org.apache.nifi.security.krb

Class StandardKeytabUser

java.lang.Object

org.apache.nifi.security.krb.StandardKeytabUser

All Implemented Interfaces:

KeytabUser

public class StandardKeytabUser
extends Object
implements KeytabUser

Used to authenticate and execute actions when Kerberos is enabled and a keytab is being used. Some of the functionality in this class is adapted from Hadoop's UserGroupInformation.

Field Summary

Fields

Modifier and Type	Field and Description
(package private) static String	DATE_FORMAT
private String	keytabFile
private AtomicBoolean	loggedIn
private static org.slf4j.Logger	LOGGER
private LoginContext	loginContext
private String	principal
private Subject	subject
(package private) static float	TICKET_RENEW_WINDOW Percentage of the ticket window to use before we renew the TGT.

Constructor Summary

Constructors

Constructor and Description
StandardKeytabUser(String principal, String keytabFile)

Method Summary

Modifier and Type	Method and Description
boolean	checkTGTAndRelogin() Re-login a user from keytab if TGT is expired or is close to expiry.
<T> T	doAs(PrivilegedAction<T> action) Executes the PrivilegedAction as this user.
<T> T	doAs(PrivilegedExceptionAction<T> action) Executes the PrivilegedAction as this user.
String	getKeytabFile()
String	getPrincipal()
private long	getRefreshTime(KerberosTicket tgt)
(package private) Subject	getSubject()
private KerberosTicket	getTGT() Get the Kerberos TGT.
boolean	isLoggedIn()
private boolean	isTGSPrincipal(KerberosPrincipal principal) TGS must have the server principal of the form "krbtgt/FOO@FOO".
void	login() Performs a login using the specified principal and keytab.
void	logout() Performs a logout of the current user.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOGGER

private static final org.slf4j.Logger LOGGER

DATE_FORMAT

static final String DATE_FORMAT

See Also:

Constant Field Values

TICKET_RENEW_WINDOW

static final float TICKET_RENEW_WINDOW

Percentage of the ticket window to use before we renew the TGT.

See Also:

Constant Field Values

principal

private final String principal

keytabFile

private final String keytabFile

loggedIn

private final AtomicBoolean loggedIn

subject

private Subject subject

loginContext

private LoginContext loginContext

Constructor Detail

StandardKeytabUser

public StandardKeytabUser(String principal,
                          String keytabFile)

Method Detail

login

public void login()
           throws LoginException

Performs a login using the specified principal and keytab.

Specified by:

login in interface KeytabUser

Throws:

LoginException - if the login fails

logout

public void logout()
            throws LoginException

Performs a logout of the current user.

Specified by:

logout in interface KeytabUser

Throws:

LoginException - if the logout fails

doAs

public <T> T doAs(PrivilegedAction<T> action)
           throws IllegalStateException

Executes the PrivilegedAction as this user.

Specified by:

doAs in interface KeytabUser

Type Parameters:

T - the type of result

Parameters:

action - the action to execute

Returns:

the result of the action

Throws:

IllegalStateException - if this method is called while not logged in

doAs

public <T> T doAs(PrivilegedExceptionAction<T> action)
           throws IllegalStateException,
                  PrivilegedActionException

Executes the PrivilegedAction as this user.

Specified by:

doAs in interface KeytabUser

Type Parameters:

T - the type of result

Parameters:

action - the action to execute

Returns:

the result of the action

Throws:

IllegalStateException - if this method is called while not logged in

PrivilegedActionException - if an exception is thrown from the action

checkTGTAndRelogin

public boolean checkTGTAndRelogin()
                           throws LoginException

Re-login a user from keytab if TGT is expired or is close to expiry.

Specified by:

checkTGTAndRelogin in interface KeytabUser

Returns:

true if a relogin was performed, false otherwise

Throws:

LoginException - if an error happens performing the re-login

getTGT

private KerberosTicket getTGT()

Get the Kerberos TGT.

Returns:

the user's TGT or null if none was found

isTGSPrincipal

private boolean isTGSPrincipal(KerberosPrincipal principal)

TGS must have the server principal of the form "krbtgt/FOO@FOO".

Parameters:

principal - the principal to check

Returns:

true if the principal is the TGS, false otherwise

getRefreshTime

private long getRefreshTime(KerberosTicket tgt)

isLoggedIn

public boolean isLoggedIn()

Specified by:

isLoggedIn in interface KeytabUser

Returns:

true if this user is currently logged in, false otherwise

getPrincipal

public String getPrincipal()

Specified by:

getPrincipal in interface KeytabUser

Returns:

the principal for this user

getKeytabFile

public String getKeytabFile()

Specified by:

getKeytabFile in interface KeytabUser

Returns:

the keytab file for this user

getSubject

Subject getSubject()