List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:org.apache.ranger.admin.client.RangerAdminJersey2RESTClient.java
License:Apache License
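/**
 * Fetches this service's policies from the policy server when they are newer
 * than {@code lastKnownVersion}.
 *
 * <p>When a login user exists and Hadoop security is enabled, the request goes
 * to the secure policy-update URL and is issued inside
 * {@code UserGroupInformation.doAs}, so the HTTP call runs under that login
 * user's identity. Otherwise the non-secure URL is called directly.
 *
 * @param lastKnownVersion policy version the caller already holds
 * @return the policies deserialized from a 200 response; {@code null} on 304,
 *         on a null response, and on any other status
 * @throws Exception anything raised while requesting or deserializing; it is
 *         logged with its cause and rethrown unchanged
 */
@Override
public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminJersey2RESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ")");
    }

    UserGroupInformation user = MiscUtil.getUGILoginUser();
    boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
    String url = null;
    // Declared outside the try so the finally block can release it on every path.
    Response response = null;

    try {
        ServicePolicies servicePolicies = null;

        if (isSecureMode) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Checking Service policy if updated as user : " + user);
            }
            url = _utils.getSecureUrlForPolicyUpdate(_baseUrl, _serviceName);
            final String secureUrl = url;
            // Typed as PrivilegedAction so the doAs overload without checked exceptions is chosen.
            PrivilegedAction<Response> action = new PrivilegedAction<Response>() {
                @Override
                public Response run() {
                    return _client.target(secureUrl)
                            .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                                    Long.toString(lastKnownVersion))
                            .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId)
                            .request(MediaType.APPLICATION_JSON_TYPE).get();
                }
            };
            response = user.doAs(action);
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Checking Service policy if updated with old api call");
            }
            url = _utils.getUrlForPolicyUpdate(_baseUrl, _serviceName);
            response = _client.target(url)
                    .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                            Long.toString(lastKnownVersion))
                    .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId)
                    .request(MediaType.APPLICATION_JSON_TYPE).get();
        }

        int httpResponseCode = response == null ? -1 : response.getStatus();
        String body = null;

        switch (httpResponseCode) {
        case 200:
            body = response.readEntity(String.class);
            // NOTE(review): at debug level the complete policy document is written to the log;
            // confirm that debug logs are protected like the policies themselves.
            if (LOG.isDebugEnabled()) {
                LOG.debug("Response from 200 server: " + body);
            }
            Gson gson = getGson();
            servicePolicies = gson.fromJson(body, ServicePolicies.class);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Deserialized response to: " + servicePolicies);
            }
            break;
        case 304:
            LOG.debug("Got response: 304. Ok. Returning null");
            break;
        case -1:
            LOG.warn(
                    "Unexpected: Null response from policy server while trying to get policies! Returning null!");
            break;
        default:
            // The body is whatever the server returned and is logged verbatim at WARN.
            body = response.readEntity(String.class);
            LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]",
                    httpResponseCode, body, url));
            break;
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAdminJersey2RESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + "): "
                    + servicePolicies);
        }
        return servicePolicies;
    } catch (Exception ex) {
        // Pass the exception to the logger so the cause and stack trace are not lost.
        LOG.error("Failed getting policies from server. url=" + url + ", pluginId=" + _pluginId
                + ", lastKnownVersion=" + lastKnownVersion, ex);
        throw ex;
    } finally {
        // The 304 and null/other-status paths may never read an entity, so close explicitly
        // to release the underlying connection. A close failure must not replace the result.
        if (response != null) {
            try {
                response.close();
            } catch (RuntimeException closeEx) {
                LOG.debug("Ignoring failure while closing policy response", closeEx);
            }
        }
    }
}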
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Asks the policy server for this service's policies if they are newer than
 * {@code lastKnownVersion}.
 *
 * <p>With a login user present and Hadoop security enabled, the secure
 * endpoint is called from inside {@code UserGroupInformation.doAs} so the
 * request runs as that login user; otherwise the non-secure endpoint is
 * called directly.
 *
 * @param lastKnownVersion policy version already held by the caller
 * @return the policies from a 200 response, or {@code null} on 304
 * @throws Exception carrying the server message for a null response or any
 *         status other than 200 and 304
 */
@Override
public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ")");
    }

    final UserGroupInformation user = MiscUtil.getUGILoginUser();
    final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
    final ClientResponse response;

    if (!isSecureMode) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking Service policy if updated with old api call");
        }
        WebResource plainResource = createWebResource(
                RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName)
                        .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                                Long.toString(lastKnownVersion))
                        .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = plainResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking Service policy if updated as user : " + user);
        }
        // The request is built and sent inside run(), i.e. within the doAs context.
        PrivilegedAction<ClientResponse> secureGet = new PrivilegedAction<ClientResponse>() {
            public ClientResponse run() {
                WebResource resource = createWebResource(
                        RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName)
                                .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                                        Long.toString(lastKnownVersion))
                                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return resource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
            }
        };
        response = user.doAs(secureGet);
    }

    ServicePolicies policies = null;
    final boolean gotResponse = response != null;

    if (gotResponse && response.getStatus() == 200) {
        policies = response.getEntity(ServicePolicies.class);
    } else if (!(gotResponse && response.getStatus() == 304)) {
        // Anything except 200 and 304 (not modified), including a null response, is an error.
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("Error getting policies. secureMode=" + isSecureMode + ", user=" + user + ", response="
                + resp.toString() + ", serviceName=" + serviceName);
        throw new Exception(resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + "): "
                + policies);
    }
    return policies;
}
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Posts a grant request for this service to the admin server.
 *
 * <p>With a login user present and Hadoop security enabled, the secure grant
 * endpoint is called from inside {@code UserGroupInformation.doAs} so the
 * POST runs as that login user; otherwise the non-secure endpoint is used.
 *
 * @param request the grant to apply, sent as JSON
 * @throws AccessControlException when the server answers 401
 * @throws Exception when there is no response or the status is any other
 *         value than 200
 */
@Override
public void grantAccess(final GrantRevokeRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.grantAccess(" + request + ")");
    }

    final UserGroupInformation user = MiscUtil.getUGILoginUser();
    final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
    final ClientResponse response;

    if (isSecureMode) {
        // Building and sending the POST inside run() keeps the whole call within doAs.
        PrivilegedAction<ClientResponse> securePost = new PrivilegedAction<ClientResponse>() {
            public ClientResponse run() {
                WebResource resource = createWebResource(
                        RangerRESTUtils.REST_URL_SECURE_SERVICE_GRANT_ACCESS + serviceName)
                                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .post(ClientResponse.class, restClient.toJson(request));
            }
        };
        if (LOG.isDebugEnabled()) {
            LOG.debug("grantAccess as user " + user);
        }
        response = user.doAs(securePost);
    } else {
        WebResource resource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_GRANT_ACCESS + serviceName)
                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .post(ClientResponse.class, restClient.toJson(request));
    }

    if (response == null) {
        throw new Exception("unknown error during grantAccess. serviceName=" + serviceName);
    }

    final int status = response.getStatus();
    if (status != 200) {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        // The login user is included in the log line only when the secure path was taken.
        LOG.error("grantAccess() failed: HTTP status=" + status + ", message=" + resp.getMessage()
                + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : ""));

        // Only 401 is surfaced as an access-control failure; every other status is a plain Exception.
        if (status == 401) {
            throw new AccessControlException();
        }
        throw new Exception("HTTP " + status + " Error: " + resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.grantAccess(" + request + ")");
    }
}
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Posts a revoke request for this service to the admin server.
 *
 * <p>With a login user present and Hadoop security enabled, the secure revoke
 * endpoint is called from inside {@code UserGroupInformation.doAs} so the
 * POST runs as that login user; otherwise the non-secure endpoint is used.
 *
 * @param request the revocation to apply, sent as JSON
 * @throws AccessControlException when the server answers 401
 * @throws Exception when there is no response or the status is any other
 *         value than 200
 */
@Override
public void revokeAccess(final GrantRevokeRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + request + ")");
    }

    final UserGroupInformation user = MiscUtil.getUGILoginUser();
    final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
    final ClientResponse response;

    if (isSecureMode) {
        // Building and sending the POST inside run() keeps the whole call within doAs.
        PrivilegedAction<ClientResponse> securePost = new PrivilegedAction<ClientResponse>() {
            public ClientResponse run() {
                WebResource resource = createWebResource(
                        RangerRESTUtils.REST_URL_SECURE_SERVICE_REVOKE_ACCESS + serviceName)
                                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .post(ClientResponse.class, restClient.toJson(request));
            }
        };
        if (LOG.isDebugEnabled()) {
            LOG.debug("revokeAccess as user " + user);
        }
        response = user.doAs(securePost);
    } else {
        WebResource resource = createWebResource(
                RangerRESTUtils.REST_URL_SERVICE_REVOKE_ACCESS + serviceName)
                        .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .post(ClientResponse.class, restClient.toJson(request));
    }

    if (response == null) {
        throw new Exception("unknown error. revokeAccess(). serviceName=" + serviceName);
    }

    final int status = response.getStatus();
    if (status != 200) {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        // The login user is included in the log line only when the secure path was taken.
        LOG.error("revokeAccess() failed: HTTP status=" + status + ", message=" + resp.getMessage()
                + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : ""));

        // Only 401 is surfaced as an access-control failure; every other status is a plain Exception.
        if (status == 401) {
            throw new AccessControlException();
        }
        throw new Exception("HTTP " + status + " Error: " + resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.revokeAccess(" + request + ")");
    }
}
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Asks the admin server for this service's tags if they are newer than
 * {@code lastKnownVersion}.
 *
 * <p>With a login user present and Hadoop security enabled, the secure tag
 * endpoint is called from inside {@code UserGroupInformation.doAs} so the
 * request runs as that login user; otherwise the non-secure endpoint is used.
 *
 * @param lastKnownVersion tag version already held by the caller
 * @return the tags from a 200 response, or {@code null} on 304
 * @throws Exception carrying the server message for a null response or any
 *         status other than 200 and 304
 */
@Override
public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): ");
    }

    final UserGroupInformation user = MiscUtil.getUGILoginUser();
    final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
    final ClientResponse response;

    if (isSecureMode) {
        // The request is built and sent inside run(), i.e. within the doAs context.
        PrivilegedAction<ClientResponse> secureGet = new PrivilegedAction<ClientResponse>() {
            public ClientResponse run() {
                WebResource resource = createWebResource(
                        RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceName)
                                .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM,
                                        Long.toString(lastKnownVersion))
                                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return resource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
            }
        };
        if (LOG.isDebugEnabled()) {
            LOG.debug("getServiceTagsIfUpdated as user " + user);
        }
        response = user.doAs(secureGet);
    } else {
        WebResource resource = createWebResource(
                RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceName)
                        .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM,
                                Long.toString(lastKnownVersion))
                        .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = resource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
    }

    ServiceTags tags = null;
    final boolean gotResponse = response != null;

    if (gotResponse && response.getStatus() == 200) {
        tags = response.getEntity(ServiceTags.class);
    } else if (!(gotResponse && response.getStatus() == 304)) {
        // Anything except 200 and 304 (not modified), including a null response, is an error.
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("Error getting taggedResources. secureMode=" + isSecureMode + ", user=" + user
                + ", response=" + resp.toString() + ", serviceName=" + serviceName + ", "
                + "lastKnownVersion=" + lastKnownVersion);
        throw new Exception(resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): ");
    }
    return tags;
}
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Looks up tag names for this service that match {@code pattern}.
 *
 * <p>The same lookup URL is used in both modes. With a login user present and
 * Hadoop security enabled, the GET is issued from inside
 * {@code UserGroupInformation.doAs}; otherwise it is issued directly.
 *
 * @param pattern value sent as the pattern query parameter
 * @return the list read from a 200 response
 * @throws Exception carrying the server message for a null response or any
 *         status other than 200
 */
@Override
public List<String> getTagTypes(String pattern) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.getTagTypes(" + pattern + "): ");
    }

    // Only used to select the element type of the generic response type.
    final String elementSample = "";

    final UserGroupInformation user = MiscUtil.getUGILoginUser();
    final boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();

    final WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES)
            .queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName)
            .queryParam(RangerRESTUtils.PATTERN_PARAM, pattern);

    final ClientResponse response;
    if (!isSecureMode) {
        response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
    } else {
        // The resource is built outside; only the GET itself runs within doAs.
        PrivilegedAction<ClientResponse> secureGet = new PrivilegedAction<ClientResponse>() {
            public ClientResponse run() {
                return webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
            }
        };
        if (LOG.isDebugEnabled()) {
            LOG.debug("getTagTypes as user " + user);
        }
        response = user.doAs(secureGet);
    }

    final boolean ok = response != null && response.getStatus() == 200;
    if (!ok) {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("Error getting taggedResources. request=" + webResource.toString() + ", response="
                + resp.toString() + ", serviceName=" + serviceName + ", " + "pattern=" + pattern);
        throw new Exception(resp.getMessage());
    }

    List<String> tagTypes = response.getEntity(getGenericType(elementSample));

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.getTagTypes(" + pattern + "): " + tagTypes);
    }
    return tagTypes;
}
From source file:org.apache.ranger.audit.destination.HDFSAuditDestination.java
License:Apache License
/**
 * Writes a batch of already-serialized audit events to the current HDFS log
 * file, one event per line.
 *
 * <p>The write runs inside {@code UserGroupInformation.doAs} when a login user
 * is available, and directly otherwise. Every outcome is recorded in the
 * total/deferred/success counters.
 *
 * @param events JSON strings to append
 * @return {@code true} when the batch was written and the stream reported no
 *         error; {@code false} when the destination is not initialised, has
 *         been stopped, or the write failed (the batch is counted as deferred)
 */
@Override
public synchronized boolean logJSON(final Collection<String> events) {
    logStatusIfRequired();
    addTotalCount(events.size());

    if (!initDone) {
        addDeferredCount(events.size());
        return false;
    }
    if (isStopped) {
        addDeferredCount(events.size());
        logError("log() called after stop was requested. name=" + getName());
        return false;
    }

    try {
        if (logger.isDebugEnabled()) {
            logger.debug("UGI=" + MiscUtil.getUGILoginUser() + ". Will write to HDFS file=" + currentFileName);
        }

        // Obtaining the stream and writing both happen inside run(), so both are
        // covered by doAs when a login user exists.
        PrivilegedExceptionAction<PrintWriter> writeBatch = new PrivilegedExceptionAction<PrintWriter>() {
            @Override
            public PrintWriter run() throws Exception {
                PrintWriter writer = getLogFileStream();
                for (String line : events) {
                    writer.println(line);
                }
                return writer;
            }
        };

        UserGroupInformation ugi = MiscUtil.getUGILoginUser();
        PrintWriter writer = ugi != null ? ugi.doAs(writeBatch) : writeBatch.run();

        // checkError() flushes the stream and reports whether any write failed.
        if (writer.checkError()) {
            // The deferred count may overstate the loss if part of the batch was written;
            // the original author expects buffering to make the write all-or-nothing in practice.
            addDeferredCount(events.size());
            writer.close();
            // Drop the cached writer reference after the failed write.
            logWriter = null;
            return false;
        }
    } catch (Throwable t) {
        addDeferredCount(events.size());
        logError("Error writing to log file.", t);
        return false;
    }

    addSuccessCount(events.size());
    return true;
}
From source file:org.apache.ranger.audit.destination.SolrAuditDestination.java
License:Apache License
/**
 * Creates the Solr client once, from the configured ZooKeeper hosts or, when
 * none are configured, from the configured Solr URLs.
 *
 * <p>A property value of "NONE" (any case) is treated as not set. Client
 * construction runs inside {@code UserGroupInformation.doAs} when a login user
 * is available. A failure is logged at fatal level and swallowed, leaving
 * {@code solrClient} unset.
 */
synchronized void connect() {
    if (solrClient != null) {
        return;
    }

    // Second check under the class-wide lock, in addition to the instance lock held by this method.
    synchronized (SolrAuditDestination.class) {
        if (solrClient != null) {
            return;
        }

        String rawUrls = MiscUtil.getStringProperty(props, propPrefix + "." + PROP_SOLR_URLS);
        if (rawUrls != null) {
            rawUrls = rawUrls.trim();
        }
        final String urls = (rawUrls != null && rawUrls.equalsIgnoreCase("NONE")) ? null : rawUrls;
        final List<String> solrURLs = MiscUtil.toArray(urls, ",");

        final String zkProperty = MiscUtil.getStringProperty(props, propPrefix + "." + PROP_SOLR_ZK);
        final String zkHosts = (zkProperty != null && zkProperty.equalsIgnoreCase("NONE")) ? null : zkProperty;

        String configuredCollection = MiscUtil.getStringProperty(props,
                propPrefix + "." + PROP_SOLR_COLLECTION);
        final String collectionName = (configuredCollection == null
                || configuredCollection.equalsIgnoreCase("none")) ? DEFAULT_COLLECTION_NAME
                        : configuredCollection;

        LOG.info("Solr zkHosts=" + zkHosts + ", solrURLs=" + urls + ", collectionName=" + collectionName);

        if (zkHosts != null && !zkHosts.isEmpty()) {
            LOG.info("Connecting to solr cloud using zkHosts=" + zkHosts);
            try {
                // Static SolrJ setting, installed before the client is created.
                // NOTE(review): presumably affects every HTTP client SolrJ builds in this JVM - confirm.
                HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());

                PrivilegedExceptionAction<CloudSolrClient> createCloudClient = new PrivilegedExceptionAction<CloudSolrClient>() {
                    @Override
                    public CloudSolrClient run() throws Exception {
                        return new CloudSolrClient(zkHosts);
                    }
                };

                UserGroupInformation ugi = MiscUtil.getUGILoginUser();
                CloudSolrClient cloudClient = ugi != null ? ugi.doAs(createCloudClient)
                        : createCloudClient.run();
                cloudClient.setDefaultCollection(collectionName);
                solrClient = cloudClient;
            } catch (Throwable t) {
                LOG.fatal("Can't connect to Solr server. ZooKeepers=" + zkHosts, t);
            } finally {
                resetInitializerInSOLR();
            }
        } else if (solrURLs != null && !solrURLs.isEmpty()) {
            try {
                LOG.info("Connecting to Solr using URLs=" + solrURLs);
                HttpClientUtil.setConfigurer(new Krb5HttpClientConfigurer());

                PrivilegedExceptionAction<LBHttpSolrClient> createLbClient = new PrivilegedExceptionAction<LBHttpSolrClient>() {
                    @Override
                    public LBHttpSolrClient run() throws Exception {
                        // Only the first URL is used at construction; the rest are added below.
                        return new LBHttpSolrClient(solrURLs.get(0));
                    }
                };

                UserGroupInformation ugi = MiscUtil.getUGILoginUser();
                LBHttpSolrClient lbClient = ugi != null ? ugi.doAs(createLbClient) : createLbClient.run();
                lbClient.setConnectionTimeout(1000);
                for (String extraUrl : solrURLs.subList(1, solrURLs.size())) {
                    lbClient.addSolrServer(extraUrl);
                }
                solrClient = lbClient;
            } catch (Throwable t) {
                LOG.fatal("Can't connect to Solr server. URL=" + solrURLs, t);
            } finally {
                resetInitializerInSOLR();
            }
        }
    }
}
From source file:org.apache.ranger.audit.destination.SolrAuditDestination.java
License:Apache License
/**
 * Converts a batch of audit events to Solr documents and sends them in one
 * add request, connecting first if no client exists yet.
 *
 * <p>The add runs inside {@code UserGroupInformation.doAs} when a login user is
 * available, and directly otherwise.
 *
 * @param events events to index; each element is cast to {@code AuthzAuditEvent}
 * @return {@code false} when Solr is still not connected or an unexpected error
 *         occurred (batch counted as deferred); {@code true} otherwise. A
 *         non-zero Solr status or a {@code SolrException} also returns
 *         {@code true}, with the batch counted and logged as failed.
 */
@Override
public boolean log(Collection<AuditEventBase> events) {
    try {
        logStatusIfRequired();
        addTotalCount(events.size());

        if (solrClient == null) {
            connect();
            if (solrClient == null) {
                // Still no client after the connect attempt: report the batch as deferred.
                addDeferredCount(events.size());
                return false;
            }
        }

        final Collection<SolrInputDocument> docs = new ArrayList<SolrInputDocument>();
        for (AuditEventBase event : events) {
            // A non-AuthzAuditEvent element throws here and is handled by the outer catch.
            docs.add(toSolrDoc((AuthzAuditEvent) event));
        }

        try {
            PrivilegedExceptionAction<UpdateResponse> addDocs = new PrivilegedExceptionAction<UpdateResponse>() {
                @Override
                public UpdateResponse run() throws Exception {
                    return solrClient.add(docs);
                }
            };

            UserGroupInformation ugi = MiscUtil.getUGILoginUser();
            UpdateResponse response = ugi != null ? ugi.doAs(addDocs) : addDocs.run();

            if (response.getStatus() == 0) {
                addSuccessCount(events.size());
            } else {
                addFailedCount(events.size());
                logFailedEvent(events, response.toString());
            }
        } catch (SolrException ex) {
            addFailedCount(events.size());
            logFailedEvent(events, ex);
        }
    } catch (Throwable t) {
        addDeferredCount(events.size());
        logError("Error sending message to Solr", t);
        return false;
    }
    return true;
}
From source file:org.apache.ranger.audit.provider.kafka.KafkaAuditProvider.java
License:Apache License
/**
 * Initialises the provider: reads the topic and broker list from
 * {@code props} and creates the Kafka producer once.
 *
 * <p>The topic defaults to "ranger_audits" and the broker list to
 * "localhost:9092" when unset or empty. The producer is constructed inside
 * {@code UserGroupInformation.doAs} when a login user is available. Any
 * failure is logged at fatal level and swallowed, leaving {@code initDone}
 * unchanged.
 *
 * @param props configuration to read the topic and broker list from
 */
@Override
public void init(Properties props) {
    LOG.info("init() called");
    super.init(props);

    topic = MiscUtil.getStringProperty(props, AUDIT_KAFKA_TOPIC_NAME);
    if (topic == null || topic.isEmpty()) {
        topic = "ranger_audits";
    }

    try {
        if (initDone) {
            return;
        }

        String brokers = MiscUtil.getStringProperty(props, AUDIT_KAFKA_BROKER_LIST);
        if (brokers == null || brokers.isEmpty()) {
            brokers = "localhost:9092";
        }

        // NOTE(review): only these three keys are set here; no transport-security or
        // authentication settings are visible in this method - confirm where they come from.
        final Map<String, Object> producerConfig = new HashMap<String, Object>();
        producerConfig.put("metadata.broker.list", brokers);
        producerConfig.put("serializer.class", "kafka.serializer.StringEncoder");
        producerConfig.put("request.required.acks", "1");

        LOG.info("Connecting to Kafka producer using properties:" + producerConfig.toString());

        PrivilegedAction<Producer<String, String>> createProducer = new PrivilegedAction<Producer<String, String>>() {
            @Override
            public Producer<String, String> run() {
                return new KafkaProducer<String, String>(producerConfig);
            }
        };

        UserGroupInformation ugi = MiscUtil.getUGILoginUser();
        if (ugi == null) {
            producer = createProducer.run();
        } else {
            producer = ugi.doAs(createProducer);
        }
        initDone = true;
    } catch (Throwable t) {
        LOG.fatal("Error initializing kafka:", t);
    }
}