List of usage examples for org.apache.hadoop.security UserGroupInformation createProxyUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createProxyUser(String user, UserGroupInformation realUser)
From source file:azkaban.jobtype.HadoopJavaJobRunnerMain.java
License:Apache License
public HadoopJavaJobRunnerMain() throws Exception { Runtime.getRuntime().addShutdownHook(new Thread() { @Override/*from w ww . j av a2 s. c om*/ public void run() { cancelJob(); } }); try { _jobName = System.getenv(ProcessJob.JOB_NAME_ENV); String propsFile = System.getenv(ProcessJob.JOB_PROP_ENV); _logger = Logger.getRootLogger(); _logger.removeAllAppenders(); ConsoleAppender appender = new ConsoleAppender(DEFAULT_LAYOUT); appender.activateOptions(); _logger.addAppender(appender); _logger.setLevel(Level.INFO); //Explicitly setting level to INFO Properties props = new Properties(); props.load(new BufferedReader(new FileReader(propsFile))); HadoopConfigurationInjector.injectResources(new Props(null, props)); final Configuration conf = new Configuration(); UserGroupInformation.setConfiguration(conf); securityEnabled = UserGroupInformation.isSecurityEnabled(); _logger.info("Running job " + _jobName); String className = props.getProperty(JOB_CLASS); if (className == null) { throw new Exception("Class name is not set."); } _logger.info("Class name " + className); UserGroupInformation loginUser = null; UserGroupInformation proxyUser = null; if (shouldProxy(props)) { String userToProxy = props.getProperty("user.to.proxy"); if (securityEnabled) { String filelocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION); _logger.info("Found token file " + filelocation); _logger.info("Security enabled is " + UserGroupInformation.isSecurityEnabled()); _logger.info("Setting mapreduce.job.credentials.binary to " + filelocation); System.setProperty("mapreduce.job.credentials.binary", filelocation); _logger.info("Proxying enabled."); loginUser = UserGroupInformation.getLoginUser(); _logger.info("Current logged in user is " + loginUser.getUserName()); proxyUser = UserGroupInformation.createProxyUser(userToProxy, loginUser); for (Token<?> token : loginUser.getTokens()) { proxyUser.addToken(token); } } else { proxyUser = UserGroupInformation.createRemoteUser(userToProxy); } _logger.info("Proxied as user " + userToProxy); } // Create the object using proxy if (shouldProxy(props)) { _javaObject = getObjectAsProxyUser(props, _logger, _jobName, className, proxyUser); } else { _javaObject = getObject(_jobName, className, props, _logger); } if (_javaObject == null) { _logger.info("Could not create java object to run job: " + className); throw new Exception("Could not create running object"); } _logger.info("Got object " + _javaObject.toString()); _cancelMethod = props.getProperty(CANCEL_METHOD_PARAM, DEFAULT_CANCEL_METHOD); final String runMethod = props.getProperty(RUN_METHOD_PARAM, DEFAULT_RUN_METHOD); _logger.info("Invoking method " + runMethod); if (shouldProxy(props)) { _logger.info("Proxying enabled."); runMethodAsUser(props, _javaObject, runMethod, proxyUser); } else { _logger.info("Proxy check failed, not proxying run."); runMethod(_javaObject, runMethod); } _isFinished = true; // Get the generated properties and store them to disk, to be read // by ProcessJob. try { final Method generatedPropertiesMethod = _javaObject.getClass() .getMethod(GET_GENERATED_PROPERTIES_METHOD, new Class<?>[] {}); Object outputGendProps = generatedPropertiesMethod.invoke(_javaObject, new Object[] {}); if (outputGendProps != null) { final Method toPropertiesMethod = outputGendProps.getClass().getMethod("toProperties", new Class<?>[] {}); Properties properties = (Properties) toPropertiesMethod.invoke(outputGendProps, new Object[] {}); Props outputProps = new Props(null, properties); outputGeneratedProperties(outputProps); } else { _logger.info(GET_GENERATED_PROPERTIES_METHOD + " method returned null. No properties to pass along"); } } catch (NoSuchMethodException e) { _logger.info(String.format( "Apparently there isn't a method[%s] on object[%s], using " + "empty Props object instead.", GET_GENERATED_PROPERTIES_METHOD, _javaObject)); outputGeneratedProperties(new Props()); } } catch (Exception e) { _isFinished = true; throw e; } }
