/* * Copyright © 2014 Cask Data, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy of * the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations under * the License. */ package co.cask.cdap.security.runtime; import co.cask.cdap.common.ServiceBindException; import co.cask.cdap.common.conf.CConfiguration; import co.cask.cdap.common.conf.Constants; import co.cask.cdap.common.guice.ConfigModule; import co.cask.cdap.common.guice.DiscoveryRuntimeModule; import co.cask.cdap.common.guice.IOModule; import co.cask.cdap.common.guice.ZKClientModule; import co.cask.cdap.common.kerberos.SecurityUtil; import co.cask.cdap.common.runtime.DaemonMain; import co.cask.cdap.security.guice.SecurityModules; import co.cask.cdap.security.server.ExternalAuthenticationServer; import com.google.common.base.Throwables; import com.google.common.util.concurrent.Futures; import com.google.inject.Guice; import com.google.inject.Injector; import org.apache.twill.internal.Services; import org.apache.twill.zookeeper.ZKClientService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** * Server for authenticating clients accessing CDAP. When a client authenticates successfully, it is issued * an access token containing a verifiable representation of the client's identity. Other CDAP services * (such as the router) can independently verify client identities based on the token contents. 
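*/
public class AuthenticationServerMain extends DaemonMain {
  private static final Logger LOG = LoggerFactory.getLogger(AuthenticationServerMain.class);

  // All three are set in init(). zkClientService and authServer remain null when security is
  // disabled; start() and stop() use that as the "nothing to run" signal.
  private ZKClientService zkClientService;
  private ExternalAuthenticationServer authServer;
  private CConfiguration configuration;

  /**
   * Builds the Guice injector and, only when {@code security.enabled} is true, obtains the
   * ZooKeeper client and the authentication server instances. With security disabled the two
   * service fields are left unset so that {@link #start()} only emits a warning.
   *
   * @param args command-line arguments (not used here)
   */
  @Override
  public void init(String[] args) {
    Injector injector = Guice.createInjector(
      new ConfigModule(),
      new IOModule(),
      new SecurityModules().getDistributedModules(),
      new DiscoveryRuntimeModule().getDistributedModules(),
      new ZKClientModule());
    configuration = injector.getInstance(CConfiguration.class);
    if (configuration.getBoolean(Constants.Security.ENABLED)) {
      zkClientService = injector.getInstance(ZKClientService.class);
      authServer = injector.getInstance(ExternalAuthenticationServer.class);
    }
  }

  /**
   * Enables the Kerberos login, then starts the ZooKeeper client followed by the authentication
   * server. A startup failure is logged and not rethrown, so the process presumably keeps running
   * without an authentication server (TODO confirm against DaemonMain); operators need to watch
   * for the error line.
   */
  @Override
  public void start() {
    if (authServer == null) {
      LOG.warn("AuthenticationServer not started since security is disabled."
                 + " To enable security, set \"security.enabled\" = \"true\" in cdap-site.xml"
                 + " and edit the appropriate configuration.");
      return;
    }
    try {
      LOG.info("Starting AuthenticationServer.");
      // The Kerberos login must precede service startup. A failure here is thrown straight
      // into this method and is NOT routed through the services' uncaught-exception handler.
      SecurityUtil.enableKerberosLogin(configuration);
      Services.chainStart(zkClientService, authServer);
    } catch (Exception e) {
      Throwable rootCause = Throwables.getRootCause(e);
      if (rootCause instanceof ServiceBindException) {
        // Address/port in use: the bind message alone is actionable, no stack trace needed.
        LOG.error("Failed to start Authentication Server: {}", rootCause.getMessage());
      } else {
        // Attach the throwable so a failure raised outside the service lifecycle (e.g. the
        // Kerberos login above) is not reduced to a bare one-line message. A failure inside the
        // services may additionally be logged by UncaughtExceptionIdleService.UNCAUGHT_EXCEPTION_HANDLER.
        LOG.error("Failed to start Authentication Server", e);
      }
    }
  }

  /**
   * Stops the authentication server and then the ZooKeeper client (reverse of the start order),
   * blocking until both have stopped. Does nothing when security is disabled, since no server was
   * created in {@link #init(String[])}.
   */
  @Override
  public void stop() {
    if (authServer == null) {
      return;
    }
    LOG.info("Stopping AuthenticationServer.");
    // getUnchecked waits for the chained stop and rethrows any failure as an unchecked exception.
    Futures.getUnchecked(Services.chainStop(authServer, zkClientService));
  }

  /** Nothing to release beyond what {@link #stop()} already handles. */
  @Override
  public void destroy() {
  }

  /**
   * Entry point; hands the arguments to {@link DaemonMain#doMain(String[])}, which presumably
   * drives the init/start/stop lifecycle of this daemon.
   *
   * @param args command-line arguments, passed through to {@link #init(String[])}
   * @throws Exception propagated from the daemon lifecycle
   */
  public static void main(String[] args) throws Exception {
    new AuthenticationServerMain().doMain(args);
  }
}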