List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:eu.stratosphere.yarn.YarnTaskManagerRunner.java
License:Apache License
public static void main(final String[] args) throws IOException { Map<String, String> envs = System.getenv(); final String yarnClientUsername = envs.get(Client.ENV_CLIENT_USERNAME); final String localDirs = envs.get(Environment.LOCAL_DIRS.key()); // configure local directory final String[] newArgs = Arrays.copyOf(args, args.length + 2); newArgs[newArgs.length - 2] = "-" + TaskManager.ARG_CONF_DIR; newArgs[newArgs.length - 1] = localDirs; LOG.info("Setting log path " + localDirs); LOG.info("YARN daemon runs as '" + UserGroupInformation.getCurrentUser().getShortUserName() + "' setting" + " user to execute Stratosphere TaskManager to '" + yarnClientUsername + "'"); UserGroupInformation ugi = UserGroupInformation.createRemoteUser(yarnClientUsername); for (Token<? extends TokenIdentifier> toks : UserGroupInformation.getCurrentUser().getTokens()) { ugi.addToken(toks);/* w ww . j a v a2s .co m*/ } ugi.doAs(new PrivilegedAction<Object>() { @Override public Object run() { try { TaskManager.main(newArgs); } catch (Exception e) { e.printStackTrace(); } return null; } }); }
From source file:gobblin.compliance.HivePartitionVersionFinder.java
License:Apache License
private void setVersions(final String name, final State state) throws IOException { try {// w w w .j a va 2s . c o m UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); loginUser.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws IOException { HiveDatasetFinder finder = new HiveDatasetFinder(fs, state.getProperties()); for (HiveDataset hiveDataset : finder.findDatasets()) { List<Partition> partitions = hiveDataset.getPartitionsFromDataset(); for (String pattern : patterns) { if (hiveDataset.getTable().getTableName().contains(pattern)) { addPartitionsToVersions(versions, name, hiveDataset, partitions); } } } return null; } }); } catch (InterruptedException | IOException e) { throw new IOException(e); } }
From source file:gobblin.compliance.HiveProxyQueryExecutor.java
License:Apache License
private synchronized void setProxiedConnection(final List<String> proxies) throws IOException, InterruptedException, TException { Preconditions.checkArgument(this.state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION), "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); String superUser = this.state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String keytabLocation = this.state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); String realm = this.state.getProp(ConfigurationKeys.KERBEROS_REALM); UserGroupInformation loginUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI( HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation); loginUser.doAs(new PrivilegedExceptionAction<Void>() { @Override//from www . ja va2 s .co m public Void run() throws MetaException, SQLException, ClassNotFoundException { for (String proxy : proxies) { HiveConnection hiveConnection = getHiveConnection(Optional.fromNullable(proxy)); Statement statement = hiveConnection.createStatement(); statementMap.put(proxy, statement); connectionMap.put(proxy, hiveConnection); for (String setting : settings) { statement.execute(setting); } } return null; } }); }
From source file:gobblin.compliance.purger.HivePurgerPublisher.java
License:Apache License
public void initHiveMetastoreClient() throws Exception { if (this.state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION)) { String superUser = this.state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String realm = this.state.getProp(ConfigurationKeys.KERBEROS_REALM); String keytabLocation = this.state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); log.info("Establishing MetastoreClient connection using " + keytabLocation); UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation);//from w w w . j ava2 s. c om UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); loginUser.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws TException { HivePurgerPublisher.this.client = new HiveMetaStoreClient(new HiveConf()); return null; } }); } else { HivePurgerPublisher.this.client = new HiveMetaStoreClient(new HiveConf()); } }
From source file:gobblin.util.ProxiedFileSystemUtils.java
License:Apache License
