List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:azkaban.jobtype.HadoopSecureSparkWrapper.java
License:Apache License
/** * Entry point: a Java wrapper to the spark-submit command * /* w w w . j a v a 2s .c o m*/ * @param args * @throws Exception */ public static void main(final String[] args) throws Exception { Properties jobProps = HadoopSecureWrapperUtils.loadAzkabanProps(); HadoopConfigurationInjector.injectResources(new Props(null, jobProps)); if (HadoopSecureWrapperUtils.shouldProxy(jobProps)) { String tokenFile = System.getenv(HADOOP_TOKEN_FILE_LOCATION); UserGroupInformation proxyUser = HadoopSecureWrapperUtils.setupProxyUser(jobProps, tokenFile, logger); proxyUser.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { runSpark(args, new Configuration()); return null; } }); } else { runSpark(args, new Configuration()); } }
From source file:azkaban.security.HadoopSecurityManager_H_1_0.java
License:Apache License
@Override public FileSystem getFSAsUser(String user) throws HadoopSecurityManagerException { FileSystem fs;/*w ww . j a v a2s . co m*/ try { logger.info("Getting file system as " + user); UserGroupInformation ugi = getProxiedUser(user); if (ugi != null) { fs = ugi.doAs(new PrivilegedAction<FileSystem>() { @Override public FileSystem run() { try { return FileSystem.get(conf); } catch (IOException e) { throw new RuntimeException(e); } } }); } else { fs = FileSystem.get(conf); } } catch (Exception e) { throw new HadoopSecurityManagerException("Failed to get FileSystem. ", e); } return fs; }
From source file:azkaban.utils.AuthenticationUtils.java
License:Apache License
public static HttpURLConnection loginAuthenticatedURL(final URL url, final String keytabPrincipal, final String keytabPath) throws Exception { logger.info("Logging in URL: " + url.toString() + " using Principal: " + keytabPrincipal + ", Keytab: " + keytabPath);/*from w w w .j a v a2 s . c om*/ UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); if (loginUser == null) { UserGroupInformation.loginUserFromKeytab(keytabPrincipal, keytabPath); loginUser = UserGroupInformation.getLoginUser(); logger.info("Logged in with user " + loginUser); } else { logger.info("Login user (" + loginUser + ") already created, refreshing tgt."); loginUser.checkTGTAndReloginFromKeytab(); } final HttpURLConnection connection = loginUser.doAs((PrivilegedExceptionAction<HttpURLConnection>) () -> { final Token token = new Token(); return new AuthenticatedURL().openConnection(url, token); }); return connection; }
From source file:co.cask.cdap.security.impersonation.ImpersonationUtils.java
License:Apache License
/** * Helper function, to unwrap any exceptions that were wrapped * by {@link UserGroupInformation#doAs(PrivilegedExceptionAction)} *//* w ww .j ava 2s .c om*/ public static <T> T doAs(UserGroupInformation ugi, final Callable<T> callable) throws Exception { try { return ugi.doAs(new PrivilegedExceptionAction<T>() { @Override public T run() throws Exception { return callable.call(); } }); } catch (UndeclaredThrowableException e) { // UserGroupInformation#doAs will wrap any checked exceptions, so unwrap and rethrow here Throwable wrappedException = e.getUndeclaredThrowable(); Throwables.propagateIfPossible(wrappedException); if (wrappedException instanceof Exception) { throw (Exception) wrappedException; } // since PrivilegedExceptionAction#run can only throw Exception (besides runtime exception), // this should never happen LOG.warn("Unexpected exception while executing callable as {}.", ugi.getUserName(), wrappedException); throw Throwables.propagate(wrappedException); } }
From source file:com.alibaba.jstorm.hdfs.common.security.AutoHDFS.java
License:Apache License
