List of usage examples for org.apache.hadoop.security UserGroupInformation createProxyUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createProxyUser(String user, UserGroupInformation realUser)
From source file:org.apache.hawq.pxf.service.servlet.SecurityServletFilter.java
License:Apache License
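/**
 * If user impersonation is configured, reads the impersonated user name from the expected
 * request header and runs the rest of the filter chain as a proxy user created on top of the
 * login user. Without impersonation the chain is invoked directly.
 *
 * <p>A missing or blank header is rejected with an {@link IllegalArgumentException}; how that
 * is turned into an HTTP response is decided outside this method.
 *
 * <p>Security note: the user name is taken verbatim from a request header. Nothing in this
 * method authenticates that value or checks that the login user is allowed to impersonate it,
 * so both have to be enforced elsewhere (authentication in front of this filter and Hadoop's
 * proxy-user authorization on the services being called) - TODO confirm for the deployment.
 *
 * @param request http request
 * @param response http response
 * @param chain filter chain
 * @throws IOException if the chain fails with an I/O error
 * @throws ServletException if the chain fails under the proxy user or the call is interrupted
 */
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
        throws IOException, ServletException {

    if (!SecureLogin.isUserImpersonationEnabled()) {
        // no user impersonation is configured
        chain.doFilter(request, response);
        return;
    }

    // retrieve user header and make sure header is present and is not empty
    final String user = ((HttpServletRequest) request).getHeader(USER_HEADER);
    if (user == null) {
        throw new IllegalArgumentException(MISSING_HEADER_ERROR);
    } else if (user.trim().isEmpty()) {
        throw new IllegalArgumentException(EMPTY_HEADER_ERROR);
    }

    // TODO refresh Kerberos token when security is enabled

    // prepare privileged action to run on behalf of proxy user
    // NOTE(review): the header value is written to the debug log unmodified; if the log is
    // consumed by other tooling, consider neutralising line breaks before logging it.
    PrivilegedExceptionAction<Boolean> action = new PrivilegedExceptionAction<Boolean>() {
        @Override
        public Boolean run() throws IOException, ServletException {
            LOG.debug("Performing request chain call for proxy user = " + user);
            chain.doFilter(request, response);
            return true;
        }
    };

    // create proxy user UGI from the UGI of the logged in user and execute the servlet chain as that user
    UserGroupInformation proxyUGI = null;
    try {
        LOG.debug("Creating proxy user = " + user);
        proxyUGI = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
        proxyUGI.doAs(action);
    } catch (UndeclaredThrowableException ute) {
        // unwrap the real exception thrown by the action
        throw new ServletException(ute.getCause());
    } catch (InterruptedException ie) {
        // restore the interrupt flag so the container thread can still observe the interruption
        Thread.currentThread().interrupt();
        throw new ServletException(ie);
    } finally {
        try {
            if (proxyUGI != null) {
                // release the FileSystem instances held for this UGI so they do not pile up per request
                LOG.debug("Closing FileSystem for proxy user = " + proxyUGI.getUserName());
                FileSystem.closeAllForUGI(proxyUGI);
            }
        } catch (Throwable t) {
            // best-effort cleanup: never mask the outcome of the request, but keep the cause in the log
            LOG.warn("Error closing FileSystem for proxy user = " + proxyUGI.getUserName(), t);
        }
    }
}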
From source file:org.apache.hawq.pxf.service.UGIProvider.java
License:Apache License
/**
 * Builds the {@link UserGroupInformation} used to impersonate a user, with the process
 * login user as the real user behind the proxy.
 *
 * <p>No validation or authorization of {@code effectiveUser} happens here; callers are
 * responsible for where that name comes from.
 *
 * @param effectiveUser the name of the user that we want to impersonate
 * @return a {@link UserGroupInformation} for impersonation
 * @throws IOException propagated from the Hadoop calls made here
 */
UserGroupInformation createProxyUGI(String effectiveUser) throws IOException {
    final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
    return UserGroupInformation.createProxyUser(effectiveUser, loginUgi);
}
From source file:org.apache.hcatalog.templeton.UgiFactory.java
License:Apache License
/**
 * Returns the proxy UGI cached for {@code user}, creating and caching one on first use.
 *
 * <p>The new UGI is a proxy of the login user. When two threads miss the cache at the same
 * time, {@code putIfAbsent} keeps the first entry and both callers get that one back.
 *
 * <p>NOTE(review): the map's type and eviction policy are not visible here. If user names
 * can be supplied by remote callers, confirm the cache cannot grow without bound.
 *
 * @param user name of the user to impersonate
 * @return the UGI stored in the cache for {@code user}
 * @throws IOException propagated from the Hadoop calls made here
 */
static UserGroupInformation getUgi(String user) throws IOException {
    final UserGroupInformation cached = userUgiMap.get(user);
    if (cached != null) {
        return cached;
    }

    // cache miss: build a candidate proxy UGI on top of the login user
    final UserGroupInformation candidate =
        UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());

    // if another thread stored an entry first, the candidate is discarded
    userUgiMap.putIfAbsent(user, candidate);

    // hand back whatever the map holds now
    return userUgiMap.get(user);
}
From source file:org.apache.hive.hcatalog.streaming.HiveEndPoint.java
License:Apache License
/**
 * Creates a proxy UGI for {@code user} with the login user as the real user.
 *
 * <p>An {@link IOException} from the Hadoop calls is logged and rethrown as
 * {@code ImpersonationFailed}, keeping the original exception as the cause.
 *
 * @param user name of the user to impersonate
 * @return the proxy UGI for {@code user}
 * @throws ImpersonationFailed if the proxy UGI cannot be created
 */
private static UserGroupInformation getUserGroupInfo(String user) throws ImpersonationFailed {
    final UserGroupInformation proxyUgi;
    try {
        final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
        proxyUgi = UserGroupInformation.createProxyUser(user, loginUgi);
    } catch (IOException e) {
        LOG.error("Unable to get UserGroupInfo for user : " + user, e);
        throw new ImpersonationFailed(user, e);
    }
    return proxyUgi;
}
From source file:org.apache.hive.hcatalog.templeton.UgiFactory.java
License:Apache License
/**
 * Looks up the proxy UGI for {@code user} in the shared map and creates it when absent.
 *
 * <p>Creation is not locked: a thread that loses the race to {@code putIfAbsent} drops its
 * own instance and returns the one already stored.
 *
 * <p>NOTE(review): entries are never removed in this method. If {@code user} can come from
 * remote requests, verify that the map's size is bounded elsewhere.
 *
 * @param user name of the user to impersonate
 * @return the UGI held in the map for {@code user}
 * @throws IOException propagated from the Hadoop calls made here
 */
public static UserGroupInformation getUgi(String user) throws IOException {
    UserGroupInformation result = userUgiMap.get(user);
    if (result == null) {
        // nothing cached yet: create a proxy of the login user for this name
        final UserGroupInformation fresh =
            UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
        // only stored when no other thread got there first
        userUgiMap.putIfAbsent(user, fresh);
        // use the UGI object that actually ended up in the map
        result = userUgiMap.get(user);
    }
    return result;
}
From source file:org.apache.hive.service.auth.HiveAuthFactory.java
License:Apache License
/**
 * Checks that {@code realUser} may act as {@code proxyUser} from {@code ipAddress}.
 *
 * <p>A session UGI is built for the real user (a proxy of the login user when Hadoop
 * security is enabled, a plain remote user otherwise). If the two names differ, the proxy
 * rules are reloaded from {@code hiveConf} and {@code ProxyUsers.authorize} decides.
 *
 * <p>NOTE(review): the names are compared with {@code equalsIgnoreCase}, so names differing
 * only by case skip the authorization call. The comparison also uses the raw
 * {@code realUser} string, not the Kerberos-derived name used for the session UGI. Confirm
 * both match how user names are mapped on the cluster.
 *
 * @param realUser the authenticated user asking to impersonate
 * @param proxyUser the user to be impersonated
 * @param ipAddress address the request came from, passed to the authorization check
 * @param hiveConf configuration holding the proxy-user rules
 * @throws HiveSQLException if an {@link IOException} is raised while validating the proxy privilege
 */
public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress,
        HiveConf hiveConf) throws HiveSQLException {
    try {
        final UserGroupInformation sessionUgi;
        if (!UserGroupInformation.isSecurityEnabled()) {
            sessionUgi = UserGroupInformation.createRemoteUser(realUser);
        } else {
            KerberosNameShim kerberosName = ShimLoader.getHadoopShims().getKerberosNameShim(realUser);
            String serviceName = kerberosName.getServiceName();
            UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
            sessionUgi = UserGroupInformation.createProxyUser(serviceName, loginUgi);
        }

        // same user on both sides: nothing to authorize
        if (proxyUser.equalsIgnoreCase(realUser)) {
            return;
        }

        // reload the proxy-user rules before every check so configuration changes take effect
        ProxyUsers.refreshSuperUserGroupsConfiguration(hiveConf);
        UserGroupInformation requestedUgi = UserGroupInformation.createProxyUser(proxyUser, sessionUgi);
        ProxyUsers.authorize(requestedUgi, ipAddress, hiveConf);
    } catch (IOException e) {
        throw new HiveSQLException("Failed to validate proxy privilege of " + realUser + " for " + proxyUser,
                "08S01", e);
    }
}
From source file:org.apache.hive.service.cli.session.HiveSessionImplwithUGI.java
License:Apache License
/**
 * Sets the session UGI used to run operations as {@code owner}.
 *
 * <p>With Hadoop security enabled the UGI is a proxy of the login user; otherwise it is a
 * plain remote-user UGI.
 *
 * <p>NOTE(review): no proxy-privilege check is made in this method; presumably the caller
 * has already authorized the impersonation. Verify against the call sites.
 *
 * @param owner user name to impersonate; must not be {@code null}
 * @throws HiveSQLException if {@code owner} is {@code null} or the proxy UGI cannot be set up
 */
public void setSessionUGI(String owner) throws HiveSQLException {
    if (owner == null) {
        throw new HiveSQLException("No username provided for impersonation");
    }

    if (!UserGroupInformation.isSecurityEnabled()) {
        sessionUgi = UserGroupInformation.createRemoteUser(owner);
        return;
    }

    try {
        sessionUgi = UserGroupInformation.createProxyUser(owner, UserGroupInformation.getLoginUser());
    } catch (IOException e) {
        throw new HiveSQLException("Couldn't setup proxy user", e);
    }
}
From source file:org.apache.hive.service.cli.thrift.DisconnectCleanupEventHandler.java
License:Apache License
/**
 * Runs {@code cleanupSession()} as a proxy user built from {@code getUser()} on top of the
 * login user.
 *
 * @throws IOException propagated from the Hadoop calls or from {@code doAs}
 * @throws InterruptedException if the {@code doAs} call is interrupted
 */
private void closeSessionDoAs() throws IOException, InterruptedException {
    final UserGroupInformation proxyUgi =
        UserGroupInformation.createProxyUser(getUser(), UserGroupInformation.getLoginUser());

    final PrivilegedExceptionAction<Boolean> cleanup = new PrivilegedExceptionAction<Boolean>() {
        @Override
        public Boolean run() throws HiveSQLException {
            cleanupSession();
            // the result is ignored; the action only needs some return value
            return true;
        }
    };

    proxyUgi.doAs(cleanup);
}
From source file:org.apache.ignite.internal.processors.hadoop.impl.delegate.HadoopKerberosFileSystemFactoryDelegate.java
License:Apache License
/**
 * {@inheritDoc}
 *
 * <p>The file system is obtained inside {@code doAs} for a proxy UGI of {@code usrName}
 * whose real user is the login user. The working directory is applied when one is set.
 */
@Override
protected FileSystem create(String usrName) throws IOException, InterruptedException {
    final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
    final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(usrName, loginUgi);

    final PrivilegedExceptionAction<FileSystem> openFs = new PrivilegedExceptionAction<FileSystem>() {
        @Override
        public FileSystem run() throws Exception {
            FileSystem created = FileSystem.get(fullUri, cfg);

            // a working directory is optional; leave the file system default when none is set
            if (workDir != null) {
                created.setWorkingDirectory(workDir);
            }

            return created;
        }
    };

    return proxyUgi.doAs(openFs);
}
From source file:org.apache.oozie.action.hadoop.HbaseCredentials.java
License:Apache License
/**
 * Obtains an authentication token as the workflow's user and adds it to the job credentials.
 *
 * <p>The token request runs under a proxy UGI of the workflow user, with the login user as
 * the real user. The token is stored in {@code jobConf} under its own service name.
 *
 * @param jobConf job configuration used to obtain the token and to receive it
 * @param context action context supplying the workflow and its user
 * @throws IOException propagated from the Hadoop calls or the token request
 * @throws InterruptedException if the privileged call is interrupted
 */
private void obtainToken(final JobConf jobConf, Context context) throws IOException, InterruptedException {
    final String workflowUser = context.getWorkflow().getUser();
    final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
    final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(workflowUser, loginUgi);
    final User proxyUser = User.create(proxyUgi);

    // A direct doAs is required here vs. User#obtainAuthTokenForJob(...)
    // See OOZIE-2419 for more
    final PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>> fetchToken =
        new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
            @Override
            public Token<AuthenticationTokenIdentifier> run() throws Exception {
                return TokenUtil.obtainToken(jobConf);
            }
        };

    final Token<AuthenticationTokenIdentifier> token = proxyUser.runAs(fetchToken);
    jobConf.getCredentials().addToken(token.getService(), token);
}