List of usage examples for org.apache.hadoop.security.UserGroupInformation#createProxyUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createProxyUser(String user, UserGroupInformation realUser)
From source file:com.cloudera.hue.SudoFsShell.java
License:Apache License
/**
 * Runs an {@code FsShell} command line under another user's identity.
 *
 * <p>{@code args[0]} names the user to act as; every remaining argument is forwarded
 * to {@code FsShell.main} unchanged. With no arguments, usage is printed and the JVM
 * exits with status 1.
 *
 * <p>Identity handling depends on the cluster mode:
 * <ul>
 *   <li>Security enabled: a proxy UGI is built on top of the current user. Creating it
 *       performs no authorization; the Hadoop services decide whether the current user
 *       may impersonate the target, based on their {@code hadoop.proxyuser.*}
 *       settings.</li>
 *   <li>Security disabled: {@code createRemoteUser} takes the supplied name as given,
 *       with no credential behind it. Access to this entry point therefore has to be
 *       limited to trusted callers by whatever launches it.</li>
 * </ul>
 *
 * @param args target user name followed by the FsShell arguments
 * @throws Exception anything raised while resolving the identity or running the shell
 */
public static void main(String[] args) throws Exception {
    if (args.length < 1) {
        usage();
        System.exit(1);
    }

    // Split the command line: first token is the identity, the rest belongs to FsShell.
    final String targetUser = args[0];
    final int forwardedCount = args.length - 1;
    final String[] shellArgs = new String[forwardedCount];
    System.arraycopy(args, 1, shellArgs, 0, forwardedCount);

    final UserGroupInformation sudoUgi = UserGroupInformation.isSecurityEnabled()
            ? UserGroupInformation.createProxyUser(targetUser, UserGroupInformation.getCurrentUser())
            : UserGroupInformation.createRemoteUser(targetUser);

    // Typed local keeps the doAs overload unambiguous.
    final PrivilegedExceptionAction<Void> runShell = new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            FsShell.main(shellArgs);
            return null;
        }
    };
    sudoUgi.doAs(runShell);
}
From source file:com.cloudera.lib.service.hadoop.HadoopService.java
License:Open Source License
/**
 * Builds a proxy identity for {@code user} whose real user is this process's login user.
 *
 * <p>{@code user} is passed through unchecked. Creating the proxy UGI neither
 * authenticates nor authorizes it; whether the login user may impersonate {@code user}
 * is enforced by the Hadoop services through their {@code hadoop.proxyuser.*} settings.
 *
 * @param user name of the user to impersonate
 * @return a proxy UGI for {@code user} backed by the login user
 * @throws IOException if the login user cannot be obtained
 */
protected UserGroupInformation getUGI(String user) throws IOException {
    final UserGroupInformation serviceIdentity = UserGroupInformation.getLoginUser();
    return UserGroupInformation.createProxyUser(user, serviceIdentity);
}
From source file:com.cloudera.llama.am.LlamaAMServiceImpl.java
License:Apache License
/**
 * Verifies that {@code user} holds the SUBMIT_APPLICATIONS ACL on {@code queue}.
 *
 * <p>The proxy UGI built here is used only as the subject of the ACL lookup; nothing is
 * executed under it. The ACL is evaluated against {@code queue}; {@code requestedQueue}
 * appears only in the error raised on denial.
 *
 * @param user           user whose access is checked
 * @param queue          queue the ACL is evaluated against
 * @param requestedQueue queue name as originally requested, reported on denial
 * @throws LlamaException with {@code INTERNAL_ERROR} if the current user cannot be
 *                        resolved, or with
 *                        {@code RESERVATION_USER_NOT_ALLOWED_IN_QUEUE} if the ACL
 *                        check fails
 */
void checkAccess(String user, String queue, String requestedQueue) throws LlamaException {
    final UserGroupInformation proxyUgi;
    try {
        proxyUgi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getCurrentUser());
    } catch (IOException ex) {
        throw new LlamaException(ex, ErrorCode.INTERNAL_ERROR);
    }

