List of usage examples for org.apache.hadoop.security.UserGroupInformation.createProxyUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createProxyUser(String user, UserGroupInformation realUser)
From source file:com.intel.hadoopRPCBenchmark.BenchmarkEngineTokenIdentifier.java
License:Apache License
/**
 * Builds the caller identity described by this token identifier.
 *
 * <p>When {@code realUser} is empty the result is a plain remote user named after
 * {@code tokenid}. Otherwise {@code tokenid} is wrapped as a proxy user whose real
 * (impersonating) user is {@code realUser}.
 *
 * <p>NOTE(review): both names are taken from this identifier's own fields and are not
 * checked here; presumably the token has been verified before this identity is trusted
 * for authorization. Confirm against the caller.
 *
 * @return the user, or proxy user, named by this identifier
 */
@Override
public UserGroupInformation getUser() {
    final String realName = realUser.toString();
    if (!realName.isEmpty()) {
        // A real user is recorded: tokenid acts on its own behalf, realUser impersonates.
        final UserGroupInformation realUgi = UserGroupInformation.createRemoteUser(realName);
        return UserGroupInformation.createProxyUser(tokenid.toString(), realUgi);
    }
    // No real user recorded: the token owner is the effective user.
    return UserGroupInformation.createRemoteUser(tokenid.toString());
}
From source file:com.rim.logdriver.sawmill.Authenticator.java
License:Apache License
/**
 * Performs the (optional) Kerberos keytab login and the (optional) proxy-user setup for
 * one proxy user name, and records the result in {@code proxyUserMap}.
 *
 * <p>Returns {@code false} when, in secure mode, the principal or keytab is not
 * configured, the principal cannot be resolved, or the keytab login fails; and in either
 * mode when the proxy user or the login user cannot be obtained. Returns {@code true}
 * otherwise, including the case where security is disabled and no proxy user is given
 * (nothing is stored in {@code proxyUserMap} in that case).
 *
 * <p>Side effects visible here: calls {@code System.exit(1)} when the login user is not
 * keytab-based or cannot be read; updates {@code staticLogin}; logs the principal,
 * keytab path and user names.
 *
 * <p>NOTE(review): {@code proxyUserName} is only tested for emptiness before it is handed
 * to {@code createProxyUser}; this method performs no authorization of the impersonation.
 * Presumably the cluster-side proxy-user rules decide whether the login user may act as
 * that name. Confirm the name cannot be chosen freely by an untrusted party.
 *
 * @param proxyUserName user to impersonate; empty means "no impersonation". A
 *        {@code null} value is not handled ({@code isEmpty()} is called on it directly).
 * @return {@code true} on success (see above), {@code false} on a recoverable failure
 */
private boolean authenticate(String proxyUserName) {
    UserGroupInformation proxyTicket;
    // logic for kerberos login
    boolean useSecurity = UserGroupInformation.isSecurityEnabled();
    LOG.info("Hadoop Security enabled: " + useSecurity);
    if (useSecurity) {
        // sanity checking
        if (kerbConfPrincipal.isEmpty()) {
            LOG.error("Hadoop running in secure mode, but Flume config doesn't "
                    + "specify a principal to use for Kerberos auth.");
            return false;
        }
        if (kerbKeytab.isEmpty()) {
            LOG.error("Hadoop running in secure mode, but Flume config doesn't "
                    + "specify a keytab to use for Kerberos auth.");
            return false;
        }
        String principal;
        try {
            // resolves _HOST pattern using standard Hadoop search/replace
            // via DNS lookup when 2nd argument is empty
            principal = SecurityUtil.getServerPrincipal(kerbConfPrincipal, "");
        } catch (IOException e) {
            LOG.error("Host lookup error resolving kerberos principal (" + kerbConfPrincipal
                    + "). Exception follows.", e);
            return false;
        }
        Preconditions.checkNotNull(principal, "Principal must not be null");
        KerberosUser prevUser = staticLogin.get();
        KerberosUser newUser = new KerberosUser(principal, kerbKeytab);
        // be cruel and unusual when user tries to login as multiple principals
        // this isn't really valid with a reconfigure but this should be rare
        // enough to warrant a restart of the agent JVM
        // TODO: find a way to interrogate the entire current config state,
        // since we don't have to be unnecessarily protective if they switch all
        // HDFS sinks to use a different principal all at once.
