增加客户端认证注释

This commit is contained in:
LingZhaoHui 2024-09-01 23:23:01 +08:00
parent ddc50a86f7
commit dfc2c04eea
Signed by: zeekling
GPG Key ID: D96E4E75267CA2CC


@ -200,9 +200,11 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
needFallback = true; needFallback = true;
} }
if (!needFallback && isNegotiate(conn)) { if (!needFallback && isNegotiate(conn)) {
// 对于普通的HTTP的kerberos认证(SPNEGO)需要现在客户端登录KDC服务
LOG.debug("Performing our own SPNEGO sequence."); LOG.debug("Performing our own SPNEGO sequence.");
doSpnegoSequence(token); doSpnegoSequence(token);
} else { } else {
// 当前主要适用于对认证方式需要扩展的场景
LOG.debug("Using fallback authenticator sequence."); LOG.debug("Using fallback authenticator sequence.");
Authenticator auth = getFallBackAuthenticator(); Authenticator auth = getFallBackAuthenticator();
// Make sure that the fall back authenticator have the same // Make sure that the fall back authenticator have the same
@ -301,6 +303,7 @@ private void doSpnegoSequence(final AuthenticatedURL.Token token)
subject = new Subject(); subject = new Subject();
LoginContext login = new LoginContext("", subject, LoginContext login = new LoginContext("", subject,
null, new KerberosConfiguration()); null, new KerberosConfiguration());
// 登录KDC服务
login.login(); login.login();
} }
@ -314,12 +317,14 @@ public Void run() throws Exception {
GSSContext gssContext = null; GSSContext gssContext = null;
try { try {
GSSManager gssManager = GSSManager.getInstance(); GSSManager gssManager = GSSManager.getInstance();
// 设置服务端的域名由于是HTTP协议所以当前要求principal的格式为HTTP/HOST_NAME的方式
String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
KerberosAuthenticator.this.url.getHost()); KerberosAuthenticator.this.url.getHost());
Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID; Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
GSSName serviceName = gssManager.createName(servicePrincipal, GSSName serviceName = gssManager.createName(servicePrincipal,
oid); oid);
oid = KerberosUtil.GSS_KRB5_MECH_OID; oid = KerberosUtil.GSS_KRB5_MECH_OID;
// 创建获取token的上下文信息
gssContext = gssManager.createContext(serviceName, oid, null, gssContext = gssManager.createContext(serviceName, oid, null,
GSSContext.DEFAULT_LIFETIME); GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true); gssContext.requestCredDeleg(true);
@ -333,14 +338,19 @@ public Void run() throws Exception {
while (!established) { while (!established) {
HttpURLConnection conn = HttpURLConnection conn =
token.openConnection(url, connConfigurator); token.openConnection(url, connConfigurator);
outToken = gssContext.initSecContext(inToken, 0, inToken.length); // 获取客户端的token对于第一次的场景inToken为空
// 对于中间过程需要将服务端给的token传进去校验
outToken = gssContext.initSecContext(inToken, 0, inToken.length);
if (outToken != null) { if (outToken != null) {
// 将token发送给服务端
sendToken(conn, outToken); sendToken(conn, outToken);
} }
if (!gssContext.isEstablished()) { if (!gssContext.isEstablished()) {
inToken = readToken(conn); // 读取服务端发送的token
inToken = readToken(conn);
} else { } else {
// 认证完成,认证结束
established = true; established = true;
} }
} }