0001 /**
0002  * Licensed to the Apache Software Foundation (ASF) under one
0003  * or more contributor license agreements.  See the NOTICE file
0004  * distributed with this work for additional information
0005  * regarding copyright ownership.  The ASF licenses this file
0006  * to you under the Apache License, Version 2.0 (the
0007  * "License"); you may not use this file except in compliance
0008  * with the License.  You may obtain a copy of the License at
0009  *
0010  *     http://www.apache.org/licenses/LICENSE-2.0
0011  *
0012  * Unless required by applicable law or agreed to in writing, software
0013  * distributed under the License is distributed on an "AS IS" BASIS,
0014  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
0015  * See the License for the specific language governing permissions and
0016  * limitations under the License.
0017  */
0018 package org.apache.hive.service.auth;
0019 
0020 import java.util.Hashtable;
0021 import javax.naming.Context;
0022 import javax.naming.NamingException;
0023 import javax.naming.directory.InitialDirContext;
0024 import javax.security.sasl.AuthenticationException;
0025 
0026 import org.apache.hadoop.hive.conf.HiveConf;
0027 import org.apache.hive.service.ServiceUtils;
0028 
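/**
 * Password authenticator for HiveServer2 that validates a user by performing an
 * LDAP simple bind with the presented credentials.
 *
 * <p>Configuration is read once, in the constructor, from {@link HiveConf}:
 * the LDAP server URL, an optional base DN under which users live, and an
 * optional domain suffix (Active Directory style {@code user@domain}).
 *
 * <p>Security notes:
 * <ul>
 *   <li>An LDAP simple bind with an empty password is an anonymous /
 *       unauthenticated bind (RFC 4513 section 5.1.2) and succeeds on many
 *       servers, so a blank password is rejected before any bind is attempted.</li>
 *   <li>When a base DN is configured the user name becomes an attribute value
 *       inside the bind DN; it is escaped per RFC 4514 so a crafted name cannot
 *       inject additional RDNs.</li>
 * </ul>
 */
public class LdapAuthenticationProviderImpl implements PasswdAuthenticationProvider {

  private final String ldapURL;
  private final String baseDN;
  private final String ldapDomain;

  /**
   * Loads the LDAP URL, base DN and domain from a fresh {@link HiveConf}.
   * Any of the values may be {@code null} when not configured.
   */
  LdapAuthenticationProviderImpl() {
    HiveConf conf = new HiveConf();
    ldapURL = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_URL);
    baseDN = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN);
    ldapDomain = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_DOMAIN);
  }

  /**
   * Authenticates {@code user} by binding to the configured LDAP server with
   * {@code password}. Success is indicated by returning normally.
   *
   * @param user     the login name; a domain suffix is appended when one is
   *                 configured and the name does not already carry one
   * @param password the clear-text password presented by the client
   * @throws AuthenticationException if the user name or password is null or
   *                                 blank, or if the LDAP bind fails for any
   *                                 reason (the {@link NamingException} is
   *                                 attached as the cause)
   */
  @Override
  public void Authenticate(String user, String password) throws AuthenticationException {

    // Validate the credentials before touching the directory.
    if (user == null || user.isEmpty()) {
      throw new AuthenticationException("Error validating LDAP user:" +
          " a null or blank user name has been provided");
    }
    // A blank password must never reach the server: a simple bind with an
    // empty password is treated as anonymous and would "succeed" for any DN.
    // A leading NUL is rejected as well (checked on the char, not on the
    // platform-charset bytes, so the test is charset independent).
    if (password == null || password.isEmpty() || password.charAt(0) == '\0') {
      throw new AuthenticationException("Error validating LDAP user:" +
          " a null or blank password has been provided");
    }

    Hashtable<String, Object> env = new Hashtable<String, Object>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapURL);

    // If the domain is available in the config, then append it unless domain is
    // already part of the username. LDAP providers like Active Directory use a
    // fully qualified user name like foo@bar.com.
    if (!hasDomain(user) && ldapDomain != null) {
      user = user + "@" + ldapDomain;
    }

    // Set up the security principal. Without a base DN the name is passed
    // through as-is (it may itself be a DN or a UPN); with a base DN the name
    // is an attribute value and must be DN-escaped.
    String bindDN;
    if (baseDN == null) {
      bindDN = user;
    } else {
      bindDN = "uid=" + escapeDnValue(user) + "," + baseDN;
    }
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, bindDN);
    env.put(Context.SECURITY_CREDENTIALS, password);

    try {
      // Creating the context performs the bind; a failure surfaces as a
      // NamingException. The context is only needed for the bind itself.
      Context ctx = new InitialDirContext(env);
      ctx.close();
    } catch (NamingException e) {
      throw new AuthenticationException("Error validating LDAP user", e);
    }
  }

  /** Returns true when {@code userName} already carries a domain part. */
  private boolean hasDomain(String userName) {
    return (ServiceUtils.indexOfDomainMatch(userName) > 0);
  }

  /**
   * Escapes {@code value} for use as an attribute value inside an LDAP DN
   * (RFC 4514 section 2.4): the characters {@code \ , + " < > ; =} and NUL
   * are backslash-escaped, as are a leading {@code #} and a leading or
   * trailing space. This keeps a crafted user name from adding or altering
   * RDNs of the bind DN.
   *
   * @param value raw attribute value, never {@code null}
   * @return the escaped value, unchanged when no special characters occur
   */
  private static String escapeDnValue(String value) {
    int len = value.length();
    StringBuilder sb = new StringBuilder(len + 8);
    for (int i = 0; i < len; i++) {
      char c = value.charAt(i);
      switch (c) {
        case '\\':
        case ',':
        case '+':
        case '"':
        case '<':
        case '>':
        case ';':
        case '=':
          sb.append('\\').append(c);
          break;
        case '\0':
          sb.append("\\00");
          break;
        case ' ':
          // Only a leading or trailing space is significant in a DN value.
          if (i == 0 || i == len - 1) {
            sb.append("\\ ");
          } else {
            sb.append(' ');
          }
          break;
        case '#':
          // A leading '#' would otherwise mark a hex-encoded (BER) value.
          if (i == 0) {
            sb.append("\\#");
          } else {
            sb.append('#');
          }
          break;
        default:
          sb.append(c);
      }
    }
    return sb.toString();
  }
}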