org.apache.accumulo.server.rpc

Class TCredentialsUpdatingInvocationHandler<I>

java.lang.Object

org.apache.accumulo.server.rpc.TCredentialsUpdatingInvocationHandler<I>

All Implemented Interfaces:

InvocationHandler

public class TCredentialsUpdatingInvocationHandler<I>
extends Object
implements InvocationHandler

Extracts the TCredentials object from the RPC argument list and asserts that the Accumulo principal is equal to the Kerberos 'primary' component of the Kerberos principal (e.g. Accumulo principal of "frank" equals "frank" from "frank/hostname@DOMAIN").

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	TCredentialsUpdatingInvocationHandler(I serverInstance, AccumuloConfiguration conf)

Method Summary

Modifier and Type	Method and Description
protected ConcurrentHashMap<String,Class<? extends AuthenticationToken>>	getTokenCache() Visibile for testing
protected Class<? extends AuthenticationToken>	getTokenClassFromName(String tokenClassName)
Object	invoke(Object proxy, Method method, Object[] args)
protected void	principalMismatch(String expected, String actual)
protected void	updateArgs(Object[] args) Try to find a TCredentials object in the argument list, and, when the AuthenticationToken is a KerberosToken, set the principal from the SASL server as the TCredentials principal.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

TCredentialsUpdatingInvocationHandler

protected TCredentialsUpdatingInvocationHandler(I serverInstance,
                                                AccumuloConfiguration conf)

Method Detail

invoke

public Object invoke(Object proxy,
                     Method method,
                     Object[] args)
              throws Throwable

Specified by:

invoke in interface InvocationHandler

Throws:

Throwable

updateArgs

protected void updateArgs(Object[] args)
                   throws ThriftSecurityException

Try to find a TCredentials object in the argument list, and, when the AuthenticationToken is a KerberosToken, set the principal from the SASL server as the TCredentials principal. This ensures that users can't spoof a different principal into the Credentials than what they used to authenticate.

Throws:

ThriftSecurityException

principalMismatch

protected void principalMismatch(String expected,
                                 String actual)
                          throws ThriftSecurityException

Throws:

ThriftSecurityException

getTokenClassFromName

protected Class<? extends AuthenticationToken> getTokenClassFromName(String tokenClassName)

getTokenCache

protected ConcurrentHashMap<String,Class<? extends AuthenticationToken>> getTokenCache()

Visibile for testing