/** * Create a {@link FileSystem} that can perform any operations allowed the by the specified userNameToProxyAs. The * method first proxies as userNameToProxyAs, and then adds the specified {@link Token} to the given * {@link UserGroupInformation} object. It then uses the {@link UserGroupInformation#doAs(PrivilegedExceptionAction)} * method to create a {@link FileSystem}. * * @param userNameToProxyAs The name of the user the super user should proxy as * @param userNameToken The {@link Token} to add to the proxied user's {@link UserGroupInformation}. * @param fsURI The {@link URI} for the {@link FileSystem} that should be created * @param conf The {@link Configuration} for the {@link FileSystem} that should be created * * @return a {@link FileSystem} that can execute commands on behalf of the specified userNameToProxyAs *///from w w w .j a v a 2 s . c o m static FileSystem createProxiedFileSystemUsingToken(@NonNull String userNameToProxyAs, @NonNull Token<?> userNameToken, URI fsURI, Configuration conf) throws IOException, InterruptedException { UserGroupInformation ugi = UserGroupInformation.createProxyUser(userNameToProxyAs, UserGroupInformation.getLoginUser()); ugi.addToken(userNameToken); return ugi.doAs(new ProxiedFileSystem(fsURI, conf)); }
From source file:gobblin.util.ProxiedFileSystemWrapper.java
License:Apache License
/** * Getter for proxiedFs, using the passed parameters to create an instance of a proxiedFs. * @param properties/*www . j a v a 2 s .c o m*/ * @param authType is either TOKEN or KEYTAB. * @param authPath is the KEYTAB location if the authType is KEYTAB; otherwise, it is the token file. * @param uri File system URI. * @throws IOException * @throws InterruptedException * @throws URISyntaxException * @return proxiedFs */ public FileSystem getProxiedFileSystem(State properties, AuthType authType, String authPath, String uri, final Configuration conf) throws IOException, InterruptedException, URISyntaxException { Preconditions.checkArgument( StringUtils.isNotBlank(properties.getProp(ConfigurationKeys.FS_PROXY_AS_USER_NAME)), "State does not contain a proper proxy user name"); String proxyUserName = properties.getProp(ConfigurationKeys.FS_PROXY_AS_USER_NAME); UserGroupInformation proxyUser; switch (authType) { case KEYTAB: // If the authentication type is KEYTAB, log in a super user first before creating a proxy user. Preconditions.checkArgument( StringUtils .isNotBlank(properties.getProp(ConfigurationKeys.SUPER_USER_NAME_TO_PROXY_AS_OTHERS)), "State does not contain a proper proxy token file name"); String superUser = properties.getProp(ConfigurationKeys.SUPER_USER_NAME_TO_PROXY_AS_OTHERS); UserGroupInformation.loginUserFromKeytab(superUser, authPath); proxyUser = UserGroupInformation.createProxyUser(proxyUserName, UserGroupInformation.getLoginUser()); break; case TOKEN: // If the authentication type is TOKEN, create a proxy user and then add the token to the user. proxyUser = UserGroupInformation.createProxyUser(proxyUserName, UserGroupInformation.getLoginUser()); Optional<Token<?>> proxyToken = getTokenFromSeqFile(authPath, proxyUserName); if (proxyToken.isPresent()) { proxyUser.addToken(proxyToken.get()); } else { LOG.warn("No delegation token found for the current proxy user."); } break; default: LOG.warn( "Creating a proxy user without authentication, which could not perform File system operations."); proxyUser = UserGroupInformation.createProxyUser(proxyUserName, UserGroupInformation.getLoginUser()); break; } final URI fsURI = URI.create(uri); proxyUser.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws IOException { LOG.debug("Now performing file system operations as :" + UserGroupInformation.getCurrentUser()); proxiedFs = FileSystem.get(fsURI, conf); return null; } }); return this.proxiedFs; }
From source file:io.druid.security.kerberos.KerberosEscalator.java
License:Apache License