From source file:azkaban.jobtype.HadoopSecureWrapperUtils.java
License:Apache License
/** * Perform all the magic required to get the proxyUser in a securitized grid * //from w w w .j ava 2s .c o m * @param userToProxy * @return a UserGroupInformation object for the specified userToProxy, which will also contain * the logged in user's tokens * @throws IOException */ private static UserGroupInformation createSecurityEnabledProxyUser(String userToProxy, String filelocation, Logger log) throws IOException { if (!new File(filelocation).exists()) { throw new RuntimeException("hadoop token file doesn't exist."); } log.info("Found token file. Setting " + HadoopSecurityManager.MAPREDUCE_JOB_CREDENTIALS_BINARY + " to " + filelocation); System.setProperty(HadoopSecurityManager.MAPREDUCE_JOB_CREDENTIALS_BINARY, filelocation); UserGroupInformation loginUser = null; loginUser = UserGroupInformation.getLoginUser(); log.info("Current logged in user is " + loginUser.getUserName()); UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(userToProxy, loginUser); for (Token<?> token : loginUser.getTokens()) { proxyUser.addToken(token); } return proxyUser; }
From source file:azkaban.security.commons.SecurityUtils.java
License:Apache License
/** * Create a proxied user based on the explicit user name, taking other * parameters necessary from properties file. */// ww w . j a v a 2 s . c om public static synchronized UserGroupInformation getProxiedUser(String toProxy, Properties prop, Logger log, Configuration conf) throws IOException { if (conf == null) { throw new IllegalArgumentException("conf can't be null"); } UserGroupInformation.setConfiguration(conf); if (toProxy == null) { throw new IllegalArgumentException("toProxy can't be null"); } if (loginUser == null) { log.info("No login user. Creating login user"); String keytab = verifySecureProperty(prop, PROXY_KEYTAB_LOCATION, log); String proxyUser = verifySecureProperty(prop, PROXY_USER, log); UserGroupInformation.loginUserFromKeytab(proxyUser, keytab); loginUser = UserGroupInformation.getLoginUser(); log.info("Logged in with user " + loginUser); } else { log.info("loginUser (" + loginUser + ") already created, refreshing tgt."); loginUser.checkTGTAndReloginFromKeytab(); } return UserGroupInformation.createProxyUser(toProxy, loginUser); }
From source file:azkaban.security.HadoopSecurityManager_H_1_0.java
License:Apache License
/** * Create a proxied user based on the explicit user name, taking other * parameters necessary from properties file. * * @throws IOException/*from w w w .j a v a 2 s. c o m*/ */ @Override public synchronized UserGroupInformation getProxiedUser(String userToProxy) throws HadoopSecurityManagerException { if (userToProxy == null) { throw new HadoopSecurityManagerException("userToProxy can't be null"); } UserGroupInformation ugi = userUgiMap.get(userToProxy); if (ugi == null) { logger.info("proxy user " + userToProxy + " not exist. Creating new proxy user"); if (shouldProxy) { try { ugi = UserGroupInformation.createProxyUser(userToProxy, UserGroupInformation.getLoginUser()); } catch (IOException e) { e.printStackTrace(); throw new HadoopSecurityManagerException("Failed to create proxy user", e); } } else { ugi = UserGroupInformation.createRemoteUser(userToProxy); } userUgiMap.putIfAbsent(userToProxy, ugi); } return ugi; }
From source file:azkaban.security.HadoopSecurityManager_H_2_0.java
License:Apache License
