List of usage examples for org.apache.hadoop.security SaslRpcServer splitKerberosName
public static String[] splitKerberosName(String fullName)
From source file: org.apache.sentry.service.thrift.HiveSimpleConnectionFactory.java
License: Apache License
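/**
 * Initializes the factory.
 * For insecure connections there is nothing to initialize.
 * For Kerberos connections, resolves the server principal, validates the
 * principal and keytab configuration and sets up the ticket-renewal context.
 *
 * @throws IOException if the server principal cannot be resolved from the RPC address
 * @throws LoginException if the Kerberos login performed during initialization fails
 * @throws NullPointerException if the principal or keytab configuration is missing
 * @throws IllegalArgumentException if the resolved principal does not have 3 parts
 * @throws IllegalStateException if the keytab file does not exist or is not readable
 */
public void init() throws IOException, LoginException {
    if (insecure) {
        LOGGER.info("Using insecure connection to HMS");
        return;
    }
    LOGGER.info("Using secured connection to HMS");
    int port = conf.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
    String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
        "%s is required", ServerConfig.PRINCIPAL);
    // Resolves the _HOST placeholder against the configured RPC address, the same
    // way the server side does, so client and server agree on the service principal.
    String principal = SecurityUtil.getServerPrincipal(rawPrincipal,
        NetUtils.createSocketAddr(
            conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT), port)
            .getAddress());
    LOGGER.debug("Opening kerberos connection to HMS using kerberos principal {}", principal);
    String[] principalParts = SaslRpcServer.splitKerberosName(principal);
    Preconditions.checkArgument(principalParts.length == 3,
        "Kerberos principal %s should have 3 parts", principal);
    // Fixed typo in the error message ("paraeter" -> "parameter").
    String keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
        "Configuration is missing required %s parameter", ServerConfig.KEY_TAB);
    File keytabFile = new File(keytab);
    // Only existence and readability are verified here; overly permissive file modes
    // on the keytab are not detected by this check.
    Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
        "Keytab %s does not exist or is not readable", keytab);
    // Instantiating SentryKerberosContext in non-server mode handles the ticket renewal.
    kerberosContext = new SentryKerberosContext(principal, keytab, false);
    UserGroupInformation.setConfiguration(conf);
    LOGGER.info("Using secure connection to HMS");
}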
From source file: org.apache.sentry.service.thrift.SentryService.java
License: Apache License
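/**
 * Creates the Sentry service from {@code conf}: resolves the bind address,
 * determines the security mode, validates the Kerberos principal and keytab when
 * Kerberos is enabled, creates the store and leader monitor, and optionally
 * registers an HA standby signal handler.
 *
 * @param conf service configuration; {@code RPC_PORT} is rewritten in place when
 *             it is configured as 0 and a free port has been chosen
 * @throws Exception propagated from store or leader-monitor creation
 * @throws RuntimeException if the Kerberos principal cannot be resolved
 * @throws IllegalArgumentException if the resolved principal does not have 3 parts
 * @throws IllegalStateException if the keytab file does not exist or is not readable
 */
public SentryService(Configuration conf) throws Exception {
    this.conf = conf;
    int port = conf.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
    if (port == 0) {
        // Port 0 means "pick any free port"; write the choice back so others can read it.
        port = findFreePort();
        conf.setInt(ServerConfig.RPC_PORT, port);
    }
    this.address = NetUtils.createSocketAddr(
        conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT), port);
    LOGGER.info("Configured on address {}", address);
    // Kerberos is the default when SECURITY_MODE is not set, i.e. secure by default.
    kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
        conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
    maxThreads = conf.getInt(ServerConfig.RPC_MAX_THREADS, ServerConfig.RPC_MAX_THREADS_DEFAULT);
    minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS, ServerConfig.RPC_MIN_THREADS_DEFAULT);
    maxMessageSize = conf.getLong(ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
        ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
    if (kerberos) {
        // Use Hadoop libraries to translate the _HOST placeholder with actual hostname
        try {
            String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
                ServerConfig.PRINCIPAL + " is required");
            principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
        } catch (IOException io) {
            // Message previously carried a stray trailing apostrophe.
            throw new RuntimeException("Can't translate kerberos principal", io);
        }
        LOGGER.info("Using kerberos principal: {}", principal);
        principalParts = SaslRpcServer.splitKerberosName(principal);
        // Template form avoids building the message eagerly on the success path.
        Preconditions.checkArgument(principalParts.length == 3,
            "Kerberos principal should have 3 parts: %s", principal);
        keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
            ServerConfig.KEY_TAB + " is required");
        File keytabFile = new File(keytab);
        // Only existence and readability are verified; keytab file permissions are not.
        Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
            "Keytab %s does not exist or is not readable.", keytab);
    } else {
        principal = null;
        principalParts = null;
        keytab = null;
    }
    ThreadFactory sentryServiceThreadFactory = new ThreadFactoryBuilder()
        .setNameFormat(SENTRY_SERVICE_THREAD_NAME).build();
    serviceExecutor = Executors.newSingleThreadExecutor(sentryServiceThreadFactory);
    this.sentryStore = getSentryStore(conf);
    sentryStore.setPersistUpdateDeltas(SentryServiceUtil.isHDFSSyncEnabled(conf));
    this.leaderMonitor = LeaderStatusMonitor.getLeaderStatusMonitor(conf);
    status = Status.NOT_STARTED;
    // Enable signal handler for HA leader/follower status if configured
    String sigName = conf.get(ServerConfig.SERVER_HA_STANDBY_SIG);
    if ((sigName != null) && !sigName.isEmpty()) {
        LOGGER.info("Registering signal handler {} for HA", sigName);
        try {
            registerSigListener(sigName, this);
        } catch (Exception e) {
            // Best effort: a missing signal handler must not prevent the service from starting.
            LOGGER.error("Failed to register signal", e);
        }
    }
}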
From source file: org.trustedanalytics.auth.gateway.sentry.SentryClient.java
License: Apache License
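/**
 * Builds a Sentry policy-service client from {@code builder}: resolves the server
 * principal the same way the server does, opens a SASL transport under the
 * builder's UGI and wraps it in a multiplexed Thrift protocol.
 *
 * @param builder configured client settings (address, port, principal, realm, UGI, super user)
 * @throws IOException if the server principal cannot be resolved or the transport cannot be opened
 * @throws IllegalArgumentException if the resolved server principal lacks a name or host part
 */
public SentryClient(Builder builder) throws IOException {
    this.address = builder.getAddress();
    this.port = builder.getPort();
    this.principal = builder.getPrincipal();
    this.realm = builder.getRealm();
    this.ugi = builder.getUgi();
    this.superUser = builder.getSuperUser();
    // Resolve server host in the same way as they are doing on server side
    String sentryPrincipalPattern = principal + HOST_PLACEHOLDER + realm;
    String serverPrincipal = SecurityUtil.getServerPrincipal(sentryPrincipalPattern, address);
    String[] serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
    // Bound the index checks by the actual number of parts. The previous hard-coded
    // size of 3 made the checks vacuous: a principal without a host part failed with an
    // ArrayIndexOutOfBoundsException instead of the intended IllegalArgumentException.
    String serviceName = serverPrincipalParts[Preconditions.checkElementIndex(0,
        serverPrincipalParts.length,
        "Not found principal name in sentry service principal " + serverPrincipal)];
    String serviceHost = serverPrincipalParts[Preconditions.checkElementIndex(1,
        serverPrincipalParts.length,
        "Not found host in sentry service principal " + serverPrincipal)];
    transport = new SaslClientTransport(serviceName, serviceHost).withUGI(this.ugi);
    try {
        transport.open();
    } catch (TTransportException e) {
        // Wrap as IOException for callers but keep the Thrift cause attached.
        throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
    }
    TProtocol tProtocol = new TBinaryProtocol(transport);
    TMultiplexedProtocol protocol = new TMultiplexedProtocol(tProtocol,
        SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME);
    client = new SentryPolicyService.Client(protocol);
}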