List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:org.apache.flink.yarn.FlinkYarnClient.java
License:Apache License
/**
 * Deploys the Flink YARN cluster, going through Hadoop's {@link UserGroupInformation}
 * when Hadoop security is enabled.
 *
 * <p>With security on, the current user must already hold Kerberos credentials; the
 * deployment then runs inside {@code doAs} for that user. With security off,
 * {@code deployInternal()} is invoked directly with no identity switch.
 *
 * @return the cluster handle produced by {@code deployInternal()}
 * @throws YarnDeploymentException if security is enabled but the current user has no
 *     Kerberos credentials
 * @throws Exception any failure raised by {@code deployInternal()} or by {@code doAs}
 */
public AbstractFlinkYarnCluster deploy() throws Exception {
    UserGroupInformation.setConfiguration(conf);
    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();

    // Insecure cluster: nothing to authenticate, deploy straight away.
    if (!UserGroupInformation.isSecurityEnabled()) {
        return deployInternal();
    }

    // Fail fast with an actionable message instead of letting the first
    // authenticated RPC fail later for lack of a ticket.
    if (!currentUser.hasKerberosCredentials()) {
        throw new YarnDeploymentException(
                "In secure mode. Please provide Kerberos credentials in order to authenticate. "
                        + "You may use kinit to authenticate and request a TGT from the Kerberos server.");
    }

    // Run the deployment under the authenticated user's UGI.
    final PrivilegedExceptionAction<AbstractFlinkYarnCluster> deployment =
            new PrivilegedExceptionAction<AbstractFlinkYarnCluster>() {
                @Override
                public AbstractFlinkYarnCluster run() throws Exception {
                    return deployInternal();
                }
            };
    return currentUser.doAs(deployment);
}
From source file:org.apache.flink.yarn.FlinkYarnClientBase.java
License:Apache License
/**
 * Deploys the Flink YARN cluster, authenticating via Kerberos when the Hadoop
 * configuration has security enabled.
 *
 * <p>In secure mode the method refuses to continue unless the current
 * {@link UserGroupInformation} carries Kerberos credentials, and then performs the
 * deployment inside {@code doAs} for that user. Otherwise it calls
 * {@code deployInternal()} directly.
 *
 * @return the cluster handle produced by {@code deployInternal()}
 * @throws YarnDeploymentException if security is enabled and no Kerberos credentials
 *     are present for the current user
 * @throws Exception any failure raised by {@code deployInternal()} or by {@code doAs}
 */
@Override
public AbstractFlinkYarnCluster deploy() throws Exception {
    UserGroupInformation.setConfiguration(conf);
    final UserGroupInformation submitter = UserGroupInformation.getCurrentUser();

    final boolean secure = UserGroupInformation.isSecurityEnabled();
    if (secure) {
        final boolean hasTicket = submitter.hasKerberosCredentials();
        if (!hasTicket) {
            // No ticket means every authenticated call below would fail; stop here
            // with a message that tells the operator how to obtain one.
            throw new YarnDeploymentException(
                    "In secure mode. Please provide Kerberos credentials in order to authenticate. "
                            + "You may use kinit to authenticate and request a TGT from the Kerberos server.");
        }

        final PrivilegedExceptionAction<AbstractFlinkYarnCluster> privilegedDeploy =
                new PrivilegedExceptionAction<AbstractFlinkYarnCluster>() {
                    @Override
                    public AbstractFlinkYarnCluster run() throws Exception {
                        return deployInternal();
                    }
                };
        return submitter.doAs(privilegedDeploy);
    }

    // Security disabled: no identity switch is performed.
    return deployInternal();
}
From source file:org.apache.flink.yarn.YarnApplicationMasterRunner.java
License:Apache License
/**
 * The instance entry point for the YARN application master. Builds a
 * {@link UserGroupInformation} for the submitting client user, copies the daemon
 * user's tokens onto it, and calls the main work method
 * {@link #runApplicationMaster()} as a privileged action under that identity.
 *
 * <p>The client user name is read from the {@code YarnConfigKeys.ENV_CLIENT_USERNAME}
 * environment variable; the method does not verify that name beyond checking that it
 * is set.
 *
 * @param args The command line arguments.
 * @return The process exit code; {@code INIT_ERROR_EXIT_CODE} if anything thrown
 *     during initialization reaches the outer handler.
 */
protected int run(String[] args) {
    try {
        // NOTE(review): this dumps the complete environment at DEBUG level. If any
        // variable carries a secret it ends up in the log file - confirm what ENV
        // can contain and who can read the logs.
        LOG.debug("All environment variables: {}", ENV);

        final String yarnClientUsername = ENV.get(YarnConfigKeys.ENV_CLIENT_USERNAME);
        require(yarnClientUsername != null,
                "YARN client user name environment variable {} not set",
                YarnConfigKeys.ENV_CLIENT_USERNAME);

        final UserGroupInformation daemonUser;
        try {
            daemonUser = UserGroupInformation.getCurrentUser();
        } catch (Throwable t) {
            throw new Exception("Cannot access UserGroupInformation information for current user", t);
        }

        LOG.info("YARN daemon runs as user {}. Running Flink Application Master/JobManager as user {}",
                daemonUser.getShortUserName(), yarnClientUsername);

        // The new UGI only carries the name taken from the environment; whatever it
        // can authenticate with comes from the tokens copied below (for example for
        // authenticated HDFS and HBase access).
        final UserGroupInformation clientUser = UserGroupInformation.createRemoteUser(yarnClientUsername);
        for (Token<?> delegated : daemonUser.getTokens()) {
            clientUser.addToken(delegated);
        }

        // Run the actual work in a privileged action under the client identity.
        final PrivilegedAction<Integer> masterWork = new PrivilegedAction<Integer>() {
            @Override
            public Integer run() {
                return runApplicationMaster();
            }
        };
        return clientUser.doAs(masterWork);
    } catch (Throwable t) {
        // Make sure that whatever went wrong ends up in the log.
        LOG.error("YARN Application Master initialization failed", t);
        return INIT_ERROR_EXIT_CODE;
    }
}
From source file:org.apache.flink.yarn.YarnTaskManagerRunner.java
License:Apache License
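/**
 * Entry point of the YARN TaskManager container. Appends the configuration-directory
 * argument, builds a {@link UserGroupInformation} for the submitting client user,
 * copies the daemon user's tokens onto it, and starts the TaskManager as a privileged
 * action under that identity.
 *
 * <p>The client user name comes from the {@code Client.ENV_CLIENT_USERNAME}
 * environment variable and is not verified here beyond the null check.
 *
 * @param args command line arguments; two extra entries (the conf-dir flag and the
 *     local directories value) are appended before they reach the TaskManager
 * @throws IOException if the current user's {@code UserGroupInformation} cannot be
 *     obtained
 * @throws IllegalArgumentException if the client user name variable is not set
 */
public static void main(final String[] args) throws IOException {
    final Map<String, String> envs = System.getenv();
    final String yarnClientUsername = envs.get(Client.ENV_CLIENT_USERNAME);
    final String localDirs = envs.get(Environment.LOCAL_DIRS.key());

    // Without a user name there is no identity to run as. Checking here gives a
    // message that names the missing variable rather than leaving a null to be
    // passed on to createRemoteUser.
    if (yarnClientUsername == null) {
        throw new IllegalArgumentException(
                "YARN client user name environment variable " + Client.ENV_CLIENT_USERNAME + " not set");
    }

    // configure local directory
    final String[] newArgs = Arrays.copyOf(args, args.length + 2);
    newArgs[newArgs.length - 2] = "-" + TaskManager.ARG_CONF_DIR;
    newArgs[newArgs.length - 1] = localDirs;
    LOG.info("Setting log path " + localDirs);

    // Resolve the daemon identity once and reuse it for logging and token transfer.
    final UserGroupInformation daemonUser = UserGroupInformation.getCurrentUser();
    LOG.info("YARN daemon runs as '" + daemonUser.getShortUserName() + "' setting"
            + " user to execute Flink TaskManager to '" + yarnClientUsername + "'");

    // The new UGI only carries the name from the environment; its ability to
    // authenticate comes from the tokens copied over from the daemon user.
    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser(yarnClientUsername);
    for (Token<? extends TokenIdentifier> toks : daemonUser.getTokens()) {
        ugi.addToken(toks);
    }

    ugi.doAs(new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            try {
                TaskManager.main(newArgs);
            } catch (Exception e) {
                // Route the failure through the logger (with the stack trace) so it
                // lands in the container log instead of only on stderr. The failure
                // is still not propagated to the caller, as before.
                LOG.error("Flink TaskManager terminated with an exception", e);
            }
            return null;
        }
    });
}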
From source file:org.apache.flume.sink.kite.KerberosUtil.java
License:Apache License
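/**
 * Allow methods to act with the privileges of a login.
 *
 * <p>If the login is null, the action runs with the caller's current privileges and
 * no identity switch takes place. Callers that require impersonation must therefore
 * make sure they never pass a null login, because that case is not reported.
 *
 * @param <T> The return type of the action
 * @param login UserGroupInformation credentials to use for action, or null to run
 *     with the current privileges
 * @param action A PrivilegedExceptionAction to perform as another user
 * @return the T value returned by action.run()
 * @throws DatasetIOException if the action fails with an {@link IOException}
 * @throws DatasetException if the calling thread is interrupted while the action runs
 */
public static <T> T runPrivileged(UserGroupInformation login, PrivilegedExceptionAction<T> action) {
    try {
        if (login == null) {
            return action.run();
        }
        return login.doAs(action);
    } catch (IOException ex) {
        throw new DatasetIOException("Privileged action failed", ex);
    } catch (InterruptedException ex) {
        // Re-assert the interrupt so code further up the stack can still observe it;
        // Thread.interrupted() would clear the flag instead of restoring it.
        Thread.currentThread().interrupt();
        throw new DatasetException(ex);
    } catch (Exception ex) {
        throw Throwables.propagate(ex);
    }
}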
From source file:org.apache.gobblin.compliance.HivePartitionVersionFinder.java
License:Apache License
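/**
 * Collects the partitions of every table whose name contains one of the configured
 * patterns and adds them to {@code versions} under the given name.
 *
 * <p>The lookup runs inside {@code doAs} for the process login user
 * ({@link UserGroupInformation#getLoginUser()}), so it is performed with the
 * service's own identity, not with that of whoever triggered the job.
 *
 * <p>Matching uses {@code String.contains}, i.e. a substring test: a short pattern
 * can select more tables than intended, and a table that matches several patterns
 * is processed once per matching pattern.
 *
 * @param name the name passed through to {@code addPartitionsToVersions}
 * @param state not read by this method
 * @throws IOException if the login user cannot be obtained, the privileged action
 *     fails, or the thread is interrupted while it runs
 */
private void setVersions(final String name, final State state) throws IOException {
    try {
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        loginUser.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws IOException {
                synchronized (lock) {
                    for (String tableName : ComplianceRetentionJob.tableNamesList) {
                        for (String pattern : patterns) {
                            if (tableName.contains(pattern)) {
                                List<Partition> partitions = getPartitions(tableName);
                                addPartitionsToVersions(versions, name, partitions);
                            }
                        }
                    }
                }
                return null;
            }
        });
    } catch (InterruptedException e) {
        // Restore the interrupt flag before translating the exception; otherwise the
        // interruption is lost to callers that only see an IOException.
        Thread.currentThread().interrupt();
        throw new IOException(e);
    } catch (IOException e) {
        // Wrapped as before so callers observe the same exception shape.
        throw new IOException(e);
    }
}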
From source file:org.apache.gobblin.util.hadoop.TokenUtils.java
License:Apache License
/**
 * Get Hadoop tokens (tokens for job history server, job tracker, hive and HDFS) using a
 * Kerberos keytab, on behalf of a proxy user. The tokens are embedded into the
 * {@link UserGroupInformation} that is returned, and the in-memory credentials are
 * persisted if a tokenFile is specified.
 *
 * <p>Note that when a super-user is fetching tokens for other users,
 * {@link #fetchHcatToken(String, HiveConf, String, IMetaStoreClient)} (getDelegationToken)
 * explicitly takes a string parameter naming the proxy user, while the other hadoop
 * services require impersonation first.
 *
 * <p>The persisted file holds delegation tokens, which act as credentials for the
 * target user. NOTE(review): the permissions applied to that file are decided inside
 * {@code persistTokens} and are not visible here - confirm it is readable only by the
 * intended account.
 *
 * @param state A {@link State} object that should contain properties.
 * @param tokenFile If present, the file will store materialized credentials.
 * @param ugi The {@link UserGroupInformation} used to impersonate the proxy user in a
 *     "doAs block".
 * @param client The metastore client handed to {@code getHiveToken}.
 * @param targetUser The user to be impersonated, for fetching hadoop tokens.
 * @return A {@link UserGroupInformation} containing negotiated credentials.
 * @throws IOException if fetching or persisting tokens fails
 * @throws InterruptedException if the thread is interrupted inside {@code doAs}
 */
public static UserGroupInformation getHadoopAndHiveTokensForProxyUser(final State state,
        Optional<File> tokenFile, UserGroupInformation ugi, IMetaStoreClient client, String targetUser)
        throws IOException, InterruptedException {
    final Credentials cred = new Credentials();

    // Hadoop services other than Hive need the call to be made as the proxy user.
    final PrivilegedExceptionAction<Void> fetchHadoopTokens = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            getHadoopTokens(state, Optional.absent(), cred);
            return null;
        }
    };
    ugi.doAs(fetchHadoopTokens);

    // NOTE(review): if getCredentials() hands back a copy in the Hadoop version in
    // use, this addAll never reaches the UGI itself - confirm, and compare with
    // UserGroupInformation#addCredentials.
    ugi.getCredentials().addAll(cred);

    // Will add hive tokens into ugi in this method.
    getHiveToken(state, client, cred, targetUser, ugi);

    if (tokenFile.isPresent()) {
        final File target = tokenFile.get();
        persistTokens(cred, target);
    }

    // At this point the tokens in ugi can be more than those in the Credentials object,
    // since the hive token is not put into the Credentials object.
    return ugi;
}
From source file:org.apache.hama.bsp.BSPApplicationMaster.java
License:Apache License
/**
 * Connects to the scheduler of the Resource Manager.
 *
 * <p>The RPC proxy is created inside {@code doAs} for a remote-user
 * {@link UserGroupInformation} named after the application attempt id. The only
 * token added to that identity here is the one returned by
 * {@code setupAndReturnAMRMToken}, which is given the tokens of the current process
 * user to choose from.
 *
 * @param yarnConf configuration supplying the scheduler address and used for the proxy
 * @return a new RPC connection to the Resource Manager.
 * @throws IOException if the current user's credentials cannot be read
 */
private ApplicationMasterProtocol getYarnRPCConnection(Configuration yarnConf) throws IOException {
    // Identity for the RM connection, named after the attempt (not the OS user).
    final UserGroupInformation attemptUser = UserGroupInformation.createRemoteUser(appAttemptId.toString());
    final Credentials processCredentials = UserGroupInformation.getCurrentUser().getCredentials();

    final String schedulerAddress = yarnConf.get(YarnConfiguration.RM_SCHEDULER_ADDRESS,
            YarnConfiguration.DEFAULT_RM_SCHEDULER_ADDRESS);
    final InetSocketAddress rmAddress = NetUtils.createSocketAddr(schedulerAddress);

    final Token<? extends TokenIdentifier> amRMToken =
            setupAndReturnAMRMToken(rmAddress, processCredentials.getAllTokens());
    attemptUser.addToken(amRMToken);

    // Final alias so the anonymous class below can capture the configuration.
    final Configuration rpcConf = yarnConf;
    final PrivilegedAction<ApplicationMasterProtocol> openProxy =
            new PrivilegedAction<ApplicationMasterProtocol>() {
                @Override
                public ApplicationMasterProtocol run() {
                    return (ApplicationMasterProtocol) yarnRPC.getProxy(ApplicationMasterProtocol.class,
                            rmAddress, rpcConf);
                }
            };
    final ApplicationMasterProtocol client = attemptUser.doAs(openProxy);

    LOG.info("Connecting to ResourceManager at " + rmAddress);
    return client;
}
From source file:org.apache.hama.bsp.JobImpl.java
License:Apache License
/**
 * Creates a {@link ContainerManagementProtocol} proxy for the given node, with the
 * proxy creation running inside {@code doAs} for a remote-user
 * {@link UserGroupInformation} built from {@code user}.
 *
 * <p>When {@code nmToken} is null no token is attached, so the proxy is created for
 * an identity that carries nothing but the user name.
 *
 * @param rpc the RPC factory used to obtain the proxy
 * @param nmToken token to attach to the user after conversion for the node address;
 *     may be null
 * @param nodeId supplies the host and port of the target node
 * @param user name for the remote-user identity
 * @return the proxy returned by {@code rpc.getProxy}
 */
protected ContainerManagementProtocol getContainerManagementProtocolProxy(final YarnRPC rpc, Token nmToken,
        NodeId nodeId, String user) {
    final UserGroupInformation nodeUser = UserGroupInformation.createRemoteUser(user);
    final InetSocketAddress addr = NetUtils.createSocketAddr(nodeId.getHost(), nodeId.getPort());

    final boolean hasToken = nmToken != null;
    if (hasToken) {
        nodeUser.addToken(ConverterUtils.convertFromYarn(nmToken, addr));
    }

    // Create the proxy under the per-node identity prepared above.
    return nodeUser.doAs(new PrivilegedAction<ContainerManagementProtocol>() {
        @Override
        public ContainerManagementProtocol run() {
            return (ContainerManagementProtocol) rpc.getProxy(ContainerManagementProtocol.class, addr, conf);
        }
    });
}
From source file:org.apache.hawq.pxf.service.servlet.SecurityServletFilter.java
License:Apache License
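/**
 * If user impersonation is configured, examines the request for the presence of the
 * expected security header and creates a proxy user to execute the rest of the
 * request chain. A missing or empty header is rejected with an
 * {@link IllegalArgumentException}; an exception thrown while the chain runs is
 * rethrown wrapped in a {@link ServletException}.
 *
 * <p>The user name is taken as-is from the request header; this filter does not
 * authenticate it. NOTE(review): the header is client-supplied, so confirm that only
 * trusted callers can reach this endpoint and that the Hadoop proxy-user settings
 * restrict whom the login user may impersonate.
 *
 * @param request http request
 * @param response http response
 * @param chain filter chain
 * @throws IOException if the login user cannot be obtained or the chain fails with one
 * @throws ServletException if the privileged chain call fails or is interrupted
 */
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
        throws IOException, ServletException {

    if (SecureLogin.isUserImpersonationEnabled()) {

        // retrieve user header and make sure header is present and is not empty
        final String user = ((HttpServletRequest) request).getHeader(USER_HEADER);
        if (user == null) {
            throw new IllegalArgumentException(MISSING_HEADER_ERROR);
        } else if (user.trim().isEmpty()) {
            throw new IllegalArgumentException(EMPTY_HEADER_ERROR);
        }

        // TODO refresh Kerberos token when security is enabled

        // prepare privileged action to run on behalf of proxy user
        PrivilegedExceptionAction<Boolean> action = new PrivilegedExceptionAction<Boolean>() {
            @Override
            public Boolean run() throws IOException, ServletException {
                // NOTE(review): the header value is written to the log unmodified.
                LOG.debug("Performing request chain call for proxy user = " + user);
                chain.doFilter(request, response);
                return true;
            }
        };

        // create proxy user UGI from the UGI of the logged in user and execute the
        // servlet chain as that user
        UserGroupInformation proxyUGI = null;
        try {
            LOG.debug("Creating proxy user = " + user);
            proxyUGI = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
            proxyUGI.doAs(action);
        } catch (UndeclaredThrowableException ute) {
            // unwrap the real exception thrown by the action
            throw new ServletException(ute.getCause());
        } catch (InterruptedException ie) {
            // Restore the interrupt flag so the container thread can still observe it.
            Thread.currentThread().interrupt();
            throw new ServletException(ie);
        } finally {
            // Release the FileSystem instances held for this proxy user on every
            // path, so they do not pile up across requests.
            try {
                if (proxyUGI != null) {
                    LOG.debug("Closing FileSystem for proxy user = " + proxyUGI.getUserName());
                    FileSystem.closeAllForUGI(proxyUGI);
                }
            } catch (Throwable t) {
                // Pass the throwable to the logger so the cause of the failed
                // cleanup is recorded, not just the fact that it failed.
                LOG.warn("Error closing FileSystem for proxy user = " + proxyUGI.getUserName(), t);
            }
        }
    } else {
        // no user impersonation is configured
        chain.doFilter(request, response);
    }
}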