/** * Create a proxied user based on the explicit user name, taking other * parameters necessary from properties file. * * @throws IOException/*w w w .jav a2 s .com*/ */ @Override public synchronized UserGroupInformation getProxiedUser(String userToProxy) throws HadoopSecurityManagerException { if (userToProxy == null) { throw new HadoopSecurityManagerException("userToProxy can't be null"); } UserGroupInformation ugi = userUgiMap.get(userToProxy); if (ugi == null) { logger.info("proxy user " + userToProxy + " not exist. Creating new proxy user"); if (shouldProxy) { try { ugi = UserGroupInformation.createProxyUser(userToProxy, UserGroupInformation.getLoginUser()); } catch (IOException e) { throw new HadoopSecurityManagerException("Failed to create proxy user", e); } } else { ugi = UserGroupInformation.createRemoteUser(userToProxy); } userUgiMap.putIfAbsent(userToProxy, ugi); } return ugi; }
From source file:com.alibaba.jstorm.hdfs.common.security.AutoHDFS.java
License:Apache License
@SuppressWarnings("unchecked") protected byte[] getHadoopCredentials(Map conf) { try {/* w ww .jav a 2s . c om*/ if (UserGroupInformation.isSecurityEnabled()) { final Configuration configuration = new Configuration(); login(configuration); final String topologySubmitterUser = (String) conf.get(Config.TOPOLOGY_SUBMITTER_PRINCIPAL); final URI nameNodeURI = conf.containsKey(TOPOLOGY_HDFS_URI) ? new URI(conf.get(TOPOLOGY_HDFS_URI).toString()) : FileSystem.getDefaultUri(configuration); UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); final UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(topologySubmitterUser, ugi); Credentials creds = (Credentials) proxyUser.doAs(new PrivilegedAction<Object>() { @Override public Object run() { try { FileSystem fileSystem = FileSystem.get(nameNodeURI, configuration); Credentials credential = proxyUser.getCredentials(); fileSystem.addDelegationTokens(hdfsPrincipal, credential); LOG.info("Delegation tokens acquired for user {}", topologySubmitterUser); return credential; } catch (IOException e) { throw new RuntimeException(e); } } }); ByteArrayOutputStream bao = new ByteArrayOutputStream(); ObjectOutputStream out = new ObjectOutputStream(bao); creds.write(out); out.flush(); out.close(); return bao.toByteArray(); } else { throw new RuntimeException("Security is not enabled for HDFS"); } } catch (Exception ex) { throw new RuntimeException("Failed to get delegation tokens.", ex); } }
From source file:com.blackberry.bdp.kaboom.Authenticator.java
License:Apache License
private boolean authenticate(String proxyUserName) { UserGroupInformation proxyTicket;// w w w . j av a2 s .co m // logic for kerberos login boolean useSecurity = UserGroupInformation.isSecurityEnabled(); LOG.info("Hadoop Security enabled: " + useSecurity); if (useSecurity) { // sanity checking if (kerbConfPrincipal.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a principal to use for Kerberos auth."); return false; } if (kerbKeytab.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a keytab to use for Kerberos auth."); return false; } String principal; try { // resolves _HOST pattern using standard Hadoop search/replace // via DNS lookup when 2nd argument is empty principal = SecurityUtil.getServerPrincipal(kerbConfPrincipal, ""); } catch (IOException e) { LOG.error("Host lookup error resolving kerberos principal (" + kerbConfPrincipal + "). Exception follows.", e); return false; } Preconditions.checkNotNull(principal, "Principal must not be null"); KerberosUser prevUser = staticLogin.get(); KerberosUser newUser = new KerberosUser(principal, kerbKeytab); // be cruel and unusual when user tries to login as multiple principals // this isn't really valid with a reconfigure but this should be rare // enough to warrant a restart of the agent JVM // TODO: find a way to interrogate the entire current config state, // since we don't have to be unnecessarily protective if they switch all // HDFS sinks to use a different principal all at once. Preconditions.checkState(prevUser == null || prevUser.equals(newUser), "Cannot use multiple kerberos principals in the same agent. " + " Must restart agent to use new principal or keytab. " + "Previous = %s, New = %s", prevUser, newUser); // attempt to use cached credential if the user is the same // this is polite and should avoid flooding the KDC with auth requests UserGroupInformation curUser = null; if (prevUser != null && prevUser.equals(newUser)) { try { LOG.info("Attempting login as {} with cached credentials", prevUser.getPrincipal()); curUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { LOG.warn("User unexpectedly had no active login. Continuing with " + "authentication", e); } } if (curUser == null || !curUser.getUserName().equals(principal)) { try { // static login curUser = kerberosLogin(this, principal, kerbKeytab); LOG.info("Current user obtained from Kerberos login {}", curUser.getUserName()); } catch (IOException e) { LOG.error("Authentication or file read error while attempting to " + "login as kerberos principal (" + principal + ") using " + "keytab (" + kerbKeytab + "). Exception follows.", e); return false; } } else { LOG.debug("{}: Using existing principal login: {}", this, curUser); } try { if (UserGroupInformation.getLoginUser().isFromKeytab() == false) { LOG.warn("Using a keytab for authentication is {}", UserGroupInformation.getLoginUser().isFromKeytab()); LOG.warn("curUser.isFromKeytab(): {}", curUser.isFromKeytab()); LOG.warn("UserGroupInformation.getCurrentUser().isLoginKeytabBased(): {}", UserGroupInformation.getCurrentUser().isLoginKeytabBased()); LOG.warn("UserGroupInformation.isLoginKeytabBased(): {}", UserGroupInformation.isLoginKeytabBased()); LOG.warn("curUser.getAuthenticationMethod(): {}", curUser.getAuthenticationMethod()); //System.exit(1); } } catch (IOException e) { LOG.error("Failed to get login user.", e); System.exit(1); } // we supposedly got through this unscathed... so store the static user staticLogin.set(newUser); } // hadoop impersonation works with or without kerberos security proxyTicket = null; if (!proxyUserName.isEmpty()) { try { proxyTicket = UserGroupInformation.createProxyUser(proxyUserName, UserGroupInformation.getLoginUser()); } catch (IOException e) { LOG.error("Unable to login as proxy user. Exception follows.", e); return false; } } UserGroupInformation ugi = null; if (proxyTicket != null) { ugi = proxyTicket; } else if (useSecurity) { try { ugi = UserGroupInformation.getLoginUser(); } catch (IOException e) { LOG.error("Unexpected error: Unable to get authenticated user after " + "apparent successful login! Exception follows.", e); return false; } } if (ugi != null) { // dump login information AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); LOG.info("Auth method: {}", authMethod); LOG.info(" User name: {}", ugi.getUserName()); LOG.info(" Using keytab: {}", ugi.isFromKeytab()); if (authMethod == AuthenticationMethod.PROXY) { UserGroupInformation superUser; try { superUser = UserGroupInformation.getLoginUser(); LOG.info(" Superuser auth: {}", superUser.getAuthenticationMethod()); LOG.info(" Superuser name: {}", superUser.getUserName()); LOG.info(" Superuser using keytab: {}", superUser.isFromKeytab()); } catch (IOException e) { LOG.error("Unexpected error: unknown superuser impersonating proxy.", e); return false; } } LOG.info("Logged in as user {}", ugi.getUserName()); UGIState state = new UGIState(); state.ugi = proxyTicket; state.lastAuthenticated = System.currentTimeMillis(); proxyUserMap.put(proxyUserName, state); return true; } return true; }
From source file:com.cloudera.beeswax.BeeswaxServiceImpl.java
License:Apache License
private <T> T doWithState(RunningQueryState state, PrivilegedExceptionAction<T> action) throws BeeswaxException { try {//from w w w .java 2 s . co m UserGroupInformation ugi; if (UserGroupInformation.isSecurityEnabled()) ugi = UserGroupInformation.createProxyUser(state.query.hadoop_user, UserGroupInformation.getLoginUser()); else { ugi = UserGroupInformation.createRemoteUser(state.query.hadoop_user); } return ugi.doAs(action); } catch (UndeclaredThrowableException e) { if (e.getUndeclaredThrowable() instanceof PrivilegedActionException) { Throwable bwe = e.getUndeclaredThrowable().getCause(); if (bwe instanceof BeeswaxException) { LOG.error("Caught BeeswaxException", (BeeswaxException) bwe); throw (BeeswaxException) bwe; } } LOG.error("Caught unexpected exception.", e); throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle); } catch (IOException e) { LOG.error("Caught IOException", e); throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle); } catch (InterruptedException e) { LOG.error("Caught InterruptedException", e); throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle); } }
