def wrap(self, message):
encoded = self.sasl.wrap(message)
sasl_message = RpcSaslProto()
sasl_message.state = 5 # WRAP
sasl_message.token = encoded
self._send_sasl_message(sasl_message)
def wrap(self, message):
ret, encoded = self.sasl.encode(message)
if not ret:
raise Exception("Cannot encode message: %s" % (self.sasl.getError()))
sasl_message = RpcSaslProto()
sasl_message.state = 5 # WRAP
sasl_message.token = encoded
self._send_sasl_message(sasl_message)
def wrap(self, message):
ret, encoded = self.sasl.encode(message)
if not ret:
raise Exception("Cannot encode message: %s" %
(self.sasl.getError()))
sasl_message = RpcSaslProto()
sasl_message.state = 5 # WRAP
sasl_message.token = encoded
self._send_sasl_message(sasl_message)
def wrap(self, message):
ret, encoded = self.sasl.encode(message)
if not ret:
raise Exception("Cannot encode message: %s" % (self.sasl.getError()))
sasl_message = RpcSaslProto()
sasl_message.state = 5 # WRAP
# Java follows RFC2222 meanwhile Cyrus Sasl follows 4422
# To make the two implementation to work, the first 4 bytes from
# the encrypted token are stripped.
# More info https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003002.html
sasl_message.token = encoded[4:]
self._send_sasl_message(sasl_message)
def connect(self):
# use service name component from principal
try:
service, host, realm = re.split("[\/@]", str(HDFSConfig.hdfs_namenode_principal))
if host.lower() == "_host":
host = self._trans.host
except ValueError:
raise Exception("Error parsing kerberos principal: %s" % repr(HDFSConfig.hdfs_namenode_principal))
negotiate = RpcSaslProto()
negotiate.state = 1
self._send_sasl_message(negotiate)
self.sasl = sasl.Client()
self.sasl.setAttr("service", service)
self.sasl.setAttr("host", host)
self.sasl.init()
# do while true
while True:
res = self._recv_sasl_message()
# TODO: check mechanisms
if res.state == 1:
mechs = []
for auth in res.auths:
mechs.append(auth.mechanism)
log.debug("Available mechs: %s" % (",".join(mechs)))
s_mechs = str(",".join(mechs))
ret, chosen_mech, initial_response = self.sasl.start(s_mechs)
if not ret:
raise Exception("Sasl failed to start: %s" % self.sasl.getError())
log.debug("Chosen mech: %s" % chosen_mech)
initiate = RpcSaslProto()
initiate.state = 2
initiate.token = initial_response
for auth in res.auths:
if auth.mechanism == chosen_mech:
auth_method = initiate.auths.add()
auth_method.mechanism = chosen_mech
auth_method.method = auth.method
auth_method.protocol = auth.protocol
auth_method.serverId = auth.serverId
self._send_sasl_message(initiate)
continue
if res.state == 3:
res_token = self._evaluate_token(res)
response = RpcSaslProto()
response.token = res_token
response.state = 4
self._send_sasl_message(response)
continue
if res.state == 0:
return True
def connect(self):
# use service name component from principal
service = re.split('[\/@]', str(self.hdfs_namenode_principal))[0]
negotiate = RpcSaslProto()
negotiate.state = 1
self._send_sasl_message(negotiate)
self.sasl = sasl.Client()
self.sasl.setAttr("service", service)
self.sasl.setAttr("host", self._trans.host)
self.sasl.init()
# do while true
while True:
res = self._recv_sasl_message()
# TODO: check mechanisms
if res.state == 1:
mechs = []
for auth in res.auths:
mechs.append(auth.mechanism)
log.debug("Available mechs: %s" % (",".join(mechs)))
s_mechs = str(",".join(mechs))
ret, chosen_mech, initial_response = self.sasl.start(s_mechs)
log.debug("Chosen mech: %s" % chosen_mech)
initiate = RpcSaslProto()
initiate.state = 2
initiate.token = initial_response
for auth in res.auths:
if auth.mechanism == chosen_mech:
auth_method = initiate.auths.add()
auth_method.mechanism = chosen_mech
auth_method.method = auth.method
auth_method.protocol = auth.protocol
auth_method.serverId = self._trans.host
self._send_sasl_message(initiate)
continue
if res.state == 3:
res_token = self._evaluate_token(res)
response = RpcSaslProto()
response.token = res_token
response.state = 4
self._send_sasl_message(response)
continue
if res.state == 0:
return True
def connect(self):
# use service name component from principal
service = re.split('[\/@]', str(self.hdfs_namenode_principal))[0]
if not self.sasl:
self.sasl = SASLClient(self._trans.host, service)
negotiate = RpcSaslProto()
negotiate.state = 1
self._send_sasl_message(negotiate)
# do while true
while True:
res = self._recv_sasl_message()
# TODO: check mechanisms
if res.state == 1:
mechs = []
for auth in res.auths:
mechs.append(auth.mechanism)
log.debug("Available mechs: %s" % (",".join(mechs)))
self.sasl.choose_mechanism(mechs, allow_anonymous=False)
log.debug("Chosen mech: %s" % self.sasl.mechanism)
initiate = RpcSaslProto()
initiate.state = 2
initiate.token = self.sasl.process()
for auth in res.auths:
if auth.mechanism == self.sasl.mechanism:
auth_method = initiate.auths.add()
auth_method.mechanism = self.sasl.mechanism