        Preconditions.checkState(prevUser == null || prevUser.equals(newUser),
                "Cannot use multiple kerberos principals in the same agent. "
                        + " Must restart agent to use new principal or keytab. "
                        + "Previous = %s, New = %s", prevUser, newUser);
        // attempt to use cached credential if the user is the same
        // this is polite and should avoid flooding the KDC with auth requests
        UserGroupInformation curUser = null;
        if (prevUser != null && prevUser.equals(newUser)) {
            try {
                curUser = UserGroupInformation.getLoginUser();
            } catch (IOException e) {
                // Deliberately non-fatal: curUser stays null and a fresh login follows.
                LOG.warn("User unexpectedly had no active login. Continuing with "
                        + "authentication", e);
            }
        }
        if (curUser == null || !curUser.getUserName().equals(principal)) {
            try {
                // static login
                kerberosLogin(this, principal, kerbKeytab);
            } catch (IOException e) {
                LOG.error("Authentication or file read error while attempting to "
                        + "login as kerberos principal (" + principal + ") using "
                        + "keytab (" + kerbKeytab + "). Exception follows.", e);
                return false;
            }
        } else {
            LOG.debug("{}: Using existing principal login: {}", this, curUser);
        }
        // Hard requirement: the process-wide login must be keytab-based. Anything else
        // terminates the JVM rather than returning false.
        try {
            if (UserGroupInformation.getLoginUser().isFromKeytab() == false) {
                LOG.error("Not using a keytab for authentication. Shutting down.");
                System.exit(1);
            }
        } catch (IOException e) {
            LOG.error("Failed to get login user.", e);
            System.exit(1);
        }
        // we supposedly got through this unscathed... so store the static user
        staticLogin.set(newUser);
    }
    // hadoop impersonation works with or without kerberos security
    proxyTicket = null;
    if (!proxyUserName.isEmpty()) {
        try {
            // The login user is the real (impersonating) user; proxyUserName is the
            // effective user. No permission check is made at this point.
            proxyTicket = UserGroupInformation.createProxyUser(proxyUserName,
                    UserGroupInformation.getLoginUser());
        } catch (IOException e) {
            LOG.error("Unable to login as proxy user. Exception follows.", e);
            return false;
        }
    }
    // Effective identity: the proxy user if one was requested, else the login user when
    // security is on, else none.
    UserGroupInformation ugi = null;
    if (proxyTicket != null) {
        ugi = proxyTicket;
    } else if (useSecurity) {
        try {
            ugi = UserGroupInformation.getLoginUser();
        } catch (IOException e) {
            LOG.error("Unexpected error: Unable to get authenticated user after "
                    + "apparent successful login! Exception follows.", e);
            return false;
        }
    }
    if (ugi != null) {
        // dump login information
        AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
        LOG.info("Auth method: {}", authMethod);
        LOG.info(" User name: {}", ugi.getUserName());
        LOG.info(" Using keytab: {}", ugi.isFromKeytab());
        if (authMethod == AuthenticationMethod.PROXY) {
            UserGroupInformation superUser;
            try {
                superUser = UserGroupInformation.getLoginUser();
                LOG.info(" Superuser auth: {}", superUser.getAuthenticationMethod());
                LOG.info(" Superuser name: {}", superUser.getUserName());
                LOG.info(" Superuser using keytab: {}", superUser.isFromKeytab());
            } catch (IOException e) {
                LOG.error("Unexpected error: unknown superuser impersonating proxy.", e);
                return false;
            }
        }
        LOG.info("Logged in as user {}", ugi.getUserName());
        UGIState state = new UGIState();
        // NOTE(review): this stores proxyTicket, not ugi. When proxyUserName is empty and
        // security is enabled, proxyTicket is null here, so the cached state holds a null
        // ugi under the empty-string key. Confirm readers of proxyUserMap expect that.
        state.ugi = proxyTicket;
        state.lastAuthenticated = System.currentTimeMillis();
        proxyUserMap.put(proxyUserName, state);
        return true;
    }
    return true;
}
From source file:com.streamsets.datacollector.security.HadoopSecurityUtil.java
License:Apache License
/**
 * Creates a proxy user for {@code user} on top of {@code loginUser}, holding the lock
 * returned by {@code SecurityUtil.getSubjectDomainLock} for the current access-control
 * context while doing so.
 *
 * <p>NOTE(review): the reason for the lock is not visible here; presumably it serializes
 * Subject-related work that shares the same context. Confirm against SecurityUtil.