@SuppressWarnings("unchecked") protected byte[] getHadoopCredentials(Map conf) { try {/*ww w. jav a2 s . c om*/ if (UserGroupInformation.isSecurityEnabled()) { final Configuration configuration = new Configuration(); login(configuration); final String topologySubmitterUser = (String) conf.get(Config.TOPOLOGY_SUBMITTER_PRINCIPAL); final URI nameNodeURI = conf.containsKey(TOPOLOGY_HDFS_URI) ? new URI(conf.get(TOPOLOGY_HDFS_URI).toString()) : FileSystem.getDefaultUri(configuration); UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); final UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(topologySubmitterUser, ugi); Credentials creds = (Credentials) proxyUser.doAs(new PrivilegedAction<Object>() { @Override public Object run() { try { FileSystem fileSystem = FileSystem.get(nameNodeURI, configuration); Credentials credential = proxyUser.getCredentials(); fileSystem.addDelegationTokens(hdfsPrincipal, credential); LOG.info("Delegation tokens acquired for user {}", topologySubmitterUser); return credential; } catch (IOException e) { throw new RuntimeException(e); } } }); ByteArrayOutputStream bao = new ByteArrayOutputStream(); ObjectOutputStream out = new ObjectOutputStream(bao); creds.write(out); out.flush(); out.close(); return bao.toByteArray(); } else { throw new RuntimeException("Security is not enabled for HDFS"); } } catch (Exception ex) { throw new RuntimeException("Failed to get delegation tokens.", ex); } }
From source file:com.blackberry.bdp.kaboom.Authenticator.java
License:Apache License
/** * Allow methods to act as another user (typically used for HDFS Kerberos) * * @param <T>/*from ww w .j a v a 2 s.c om*/ * @param action * @return * @throws IOException * @throws InterruptedException */ public <T> T runPrivileged(final String proxyUser, final PrivilegedExceptionAction<T> action) throws IOException, InterruptedException { UGIState state = null; synchronized (lock) { state = proxyUserMap.get(proxyUser); if (state == null) { authenticate(proxyUser); state = proxyUserMap.get(proxyUser); } } UserGroupInformation proxyTicket = state.ugi; if (proxyTicket != null) { LOG.debug("Using proxy ticket {}", proxyTicket); try { return proxyTicket.doAs(action); } catch (IOException e) { LOG.error("Caught IO exception while performing a privileged action. Reauthenticating.", e); reauthenticate(proxyUser); throw e; } catch (InterruptedException e) { LOG.error("Caught interrupted exception while performing a privileged action. Reauthenticating.", e); reauthenticate(proxyUser); throw e; } } else { try { return action.run(); } catch (IOException ex) { throw ex; } catch (InterruptedException ex) { throw ex; } catch (RuntimeException ex) { throw ex; } catch (Exception ex) { throw new RuntimeException("Unexpected exception.", ex); } } }
From source file:com.cloudera.beeswax.BeeswaxServiceImpl.java
License:Apache License
private <T> T doWithState(RunningQueryState state, PrivilegedExceptionAction<T> action) throws BeeswaxException { try {/* w ww . j av a 2 s. c om*/ UserGroupInformation ugi; if (UserGroupInformation.isSecurityEnabled()) ugi = UserGroupInformation.createProxyUser(state.query.hadoop_user, UserGroupInformation.getLoginUser()); else { ugi = UserGroupInformation.createRemoteUser(state.query.hadoop_user); } return ugi.doAs(action); } catch (UndeclaredThrowableException e) { if (e.getUndeclaredThrowable() instanceof PrivilegedActionException) { Throwable bwe = e.getUndeclaredThrowable().getCause(); if (bwe instanceof BeeswaxException) { LOG.error("Caught BeeswaxException", (BeeswaxException) bwe); throw (BeeswaxException) bwe; } } LOG.error("Caught unexpected exception.", e); throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle); } catch (IOException e) { LOG.error("Caught IOException", e); throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle); } catch (InterruptedException e) { LOG.error("Caught InterruptedException", e); throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle); } }
From source file:com.cloudera.hadoop.hdfs.nfs.nfs4.NFS4Handler.java
License:Apache License
