[SKV-670] feat(security): Support to use the principal of Unix accoun…

…t for authentication (apache#1569)
GehaFearless · Aug 17, 2023 · 908d364 · 908d364
1 parent 58db7e8
commit 908d364
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/src/rdsn/src/runtime/security/init.cpp b/src/rdsn/src/runtime/security/init.cpp
@@ -21,11 +21,14 @@
 
 #include <dsn/dist/fmt_logging.h>
 #include <dsn/utility/flags.h>
+#include <dsn/utility/strings.h>
 
 namespace dsn {
 namespace security {
+DSN_DECLARE_bool(enable_auth);
 DSN_DECLARE_string(krb5_config);
 DSN_DECLARE_string(krb5_keytab);
+DSN_DECLARE_string(krb5_principal);
 
 /***
  * set kerberos envs(for more details:
@@ -41,6 +44,12 @@ void set_krb5_env(bool is_server)
 
 error_s init_kerberos(bool is_server)
 {
+    // When FLAGS_enable_auth is set but lacks of necessary parameters to execute kinit by itself,
+    // then try to obtain the principal under the current Unix account for identity
+    // authentication automatically.
+    if (FLAGS_enable_auth && 0 == strlen(FLAGS_krb5_keytab) && 0 == strlen(FLAGS_krb5_principal)) {
+        return run_get_principal_without_kinit();
+    }
     // set kerberos env
     set_krb5_env(is_server);
 

diff --git a/src/rdsn/src/runtime/security/kinit_context.cpp b/src/rdsn/src/runtime/security/kinit_context.cpp
@@ -80,6 +80,9 @@ class kinit_context : public utils::singleton<kinit_context>
 public:
     // implementation of 'kinit -k -t <keytab_file> <principal>'
     error_s kinit();
+    // If kinit has been executed outside the program, then directly obtain the principal
+    // information of the unix account for permission verification.
+    error_s get_principal_without_kinit();
     const std::string &username() const { return _user_name; }
 
 private:
@@ -161,6 +164,26 @@ error_s kinit_context::kinit()
     return error_s::ok();
 }
 
+// obtain _principal info under the current unix account for permission verification.
+error_s kinit_context::get_principal_without_kinit()
+{
+    // get krb5_ctx
+    init_krb5_ctx();
+
+    // acquire credential cache handle
+    KRB5_RETURN_NOT_OK(krb5_cc_default(_krb5_context, &_ccache),
+                       "couldn't acquire credential cache handle");
+
+    // get '_principal' from '_ccache'
+    KRB5_RETURN_NOT_OK(krb5_cc_get_principal(_krb5_context, _ccache, &_principal),
+                       "get principal from cache failed");
+
+    // get '_user_name' from '_principal'
+    RETURN_NOT_OK(parse_username_from_principal());
+
+    return error_s::ok();
+}
+
 void kinit_context::init_krb5_ctx()
 {
     static std::once_flag once;
@@ -320,6 +343,11 @@ error_s kinit_context::wrap_krb5_err(krb5_error_code krb5_err, const std::string
 
 error_s run_kinit() { return kinit_context::instance().kinit(); }
 
+error_s run_get_principal_without_kinit()
+{
+    return kinit_context::instance().get_principal_without_kinit();
+}
+
 const std::string &get_username() { return kinit_context::instance().username(); }
 } // namespace security
 } // namespace dsn
diff --git a/src/rdsn/src/runtime/security/kinit_context.h b/src/rdsn/src/runtime/security/kinit_context.h
@@ -22,6 +22,7 @@
 namespace dsn {
 namespace security {
 extern error_s run_kinit();
+extern error_s run_get_principal_without_kinit();
 extern const std::string &get_username();
 } // namespace security
 } // namespace dsn