    final boolean maySubmit = allocConf.get().hasAccess(queue, QueueACL.SUBMIT_APPLICATIONS, proxyUgi);
    if (maySubmit) {
        return;
    }
    throw new LlamaException(ErrorCode.RESERVATION_USER_NOT_ALLOWED_IN_QUEUE, user, requestedQueue, queue);
}
From source file:com.cloudera.llama.am.yarn.YarnRMConnector.java
License:Apache License
/**
 * Creates the identity the application runs as: a proxy UGI for the configured user
 * name, with this process's login user as the real user.
 *
 * <p>The name is read from {@code HADOOP_USER_NAME_KEY}, falling back to
 * {@code HADOOP_USER_NAME_DEFAULT}. It is used as configured; whether the login user
 * may impersonate it is decided by the Hadoop services ({@code hadoop.proxyuser.*}),
 * not by this method.
 *
 * @return proxy UGI for the configured user
 * @throws Exception if the configuration or the login user cannot be read
 */
private UserGroupInformation createUGIForApp() throws Exception {
    final String appUser = getConf().get(HADOOP_USER_NAME_KEY, HADOOP_USER_NAME_DEFAULT);
    return UserGroupInformation.createProxyUser(appUser, UserGroupInformation.getLoginUser());
}
From source file:com.datatorrent.stram.cli.ApexCli.java
License:Apache License
/**
 * CLI entry point. Runs the shell either as the login user or, when requested through
 * the {@code HADOOP_USER_NAME} environment variable, as a proxy user on top of it.
 *
 * <p>Impersonation is attempted only when all of the following hold: Hadoop security is
 * enabled, the variable is non-blank, and its value differs from the login user's name.
 * With security disabled this method ignores the variable. Creating the proxy UGI does
 * not authorize anything; the Hadoop services accept or reject the impersonation
 * according to their {@code hadoop.proxyuser.*} settings.
 *
 * @param args command-line arguments, consumed by {@code preImpersonationInit}
 * @throws Exception anything raised during initialisation or by the shell
 */
public static void main(final String[] args) throws Exception {
    final ApexCli shell = new ApexCli();
    shell.preImpersonationInit(args);

    final String hadoopUserName = System.getenv("HADOOP_USER_NAME");
    // NOTE(review): the comparison uses getUserName(); under Kerberos that is presumably
    // the full principal, so a short HADOOP_USER_NAME naming the same account would still
    // take the proxy path. Confirm whether getShortUserName() was intended.
    final boolean impersonate = UserGroupInformation.isSecurityEnabled()
            && StringUtils.isNotBlank(hadoopUserName)
            && !hadoopUserName.equals(UserGroupInformation.getLoginUser().getUserName());

    if (!impersonate) {
        shell.mainHelper();
        return;
    }

    // Records both the authenticated identity and the identity being assumed.
    LOG.info("You ({}) are running as user {}", UserGroupInformation.getLoginUser().getUserName(),
            hadoopUserName);
    final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(hadoopUserName,
            UserGroupInformation.getLoginUser());
    final PrivilegedExceptionAction<Void> runShell = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            shell.mainHelper();
            return null;
        }
    };
    proxyUgi.doAs(runShell);
}
From source file:com.datatorrent.stram.cli.DTCli.java
License:Apache License
/**
 * CLI entry point. Starts the shell as the login user, or as a proxy user layered on
 * the login user when the {@code HADOOP_USER_NAME} environment variable asks for one.
 *
 * <p>The proxy path is taken only if Hadoop security is enabled, the variable is
 * non-blank and it differs from the login user's name; otherwise the variable has no
 * effect here. The proxy UGI carries no authorization of its own: the Hadoop services
 * check the impersonation against their {@code hadoop.proxyuser.*} settings.
 *
 * @param args command-line arguments, consumed by {@code preImpersonationInit}
 * @throws Exception anything raised during initialisation or by the shell
 */
public static void main(final String[] args) throws Exception {
    final DTCli shell = new DTCli();
    shell.preImpersonationInit(args);