From source file:com.cloudera.hadoop.hdfs.nfs.nfs4.NFS4Handler.java
License:Apache License
/** * Process a CompoundRequest and return a CompoundResponse. *//*from ww w . j a v a 2 s .c o m*/ public CompoundResponse process(final RPCRequest rpcRequest, final CompoundRequest compoundRequest, final InetAddress clientAddress, final String sessionID) { Credentials creds = (Credentials) compoundRequest.getCredentials(); // FIXME below is a hack regarding CredentialsUnix if (creds == null || !(creds instanceof AuthenticatedCredentials)) { CompoundResponse response = new CompoundResponse(); response.setStatus(NFS4ERR_WRONGSEC); return response; } try { UserGroupInformation sudoUgi; String username = creds.getUsername(mConfiguration); if (UserGroupInformation.isSecurityEnabled()) { sudoUgi = UserGroupInformation.createProxyUser(username, UserGroupInformation.getCurrentUser()); } else { sudoUgi = UserGroupInformation.createRemoteUser(username); } final NFS4Handler server = this; final Session session = new Session(rpcRequest.getXid(), compoundRequest, mConfiguration, clientAddress, sessionID); return sudoUgi.doAs(new PrivilegedExceptionAction<CompoundResponse>() { public CompoundResponse run() throws Exception { String username = UserGroupInformation.getCurrentUser().getShortUserName(); int lastStatus = NFS4_OK; List<OperationResponse> responses = Lists.newArrayList(); for (OperationRequest request : compoundRequest.getOperations()) { if (LOGGER.isDebugEnabled()) { LOGGER.debug(sessionID + " " + request.getClass().getSimpleName() + " for " + username); } OperationRequestHandler<OperationRequest, OperationResponse> handler = OperationFactory .getHandler(request.getID()); OperationResponse response = handler.handle(server, session, request); responses.add(response); lastStatus = response.getStatus(); if (lastStatus != NFS4_OK) { LOGGER.warn(sessionID + " Quitting due to " + lastStatus + " on " + request.getClass().getSimpleName() + " for " + username); break; } server.incrementMetric("NFS_" + request.getClass().getSimpleName(), 1); server.incrementMetric("NFS_OPERATIONS", 1); } CompoundResponse response = new CompoundResponse(); response.setStatus(lastStatus); response.setOperations(responses); server.incrementMetric("NFS_COMMANDS", 1); return response; } }); } catch (Exception ex) { if (ex instanceof UndeclaredThrowableException && ex.getCause() != null) { Throwable throwable = ex.getCause(); if (throwable instanceof Exception) { ex = (Exception) throwable; } else if (throwable instanceof Error) { // something really bad happened LOGGER.error(sessionID + " Unhandled Error", throwable); throw (Error) throwable; } else { LOGGER.error(sessionID + " Unhandled Throwable", throwable); throw new RuntimeException(throwable); } } LOGGER.warn(sessionID + " Unhandled Exception", ex); CompoundResponse response = new CompoundResponse(); if (ex instanceof NFS4Exception) { response.setStatus(((NFS4Exception) ex).getError()); } else if (ex instanceof UnsupportedOperationException) { response.setStatus(NFS4ERR_NOTSUPP); } else { LOGGER.warn(sessionID + " Setting SERVERFAULT for " + clientAddress + " for " + compoundRequest.getOperations()); response.setStatus(NFS4ERR_SERVERFAULT); } return response; } }
From source file:com.cloudera.hoop.client.fs.TestHoopFileSystem.java
License:Open Source License
@Test(dataProvider = "Operations") @TestDir/*from w w w. j av a 2s . c om*/ @TestServlet @TestHadoop public void testOperationDoAs(final Operation op) throws Exception { createHoopServer(); UserGroupInformation ugi = UserGroupInformation.createProxyUser(getHadoopUsers()[0], UserGroupInformation.getCurrentUser()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { operation(op); return null; } }); }