List of usage examples for org.apache.hadoop.security UserGroupInformation createRemoteUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createRemoteUser(String user)
From source file:org.apache.hama.bsp.JobImpl.java
License:Apache License
/**
 * Creates a {@link ContainerManagementProtocol} proxy for one NodeManager while running
 * as a remote-user identity built for {@code user}.
 *
 * <p>The identity comes from {@code UserGroupInformation.createRemoteUser(user)}. The only
 * credential this method attaches to it is the NM token, and only when one is supplied.
 *
 * @param rpc RPC factory used to create the proxy
 * @param nmToken NodeManager token to attach to the identity; skipped when {@code null}
 * @param nodeId supplies the host and port of the target NodeManager
 * @param user name the remote-user identity is created for
 * @return the proxy obtained from {@code rpc.getProxy} for the NodeManager address
 */
protected ContainerManagementProtocol getContainerManagementProtocolProxy(final YarnRPC rpc, Token nmToken,
    NodeId nodeId, String user) {
  final UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(user);
  final InetSocketAddress nodeAddress = NetUtils.createSocketAddr(nodeId.getHost(), nodeId.getPort());

  // With no token the proxy is still created, carrying no credential added here.
  // NOTE(review): confirm callers never pass a null token when security is enabled.
  if (nmToken != null) {
    remoteUser.addToken(ConverterUtils.convertFromYarn(nmToken, nodeAddress));
  }

  // The proxy is created inside doAs so it is bound to remoteUser rather than to the
  // identity of the calling thread.
  return remoteUser.doAs(new PrivilegedAction<ContainerManagementProtocol>() {
    @Override
    public ContainerManagementProtocol run() {
      Object client = rpc.getProxy(ContainerManagementProtocol.class, nodeAddress, conf);
      return (ContainerManagementProtocol) client;
    }
  });
}
From source file:org.apache.hama.ipc.ConnectionHeader.java
License:Apache License
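/**
 * Reads the connection header: the protocol name followed by an optional user identity.
 *
 * <p>Wire layout, in order: protocol string (empty is stored as {@code null}), a boolean
 * telling whether a user name follows, the user name, a boolean telling whether a real
 * user name follows, and the real user name. With a real user present, {@code ugi} becomes
 * a proxy user for the user name on top of the real user; otherwise a plain remote user.
 *
 * <p>Every name read here is whatever the peer sent. Nothing in this method authenticates
 * it, so {@code ugi} is a claimed identity until another layer verifies it.
 *
 * @param in input positioned at the start of the header
 * @throws IOException if the input cannot be read, or if a name flagged as present is empty
 */
@Override
public void readFields(DataInput in) throws IOException {
  final String protocolName = Text.readString(in);
  protocol = protocolName.isEmpty() ? null : protocolName;

  if (!in.readBoolean()) {
    ugi = null;
    return;
  }

  // Consume the whole identity section before validating, so the read position does not
  // depend on whether validation fails.
  final String username = in.readUTF();
  final boolean realUserNamePresent = in.readBoolean();
  final String realUserName = realUserNamePresent ? in.readUTF() : null;

  // createRemoteUser and createProxyUser reject an empty name with an unchecked
  // IllegalArgumentException. A malformed header from the peer is reported as an
  // IOException instead, which is the failure type this method declares.
  if (username.isEmpty()) {
    throw new IOException("Connection header carries an empty user name");
  }
  if (realUserNamePresent && realUserName.isEmpty()) {
    throw new IOException("Connection header carries an empty real user name");
  }

  if (realUserNamePresent) {
    UserGroupInformation realUserUgi = UserGroupInformation.createRemoteUser(realUserName);
    ugi = UserGroupInformation.createProxyUser(username, realUserUgi);
  } else {
    ugi = UserGroupInformation.createRemoteUser(username);
  }
}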
From source file:org.apache.hawq.ranger.authorization.RangerHawqAuthorizer.java
License:Apache License
/**
 * Looks up the groups of {@code user} through {@code UserGroupInformation}.
 *
 * <p>The lookup is best effort: any failure is logged at WARN and yields an empty set
 * rather than an exception.
 *
 * @param user user name
 * @return the user's groups, or an empty set when none were returned or the lookup failed
 */
private Set<String> getUserGroups(String user) {
  String[] groupNames = null;
  try {
    groupNames = UserGroupInformation.createRemoteUser(user).getGroupNames();
    if (LOG.isDebugEnabled()) {
      LOG.debug(String.format("Determined user=%s belongs to groups=%s", user, Arrays.toString(groupNames)));
    }
  } catch (Throwable e) {
    // NOTE(review): a failed lookup is indistinguishable from "user has no groups" for the
    // caller; confirm that group-based policies evaluated on this result fail safe.
    LOG.warn("Failed to determine groups for user=" + user, e);
  }

  if (groupNames == null) {
    return Collections.<String>emptySet();
  }
  return new HashSet<String>(Arrays.asList(groupNames));
}
From source file:org.apache.hawq.ranger.authorization.RangerHawqAuthorizerTest.java
License:Apache License
/**
 * Expects the all-true response when the group lookup for {@code TEST_USER} yields
 * "foo" and "bar" and the mocked plugin allows the request matched by {@code UGIMatcher}.
 */
@Test
public void testAuthorize_allAllowed_group() throws Exception {
  // Group lookup: a mocked UGI that reports two groups.
  final String[] groups = new String[] { "foo", "bar" };
  UserGroupInformation groupSource = mock(UserGroupInformation.class);
  when(groupSource.getGroupNames()).thenReturn(groups);

  // The static factory must be mocked before it is stubbed, so createRemoteUser hands back
  // the mocked UGI instead of performing a real lookup.
  PowerMockito.mockStatic(UserGroupInformation.class);
  when(UserGroupInformation.createRemoteUser(TEST_USER)).thenReturn(groupSource);

  // Policy decision: allow the request that UGIMatcher accepts for this user and groups.
  when(mockRangerPlugin.isAccessAllowed(argThat(new UGIMatcher(TEST_USER, "foo", "bar"))))
      .thenReturn(mockRangerAccessResult);
  when(mockRangerAccessResult.getIsAllowed()).thenReturn(true);

  testRequest(TEST_RESOURCE_REQUEST, TEST_RESOURCE_RESPONSE_ALL_TRUE);
}
From source file:org.apache.hcatalog.security.HdfsAuthorizationProvider.java
License:Apache License
/** * Checks the permissions for the given path and current user on Hadoop FS. If the given path * does not exists, it checks for it's parent folder. */// w w w. j av a 2 s .c o m protected static void checkPermissions(final Configuration conf, final Path path, final EnumSet<FsAction> actions) throws IOException, LoginException { if (path == null) { throw new IllegalArgumentException("path is null"); } HadoopShims shims = ShimLoader.getHadoopShims(); final UserGroupInformation ugi; if (conf.get(PROXY_USER_NAME) != null) { ugi = UserGroupInformation.createRemoteUser(conf.get(PROXY_USER_NAME)); } else { ugi = shims.getUGIForConf(conf); } final String user = shims.getShortUserName(ugi); final FileSystem fs = path.getFileSystem(conf); if (fs.exists(path)) { checkPermissions(fs, path, actions, user, ugi.getGroupNames()); } else if (path.getParent() != null) { // find the ancestor which exists to check it's permissions Path par = path.getParent(); while (par != null) { if (fs.exists(par)) { break; } par = par.getParent(); } checkPermissions(fs, par, actions, user, ugi.getGroupNames()); } }
From source file:org.apache.hcatalog.templeton.DeleteDelegator.java
License:Apache License
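/**
 * Kills the job {@code id} and, when the stored job state records a child id, that child
 * job as well, then returns the job's status.
 *
 * @param user name of the requesting user
 * @param id job id in string form
 * @return the status built by {@code StatusDelegator.makeStatus}
 * @throws BadParam if {@code id} cannot be converted to a job id, or if an
 *     {@link IllegalStateException} is raised while processing
 */
public QueueStatusBean run(String user, String id)
    throws NotAuthorizedException, BadParam, IOException, InterruptedException {
  // NOTE(review): this UGI is never used below, and nothing in this method compares
  // `user` with the owner of the job before killing it. Confirm that authorization is
  // enforced elsewhere. The call is kept because it still runs createRemoteUser on `user`.
  UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
  TempletonJobTracker tracker = null;
  JobState state = null;
  try {
    tracker = new TempletonJobTracker(appConf);
    JobID jobid = StatusDelegator.StringToJobID(id);
    if (jobid == null) {
      throw new BadParam("Invalid jobid: " + id);
    }
    tracker.killJob(jobid);

    state = new JobState(id, Main.getAppConfigInstance());
    String childid = state.getChildId();
    if (childid != null) {
      tracker.killJob(StatusDelegator.StringToJobID(childid));
    }
    return StatusDelegator.makeStatus(tracker, jobid, state);
  } catch (IllegalStateException e) {
    throw new BadParam(e.getMessage());
  } finally {
    // Nested so that a failure while closing the tracker cannot skip closing the state.
    try {
      if (tracker != null) {
        tracker.close();
      }
    } finally {
      if (state != null) {
        state.close();
      }
    }
  }
}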
From source file:org.apache.hcatalog.templeton.ListDelegator.java
License:Apache License
/**
 * Lists the ids of the jobs whose stored state names {@code user} as their user.
 *
 * <p>All jobs are fetched from the tracker first; the filtering by user happens here, by
 * comparing {@code user} with {@code JobState.getUser()} for each job.
 *
 * @param user name of the requesting user
 * @return ids of the matching jobs; empty when the tracker reports no jobs
 * @throws BadParam if an {@link IllegalStateException} is raised while processing
 */
public List<String> run(String user)
    throws NotAuthorizedException, BadParam, IOException, InterruptedException {
  // NOTE(review): this UGI is not used below; the tracker is built from appConf only.
  UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
  TempletonJobTracker tracker = null;
  try {
    tracker = new TempletonJobTracker(appConf);
    ArrayList<String> ownedIds = new ArrayList<String>();

    JobStatus[] allJobs = tracker.getAllJobs();
    if (allJobs == null) {
      return ownedIds;
    }

    for (JobStatus status : allJobs) {
      JobState state = null;
      try {
        String jobId = status.getJobID().toString();
        state = new JobState(jobId, Main.getAppConfigInstance());
        boolean ownedByCaller = user.equals(state.getUser());
        if (ownedByCaller) {
          ownedIds.add(jobId);
        }
      } finally {
        // Each per-job state is closed before moving on to the next job.
        if (state != null) {
          state.close();
        }
      }
    }
    return ownedIds;
  } catch (IllegalStateException e) {
    throw new BadParam(e.getMessage());
  } finally {
    if (tracker != null) {
      tracker.close();
    }
  }
}
From source file:org.apache.hive.hcatalog.templeton.Server.java
License:Apache License
/** * Get the user name from the security context, i.e. the user making the HTTP request. * With simple/pseudo security mode this should return the * value of user.name query param, in kerberos mode it's the kinit'ed user. */// ww w . j ava 2 s . com private String getRequestingUser() { if (theSecurityContext == null) { return null; } String userName = null; if (theSecurityContext.getUserPrincipal() == null) { userName = Main.UserNameHandler.getUserName(request); } else { userName = theSecurityContext.getUserPrincipal().getName(); } if (userName == null) { return null; } //map hue/foo.bar@something.com->hue since user group checks // and config files are in terms of short name return UserGroupInformation.createRemoteUser(userName).getShortUserName(); }
From source file:org.apache.hive.http.HttpServer.java
License:Apache License
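/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * <p>The check denies by default: a missing ACL, or a {@code null} or empty user name,
 * yields {@code false}. The user is turned into a {@code UserGroupInformation} only once
 * there is an ACL to test it against.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set,
 *         the user name is null or empty, or the user is not present
 */
static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) {
  AccessControlList adminsAcl = (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
  if (adminsAcl == null) {
    return false;
  }
  // createRemoteUser throws IllegalArgumentException for a null or empty name. Treat a
  // request with no user as "not an administrator" instead of failing with an exception.
  if (remoteUser == null || remoteUser.isEmpty()) {
    return false;
  }
  UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser);
  return adminsAcl.isUserAllowed(remoteUserUGI);
}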
From source file:org.apache.hive.service.auth.HiveAuthFactory.java
License:Apache License
/**
 * Verifies that {@code realUser} is allowed to act as {@code proxyUser} from
 * {@code ipAddress}.
 *
 * <p>With security enabled, the session identity is a proxy user named by the service
 * name of {@code realUser}'s Kerberos name, on top of the login user. Otherwise it is a
 * plain remote user for {@code realUser}. {@code ProxyUsers.authorize} is consulted only
 * when the two names differ.
 *
 * @param realUser the user that opened the session
 * @param proxyUser the user the session wants to act as
 * @param ipAddress address handed to the proxy-user authorization
 * @param hiveConf configuration used to refresh and evaluate the proxy-user rules
 * @throws HiveSQLException (constructed with "08S01") wrapping any {@link IOException}
 *     raised during the check
 */
public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress, HiveConf hiveConf)
    throws HiveSQLException {
  try {
    final UserGroupInformation sessionUgi;
    if (!UserGroupInformation.isSecurityEnabled()) {
      sessionUgi = UserGroupInformation.createRemoteUser(realUser);
    } else {
      KerberosNameShim kerbName = ShimLoader.getHadoopShims().getKerberosNameShim(realUser);
      sessionUgi = UserGroupInformation.createProxyUser(kerbName.getServiceName(),
          UserGroupInformation.getLoginUser());
    }

    // Names that differ only in letter case count as the same user here, so no proxy
    // authorization is performed for them.
    // NOTE(review): confirm user names are case-insensitive wherever this identity is
    // later enforced; otherwise this comparison should be exact.
    if (proxyUser.equalsIgnoreCase(realUser)) {
      return;
    }

    // Reload the proxy-user rules from hiveConf before evaluating them.
    ProxyUsers.refreshSuperUserGroupsConfiguration(hiveConf);
    UserGroupInformation impersonated = UserGroupInformation.createProxyUser(proxyUser, sessionUgi);
    ProxyUsers.authorize(impersonated, ipAddress, hiveConf);
  } catch (IOException e) {
    throw new HiveSQLException("Failed to validate proxy privilege of " + realUser + " for " + proxyUser,
        "08S01", e);
  }
}