    final String hadoopUserName = System.getenv("HADOOP_USER_NAME");

    boolean runAsProxy = false;
    if (UserGroupInformation.isSecurityEnabled() && StringUtils.isNotBlank(hadoopUserName)) {
        // NOTE(review): getUserName() is presumably the full Kerberos principal, so a
        // short name for the same account would not compare equal. Confirm whether
        // getShortUserName() was intended.
        runAsProxy = !hadoopUserName.equals(UserGroupInformation.getLoginUser().getUserName());
    }

    if (runAsProxy) {
        // Log the authenticated identity together with the identity being assumed.
        LOG.info("You ({}) are running as user {}", UserGroupInformation.getLoginUser().getUserName(),
                hadoopUserName);
        final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(hadoopUserName,
                UserGroupInformation.getLoginUser());
        final PrivilegedExceptionAction<Void> shellAction = new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                shell.mainHelper();
                return null;
            }
        };
        proxyUgi.doAs(shellAction);
    } else {
        shell.mainHelper();
    }
}
From source file:com.datatorrent.stram.client.StramClientUtils.java
License:Apache License
/**
 * Runs {@code action} as {@code userName} through a proxy UGI, or directly when no
 * distinct user is requested.
 *
 * <p>The action runs directly, with no proxy UGI, when {@code userName} is blank or
 * equals the login user's short name. Otherwise a proxy UGI is created on top of the
 * login user and the action runs inside {@code doAs}. This method does not check
 * whether Hadoop security is enabled, and {@code userName} is not validated here; the
 * Hadoop services decide whether the login user may impersonate it
 * ({@code hadoop.proxyuser.*}).
 *
 * @param userName user to run as; blank means "no impersonation"
 * @param action   work to execute
 * @param <T>      result type of the action
 * @return whatever {@code action} returns
 * @throws Exception anything raised by the action or while resolving the login user
 */
public static <T> T doAs(String userName, PrivilegedExceptionAction<T> action) throws Exception {
    if (!StringUtils.isNotBlank(userName)
            || userName.equals(UserGroupInformation.getLoginUser().getShortUserName())) {
        LOG.info("Executing command as if there is no login info: {}", userName);
        return action.run();
    }

    LOG.info("Executing command as {}", userName);
    final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(userName,
            UserGroupInformation.getLoginUser());
    return proxyUgi.doAs(action);
}
From source file:com.facebook.presto.hive.authentication.ImpersonatingHdfsAuthentication.java
License:Apache License
/**
 * Wraps the UGI supplied by {@code hadoopAuthentication} in a proxy UGI for {@code user}.
 *
 * <p>{@code user} is used as passed in. The proxy UGI is only a claim; the Hadoop
 * services decide whether the underlying identity may impersonate {@code user}, based
 * on their {@code hadoop.proxyuser.*} settings.
 *
 * @param user name of the user to impersonate
 * @return proxy UGI for {@code user}
 */
private UserGroupInformation createProxyUser(String user) {
    final UserGroupInformation realUser = hadoopAuthentication.getUserGroupInformation();
    return UserGroupInformation.createProxyUser(user, realUser);
}
From source file:com.hortonworks.streamline.streams.cluster.service.metadata.HBaseMetadataService.java
License:Apache License
/**
 * Creates an {@link HBaseMetadataService} for the given caller.
 *
 * <p>When {@code securityContext} is Kerberos-authenticated, the HBase connection is
 * opened as a proxy user: the real user is the UGI derived from {@code subject}, and the
 * impersonated user is the principal name taken from {@code securityContext}. Otherwise
 * this delegates to the single-argument {@code newInstance(hbaseConfig)}.
 *
 * <p>The secure path calls the static {@code UserGroupInformation.setConfiguration},
 * so {@code hbaseConfig} becomes the process-wide UGI configuration, not just the
 * configuration of the returned service.
 *
 * @param hbaseConfig           configuration used for both UGI setup and the connection
 * @param securityContext       source of the caller's principal
 * @param subject               subject holding the service's own credentials
 * @param hbaseMaster           HBase master component, passed to the service
 * @param hbaseMasterProcesses  HBase master processes, passed to the service
 * @return the metadata service bound to the created connection's admin
 * @throws IOException             if the UGI or the connection cannot be created
 * @throws EntityNotFoundException declared by the delegate factory
 */
public static HBaseMetadataService newInstance(Configuration hbaseConfig, SecurityContext securityContext,
        Subject subject, Component hbaseMaster, Collection<ComponentProcess> hbaseMasterProcesses)
        throws IOException, EntityNotFoundException {