auth_method.method = auth.method
auth_method.protocol = auth.protocol
auth_method.serverId = self._trans.host
self._send_sasl_message(initiate)
continue
if res.state == 3:
res_token = self._evaluate_token(res)
response = RpcSaslProto()
response.token = res_token
response.state = 4
self._send_sasl_message(response)
continue
if res.state == 0:
return True
def connect(self):
negotiate = RpcSaslProto()
negotiate.state = 1
self._send_sasl_message(negotiate)
self.sasl = sasl.Client()
self.sasl.setAttr("service", "hdfs")
self.sasl.setAttr("host", self._trans.host)
self.sasl.init()
# do while true
while True:
res = self._recv_sasl_message()
# TODO: check mechanisms
if res.state == 1:
mechs = []
for auth in res.auths:
mechs.append(auth.mechanism)
log.debug("Available mechs: %s" % (",".join(mechs)))
s_mechs = str(",".join(mechs))
ret, chosen_mech, initial_response = self.sasl.start(s_mechs)
log.debug("Chosen mech: %s" % chosen_mech)
initiate = RpcSaslProto()
initiate.state = 2
initiate.token = initial_response
for auth in res.auths:
if auth.mechanism == chosen_mech:
auth_method = initiate.auths.add()
auth_method.mechanism = chosen_mech
auth_method.method = auth.method
auth_method.protocol = auth.protocol
auth_method.serverId = self._trans.host
self._send_sasl_message(initiate)
continue
if res.state == 3:
res_token = self._evaluate_token(res)
response = RpcSaslProto()
response.token = res_token
response.state = 4
self._send_sasl_message(response)
continue
if res.state == 0:
return True
def negotiate_sasl(self, token):
log.debug("##############NEGOTIATING SASL#####################")
# Prepares negotiate request
header_bytes = self.create_sasl_header().SerializeToString()
negotiate_request = RpcSaslProto()
negotiate_request.state = RpcSaslProto.NEGOTIATE
negotiate_request.version = 0
sasl_bytes = negotiate_request.SerializeToString()
total_length = (
len(header_bytes)
+ len(sasl_bytes)
+ encoder._VarintSize(len(header_bytes))
+ encoder._VarintSize(len(sasl_bytes))
)
# Sends negotiate request
self.write(struct.pack("!I", total_length))
self.write_delimited(header_bytes)
self.write_delimited(sasl_bytes)
# Gets negotiate response
bytes = self.recv_rpc_message()
resp = self.parse_response(bytes, RpcSaslProto)
chosen_auth = None
for auth in resp.auths:
if auth.method == "TOKEN" and auth.mechanism == "DIGEST-MD5":
chosen_auth = auth
if chosen_auth is None:
raise IOError("Token digest-MD5 authentication not supported by server")
# Prepares initiate request
self.sasl = SASLClient(
chosen_auth.serverId,
chosen_auth.protocol,
mechanism=chosen_auth.mechanism,
username=base64.b64encode(token["identifier"]),
password=base64.b64encode(token["password"]),
)
challenge_resp = self.sasl.process(chosen_auth.challenge)
auth = RpcSaslProto.SaslAuth()
auth.method = chosen_auth.method
auth.mechanism = chosen_auth.mechanism
auth.protocol = chosen_auth.protocol
auth.serverId = chosen_auth.serverId
initiate_request = RpcSaslProto()
initiate_request.state = RpcSaslProto.INITIATE
initiate_request.version = 0
initiate_request.auths.extend([auth])
initiate_request.token = challenge_resp
sasl_bytes = initiate_request.SerializeToString()
total_length = (
len(header_bytes)
+ len(sasl_bytes)
+ encoder._VarintSize(len(header_bytes))
+ encoder._VarintSize(len(sasl_bytes))
)
# Sends initiate request
self.write(struct.pack("!I", total_length))
self.write_delimited(header_bytes)
self.write_delimited(sasl_bytes)
bytes = self.recv_rpc_message()
resp = self.parse_response(bytes, RpcSaslProto)
def connect(self):
# use service name component from principal
service = re.split('[\/@]', str(self.hdfs_namenode_principal))[0]
negotiate = RpcSaslProto()
negotiate.state = 1
self._send_sasl_message(negotiate)
if not self.sasl:
self.sasl = sasl.Client()
self.sasl.setAttr("service", service)
self.sasl.setAttr("host", self._trans.host)
self.sasl.init()
while True:
res = self._recv_sasl_message()
if res.state == 1:
mechs = []
for auth in res.auths:
mechs.append(auth.mechanism)
log.debug("Available mechs: %s" % (",".join(mechs)))
s_mechs = str(",".join(mechs))
ret, chosen_mech, initial_response = self.sasl.start(s_mechs)
log.debug("Chosen mech: %s" % chosen_mech)
initiate = RpcSaslProto()
initiate.state = 2
initiate.token = initial_response
for auth in res.auths:
if auth.mechanism == chosen_mech.decode():
log.debug("chosen_mech.decode(): " + chosen_mech.decode())
auth_method = initiate.auths.add()
auth_method.mechanism = chosen_mech.decode()
auth_method.method = auth.method
auth_method.protocol = auth.protocol
auth_method.serverId = self._trans.host
self._send_sasl_message(initiate)
continue
if res.state == 3:
res_token = self._evaluate_token(res)
response = RpcSaslProto()
response.token = res_token
response.state = 4
self._send_sasl_message(response)
continue
if res.state == 0:
return True
