an executable file with that name.

Parameters:

executable - a String declaring the name of the executable to find within the search path

Returns:

the absolute path of the found execute or the name of the executable if not found within the search path

See Also:

setExecutableSearchPaths(String), setExecutableSearchPaths(String[])