    if (!SecurityUtil.isKerberosAuthenticated(securityContext)) {
        return newInstance(hbaseConfig);
    }

    // Installs the Kerberos name-mapping rules from hbaseConfig (static, process-wide).
    UserGroupInformation.setConfiguration(hbaseConfig);

    // Real user: derived from the subject; this also adds a User principal to the subject.
    final UserGroupInformation realUgi = UserGroupInformation.getUGIFromSubject(subject);

    // Impersonated user: the authenticated caller of this request.
    final String callerName = securityContext.getUserPrincipal().getName();
    final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(callerName, realUgi);

    final User user = User.create(proxyUgi);
    return new HBaseMetadataService(ConnectionFactory.createConnection(hbaseConfig, user).getAdmin(),
            securityContext, subject, user, hbaseMaster, hbaseMasterProcesses);
}
From source file:com.huayu.metis.flume.sink.hdfs.HDFSEventSink.java
License:Apache License
/**
 * Establishes the identity this sink uses for HDFS access.
 *
 * <p>Two independent steps:
 * <ol>
 *   <li>If Hadoop security is enabled, validate the configured principal and keytab,
 *       resolve the principal, and log in from the keytab unless the current login
 *       already matches. The resulting principal/keytab pair is remembered in
 *       {@code staticLogin}; a later call with a different pair fails the
 *       {@code checkState} below.</li>
 *   <li>If {@code proxyUserName} is non-empty, create a proxy UGI for it on top of the
 *       login user and store it in {@code proxyTicket}. This happens whether or not
 *       security is enabled.</li>
 * </ol>
 *
 * <p>Creating the proxy UGI does not authorize the impersonation; the Hadoop services
 * enforce that through their {@code hadoop.proxyuser.*} settings.
 *
 * @return {@code true} on success (including the case where neither security nor a
 *         proxy user is configured); {@code false} if a required setting is missing or
 *         a login/lookup step fails
 * @throws IllegalArgumentException if a keytab is configured but is not a readable file
 */
private boolean authenticate() {
    // logic for kerberos login
    boolean useSecurity = UserGroupInformation.isSecurityEnabled();
    LOG.info("Hadoop Security enabled: " + useSecurity);
    if (useSecurity) {
        // sanity checking
        if (kerbConfPrincipal.isEmpty()) {
            LOG.error("Hadoop running in secure mode, but Flume config doesn't "
                    + "specify a principal to use for Kerberos auth.");
            return false;
        }
        if (kerbKeytab.isEmpty()) {
            LOG.error("Hadoop running in secure mode, but Flume config doesn't "
                    + "specify a keytab to use for Kerberos auth.");
            return false;
        } else {
            // If a keytab is specified, the user expects it to take effect, so a
            // missing or unreadable keytab file is a hard error (exception), not a
            // soft "return false".
            File kfile = new File(kerbKeytab);
            if (!(kfile.isFile() && kfile.canRead())) {
                throw new IllegalArgumentException(
                        "The keyTab file: " + kerbKeytab + " is nonexistent or can't read. "
                                + "Please specify a readable keytab file for Kerberos auth.");
            }
        }
        String principal;
        try {
            // resolves _HOST pattern using standard Hadoop search/replace
            // via DNS lookup when 2nd argument is empty
            principal = SecurityUtil.getServerPrincipal(kerbConfPrincipal, "");
        } catch (IOException e) {
            LOG.error("Host lookup error resolving kerberos principal (" + kerbConfPrincipal
                    + "). Exception follows.", e);
            return false;
        }
        Preconditions.checkNotNull(principal, "Principal must not be null");
        KerberosUser prevUser = staticLogin.get();
        KerberosUser newUser = new KerberosUser(principal, kerbKeytab);
        // be cruel and unusual when user tries to login as multiple principals
        // this isn't really valid with a reconfigure but this should be rare
        // enough to warrant a restart of the agent JVM
        // TODO: find a way to interrogate the entire current config state,
