in mr/src/main/java/org/elasticsearch/hadoop/rest/commonshttp/CommonsHttpTransport.java [297:394]
/**
 * Wires HTTP authentication into the shared {@code client} from the job settings and the
 * currently logged in user.
 *
 * <p>Up to two credential sets are registered on the {@link HttpState} kept in
 * {@code authSettings[1]} (the state is created here if that slot is still null):
 * <ol>
 *   <li>Basic credentials, when an HTTP auth user name is configured. This also switches the
 *       client to preemptive authentication.</li>
 *   <li>Either API key credentials (when the current user holds a token for {@code clusterName})
 *       or, failing that, SPNEGO credentials (when the user provider reports Kerberos as
 *       enabled). A token always wins over Kerberos.</li>
 * </ol>
 * The scheme names are collected in registration order and stored on the client as
 * {@code AuthPolicy.AUTH_SCHEME_PRIORITY}, so Basic is listed ahead of API key / SPNEGO when both
 * are configured.
 *
 * <p>Security note: every {@link AuthScope} built here matches any host, port and realm, so the
 * registered credentials are not bound to the Elasticsearch nodes (see the TODOs below).
 *
 * @param settings       read for the HTTP auth user name and the Elasticsearch SPNEGO principal
 * @param secureSettings source of the Basic auth password
 * @param authSettings   holder array; only index 1 (the {@code HttpState}) is read and written here
 * @throws EsHadoopIllegalArgumentException if Kerberos is enabled but no Elasticsearch principal
 *         is configured, or no Kerberos principal can be found on the (real) user
 */
private void addHttpAuth(Settings settings, SecureSettings secureSettings, Object[] authSettings) {
    // Ordered list of auth scheme names; insertion order becomes the client's scheme priority.
    List<String> authPrefs = new ArrayList<String>();
    if (StringUtils.hasText(settings.getNetworkHttpAuthUser())) {
        // Reuse the HttpState already stored in slot 1, otherwise create one and store it back.
        // NOTE(review): assumes authSettings has at least two slots and that slot 1, when set,
        // is an HttpState - confirm against the caller.
        HttpState state = (authSettings[1] != null ? (HttpState) authSettings[1] : new HttpState());
        authSettings[1] = state;
        // TODO: Limit this by hosts and ports
        // Security: this scope matches ANY host/port/realm, so the Basic credentials are eligible
        // for every endpoint this client talks to, not only the configured Elasticsearch nodes.
        AuthScope scope = new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM, AuthPolicy.BASIC);
        // The password is pulled from secure settings and handed straight to the credentials object.
        Credentials usernamePassword = new UsernamePasswordCredentials(settings.getNetworkHttpAuthUser(),
                secureSettings.getSecureProperty(ConfigurationOptions.ES_NET_HTTP_AUTH_PASS));
        state.setCredentials(scope, usernamePassword);
        if (log.isDebugEnabled()) {
            // Deliberately logs no user name or password; keep secrets out of this message.
            log.debug("Using detected HTTP Auth credentials...");
        }
        authPrefs.add(AuthPolicy.BASIC);
        // NOTE(review): preemptive mode is set on the client's parameters, so it presumably applies
        // to every request made through this client. Together with the ANY_HOST scope above, the
        // Basic header would be sent without waiting for a challenge; verify that TLS is enforced
        // elsewhere and that this client cannot be pointed at (or redirected to) hosts outside
        // the cluster.
        client.getParams().setAuthenticationPreemptive(true); // Preemptive auth only if there's basic creds.
    }
    // Try auth schemes based on currently logged in user:
    if (userProvider != null) {
        // NOTE(review): the returned user is dereferenced below without a null check - confirm
        // that getUser() cannot return null.
        User user = userProvider.getUser();
        // Add ApiKey Authentication if a key is present
        if (log.isDebugEnabled()) {
            log.debug("checking for token using cluster name [" + clusterName + "]");
        }
        if (user.getEsToken(clusterName) != null) {
            // Same lazy create-or-reuse of the shared HttpState as in the Basic branch.
            HttpState state = (authSettings[1] != null ? (HttpState) authSettings[1] : new HttpState());
            authSettings[1] = state;
            // TODO: Limit this by hosts and ports
            // Security: as with Basic, the API key credentials are scoped to any host/port/realm.
            AuthScope scope = new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM, EsHadoopAuthPolicies.APIKEY);
            // The credentials object receives the provider and cluster name, not the token that
            // was just checked for.