 *
 * @param user name of the user to impersonate
 * @param loginUser the real (impersonating) user
 * @return the proxy {@link UserGroupInformation}
 */
public static UserGroupInformation getProxyUser(String user, UserGroupInformation loginUser) {
    final AccessControlContext callerContext = AccessController.getContext();
    final Object subjectDomainLock = SecurityUtil.getSubjectDomainLock(callerContext);
    synchronized (subjectDomainLock) {
        final UserGroupInformation proxied = UserGroupInformation.createProxyUser(user, loginUser);
        return proxied;
    }
}
From source file:com.streamsets.pipeline.stage.destination.hbase.HBaseTarget.java
License:Apache License
/**
 * Picks the identity used for HBase access: the login user itself when no
 * {@code hbaseUser} is configured (empty string), otherwise a proxy user for
 * {@code hbaseUser} backed by the login user.
 *
 * <p>NOTE(review): {@code hbaseUser} is not validated here and a {@code null} value is
 * not handled. Whether the login user may impersonate that name is presumably enforced
 * by the cluster's proxy-user configuration, not by this method.
 *
 * @return the login user or a proxy user built on top of it
 */
private UserGroupInformation getUGI() {
    if (hbaseUser.isEmpty()) {
        return loginUgi;
    }
    return UserGroupInformation.createProxyUser(hbaseUser, loginUgi);
}
From source file:com.streamsets.pipeline.stage.destination.hdfs.HdfsTarget.java
License:Apache License
/**
 * Picks the identity used for HDFS access: the login user itself when no
 * {@code hdfsUser} is configured (empty string), otherwise a proxy user for
 * {@code hdfsUser} backed by the login user.
 *
 * <p>NOTE(review): {@code hdfsUser} is not validated here and a {@code null} value is
 * not handled. Whether the login user may impersonate that name is presumably enforced
 * by the cluster's proxy-user configuration, not by this method.
 *
 * @return the login user or a proxy user built on top of it
 */
private UserGroupInformation getUGI() {
    if (hdfsUser.isEmpty()) {
        return loginUgi;
    }
    return UserGroupInformation.createProxyUser(hdfsUser, loginUgi);
}
From source file:com.streamsets.pipeline.stage.origin.hdfs.cluster.ClusterHdfsSource.java
License:Apache License
/**
 * Picks the identity used for HDFS access: the login user itself when {@code hdfsUser}
 * is {@code null} or empty, otherwise a proxy user for {@code hdfsUser} backed by the
 * login user.
 *
 * <p>NOTE(review): beyond the null/empty test, {@code hdfsUser} is not validated here.
 * Whether the login user may impersonate that name is presumably enforced by the
 * cluster's proxy-user configuration, not by this method.
 *
 * @return the login user or a proxy user built on top of it
 */
private UserGroupInformation getUGI() {
    final boolean impersonationRequested = hdfsUser != null && !hdfsUser.isEmpty();
    if (!impersonationRequested) {
        return loginUgi;
    }
    return UserGroupInformation.createProxyUser(hdfsUser, loginUgi);
}
From source file:com.thinkbiganalytics.kerberos.TestKerberosKinit.java
License:Apache License
/**
 * Manual check that HDFS can be reached while impersonating {@code proxyUser}.
 *
 * <p>Obtains a Kerberos-backed login from the keytab and principal, wraps it in a proxy
 * user, and runs {@code searchHDFS} on {@code /user} as that proxy user. Progress is
 * printed to standard output. Any failure is caught, reported on standard output and its
 * stack trace printed; nothing is rethrown to the caller.
 *
 * @param configResources configuration resources passed to {@code createConfigurationFromList}
 * @param keytab keytab used to obtain the Kerberos ticket
 * @param principal Kerberos principal to log in as
 * @param proxyUser user to impersonate on top of the Kerberos login
 * @param environment passed through to {@code searchHDFS}
 * @param hdfsUrl passed through to {@code searchHDFS}
 */
private void testHdfsWithUserImpersonation(final String configResources, final String keytab,
        final String principal, String proxyUser, final String environment, final String hdfsUrl) {
    final String path = "/user";
    try {
        final Configuration configuration =
                TestKerberosKinit.createConfigurationFromList(configResources);
        final UserGroupInformation kerberosLogin =
                TestKerberosKinit.generateKerberosTicket(configuration, keytab, principal);

        System.out.println(" ");
        System.out.println("Sucessfully got a kerberos ticket in the JVM");
        System.out.println("current user is: " + kerberosLogin.getUserName());

        // The Kerberos login is the real user; proxyUser becomes the effective user.
        final UserGroupInformation impersonated =
                UserGroupInformation.createProxyUser(proxyUser, kerberosLogin);
        System.out.println("proxy user is: " + impersonated.getUserName());

        final PrivilegedExceptionAction<Object> hdfsSearch = new PrivilegedExceptionAction<Object>() {
            public Object run() {
                try {
                    searchHDFS(configuration, environment, path, hdfsUrl);
                } catch (Exception e) {
                    throw new RuntimeException("Error testing HDFS with Kerberos Hive Impersonation", e);
                }
                return null;
            }
        };
        impersonated.doAs(hdfsSearch);
    } catch (Exception e) {
        System.out.println("Error testing HDFS\n\n");
        e.printStackTrace();
    }
}
From source file:com.trendmicro.hdfs.webdav.HDFSResource.java
License:Apache License
/**
 * Sets the identity this resource acts as.