        // since we don't have to be unnecessarily protective if they switch all
        // HDFS sinks to use a different principal all at once.
        Preconditions.checkState(prevUser == null || prevUser.equals(newUser),
                "Cannot use multiple kerberos principals in the same agent. "
                        + " Must restart agent to use new principal or keytab. "
                        + "Previous = %s, New = %s",
                prevUser, newUser);
        // attempt to use cached credential if the user is the same
        // this is polite and should avoid flooding the KDC with auth requests
        UserGroupInformation curUser = null;
        if (prevUser != null && prevUser.equals(newUser)) {
            try {
                curUser = UserGroupInformation.getLoginUser();
            } catch (IOException e) {
                LOG.warn("User unexpectedly had no active login. Continuing with " + "authentication", e);
            }
        }
        // Log in again only when there is no usable login or it belongs to a
        // different principal than the one just resolved.
        if (curUser == null || !curUser.getUserName().equals(principal)) {
            try {
                // static login
                kerberosLogin(this, principal, kerbKeytab);
            } catch (IOException e) {
                // Note: the message includes the principal and the keytab path.
                LOG.error("Authentication or file read error while attempting to "
                        + "login as kerberos principal (" + principal + ") using " + "keytab (" + kerbKeytab
                        + "). Exception follows.", e);
                return false;
            }
        } else {
            LOG.debug("{}: Using existing principal login: {}", this, curUser);
        }
        // we supposedly got through this unscathed... so store the static user
        staticLogin.set(newUser);
    }
    // hadoop impersonation works with or without kerberos security
    // proxyUserName is used as configured; nothing in this method checks that the
    // login user is permitted to impersonate it.
    proxyTicket = null;
    if (!proxyUserName.isEmpty()) {
        try {
            proxyTicket = UserGroupInformation.createProxyUser(proxyUserName,
                    UserGroupInformation.getLoginUser());
        } catch (IOException e) {
            LOG.error("Unable to login as proxy user. Exception follows.", e);
            return false;
        }
    }
    // Effective identity: the proxy user if one was created, otherwise the login
    // user when security is on, otherwise none (ugi stays null).
    UserGroupInformation ugi = null;
    if (proxyTicket != null) {
        ugi = proxyTicket;
    } else if (useSecurity) {
        try {
            ugi = UserGroupInformation.getLoginUser();
        } catch (IOException e) {
            LOG.error("Unexpected error: Unable to get authenticated user after "
                    + "apparent successful login! Exception follows.", e);
            return false;
        }
    }
    if (ugi != null) {
        // dump login information
        AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
        LOG.info("Auth method: {}", authMethod);
        LOG.info(" User name: {}", ugi.getUserName());
        LOG.info(" Using keytab: {}", ugi.isFromKeytab());
        if (authMethod == AuthenticationMethod.PROXY) {
            // For a proxy identity, also record the real (login) user behind it so
            // the log shows both sides of the impersonation.
            UserGroupInformation superUser;
            try {
                superUser = UserGroupInformation.getLoginUser();
                LOG.info(" Superuser auth: {}", superUser.getAuthenticationMethod());
                LOG.info(" Superuser name: {}", superUser.getUserName());
                LOG.info(" Superuser using keytab: {}", superUser.isFromKeytab());
            } catch (IOException e) {
                LOG.error("Unexpected error: unknown superuser impersonating proxy.", e);
                return false;
            }
        }
        LOG.info("Logged in as user {}", ugi.getUserName());
        return true;
    }
    // No security and no proxy user configured: nothing to authenticate.
    return true;
}