            Credentials tokenCredentials = new EsApiKeyCredentials(userProvider, clusterName);
            state.setCredentials(scope, tokenCredentials);
            if (log.isDebugEnabled()) {
                log.debug("Using detected Token credentials...");
            }
            // Register the project's auth schemes before advertising APIKEY in the priority list.
            EsHadoopAuthPolicies.registerAuthSchemes();
            authPrefs.add(EsHadoopAuthPolicies.APIKEY);
        } else if (userProvider.isEsKerberosEnabled()) {
            // Add SPNEGO auth if a kerberos principal exists on the user and the elastic principal is set
            // Only do this if a token does not exist on the current user.
            // The auth mode may say that it is Kerberos, but the client
            // could be running in a remote JVM that does not have the
            // Kerberos credentials available.
            // Fail fast: the target service principal is mandatory for SPNEGO, and both checks in
            // this branch throw before the shared HttpState is touched.
            if (!StringUtils.hasText(settings.getNetworkSpnegoAuthElasticsearchPrincipal())) {
                throw new EsHadoopIllegalArgumentException("Missing Elasticsearch Kerberos Principal name. " +
                        "Specify one with [" + ConfigurationOptions.ES_NET_SPNEGO_AUTH_ELASTICSEARCH_PRINCIPAL + "]");
            }
            // Pick the appropriate user provider to get credentials from for SPNEGO auth
            UserProvider credentialUserProvider;
            if (user.isProxyUser()) {
                // If the user is a proxy user, get a provider for the real
                // user and capture the proxy user's name to impersonate
                // proxyUserProvider and runAsUser are not declared in this method - presumably
                // instance fields consumed elsewhere for impersonation; verify where the run-as
                // name is applied and that the server authorizes it.
                proxyUserProvider = user.getRealUserProvider();
                runAsUser = user.getUserName();
                // Ensure that this real user even has Kerberos Creds:
                User realUser = proxyUserProvider.getUser();
                KerberosPrincipal realPrincipal = realUser.getKerberosPrincipal();
                if (realPrincipal == null) {
                    throw new EsHadoopIllegalArgumentException("Could not locate Kerberos Principal on real user [" +
                            realUser.getUserName() + "] underneath proxy user [" + runAsUser + "]");
                }
                if (log.isDebugEnabled()) {
                    // Logs user names only (real and impersonated), no credential material.
                    log.debug("Using detected SPNEGO credentials for real user [" + realUser.getUserName() + "] to proxy as [" +
                            runAsUser + "]...");
                }
                // Authenticate as the real user; the proxy user name was captured in runAsUser above.
                credentialUserProvider = proxyUserProvider;
            } else if (user.getKerberosPrincipal() != null) {
                // Ensure that the user principal exists
                if (log.isDebugEnabled()) {
                    log.debug("Using detected SPNEGO credentials for user [" + user.getUserName() + "]...");
                }
                credentialUserProvider = userProvider;
            } else {
                // Kerberos is enabled but this JVM has no principal to authenticate with.
                throw new EsHadoopIllegalArgumentException("Could not locate Kerberos Principal on currently logged in user.");
            }
            // Add the user provider to credentials
            HttpState state = (authSettings[1] != null ? (HttpState) authSettings[1] : new HttpState());
            authSettings[1] = state;
            // TODO: Limit this by hosts and ports
            // Security: the SPNEGO credentials are likewise scoped to any host/port/realm.
            AuthScope scope = new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM, EsHadoopAuthPolicies.NEGOTIATE);
            // TODO: This should just pass in the user provider instead of getting the user principal at this point.
            // NOTE(review): the call below already passes the provider, so the TODO above may be stale.
            Credentials credential = new SpnegoCredentials(credentialUserProvider, settings.getNetworkSpnegoAuthElasticsearchPrincipal());
            state.setCredentials(scope, credential);
            EsHadoopAuthPolicies.registerAuthSchemes();
            authPrefs.add(EsHadoopAuthPolicies.NEGOTIATE);
        }
    } else {
        if (log.isDebugEnabled()) {
            log.debug("No UserProvider configured. Skipping Kerberos/Token auth settings");
        }
    }
    if (log.isDebugEnabled()) {
        // Only scheme names are logged here, never the credentials themselves.
        log.debug("Using auth prefs: [" + authPrefs + "]");
    }
    // Publish the scheme priority; the list is empty when no credentials were configured above.
    client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
}