List of usage examples for org.apache.hadoop.security UserGroupInformation addToken
public boolean addToken(Token<? extends TokenIdentifier> token)
From source file:org.apache.hawq.pxf.service.utilities.SecuredHDFS.java
License:Apache License
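/**
 * Rebuilds a delegation token from its raw parts, verifies it with the NameNode
 * when one is available in the servlet context, and attaches it to the
 * UserGroupInformation named by the token identifier.
 *
 * Code in this function is copied from JspHelper.getTokenUGI
 *
 * <p>Security note: the NameNode check runs only when
 * {@code NameNodeHttpServer.getNameNodeFromContext} returns a non-null NameNode.
 * When it returns null, the identity is taken from the caller-supplied
 * identifier bytes and the password is never checked here. Any verification
 * then depends on whichever service later consumes the token. The log output
 * distinguishes the two cases so the unverified path is visible.
 *
 * @param identifier Delegation token identifier
 * @param password Delegation token password
 * @param kind the kind of token
 * @param service the service for this token
 * @param servletContext Jetty servlet context which contains the NN address
 *
 * @throws SecurityException Thrown when authentication fails, including when
 *         the identifier cannot be parsed or names no owner
 */
private static void verifyToken(byte[] identifier, byte[] password, Text kind, Text service,
        ServletContext servletContext) {
    try {
        Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(identifier, password,
                kind, service);

        // Parse the identifier bytes back into a structured identifier.
        DelegationTokenIdentifier id = new DelegationTokenIdentifier();
        id.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));

        final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(servletContext);
        final boolean verifiedByNameNode = nn != null;
        if (verifiedByNameNode) {
            nn.getNamesystem().verifyToken(id, token.getPassword());
        }

        // getUser() can return null for an identifier without an owner; the
        // identifier is untrusted input, so fail as an authentication error
        // instead of with a NullPointerException.
        UserGroupInformation userGroupInformation = id.getUser();
        if (userGroupInformation == null) {
            throw new SecurityException("Failed to verify delegation token: identifier has no owner");
        }
        userGroupInformation.addToken(token);

        if (verifiedByNameNode) {
            LOG.debug("user " + userGroupInformation.getUserName() + " ("
                    + userGroupInformation.getShortUserName() + ") authenticated");
        } else {
            // Do not claim authentication when nothing was checked. Kept at
            // debug level so that deployments without a local NameNode are not
            // flooded with one message per request.
            LOG.debug("user " + userGroupInformation.getUserName() + " ("
                    + userGroupInformation.getShortUserName()
                    + ") accepted without NameNode verification of the delegation token");
        }

        // re-login if necessary
        userGroupInformation.checkTGTAndReloginFromKeytab();
    } catch (IOException e) {
        throw new SecurityException("Failed to verify delegation token " + e, e);
    }
}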
From source file:org.apache.hive.service.cli.session.SessionUtils.java
License:Apache License
/**
 * Builds a delegation token from its string form and the given service name,
 * then attaches it to the supplied UGI.
 *
 * <p>The token string is a credential, so callers should keep it out of logs
 * and error messages.
 *
 * @param ugi the UserGroupInformation that receives the token
 * @param tokenStr string form of the delegation token, as accepted by {@code createToken}
 * @param tokenService service name passed to {@code createToken}
 * @throws IOException if {@code createToken} fails
 */
public static void setTokenStr(UserGroupInformation ugi, String tokenStr, String tokenService)
        throws IOException {
    ugi.addToken(createToken(tokenStr, tokenService));
}
From source file:org.apache.hoya.core.launch.ContainerLauncher.java
License:Apache License
/** * This code is in the dist shell examples -it's been moved here * so that if it is needed, it's still here * @return a remote user with a token to access the container. *///from w w w. j a v a 2 s . c o m public UserGroupInformation setupUGI() { UserGroupInformation user = UserGroupInformation.createRemoteUser(container.getId().toString()); String cmIpPortStr = container.getNodeId().getHost() + ":" + container.getNodeId().getPort(); final InetSocketAddress cmAddress = NetUtils.createSocketAddr(cmIpPortStr); org.apache.hadoop.yarn.api.records.Token containerToken = container.getContainerToken(); if (containerToken != null) { Token<ContainerTokenIdentifier> token = ConverterUtils.convertFromYarn(containerToken, cmAddress); user.addToken(token); } return user; }
From source file:org.apache.hoya.yarn.appmaster.rpc.RpcBinder.java
License:Apache License
/**
 * Opens an RPC proxy to the Hoya application master described by an
 * application report.
 *
 * <p>A fresh remote-user UGI is created with the current user's name. With
 * Hadoop security enabled, the client-to-AM token from the report is bound to
 * the AM address, added to that UGI, and the connection is made inside
 * {@code doAs}. Without security the connection is made directly.
 *
 * @param conf configuration passed to {@code connectToServer}
 * @param application report supplying host, RPC port and client-to-AM token
 * @param rpcTimeout timeout passed to {@code connectToServer}
 * @return the cluster protocol proxy
 * @throws IOException on connection problems
 * @throws HoyaException if the report has no host or a zero RPC port
 * @throws InterruptedException if the {@code doAs} call is interrupted
 */
public static HoyaClusterProtocol getProxy(final Configuration conf, ApplicationReport application,
        final int rpcTimeout) throws IOException, HoyaException, InterruptedException {
    String host = application.getHost();
    int port = application.getRpcPort();
    String address = host + ":" + port;
    boolean addressMissing = host == null || 0 == port;
    if (addressMissing) {
        throw new HoyaException(HoyaExitCodes.EXIT_CONNECTIVITY_PROBLEM,
                "Hoya YARN instance " + application.getName() + " isn't providing a valid address for the"
                        + " Hoya RPC protocol: " + address);
    }

    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    final UserGroupInformation newUgi = UserGroupInformation.createRemoteUser(currentUser.getUserName());
    final InetSocketAddress serviceAddr = NetUtils.createSocketAddrForHost(application.getHost(),
            application.getRpcPort());
    log.debug("Connecting to {}", serviceAddr);

    if (!UserGroupInformation.isSecurityEnabled()) {
        // Insecure cluster: no token is needed, so connect directly.
        return connectToServer(serviceAddr, newUgi, conf, rpcTimeout);
    }

    // Secure cluster: authenticate to the AM with the client-to-AM token.
    // NOTE(review): the token from the report is not null-checked before
    // conversion - confirm that the report always carries one in secure mode.
    org.apache.hadoop.yarn.api.records.Token clientToAMToken = application.getClientToAMToken();
    Token<ClientToAMTokenIdentifier> token = ConverterUtils.convertFromYarn(clientToAMToken, serviceAddr);
    newUgi.addToken(token);
    return newUgi.doAs(new PrivilegedExceptionAction<HoyaClusterProtocol>() {
        @Override
        public HoyaClusterProtocol run() throws IOException {
            return connectToServer(serviceAddr, newUgi, conf, rpcTimeout);
        }
    });
}
From source file:org.apache.lens.server.auth.DelegationTokenAuthenticationFilter.java
License:Apache License
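/**
 * Authenticates a request from an HDFS delegation token passed in a header.
 *
 * <p>The filter does nothing when a principal is already set, when the target
 * resource is not annotated with {@code @Authenticate}, or when the header is
 * blank. Otherwise the header is decoded into a token, the token is added to
 * the UGI named by its identifier, and a dummy HDFS call is made as that user.
 * The security context is set only after that call succeeds.
 *
 * <p>The header is untrusted input. A value that cannot be decoded, that has
 * an unrecognised token kind, or that names no owner is rejected with 401
 * rather than surfacing as an unhandled exception.
 *
 * @param requestContext the request being filtered
 * @throws IOException declared by the filter contract
 * @throws NotAuthorizedException (401) when the token is malformed or the HDFS check fails
 */
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    Principal userPrincipal = requestContext.getSecurityContext().getUserPrincipal();
    if (userPrincipal != null) {
        log.info("Authentication already done for principal {}, skipping this filter...",
                userPrincipal.getName());
        return;
    }
    // only authenticate when @Authenticate is present on resource
    if (resourceInfo.getResourceClass() == null || resourceInfo.getResourceMethod() == null) {
        return;
    }
    if (!(resourceInfo.getResourceClass().isAnnotationPresent(Authenticate.class)
            || resourceInfo.getResourceMethod().isAnnotationPresent(Authenticate.class))) {
        return;
    }

    String delegationToken = requestContext.getHeaderString(HDFS_DELEGATION_TKN_HEADER);
    if (StringUtils.isBlank(delegationToken)) {
        // No token supplied: this filter leaves the request unauthenticated.
        return;
    }

    final Token<AbstractDelegationTokenIdentifier> dt = new Token<>();
    try {
        dt.decodeFromUrlString(delegationToken);

        // decodeIdentifier() can return null for an unknown token kind, and
        // getUser() can return null for an identifier without an owner.
        final AbstractDelegationTokenIdentifier identifier = dt.decodeIdentifier();
        final UserGroupInformation user = identifier == null ? null : identifier.getUser();
        if (user == null) {
            throw new IOException("Delegation token has no usable identifier or owner");
        }
        user.addToken(dt);

        // The user name comes from the still-unverified token at this point.
        log.info("Received delegation token for user: {}", user.getUserName());

        // NOTE(review): the HDFS call below is the only check of the token, so
        // this relies on the cluster enforcing token authentication - confirm.
        user.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws IOException {
                try (FileSystem fs = FileSystem.get(new Configuration())) {
                    fs.exists(PATH_TO_CHECK); // dummy hdfs call
                    requestContext.setSecurityContext(createSecurityContext(user.getUserName(), AUTH_SCHEME));
                    return null;
                }
            }
        });
    } catch (InterruptedException e) {
        // Restore the interrupt flag before failing the request.
        Thread.currentThread().interrupt();
        log.error("Error while validating HDFS delegation token: ", e);
        throw new NotAuthorizedException(Response.status(401).entity("Invalid HDFS delegation token").build());
    } catch (IOException e) {
        log.error("Error while validating HDFS delegation token: ", e);
        throw new NotAuthorizedException(Response.status(401).entity("Invalid HDFS delegation token").build());
    }
}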
From source file:org.apache.oozie.dependency.HCatURIHandler.java
License:Apache License
/**
 * Creates an HCatClient that acts as {@code user} through a proxy UGI layered
 * on the login user.
 *
 * <p>When the metastore is configured for Thrift SASL, a delegation token is
 * first obtained for {@code user} with the login user as renewer and stored in
 * the proxy UGI under the configured token signature. The returned wrapper
 * carries both the client and the token string (null when SASL is off).
 *
 * <p>The delegation token string is a credential and is not logged here.
 *
 * @param uri URI used to derive the Hive configuration
 * @param conf base configuration
 * @param user the user to act as
 * @return the client together with its delegation token string, if any
 * @throws HCatAccessorException with code E1501 on any failure
 */
private HCatClientWithToken getHCatClient(URI uri, Configuration conf, String user)
        throws HCatAccessorException {
    final HiveConf hiveConf = getHiveConf(uri, conf);
    String delegationToken = null;
    try {
        // Get UGI to doAs() as the specified user
        UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(user,
                UserGroupInformation.getLoginUser());

        // Define the label for the Delegation Token for the HCat instance.
        hiveConf.set("hive.metastore.token.signature", "HCatTokenSignature");

        boolean saslEnabled = hiveConf.getBoolean(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL.varname, false);
        if (saslEnabled) {
            HCatClient tokenClient = null;
            try {
                // Retrieve Delegation token for HCatalog
                tokenClient = HCatClient.create(hiveConf);
                delegationToken = tokenClient.getDelegationToken(user,
                        UserGroupInformation.getLoginUser().getUserName());

                // Store Delegation token in the UGI
                Token<DelegationTokenIdentifier> hcatToken = new Token<DelegationTokenIdentifier>();
                hcatToken.decodeFromUrlString(delegationToken);
                hcatToken.setService(new Text(hiveConf.get("hive.metastore.token.signature")));
                proxyUgi.addToken(hcatToken);
            } finally {
                if (tokenClient != null) {
                    tokenClient.close();
                }
            }
        }

        XLog.getLog(HCatURIHandler.class).info(
                "Creating HCatClient for user [{0}] login_user [{1}] and server [{2}] ", user,
                UserGroupInformation.getLoginUser(), hiveConf.get(HiveConf.ConfVars.METASTOREURIS.varname));

        HCatClient hcatClient = proxyUgi.doAs(new PrivilegedExceptionAction<HCatClient>() {
            @Override
            public HCatClient run() throws Exception {
                return HCatClient.create(hiveConf);
            }
        });
        return new HCatClientWithToken(hcatClient, delegationToken);
    } catch (Exception e) {
        // One handler covers IOException as well, which was mapped identically.
        // NOTE(review): only the message is passed on, so the original cause
        // and stack trace are not attached to the thrown exception.
        throw new HCatAccessorException(ErrorCode.E1501, e.getMessage());
    }
}
From source file:org.apache.reef.bridge.client.SecurityTokensReader.java
License:Apache License
/**
 * Reads serialized security tokens from the configured file and adds each one
 * to the given user's credentials.
 *
 * <p>The file holds token passwords, so it should be readable only by the
 * submitting user. Only the token kind is logged, never the key or password.
 *
 * @param ugi user's credentials to add tokens to.
 * @throws IOException if there are errors in reading the tokens' file.
 */
void addTokensFromFile(final UserGroupInformation ugi) throws IOException {
    LOG.log(Level.FINE, "Reading security tokens from file: {0}", this.securityTokensFile);

    try (final FileInputStream tokenStream = new FileInputStream(securityTokensFile)) {
        final BinaryDecoder decoder = decoderFactory.binaryDecoder(tokenStream, null);

        while (!decoder.isEnd()) {
            final SecurityToken record = tokenDatumReader.read(null, decoder);

            // NOTE(review): array() returns the whole backing array and ignores
            // position/limit - presumably the buffers wrap exactly the token
            // bytes; confirm.
            final byte[] identifierBytes = record.getKey().array();
            final byte[] passwordBytes = record.getPassword().array();
            final Text kind = new Text(record.getKind().toString());
            final Text service = new Text(record.getService().toString());

            final Token<TokenIdentifier> yarnToken = new Token<>(identifierBytes, passwordBytes, kind, service);
            LOG.log(Level.FINE, "addToken for {0}", yarnToken.getKind());
            ugi.addToken(yarnToken);
        }
    }
}
From source file:org.apache.reef.bridge.client.YarnJobSubmissionClient.java
License:Apache License
/**
 * Builds a security token from the identifier and password files named by
 * {@code REEFFileNames} and adds it to the current user's credentials.
 *
 * <p>Token kind and service come from the submission object. The password
 * file holds the token secret.
 * NOTE(review): both paths are used as given by {@code REEFFileNames};
 * presumably they resolve in the working directory - confirm that the
 * directory is not readable by other users.
 *
 * @param yarnSubmission submission parameters supplying token kind and service
 * @throws IOException if the current user cannot be determined or a file cannot be read
 */
private static void writeSecurityTokenToUserCredential(final YarnClusterSubmissionFromCS yarnSubmission)
        throws IOException {
    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();

    final REEFFileNames fileNames = new REEFFileNames();
    final String identifierPath = fileNames.getSecurityTokenIdentifierFile();
    final String passwordPath = fileNames.getSecurityTokenPasswordFile();

    final Text tokenKind = new Text(yarnSubmission.getTokenKind());
    final Text tokenService = new Text(yarnSubmission.getTokenService());

    final byte[] identifierBytes = Files.readAllBytes(Paths.get(identifierPath));
    final byte[] passwordBytes = Files.readAllBytes(Paths.get(passwordPath));

    // Raw Token type kept as in the original; no identifier class is bound here.
    currentUser.addToken(new Token(identifierBytes, passwordBytes, tokenKind, tokenService));
}
From source file:org.apache.reef.runtime.yarn.driver.unmanaged.UnmanagedAmTest.java
License:Apache License
/**
 * Adds the given AM-RM token to the credentials of the current user.
 *
 * @param token the AM-RM token to add
 * @throws IOException if the current user cannot be determined
 */
private static void addToken(final Token<AMRMTokenIdentifier> token) throws IOException {
    UserGroupInformation.getCurrentUser().addToken(token);
}
From source file:org.apache.slider.server.appmaster.rpc.RpcBinder.java
License:Apache License
/**
 * Opens an RPC proxy to the Slider application master described by an
 * application report.
 *
 * <p>The connection is made as a new remote-user UGI that carries the current
 * user's name. With Hadoop security enabled, the client-to-AM token from the
 * report is bound to the AM address and added to that UGI, and the connection
 * is made inside {@code doAs}. Otherwise the connection is made directly.
 *
 * @param conf configuration passed to {@code connectToServer}
 * @param application report supplying host, RPC port and client-to-AM token
 * @param rpcTimeout timeout passed to {@code connectToServer}
 * @return the cluster protocol proxy
 * @throws IOException on connection problems
 * @throws SliderException if the report has no host or a zero RPC port
 * @throws InterruptedException if the {@code doAs} call is interrupted
 */
public static SliderClusterProtocol getProxy(final Configuration conf, ApplicationReport application,
        final int rpcTimeout) throws IOException, SliderException, InterruptedException {
    String host = application.getHost();
    int port = application.getRpcPort();
    String address = host + ":" + port;
    if (host == null || 0 == port) {
        throw new SliderException(SliderExitCodes.EXIT_CONNECTIVITY_PROBLEM,
                "Slider instance " + application.getName() + " isn't providing a valid address for the"
                        + " Slider RPC protocol: " + address);
    }

    UserGroupInformation caller = UserGroupInformation.getCurrentUser();
    final UserGroupInformation newUgi = UserGroupInformation.createRemoteUser(caller.getUserName());
    final InetSocketAddress serviceAddr = NetUtils.createSocketAddrForHost(application.getHost(),
            application.getRpcPort());
    log.debug("Connecting to {}", serviceAddr);

    if (!UserGroupInformation.isSecurityEnabled()) {
        // No token exchange on an insecure cluster.
        return connectToServer(serviceAddr, newUgi, conf, rpcTimeout);
    }

    // NOTE(review): the client-to-AM token is converted without a null check -
    // confirm that the report always carries one when security is enabled.
    org.apache.hadoop.yarn.api.records.Token clientToAMToken = application.getClientToAMToken();
    Token<ClientToAMTokenIdentifier> amToken = ConverterUtils.convertFromYarn(clientToAMToken, serviceAddr);
    newUgi.addToken(amToken);

    PrivilegedExceptionAction<SliderClusterProtocol> connect =
            new PrivilegedExceptionAction<SliderClusterProtocol>() {
                @Override
                public SliderClusterProtocol run() throws IOException {
                    return connectToServer(serviceAddr, newUgi, conf, rpcTimeout);
                }
            };
    return newUgi.doAs(connect);
}