From prog...@apache.org
Subject [5/9] drill git commit: DRILL-5820: Add support for libpam4j Pam Authenticator
Date Mon, 02 Oct 2017 17:30:47 GMT
DRILL-5820: Add support for libpam4j Pam Authenticator

closes #962


Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/0cff5f7a
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/0cff5f7a
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/0cff5f7a

Branch: refs/heads/master
Commit: 0cff5f7a7cb4f35a836bf02df159d993df4bcb00
Parents: 4ae7885
Author: Sorabh Hamirwasia <shamirwasia@maprtech.com>
Authored: Wed Sep 20 17:38:08 2017 -0700
Committer: Paul Rogers <progers@maprtech.com>
Committed: Sat Sep 30 19:09:57 2017 -0700

----------------------------------------------------------------------
 .../src/resources/drill-override-example.conf   |  4 ++
 exec/java-exec/pom.xml                          |  8 +++
 .../user/security/Pam4jUserAuthenticator.java   | 73 ++++++++++++++++++++
 .../rpc/user/security/PamUserAuthenticator.java |  3 +-
 exec/jdbc-all/pom.xml                           |  4 ++
 5 files changed, 91 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/drill/blob/0cff5f7a/distribution/src/resources/drill-override-example.conf
----------------------------------------------------------------------
diff --git a/distribution/src/resources/drill-override-example.conf b/distribution/src/resources/drill-override-example.conf
index 0b66f68..986e4b6 100644
--- a/distribution/src/resources/drill-override-example.conf
+++ b/distribution/src/resources/drill-override-example.conf
@@ -133,6 +133,10 @@ drill.exec: {
   security.user.auth {
     enabled: false,
     packages += "org.apache.drill.exec.rpc.user.security",
+    # There are 2 implementations available out of the box with annotation UserAuthenticatorTemplate
+    # Annotation type "pam" is providing implementation using JPAM
+    # Annotation type "pam4j" is providing implementation using libpam4j
+    # Based on annotation type configured below corresponding authenticator is used.
     impl: "pam",
     pam_profiles: [ "sudo", "login" ]
   },

http://git-wip-us.apache.org/repos/asf/drill/blob/0cff5f7a/exec/java-exec/pom.xml
----------------------------------------------------------------------
diff --git a/exec/java-exec/pom.xml b/exec/java-exec/pom.xml
index 173a3ee..33c12ff 100644
--- a/exec/java-exec/pom.xml
+++ b/exec/java-exec/pom.xml
@@ -18,6 +18,9 @@
   </parent>
   <artifactId>drill-java-exec</artifactId>
   <name>exec/Java Execution Engine</name>
+  <properties>
+    <libpam4j.version>1.8-rev1</libpam4j.version>
+  </properties>
 
   <dependencies>
     <dependency>
@@ -519,6 +522,11 @@
       <version>1.0.4</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.kohsuke</groupId>
+      <artifactId>libpam4j</artifactId>
+      <version>${libpam4j.version}</version>
+    </dependency>
   </dependencies>
 
   <profiles>
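Review bot: The new `libpam4j` dependency is pinned to `1.8-rev1`, and upstream libpam4j releases up to 1.8 are known to authenticate without running the PAM account-management step (`pam_acct_mgmt`), so a locked, expired or otherwise disabled account that still has a valid password can pass `PAM.authenticate`. Whether the `-rev1` build carries a fix for that is not visible from this hunk; confirm it, or move to a release that performs the account check, before `pam4j` is offered as an authenticator. The `-rev1` suffix also suggests a non-upstream build, so a short comment next to `<libpam4j.version>` naming the repository it is expected to resolve from would help anyone auditing the dependency.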

http://git-wip-us.apache.org/repos/asf/drill/blob/0cff5f7a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/Pam4jUserAuthenticator.java
----------------------------------------------------------------------
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/Pam4jUserAuthenticator.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/Pam4jUserAuthenticator.java
new file mode 100644
index 0000000..79aca00
--- /dev/null
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/Pam4jUserAuthenticator.java
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+import org.jvnet.libpam.PAM;
+import org.jvnet.libpam.PAMException;
+import org.jvnet.libpam.UnixUser;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * Implement {@link org.apache.drill.exec.rpc.user.security.UserAuthenticator} based on Pluggable
Authentication
+ * Module (PAM) configuration. Configure the PAM profiles using "drill.exec.security.user.auth.pam_profiles"
BOOT
+ * option. Ex. value  <i>[ "login", "sudo" ]</i> (value is an array of strings).
+ */
+@UserAuthenticatorTemplate(type = "pam4j")
+public class Pam4jUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+
+  private List<String> profiles;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+    profiles = drillConfig.getStringList(ExecConstants.PAM_AUTHENTICATOR_PROFILES);
+  }
+
+  @Override
+  public void authenticate(String user, String password) throws UserAuthenticationException
{
+    for (String profile : profiles) {
+      PAM pam = null;
+
+      try {
+        pam = new PAM(profile);
+        pam.authenticate(user, password);
+      } catch (PAMException ex) {
+        logger.error("PAM auth failed for user: {} against {} profile. Exception: {}", user,
profile, ex.getMessage());
+        throw new UserAuthenticationException(String.format("PAM auth failed for user: %s
using profile: %s",
+            user, profile));
+      } finally {
+        if (pam != null) {
+          pam.dispose();
+        }
+      }
+
+      // No need to check for null unixUser as in case of failure we will not reach here.
+      logger.trace("PAM authentication was successful for user: {} using profile: {}", user,
profile);
+    }
+  }
+
+  @Override
+  public void close() throws IOException {
+    // No-op as no resources are occupied by PAM authenticator.
+  }
+}
\ No newline at end of file
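Review bot: With an empty `pam_profiles` list the `for` loop in `authenticate` never runs and the method returns normally, so any user/password pair is accepted; nothing in `setup` rejects that configuration. Fail closed at startup, for example `if (profiles == null || profiles.isEmpty()) { throw new DrillbitStartupException("No PAM profiles configured for the pam4j authenticator"); }` (assuming `DrillbitStartupException` has a String constructor), which fits the `throws` clause `setup` already declares. The same loop shape is visible in `PamUserAuthenticator` in the next file section, so the check belongs there too. Separately, the exception text includes the PAM profile name, which presumably reaches a client that has not authenticated; consider keeping the profile name in the server log only. The comment about `unixUser` and the `UnixUser` import are also stale, because the result of `pam.authenticate` is discarded and no such variable exists.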

http://git-wip-us.apache.org/repos/asf/drill/blob/0cff5f7a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/PamUserAuthenticator.java
----------------------------------------------------------------------
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/PamUserAuthenticator.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/PamUserAuthenticator.java
index 492b140..a9e3f5b 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/PamUserAuthenticator.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/PamUserAuthenticator.java
@@ -59,7 +59,8 @@ public class PamUserAuthenticator implements UserAuthenticator {
     for (String pamProfile : profiles) {
       Pam pam = new Pam(pamProfile);
       if (!pam.authenticateSuccessful(user, password)) {
-        throw new UserAuthenticationException(String.format("PAM profile '%s' validation
failed", pamProfile));
+        throw new UserAuthenticationException(String.format("PAM profile '%s' validation
failed for user %s",
+            pamProfile, user));
       }
     }
   }
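Review bot: The new message interpolates `user` unquoted, and at this point the value is still client-supplied and unauthenticated, so if the exception text is written to a log or shown in a UI (not visible from this hunk), embedded line breaks or control characters could make the entry misleading. Quote and neutralise it the way the profile already is quoted, e.g. `"PAM profile '%s' validation failed for user '%s'"` with CR/LF stripped from `user` before formatting. The wording also differs from the message `Pam4jUserAuthenticator` uses for the same failure, so aligning the two would make failures easier to search for. The enclosing `authenticate` method starts and ends outside this hunk.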

http://git-wip-us.apache.org/repos/asf/drill/blob/0cff5f7a/exec/jdbc-all/pom.xml
----------------------------------------------------------------------
diff --git a/exec/jdbc-all/pom.xml b/exec/jdbc-all/pom.xml
index 0a18c00..4f9fa5b 100644
--- a/exec/jdbc-all/pom.xml
+++ b/exec/jdbc-all/pom.xml
@@ -151,6 +151,10 @@
           <groupId>org.glassfish.jersey.media</groupId>
           <artifactId>jersey-media-json-jackson</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.kohsuke</groupId>
+          <artifactId>libpam4j</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>

