|
@@ -59,6 +59,7 @@ public class ZooKeeperSaslClient {
|
|
|
private static final Logger LOG = LoggerFactory.getLogger(ZooKeeperSaslClient.class);
|
|
private static final Logger LOG = LoggerFactory.getLogger(ZooKeeperSaslClient.class);
|
|
|
private static Login login = null;
|
|
private static Login login = null;
|
|
|
private SaslClient saslClient;
|
|
private SaslClient saslClient;
|
|
|
|
|
+ private boolean isSASLConfigured = true;
|
|
|
|
|
|
|
|
private byte[] saslToken = new byte[0];
|
|
private byte[] saslToken = new byte[0];
|
|
|
|
|
|
|
@@ -92,12 +93,17 @@ public class ZooKeeperSaslClient {
|
|
|
String clientSection = System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");
|
|
String clientSection = System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client");
|
|
|
// Note that 'Configuration' here refers to javax.security.auth.login.Configuration.
|
|
// Note that 'Configuration' here refers to javax.security.auth.login.Configuration.
|
|
|
AppConfigurationEntry entries[] = null;
|
|
AppConfigurationEntry entries[] = null;
|
|
|
- SecurityException securityException = null;
|
|
|
|
|
|
|
+ RuntimeException runtimeException = null;
|
|
|
try {
|
|
try {
|
|
|
entries = Configuration.getConfiguration().getAppConfigurationEntry(clientSection);
|
|
entries = Configuration.getConfiguration().getAppConfigurationEntry(clientSection);
|
|
|
} catch (SecurityException e) {
|
|
} catch (SecurityException e) {
|
|
|
// handle below: might be harmless if the user doesn't intend to use JAAS authentication.
|
|
// handle below: might be harmless if the user doesn't intend to use JAAS authentication.
|
|
|
- securityException = e;
|
|
|
|
|
|
|
+ runtimeException = e;
|
|
|
|
|
+ } catch (IllegalArgumentException e) {
|
|
|
|
|
+ // third party customized getAppConfigurationEntry could throw IllegalArgumentException when JAAS
|
|
|
|
|
+ // configuration isn't set. We can reevaluate whether to catch RuntimeException instead when more
|
|
|
|
|
+ // different types of RuntimeException found
|
|
|
|
|
+ runtimeException = e;
|
|
|
}
|
|
}
|
|
|
if (entries != null) {
|
|
if (entries != null) {
|
|
|
this.configStatus = "Will attempt to SASL-authenticate using Login Context section '" + clientSection + "'";
|
|
this.configStatus = "Will attempt to SASL-authenticate using Login Context section '" + clientSection + "'";
|
|
@@ -110,11 +116,11 @@ public class ZooKeeperSaslClient {
|
|
|
if (explicitClientSection != null) {
|
|
if (explicitClientSection != null) {
|
|
|
// If the user explicitly overrides the default Login Context, they probably expected SASL to
|
|
// If the user explicitly overrides the default Login Context, they probably expected SASL to
|
|
|
// succeed. But if we got here, SASL failed.
|
|
// succeed. But if we got here, SASL failed.
|
|
|
- if (securityException != null) {
|
|
|
|
|
|
|
+ if (runtimeException != null) {
|
|
|
throw new LoginException("Zookeeper client cannot authenticate using the " + explicitClientSection +
|
|
throw new LoginException("Zookeeper client cannot authenticate using the " + explicitClientSection +
|
|
|
" section of the supplied JAAS configuration: '" +
|
|
" section of the supplied JAAS configuration: '" +
|
|
|
System.getProperty(Environment.JAAS_CONF_KEY) + "' because of a " +
|
|
System.getProperty(Environment.JAAS_CONF_KEY) + "' because of a " +
|
|
|
- "SecurityException: " + securityException);
|
|
|
|
|
|
|
+ "RuntimeException: " + runtimeException);
|
|
|
} else {
|
|
} else {
|
|
|
throw new LoginException("Client cannot SASL-authenticate because the specified JAAS configuration " +
|
|
throw new LoginException("Client cannot SASL-authenticate because the specified JAAS configuration " +
|
|
|
"section '" + explicitClientSection + "' could not be found.");
|
|
"section '" + explicitClientSection + "' could not be found.");
|
|
@@ -123,21 +129,22 @@ public class ZooKeeperSaslClient {
|
|
|
// The user did not override the default context. It might be that they just don't intend to use SASL,
|
|
// The user did not override the default context. It might be that they just don't intend to use SASL,
|
|
|
// so log at INFO, not WARN, since they don't expect any SASL-related information.
