Impala
Impala is the open source, native analytic database for Apache Hadoop.
#include <auth-provider.h>

Public Member Functions

SaslAuthProvider (bool is_internal)
virtual Status Start ()
virtual Status WrapClientTransport (const std::string &hostname, boost::shared_ptr< apache::thrift::transport::TTransport > raw_transport, const std::string &service_name, boost::shared_ptr< apache::thrift::transport::TTransport > *wrapped_transport)
virtual Status GetServerTransportFactory (boost::shared_ptr< apache::thrift::transport::TTransportFactory > *factory)
virtual bool is_sasl ()
Returns true if this provider uses Sasl at the transport layer.
Status InitKerberos (const std::string &principal, const std::string &keytab_path)
void InitLdap ()
const std::string & principal () const
Used for testing.
const std::string & service_name () const
const std::string & hostname () const
const std::string & realm () const
bool has_ldap ()

Private Member Functions

void RunKinit (Promise< Status > *first_kinit)
Status InitKerberosEnv ()
One-time kerberos-specific environment variable setup. Called by InitKerberos().

Private Attributes

bool has_ldap_
Do we (the server side only) support ldap for this connection?
std::string hostname_
bool is_internal_
True if internal, false if external.
std::string principal_
All the rest of these private items are Kerberos-specific.
std::string keytab_file_
The full path to the keytab where the above principal can be found.
std::string service_name_
std::string realm_
Principal's realm, again derived from principal.
bool needs_kinit_
boost::scoped_ptr< Thread > kinit_thread_
Runs "RunKinit" below if needs_kinit_ is true.

Static Private Attributes

static bool env_setup_complete_ = false
We use this to ensure that we only set up environment variables one time.
If either (or both) Kerberos and LDAP auth are desired, we use Sasl for the communication. This "wraps" the underlying communication, in thrift-speak. This is used for both client and server contexts; there is one for internal and one for external communication.
Definition at line 61 of file auth-provider.h.
impala::SaslAuthProvider::SaslAuthProvider (bool is_internal)
inline
Definition at line 63 of file auth-provider.h.
Status impala::SaslAuthProvider::GetServerTransportFactory (boost::shared_ptr< apache::thrift::transport::TTransportFactory > *factory)
virtual
This sets up a mapping between auth types (PLAIN and GSSAPI) and callbacks. When a connection comes in, thrift will see one of the above on the wire, do a table lookup, and associate the appropriate callbacks with the connection. Then presto! You've got authentication for the connection.
Implements impala::AuthProvider.
Definition at line 813 of file authentication.cc.
References apache::thrift::transport::TSaslServerTransport::Factory::addServerDefinition(), impala::KERB_EXT_CALLBACKS, impala::KERB_INT_CALLBACKS, impala::KERBEROS_MECHANISM, impala::LDAP_EXT_CALLBACKS, impala::OK, impala::PLAIN_MECHANISM, and VLOG_RPC.
bool impala::SaslAuthProvider::has_ldap ()
inline
Definition at line 102 of file auth-provider.h.
References has_ldap_.
Status impala::SaslAuthProvider::InitKerberos (const std::string &principal, const std::string &keytab_path)
inline
Initializes kerberos items and checks for sanity. Failures can occur on a malformed principal or when setting some environment variables. Called prior to Start().
Definition at line 628 of file authentication.cc.
References impala::CheckReplayCacheDirPermissions(), impala::GetHostname(), impala::HOSTNAME_PATTERN, impala::OK, and RETURN_IF_ERROR.
Referenced by impala::AuthManager::Init(), and impala::TEST().
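The page says InitKerberos() derives hostname_, realm_ and service_name_ from the configured principal and fails on a malformed one. The following is an added example, not Impala's code, of that derivation for a principal in the standard service/hostname@REALM layout. ParsedPrincipal, IsPlausibleHostname and ParsePrincipal are hypothetical names; the hostname check is a conservative stand-in for HOSTNAME_PATTERN, whose exact pattern is not shown on this page.

```cpp
#include <cctype>
#include <string>

// Result of splitting "service/hostname@REALM". Hypothetical type, not Impala's.
struct ParsedPrincipal {
  std::string service_name;
  std::string hostname;
  std::string realm;
};

// Conservative hostname check standing in for the HOSTNAME_PATTERN the page
// references: dot-separated labels of letters, digits and hyphens, no empty label,
// no leading or trailing hyphen, RFC 1035 length limits.
bool IsPlausibleHostname(const std::string& host) {
  if (host.empty() || host.size() > 253) return false;
  size_t start = 0;
  for (;;) {
    size_t dot = host.find('.', start);
    size_t len = (dot == std::string::npos) ? host.size() - start : dot - start;
    std::string label = host.substr(start, len);
    if (label.empty() || label.size() > 63) return false;
    if (label[0] == '-' || label[label.size() - 1] == '-') return false;
    for (size_t i = 0; i < label.size(); ++i) {
      unsigned char c = static_cast<unsigned char>(label[i]);
      if (!std::isalnum(c) && c != '-') return false;
    }
    if (dot == std::string::npos) return true;
    start = dot + 1;
  }
}

// Splits a principal into the three pieces the page says are derived from it.
// Returns false and leaves *out untouched when the principal is malformed, which is
// the failure mode the page names for InitKerberos().
bool ParsePrincipal(const std::string& principal, ParsedPrincipal* out) {
  size_t slash = principal.find('/');
  size_t at = principal.find('@');
  if (slash == std::string::npos || at == std::string::npos || slash > at) return false;
  // A service principal has exactly one '/' and exactly one '@'; reject extras so a
  // value like "impala/host@REALM@OTHER" cannot yield a surprising realm.
  if (principal.find('/', slash + 1) != std::string::npos) return false;
  if (principal.find('@', at + 1) != std::string::npos) return false;
  std::string service = principal.substr(0, slash);
  std::string host = principal.substr(slash + 1, at - slash - 1);
  std::string realm = principal.substr(at + 1);
  if (service.empty() || realm.empty()) return false;
  if (!IsPlausibleHostname(host)) return false;
  out->service_name = service;
  out->hostname = host;
  out->realm = realm;
  return true;
}
```

A server that registers the wrong service name or hostname here will reject every client ticket, so failing loudly on a malformed principal at startup, before Start() runs, is the behaviour to preserve.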
Status impala::SaslAuthProvider::InitKerberosEnv ()
private
One-time kerberos-specific environment variable setup. Called by InitKerberos().
Definition at line 699 of file authentication.cc.
References impala::EnvAppend(), impala::GetStrErrMsg(), impala::OK, and RETURN_IF_ERROR.
void impala::SaslAuthProvider::InitLdap ()
inline
Initializes ldap - just record that we're going to use it. Called prior to Start().
Definition at line 95 of file auth-provider.h.
References has_ldap_.
Referenced by impala::AuthManager::Init().
bool impala::SaslAuthProvider::is_sasl ()
inline virtual
Returns true if this provider uses Sasl at the transport layer.
Implements impala::AuthProvider.
Definition at line 86 of file auth-provider.h.
const std::string & impala::SaslAuthProvider::principal () const
inline
Used for testing.
Definition at line 98 of file auth-provider.h.
References principal_.
Referenced by impala::TEST().
void impala::SaslAuthProvider::RunKinit (Promise< Status > *first_kinit)
inline
Periodically (roughly once every FLAGS_kerberos_reinit_interval minutes) calls kinit to get a ticket granting ticket from the kerberos server for principal_, which is kept in the kerberos cache associated with this process. This ensures that we have valid kerberos credentials when operating as a client. Once the first attempt to obtain a ticket has completed, first_kinit is Set() with the status of the operation. Additionally, if the first attempt fails, this method will return.
Definition at line 440 of file authentication.cc.
References impala::OK, impala::RunShellProcess(), impala::Promise< T >::Set(), and impala::SleepForMs().
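The control flow described for RunKinit() (first attempt reported through the promise, loop ends if that first attempt fails, later attempts retried on an interval), as an added example that is not Impala's code. KinitStatus stands in for impala::Status, FirstKinitPromise for impala::Promise<Status>, kinit_fn for the RunShellProcess() call to kinit and sleep_fn for SleepForMs(); the max_attempts parameter is an addition so the loop terminates offline, whereas Impala's RunKinit runs on kinit_thread_ for the life of the process. All of these names are hypothetical.

```cpp
#include <functional>
#include <string>

// Minimal status type standing in for impala::Status (hypothetical).
struct KinitStatus {
  bool ok;
  std::string msg;
};

// One-shot slot standing in for impala::Promise<Status>: the first Set() wins.
struct FirstKinitPromise {
  bool is_set;
  KinitStatus value;
  FirstKinitPromise() : is_set(false), value() {}
  void Set(const KinitStatus& s) {
    if (!is_set) { is_set = true; value = s; }
  }
};

// Counters so a caller can observe the loop without relying on log output.
struct KinitLoopResult {
  int attempts;
  int failures;
};

// kinit_fn stands in for the shell invocation of kinit (RunShellProcess on the page)
// and sleep_fn for SleepForMs; the real loop sleeps FLAGS_kerberos_reinit_interval
// minutes between attempts. max_attempts is added so the loop terminates offline.
KinitLoopResult RunKinitLoop(const std::function<KinitStatus()>& kinit_fn,
                             FirstKinitPromise* first_kinit,
                             const std::function<void()>& sleep_fn,
                             int max_attempts) {
  KinitLoopResult result = {0, 0};
  while (result.attempts < max_attempts) {
    KinitStatus status = kinit_fn();
    ++result.attempts;
    if (!status.ok) ++result.failures;
    if (result.attempts == 1) {
      // Hand the outcome of the initial ticket acquisition to whoever started us,
      // so Start() can report a failure instead of running without credentials.
      first_kinit->Set(status);
      // As on the page: a failed first attempt ends the loop.
      if (!status.ok) return result;
    }
    // A later failure (assumption: retried on the next interval) leaves the cached
    // TGT aging toward expiry, which is the condition to alert on in production.
    sleep_fn();
  }
  return result;
}
```

The test below drives the loop with a kinit stand-in that fails outright, and with one that succeeds except on the third call, to show that only the first failure is fatal.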
const std::string & impala::SaslAuthProvider::service_name () const
inline
Definition at line 99 of file auth-provider.h.
References service_name_.
Referenced by impala::TEST().
Status impala::SaslAuthProvider::Start ()
virtual
Performs initialization of external state. If we're using kerberos and need to kinit, start that thread. If we're using ldap, set up appropriate certificate usage.
Implements impala::AuthProvider.
Definition at line 769 of file authentication.cc.
References impala::GetHostname(), impala::OK, and RETURN_IF_ERROR.
Referenced by impala::TEST().
Status impala::SaslAuthProvider::WrapClientTransport (const std::string &hostname, boost::shared_ptr< apache::thrift::transport::TTransport > raw_transport, const std::string &service_name, boost::shared_ptr< apache::thrift::transport::TTransport > *wrapped_transport)
virtual
Wrap the client transport with a new TSaslClientTransport. This is only for internal connections. Since, as a daemon, we only do Kerberos and not LDAP, we can go straight to Kerberos.
Implements impala::AuthProvider.
Definition at line 851 of file authentication.cc.
References impala::KERB_INT_CALLBACKS, impala::KERBEROS_MECHANISM, impala::OK, and VLOG_RPC.
bool impala::SaslAuthProvider::env_setup_complete_ = false
static private
We use this to ensure that we only set up environment variables one time.
Definition at line 149 of file auth-provider.h.
bool impala::SaslAuthProvider::has_ldap_
private
Do we (the server side only) support ldap for this connection?
Definition at line 106 of file auth-provider.h.
Referenced by has_ldap(), and InitLdap().
std::string impala::SaslAuthProvider::hostname_
private
Hostname of this machine - if kerberos, derived from principal. If there is no kerberos, but LDAP is used, then acquired via GetHostname().
Definition at line 110 of file auth-provider.h.
Referenced by hostname().
bool impala::SaslAuthProvider::is_internal_
private
True if internal, false if external.
Definition at line 113 of file auth-provider.h.
std::string impala::SaslAuthProvider::keytab_file_
private
The full path to the keytab where the above principal can be found.
Definition at line 122 of file auth-provider.h.
boost::scoped_ptr< Thread > impala::SaslAuthProvider::kinit_thread_
private
Runs "RunKinit" below if needs_kinit_ is true.
Definition at line 138 of file auth-provider.h.
bool impala::SaslAuthProvider::needs_kinit_
private
True if tickets for this principal should be obtained. This is true if we're an auth provider for an "internal" connection, because we may function as a client.
Definition at line 135 of file auth-provider.h.
std::string impala::SaslAuthProvider::principal_
private
All the rest of these private items are Kerberos-specific.
The Kerberos principal. If is_internal_ is true and --be_principal was supplied, this is --be_principal. In all other cases this is --principal.
Definition at line 119 of file auth-provider.h.
Referenced by principal().
std::string impala::SaslAuthProvider::realm_
private
Principal's realm, again derived from principal.
Definition at line 130 of file auth-provider.h.
Referenced by realm().
std::string impala::SaslAuthProvider::service_name_
private
The service name, deduced from the principal. Used by servers to indicate what service a principal must have a ticket for in order to be granted access to this service.
Definition at line 127 of file auth-provider.h.
Referenced by service_name().