 *
 * <p>A non-null {@code user} replaces the stored identity with a proxy user for that name
 * backed by the process login user. If no identity is stored afterwards (that is,
 * {@code user} was {@code null} and none was set before), the current user is stored.
 *
 * <p>NOTE(review): apart from the null test the name is not validated or authorized
 * here. If it originates from a client request, impersonation is limited only by
 * whatever the cluster's proxy-user configuration allows for the login user. Confirm
 * where callers obtain it.
 *
 * @param user name to impersonate, or {@code null} to keep the existing identity
 * @throws IOException if the login user or current user cannot be determined
 */
public void setProxyUser(final String user) throws IOException {
    final boolean nameSupplied = user != null;
    if (nameSupplied) {
        final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
        this.user = UserGroupInformation.createProxyUser(user, loginUgi);
    }
    if (this.user != null) {
        return;
    }
    // Nothing requested and nothing stored: fall back to the caller's own identity.
    this.user = UserGroupInformation.getCurrentUser();
}
From source file:gobblin.hadoop.token.TokenUtils.java
License:Open Source License
/**
 * Runs {@code getFsAndJtTokensImpl}, either directly or as a proxy user.
 *
 * <p>When {@code userToProxy} is present, the work runs inside {@code doAs} of a proxy
 * user for that name backed by the login user; otherwise it runs as the caller.
 *
 * <p>NOTE(review): the proxied name is used as given, with no check in this method.
 * Presumably any tokens collected into {@code cred} are then issued for that user, so the
 * source of {@code userToProxy} should be trusted configuration. Confirm.
 *
 * @param state passed through to {@code getFsAndJtTokensImpl}
 * @param conf passed through to {@code getFsAndJtTokensImpl}
 * @param userToProxy optional name of the user to impersonate
 * @param cred passed through to {@code getFsAndJtTokensImpl}
 * @throws IOException declared by the login-user lookup and by {@code doAs}
 * @throws InterruptedException declared by {@code doAs}
 */
private static void getFsAndJtTokens(final State state, final Configuration conf,
        final Optional<String> userToProxy, final Credentials cred)
        throws IOException, InterruptedException {
    if (!userToProxy.isPresent()) {
        // No impersonation requested: run as the calling identity.
        getFsAndJtTokensImpl(state, conf, cred);
        return;
    }

    final UserGroupInformation proxied =
            UserGroupInformation.createProxyUser(userToProxy.get(), UserGroupInformation.getLoginUser());
    final PrivilegedExceptionAction<Void> fetchTokens = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            getFsAndJtTokensImpl(state, conf, cred);
            return null;
        }
    };
    proxied.doAs(fetchTokens);
}
From source file:gobblin.util.ProxiedFileSystemUtils.java
License:Apache License
/** * Create a {@link FileSystem} that can perform any operations allowed the by the specified userNameToProxyAs. The * method first proxies as userNameToProxyAs, and then adds the specified {@link Token} to the given * {@link UserGroupInformation} object. It then uses the {@link UserGroupInformation#doAs(PrivilegedExceptionAction)} * method to create a {@link FileSystem}. * * @param userNameToProxyAs The name of the user the super user should proxy as * @param userNameToken The {@link Token} to add to the proxied user's {@link UserGroupInformation}. * @param fsURI The {@link URI} for the {@link FileSystem} that should be created * @param conf The {@link Configuration} for the {@link FileSystem} that should be created * * @return a {@link FileSystem} that can execute commands on behalf of the specified userNameToProxyAs */// ww w . j ava2 s. c om static FileSystem createProxiedFileSystemUsingToken(@NonNull String userNameToProxyAs, @NonNull Token<?> userNameToken, URI fsURI, Configuration conf) throws IOException, InterruptedException { UserGroupInformation ugi = UserGroupInformation.createProxyUser(userNameToProxyAs, UserGroupInformation.getLoginUser()); ugi.addToken(userNameToken); return ugi.doAs(new ProxiedFileSystem(fsURI, conf)); }