|
|
// so log at INFO, not WARN, since they don't expect any SASL-related information.
|
|
|
String msg = "Will not attempt to authenticate using SASL ";
|
|
String msg = "Will not attempt to authenticate using SASL ";
|
|
|
- if (securityException != null) {
|
|
|
|
|
- msg += "(" + securityException.getLocalizedMessage() + ")";
|
|
|
|
|
|
|
+ if (runtimeException != null) {
|
|
|
|
|
+ msg += "(" + runtimeException + ")";
|
|
|
} else {
|
|
} else {
|
|
|
msg += "(unknown error)";
|
|
msg += "(unknown error)";
|
|
|
}
|
|
}
|
|
|
this.configStatus = msg;
|
|
this.configStatus = msg;
|
|
|
|
|
+ this.isSASLConfigured = false;
|
|
|
}
|
|
}
|
|
|
if (System.getProperty(Environment.JAAS_CONF_KEY) != null) {
|
|
if (System.getProperty(Environment.JAAS_CONF_KEY) != null) {
|
|
|
// Again, the user explicitly set something SASL-related, so they probably expected SASL to succeed.
|
|
// Again, the user explicitly set something SASL-related, so they probably expected SASL to succeed.
|
|
|
- if (securityException != null) {
|
|
|
|
|
|
|
+ if (runtimeException != null) {
|
|
|
throw new LoginException("Zookeeper client cannot authenticate using the '" +
|
|
throw new LoginException("Zookeeper client cannot authenticate using the '" +
|
|
|
System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") +
|
|
System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") +
|
|
|
"' section of the supplied JAAS configuration: '" +
|
|
"' section of the supplied JAAS configuration: '" +
|
|
|
System.getProperty(Environment.JAAS_CONF_KEY) + "' because of a " +
|
|
System.getProperty(Environment.JAAS_CONF_KEY) + "' because of a " +
|
|
|
- "SecurityException: " + securityException);
|
|
|
|
|
|
|
+ "RuntimeException: " + runtimeException);
|
|
|
} else {
|
|
} else {
|
|
|
throw new LoginException("No JAAS configuration section named '" +
|
|
throw new LoginException("No JAAS configuration section named '" +
|
|
|
System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") +
|
|
System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") +
|
|
@@ -147,7 +154,7 @@ public class ZooKeeperSaslClient {
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
/**
|
|
/**
|
|
|
* @return informational message indicating the current configuration status.
|
|
* @return informational message indicating the current configuration status.
|
|
|
*/
|
|
*/
|
|
@@ -480,6 +487,9 @@ public class ZooKeeperSaslClient {
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
public boolean clientTunneledAuthenticationInProgress() {
|
|
public boolean clientTunneledAuthenticationInProgress() {
|
|
|
|
|
+ if (!isSASLConfigured) {
|
|
|
|
|
+ return false;
|
|
|
|
|
+ }
|
|
|
// TODO: Rather than checking a disjunction here, should be a single member
|
|
// TODO: Rather than checking a disjunction here, should be a single member
|
|
|
// variable or method in this class to determine whether the client is
|
|
// variable or method in this class to determine whether the client is
|
|
|
// configured to use SASL. (see also ZOOKEEPER-1455).
|
|
// configured to use SASL. (see also ZOOKEEPER-1455).
|
Mahadev Konar