/** * Process a CompoundRequest and return a CompoundResponse. *///from ww w . j a v a 2 s . co m public CompoundResponse process(final RPCRequest rpcRequest, final CompoundRequest compoundRequest, final InetAddress clientAddress, final String sessionID) { Credentials creds = (Credentials) compoundRequest.getCredentials(); // FIXME below is a hack regarding CredentialsUnix if (creds == null || !(creds instanceof AuthenticatedCredentials)) { CompoundResponse response = new CompoundResponse(); response.setStatus(NFS4ERR_WRONGSEC); return response; } try { UserGroupInformation sudoUgi; String username = creds.getUsername(mConfiguration); if (UserGroupInformation.isSecurityEnabled()) { sudoUgi = UserGroupInformation.createProxyUser(username, UserGroupInformation.getCurrentUser()); } else { sudoUgi = UserGroupInformation.createRemoteUser(username); } final NFS4Handler server = this; final Session session = new Session(rpcRequest.getXid(), compoundRequest, mConfiguration, clientAddress, sessionID); return sudoUgi.doAs(new PrivilegedExceptionAction<CompoundResponse>() { public CompoundResponse run() throws Exception { String username = UserGroupInformation.getCurrentUser().getShortUserName(); int lastStatus = NFS4_OK; List<OperationResponse> responses = Lists.newArrayList(); for (OperationRequest request : compoundRequest.getOperations()) { if (LOGGER.isDebugEnabled()) { LOGGER.debug(sessionID + " " + request.getClass().getSimpleName() + " for " + username); } OperationRequestHandler<OperationRequest, OperationResponse> handler = OperationFactory .getHandler(request.getID()); OperationResponse response = handler.handle(server, session, request); responses.add(response); lastStatus = response.getStatus(); if (lastStatus != NFS4_OK) { LOGGER.warn(sessionID + " Quitting due to " + lastStatus + " on " + request.getClass().getSimpleName() + " for " + username); break; } server.incrementMetric("NFS_" + request.getClass().getSimpleName(), 1); server.incrementMetric("NFS_OPERATIONS", 1); } CompoundResponse response = new CompoundResponse(); response.setStatus(lastStatus); response.setOperations(responses); server.incrementMetric("NFS_COMMANDS", 1); return response; } }); } catch (Exception ex) { if (ex instanceof UndeclaredThrowableException && ex.getCause() != null) { Throwable throwable = ex.getCause(); if (throwable instanceof Exception) { ex = (Exception) throwable; } else if (throwable instanceof Error) { // something really bad happened LOGGER.error(sessionID + " Unhandled Error", throwable); throw (Error) throwable; } else { LOGGER.error(sessionID + " Unhandled Throwable", throwable); throw new RuntimeException(throwable); } } LOGGER.warn(sessionID + " Unhandled Exception", ex); CompoundResponse response = new CompoundResponse(); if (ex instanceof NFS4Exception) { response.setStatus(((NFS4Exception) ex).getError()); } else if (ex instanceof UnsupportedOperationException) { response.setStatus(NFS4ERR_NOTSUPP); } else { LOGGER.warn(sessionID + " Setting SERVERFAULT for " + clientAddress + " for " + compoundRequest.getOperations()); response.setStatus(NFS4ERR_SERVERFAULT); } return response; } }
From source file:com.cloudera.hoop.client.fs.TestHoopFileSystem.java
License:Open Source License
@Test(dataProvider = "Operations") @TestDir/*from ww w.ja v a2s . c om*/ @TestServlet @TestHadoop public void testOperationDoAs(final Operation op) throws Exception { createHoopServer(); UserGroupInformation ugi = UserGroupInformation.createProxyUser(getHadoopUsers()[0], UserGroupInformation.getCurrentUser()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { operation(op); return null; } }); }
From source file:com.cloudera.hue.SudoFsShell.java
License:Apache License
public static void main(String[] args) throws Exception { if (args.length < 1) { usage();// www . ja v a2 s .co m System.exit(1); } String username = args[0]; final String shellArgs[] = new String[args.length - 1]; System.arraycopy(args, 1, shellArgs, 0, args.length - 1); UserGroupInformation sudoUgi; if (UserGroupInformation.isSecurityEnabled()) { sudoUgi = UserGroupInformation.createProxyUser(username, UserGroupInformation.getCurrentUser()); } else { sudoUgi = UserGroupInformation.createRemoteUser(username); } sudoUgi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { FsShell.main(shellArgs); return null; } }); }