List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:org.apache.falcon.regression.core.util.HiveUtil.java
License:Apache License
/**
 * Opens a HiveServer2 JDBC connection while running as the UGI resolved for {@code user}.
 *
 * <p>The session parameters appended to {@code jdbcUrl} depend on the configured
 * transport mode and on {@code MerlinConstants.IS_SECURE}. In secure mode the URL asks
 * the driver for {@code kerberosAuthType=fromSubject}, so the connection has to be
 * opened inside {@code doAs} for the driver to see that user's Subject.
 *
 * @param jdbcUrl       base JDBC URL; "/;" plus the session parameters is appended to it
 * @param user          name handed to {@code KerberosHelper.getUGI}
 * @param password      password passed through to {@code DriverManager.getConnection}
 * @param hivePrincipal HiveServer2 principal, used only when IS_SECURE is set
 * @return the connection created inside the privileged action
 */
public static Connection getHiveJdbcConnection(final String jdbcUrl, final String user,
        final String password, final String hivePrincipal)
        throws ClassNotFoundException, SQLException, IOException, InterruptedException {
    final String transportMode = new HiveConf().get("hive.server2.transport.mode", "binary");

    final StringBuilder sessionParams = new StringBuilder();
    if (transportMode.equalsIgnoreCase("http")) {
        sessionParams.append("transportMode=http;httpPath=cliservice;");
    }
    if (MerlinConstants.IS_SECURE) {
        // NOTE(review): hivePrincipal is inserted verbatim, so a value containing ';'
        // would add further session parameters. Presumably it only ever comes from
        // test configuration - confirm against callers.
        sessionParams.append(String.format("principal=%s;kerberosAuthType=fromSubject;", hivePrincipal));
    }
    final String connectionUrl = jdbcUrl + "/;" + sessionParams;

    final UserGroupInformation ugi = KerberosHelper.getUGI(user);
    final PrivilegedExceptionAction<Connection> openConnection = new PrivilegedExceptionAction<Connection>() {
        @Override
        public Connection run() throws Exception {
            // Load the driver class before asking DriverManager for a connection.
            Class.forName(DRIVER_NAME);
            return DriverManager.getConnection(connectionUrl, ugi.getShortUserName(), password);
        }
    };
    return ugi.doAs(openConnection);
}
From source file:org.apache.falcon.resource.channel.HTTPChannel.java
License:Apache License
/**
 * Forwards a service call to the Falcon endpoint over HTTP and maps the response back.
 *
 * <p>The target URL is built from {@code getFalconEndPoint()} and the path resolved for
 * the method. The current user is sent as {@code user.name}; a {@code doAs} value found on
 * the incoming request is forwarded as well. When Hadoop security is enabled, an
 * authentication token is fetched inside {@code doAs} of the current UGI and sent in the
 * {@code Cookie} header.
 *
 * @param methodName name of the service method to invoke remotely
 * @param args       method arguments; the incoming servlet request is extracted from them
 * @return the response entity, converted to the method's return type
 * @throws FalconException on any non-informational, non-successful response or any other failure
 */
@SuppressWarnings("unchecked")
@Override
public <T> T invoke(String methodName, Object... args) throws FalconException {
    HttpServletRequest incomingRequest = null;
    try {
        Method method = getMethod(service, methodName, args);
        String urlPrefix = getFalconEndPoint();
        final String url = urlPrefix + "/" + pathValue(method, args);
        LOG.debug("Executing {}", url);
        incomingRequest = getIncomingRequest(args);
        // Rewind the request body so it can be read again when forwarded.
        incomingRequest.getInputStream().reset();
        String httpMethod = getHttpMethod(method);
        String mimeType = getConsumes(method);
        String accept = MediaType.WILDCARD;
        final String user = CurrentUser.getUser();
        // NOTE(review): the doAs value comes straight from the incoming request and is
        // forwarded unchanged. Nothing in this method checks that `user` is allowed to act
        // for it; presumably the receiving endpoint enforces proxy-user rules - confirm.
        String doAsUser = incomingRequest.getParameter(DO_AS_PARAM);
        WebResource resource = getClient().resource(UriBuilder.fromUri(url).build().normalize())
                .queryParam("user.name", user);
        if (doAsUser != null) {
            resource = resource.queryParam("doAs", doAsUser);
        }
        AuthenticatedURL.Token authenticationToken = null;
        if (SecurityUtil.isSecurityEnabled()) {
            UserGroupInformation ugiLoginUser = UserGroupInformation.getCurrentUser();
            LOG.debug("Security is enabled. Using DoAs : " + ugiLoginUser.getUserName());
            authenticationToken = ugiLoginUser.doAs(new PrivilegedExceptionAction<AuthenticatedURL.Token>() {
                @Override
                public AuthenticatedURL.Token run() throws Exception {
                    // NOTE(review): no '?' or '&' is inserted between url and the user-name
                    // parameter here; whether getToken expects this form is not visible
                    // in this method - verify.
                    return getToken(url + PseudoAuthenticator.USER_NAME + "=" + user, getClient());
                }
            });
        }
        // With security disabled the token stays null, so the Cookie header value is
        // AUTH_COOKIE_EQ followed by the text "null".
        // The request body is forwarded only when isPost(httpMethod) is true.
        ClientResponse response = resource.header("Cookie", AUTH_COOKIE_EQ + authenticationToken).accept(accept)
                .type(mimeType).method(httpMethod, ClientResponse.class, (isPost(httpMethod)
                        ? incomingRequest.getInputStream() : null));
        incomingRequest.getInputStream().reset();
        Family status = response.getClientResponseStatus().getFamily();
        if (status == Family.INFORMATIONAL || status == Family.SUCCESSFUL) {
            return (T) response.getEntity(method.getReturnType());
        } else if (response.getClientResponseStatus().getStatusCode() == Response.Status.BAD_REQUEST
                .getStatusCode()) {
            LOG.error("Request failed: {}", response.getClientResponseStatus().getStatusCode());
            // A 400 response carries an APIResult; its message becomes the API exception text.
            throw FalconWebException.newAPIException(response.getEntity(APIResult.class).getMessage());
        } else {
            LOG.error("Request failed: {}", response.getClientResponseStatus().getStatusCode());
            // Any other status: the raw response body becomes the exception message.
            throw new FalconException(response.getEntity(String.class));
        }
    } catch (FalconWebException falconWebException) {
        // Rethrown as-is so it is not wrapped by the Throwable handler below.
        LOG.error("Request failed", falconWebException);
        throw falconWebException;
    } catch (Throwable e) {
        LOG.error("Request failed", e);
        throw new FalconException(e);
    } finally {
        try {
            // Leave the incoming request stream rewound on every exit path.
            if (incomingRequest != null) {
                incomingRequest.getInputStream().reset();
            }
        } catch (IOException e) {
            LOG.error("Error in HTTPChannel", e);
        }
    }
}
From source file:org.apache.falcon.security.FalconAuthorizationToken.java
License:Apache License
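/**
 * Obtains an authentication token for {@code user} from the given endpoint and caches it.
 *
 * <p>The request to {@code AUTH_URL} is made inside {@code doAs} of the UGI returned by
 * {@code KerberosHelper.getUGI(user)}. The resulting token is stored in
 * {@code INSTANCE.tokens} under the key built by {@code getKey}.
 *
 * @param user     user to authenticate as; also sent as the user-name query parameter
 * @param protocol URL scheme of the endpoint
 * @param host     endpoint host
 * @param port     endpoint port
 */
private static void authenticate(String user, String protocol, String host, int port)
        throws IOException, AuthenticationException, InterruptedException {
    // NOTE(review): user is placed in the query string without URL-encoding; callers are
    // presumed to pass plain account names - confirm.
    final URL url = new URL(String.format("%s://%s:%d/%s", protocol, host, port,
            AUTH_URL + "?" + PseudoAuthenticator.USER_NAME + "=" + user));
    LOGGER.info("Authorize using url: " + url.toString());

    final AuthenticatedURL.Token currentToken = new AuthenticatedURL.Token();

    // Original author's note: a KerberosAuthenticator that falls back to the
    // PseudoAuthenticator is used instead of taking the authentication type from the
    // command line.
    try {
        HttpsURLConnection.setDefaultSSLSocketFactory(BaseRequest.getSslContext().getSocketFactory());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    // NOTE(review): both setDefault* calls change JVM-wide defaults for every later
    // HttpsURLConnection, not only for this request. The verifier's name indicates it
    // accepts any host name, which would leave the server's identity unchecked; that is
    // tolerable only against throw-away test clusters. Confirm what trust material
    // BaseRequest.getSslContext() uses.
    HttpsURLConnection.setDefaultHostnameVerifier(ALL_TRUSTING_HOSTNAME_VERIFIER);

    UserGroupInformation callerUGI = KerberosHelper.getUGI(user);
    callerUGI.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            // Opening the connection fills currentToken as a side effect.
            new AuthenticatedURL(AUTHENTICATOR).openConnection(url, currentToken);
            return null;
        }
    });

    String key = getKey(user, protocol, host, port);
    // The token string is a bearer credential, so only its presence is logged, never its value.
    LOGGER.info("Authorization token " + (currentToken.isSet() ? "obtained" : "not set")
            + " for user " + user + " at " + host + ":" + port);
    INSTANCE.tokens.put(key, currentToken);
}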
From source file:org.apache.flink.mesos.runtime.clusterframework.MesosApplicationMasterRunner.java
License:Apache License
/**
 * Instance-level entry point of the Mesos AppMaster.
 *
 * <p>Looks up the current Hadoop user and executes {@link #runPrivileged()} inside a
 * privileged action of that user. Every failure is logged and turned into
 * {@code INIT_ERROR_EXIT_CODE}.
 *
 * @param args The command line arguments.
 * @return The process exit code.
 */
protected int run(String[] args) {
    try {
        // NOTE(review): the whole environment is written to the debug log; any secret
        // passed through environment variables would appear there when debug is enabled.
        LOG.debug("All environment variables: {}", ENV);

        final UserGroupInformation currentUser;
        try {
            currentUser = UserGroupInformation.getCurrentUser();
        } catch (Throwable lookupFailure) {
            throw new Exception("Cannot access UserGroupInformation information for current user", lookupFailure);
        }

        LOG.info("Running Flink as user {}", currentUser.getShortUserName());

        // The real work happens inside the user's privileged context.
        final PrivilegedAction<Integer> privilegedWork = new PrivilegedAction<Integer>() {
            @Override
            public Integer run() {
                return runPrivileged();
            }
        };
        return currentUser.doAs(privilegedWork);
    } catch (Throwable failure) {
        // Whatever went wrong must reach the log before the exit code is returned.
        LOG.error("Mesos AppMaster initialization failed", failure);
        return INIT_ERROR_EXIT_CODE;
    }
}
From source file:org.apache.flink.mesos.runtime.clusterframework.MesosTaskManagerRunner.java
License:Apache License
/**
 * Starts a Flink TaskManager inside a Mesos task, running as the client user.
 *
 * <p>Loads the TaskManager configuration plus the Mesos dynamic properties, settles the
 * temporary directories, then builds a UGI for the user named in the environment, copies
 * the current user's tokens into it and starts the TaskManager inside {@code doAs}.
 *
 * @param args        command line arguments used to load the configuration
 * @param taskManager TaskManager class to start
 * @throws IOException declared by the signature
 */
public static void runTaskManager(String[] args, final Class<? extends TaskManager> taskManager)
        throws IOException {
    EnvironmentInformation.logEnvironmentInfo(LOG, taskManager.getSimpleName(), args);
    org.apache.flink.runtime.util.SignalHandler.register(LOG);

    // Load the configuration; the process exits with the startup failure code on any error.
    final Configuration configuration;
    try {
        configuration = TaskManager.parseArgsAndLoadConfig(args);

        // Merge the dynamic properties handed over through the environment.
        final Configuration mesosDynamicProps = FlinkMesosSessionCli
                .decodeDynamicProperties(ENV.get(MesosConfigKeys.ENV_DYNAMIC_PROPERTIES));
        // NOTE(review): the decoded properties are logged in full at debug level; check
        // that no credentials are passed this way.
        LOG.debug("Mesos dynamic properties: {}", mesosDynamicProps);
        configuration.addAll(mesosDynamicProps);
    } catch (Throwable loadFailure) {
        LOG.error("Failed to load the TaskManager configuration and dynamic properties.", loadFailure);
        System.exit(TaskManager.STARTUP_FAILURE_RETURN_CODE());
        return;
    }

    // Values supplied by the launcher through the process environment.
    final Map<String, String> environment = System.getenv();
    final String effectiveUsername = environment.get(MesosConfigKeys.ENV_CLIENT_USERNAME);
    final String mesosTmpDirs = environment.get(MesosConfigKeys.ENV_FLINK_TMP_DIR);

    // Temp directories: an explicit Flink setting wins over the Mesos-provided value.
    final String configuredTmpDirs = configuration.getString(ConfigConstants.TASK_MANAGER_TMP_DIR_KEY, null);
    if (configuredTmpDirs == null) {
        if (mesosTmpDirs != null) {
            LOG.info("Setting directories for temporary files to: {}", mesosTmpDirs);
            configuration.setString(ConfigConstants.TASK_MANAGER_TMP_DIR_KEY, mesosTmpDirs);
        }
    } else {
        LOG.info(
                "Overriding Mesos temporary file directories with those "
                        + "specified in the Flink config: {}",
                configuredTmpDirs);
    }

    LOG.info("Mesos task runs as '{}', setting user to execute Flink TaskManager to '{}'",
            UserGroupInformation.getCurrentUser().getShortUserName(), effectiveUsername);

    // Make akka terminate the JVM on fatal errors.
    configuration.setBoolean(ConfigConstants.AKKA_JVM_EXIT_ON_FATAL_ERROR, true);

    // The target identity is taken from an environment variable and no login is performed
    // for it here; it gets the tokens of the process's current user instead.
    // NOTE(review): effectiveUsername is not checked for null before this call - confirm
    // the launcher always sets it.
    final UserGroupInformation targetUser = UserGroupInformation.createRemoteUser(effectiveUsername);
    for (Token<? extends TokenIdentifier> token : UserGroupInformation.getCurrentUser().getTokens()) {
        targetUser.addToken(token);
    }

    // The container id from the environment becomes the resource identifier.
    final ResourceID resourceId = new ResourceID(
            Preconditions.checkNotNull(environment.get(MesosConfigKeys.ENV_FLINK_CONTAINER_ID)));
    LOG.info("ResourceID assigned for this container: {}", resourceId);

    final PrivilegedAction<Object> startTaskManager = new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            try {
                TaskManager.selectNetworkInterfaceAndRunTaskManager(configuration, resourceId, taskManager);
            } catch (Throwable startFailure) {
                LOG.error("Error while starting the TaskManager", startFailure);
                System.exit(TaskManager.STARTUP_FAILURE_RETURN_CODE());
            }
            return null;
        }
    };
    targetUser.doAs(startTaskManager);
}
From source file:org.apache.flink.runtime.clusterframework.overlays.HadoopUserOverlayTest.java
License:Apache License
/**
 * Checks that a builder populated from the environment inside {@code doAs} picks up the
 * UGI the action is running as.
 */
@Test
public void testBuilderFromEnvironment() throws Exception {
    final Configuration conf = new Configuration();
    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test");

    final PrivilegedAction<Object> verifyBuilder = new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            try {
                final HadoopUserOverlay.Builder fromEnv = HadoopUserOverlay.newBuilder().fromEnvironment(conf);
                assertEquals(ugi, fromEnv.ugi);
            } catch (Exception ex) {
                // PrivilegedAction.run() cannot throw checked exceptions, so fail the test instead.
                throw new AssertionError(ex);
            }
            return null;
        }
    };
    ugi.doAs(verifyBuilder);
}
From source file:org.apache.flink.runtime.security.SecurityUtils.java
License:Apache License
/**
 * Runs {@code runner} inside a privileged action of the current Hadoop user.
 *
 * <p>{@code UserGroupInformation.setConfiguration(hdConf)} is applied first; this is a
 * static setter, so it affects the whole process.
 *
 * @param runner the work to execute as the current user
 * @return whatever {@code runner.run()} returns
 * @throws Exception anything thrown by the lookup, by {@code doAs} or by the runner
 */
public static <T> T runSecured(final FlinkSecuredRunner<T> runner) throws Exception {
    UserGroupInformation.setConfiguration(hdConf);
    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();

    final boolean kerberosAvailable = currentUser.hasKerberosCredentials();
    if (!kerberosAvailable) {
        // NOTE(review): missing credentials are only logged and the runner is still
        // executed below, so this method does not enforce authentication on its own.
        LOG.error("Security is enabled but no Kerberos credentials have been found. "
                + "You may authenticate using the kinit command.");
    }

    final PrivilegedExceptionAction<T> securedWork = new PrivilegedExceptionAction<T>() {
        @Override
        public T run() throws Exception {
            return runner.run();
        }
    };
    return currentUser.doAs(securedWork);
}
From source file:org.apache.flink.yarn.ApplicationMaster.java
License:Apache License
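/**
 * Entry point of the Flink YARN ApplicationMaster.
 *
 * <p>Builds a UGI for the client user named in the {@code Client.ENV_CLIENT_USERNAME}
 * environment variable, copies the current user's tokens into it and runs the
 * ApplicationMaster inside {@code doAs} of that UGI.
 *
 * @param args command line arguments (not used here)
 */
public static void main(String[] args) throws Exception {
    // The identity to run as comes from the environment; no login is performed for it here.
    // NOTE(review): the value is not checked for null before createRemoteUser - confirm
    // the launcher always sets it.
    final String yarnClientUsername = System.getenv(Client.ENV_CLIENT_USERNAME);
    LOG.info("YARN daemon runs as '" + UserGroupInformation.getCurrentUser().getShortUserName() + "' setting"
            + " user to execute Flink ApplicationMaster/JobManager to '" + yarnClientUsername + "'");

    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(yarnClientUsername);
    // Hand the daemon's tokens to the new UGI so work done under doAs can use them.
    for (Token<? extends TokenIdentifier> toks : UserGroupInformation.getCurrentUser().getTokens()) {
        ugi.addToken(toks);
    }

    ugi.doAs(new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            try {
                new ApplicationMaster().run();
            } catch (Exception e) {
                // Report through the logger used above rather than printStackTrace(), so the
                // failure lands in the same log as the rest of the startup output.
                LOG.error("Error while running the application master", e);
            }
            return null;
        }
    });
}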
From source file:org.apache.flink.yarn.appMaster.ApplicationMaster.java
License:Apache License
/**
 * Entry point of the Flink YARN ApplicationMaster.
 *
 * <p>Builds a UGI for the client user named in the {@code Client.ENV_CLIENT_USERNAME}
 * environment variable, copies the current user's tokens into it and, inside
 * {@code doAs} of that UGI, starts the ResourceManager client and the ApplicationMaster.
 * Failures are logged and reported either through the RM unregister call or through the
 * ApplicationMaster's message system, depending on how far startup got.
 *
 * @param args command line arguments (not used here)
 */
public static void main(String[] args) throws Exception {
    // execute Application Master using the client's user
    // NOTE(review): the user name comes from the environment and is not checked for null
    // before createRemoteUser - confirm the launcher always sets it.
    final String yarnClientUsername = System.getenv(Client.ENV_CLIENT_USERNAME);
    LOG.info("YARN daemon runs as '" + UserGroupInformation.getCurrentUser().getShortUserName() + "' setting"
            + " user to execute Flink ApplicationMaster/JobManager to '" + yarnClientUsername + "'");
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(yarnClientUsername);
    // Hand the daemon's tokens to the new UGI so work done under doAs can use them.
    for (Token<? extends TokenIdentifier> toks : UserGroupInformation.getCurrentUser().getTokens()) {
        ugi.addToken(toks);
    }
    ugi.doAs(new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            // Both stay null until the corresponding startup step has succeeded; the
            // error handling below branches on which of them was reached.
            AMRMClient<ContainerRequest> rmClient = null;
            ApplicationMaster am = null;
            try {
                Configuration conf = Utils.initializeYarnConfiguration();
                rmClient = AMRMClient.createAMRMClient();
                rmClient.init(conf);
                rmClient.start();
                // run the actual Application Master
                am = new ApplicationMaster(conf);
                am.generateConfigurationFile();
                am.startJobManager();
                am.setRMClient(rmClient);
                am.run();
            } catch (Throwable e) {
                LOG.error("Error while running the application master", e);
                // the AM is not available. Report error through the unregister function.
                if (rmClient != null && am == null) {
                    try {
                        // The full stack trace is sent to the RM as the diagnostics text.
                        rmClient.unregisterApplicationMaster(FinalApplicationStatus.FAILED,
                                "Flink YARN Application master" + " stopped unexpectedly with an exception.\n"
                                        + StringUtils.stringifyException(e),
                                "");
                    } catch (Exception e1) {
                        LOG.error("Unable to fail the application master", e1);
                    }
                    // Logged even when the unregister call above threw.
                    LOG.info("AM unregistered from RM");
                    return null;
                }
                if (rmClient == null) {
                    LOG.error("Unable to unregister AM since the RM client is not available");
                }
                if (am != null) {
                    // The AM exists: mark it failed, publish the stack trace as a message and
                    // call keepRPCAlive().
                    LOG.info("Writing error into internal message system");
                    am.setFailed(true);
                    am.addMessage(new Message("The application master failed with an exception:\n"
                            + StringUtils.stringifyException(e)));
                    am.keepRPCAlive();
                }
            }
            return null;
        }
    });
}
From source file:org.apache.flink.yarn.appMaster.YarnTaskManagerRunner.java
License:Apache License
/**
 * Entry point of the Flink TaskManager on YARN.
 *
 * <p>Appends the configuration-directory argument (pointing at the YARN local dirs) to the
 * command line, builds a UGI for the client user named in the environment, copies the
 * current user's tokens into it and runs {@code TaskManager.main} inside {@code doAs}.
 *
 * @param args original command line arguments
 */
public static void main(final String[] args) throws IOException {
    final Map<String, String> environment = System.getenv();
    final String yarnClientUsername = environment.get(Client.ENV_CLIENT_USERNAME);
    final String localDirs = environment.get(Environment.LOCAL_DIRS.key());

    // Extend the argument list by two slots: the conf-dir flag and its value.
    final int originalLength = args.length;
    final String[] newArgs = Arrays.copyOf(args, originalLength + 2);
    newArgs[originalLength] = "-" + TaskManager.ARG_CONF_DIR;
    newArgs[originalLength + 1] = localDirs;
    LOG.info("Setting log path " + localDirs);

    final String daemonUser = UserGroupInformation.getCurrentUser().getShortUserName();
    LOG.info("YARN daemon runs as '" + daemonUser + "' setting"
            + " user to execute Flink TaskManager to '" + yarnClientUsername + "'");

    // The target identity comes from the environment; no login is performed for it here,
    // it receives the tokens of the process's current user instead.
    // NOTE(review): yarnClientUsername is not checked for null before this call - confirm
    // the launcher always sets it.
    final UserGroupInformation clientUser = UserGroupInformation.createRemoteUser(yarnClientUsername);
    for (Token<? extends TokenIdentifier> token : UserGroupInformation.getCurrentUser().getTokens()) {
        clientUser.addToken(token);
    }

    final PrivilegedAction<Object> runTaskManager = new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            try {
                TaskManager.main(newArgs);
            } catch (Exception e) {
                LOG.error("Error while running the TaskManager", e);
            }
            return null;
        }
    };
    clientUser.doAs(runTaskManager);
}