@Override public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient( org.eclipse.jetty.client.HttpClient baseClient) { baseClient.getAuthenticationStore().addAuthentication(new Authentication() { @Override/*from w w w . j av a 2 s . c o m*/ public boolean matches(String type, URI uri, String realm) { return true; } @Override public Result authenticate(final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context) { return new Result() { @Override public URI getURI() { return request.getURI(); } @Override public void apply(Request request) { try { // No need to set cookies as they are handled by Jetty Http Client itself. URI uri = request.getURI(); if (DruidKerberosUtil.needToSendCredentials(baseClient.getCookieStore(), uri)) { log.debug( "No Auth Cookie found for URI[%s]. Existing Cookies[%s] Authenticating... ", uri, baseClient.getCookieStore().getCookies()); final String host = request.getHost(); DruidKerberosUtil.authenticateIfRequired(internalClientPrincipal, internalClientKeytab); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); String challenge = currentUser.doAs(new PrivilegedExceptionAction<String>() { @Override public String run() throws Exception { return DruidKerberosUtil.kerberosChallenge(host); } }); request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge); } else { log.debug("Found Auth Cookie found for URI[%s].", uri); } } catch (Throwable e) { Throwables.propagate(e); } } }; } }); return baseClient; }
From source file:io.druid.security.kerberos.KerberosHttpClient.java
License:Apache License
private <Intermediate, Final> void inner_go(final Request request, final HttpResponseHandler<Intermediate, Final> httpResponseHandler, final Duration duration, final SettableFuture<Final> future) { try {// w ww . jav a2 s. c o m final String host = request.getUrl().getHost(); final URI uri = request.getUrl().toURI(); Map<String, List<String>> cookieMap = cookieManager.get(uri, Collections.<String, List<String>>emptyMap()); for (Map.Entry<String, List<String>> entry : cookieMap.entrySet()) { request.addHeaderValues(entry.getKey(), entry.getValue()); } final boolean should_retry_on_unauthorized_response; if (DruidKerberosUtil.needToSendCredentials(cookieManager.getCookieStore(), uri)) { // No Cookies for requested URI, authenticate user and add authentication header log.debug("No Auth Cookie found for URI[%s]. Existing Cookies[%s] Authenticating... ", uri, cookieManager.getCookieStore().getCookies()); DruidKerberosUtil.authenticateIfRequired(config); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); String challenge = currentUser.doAs(new PrivilegedExceptionAction<String>() { @Override public String run() throws Exception { return DruidKerberosUtil.kerberosChallenge(host); } }); request.setHeader(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge); should_retry_on_unauthorized_response = false; } else { should_retry_on_unauthorized_response = true; log.debug("Found Auth Cookie found for URI[%s].", uri); } ListenableFuture<RetryResponseHolder<Final>> internalFuture = delegate.go(request, new RetryIfUnauthorizedResponseHandler<Intermediate, Final>(new ResponseCookieHandler( request.getUrl().toURI(), cookieManager, httpResponseHandler)), duration); Futures.addCallback(internalFuture, new FutureCallback<RetryResponseHolder<Final>>() { @Override public void onSuccess(RetryResponseHolder<Final> result) { if (should_retry_on_unauthorized_response && result.shouldRetry()) { log.info("Preparing for Retry"); // remove Auth cookie DruidKerberosUtil.removeAuthCookie(cookieManager.getCookieStore(), uri); // clear existing cookie request.setHeader("Cookie", ""); inner_go(request.copy(), httpResponseHandler, duration, future); } else { log.info("Not retrying and returning future response"); future.set(result.getObj()); } } @Override public void onFailure(Throwable t) { future.setException(t); } }, exec); } catch (Throwable e) { throw Throwables.propagate(e); } }
From source file:io.druid.security.kerberos.KerberosJettyHttpClientProvider.java
License:Apache License
@Override public HttpClient get() { final HttpClient httpClient = delegateProvider.get(); httpClient.getAuthenticationStore().addAuthentication(new Authentication() { @Override/*from w ww. j a v a2s . c om*/ public boolean matches(String type, URI uri, String realm) { return true; } @Override public Result authenticate(final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context) { return new Result() { @Override public URI getURI() { return request.getURI(); } @Override public void apply(Request request) { try { // No need to set cookies as they are handled by Jetty Http Client itself. URI uri = request.getURI(); if (DruidKerberosUtil.needToSendCredentials(httpClient.getCookieStore(), uri)) { log.debug( "No Auth Cookie found for URI[%s]. Existing Cookies[%s] Authenticating... ", uri, httpClient.getCookieStore().getCookies()); final String host = request.getHost(); DruidKerberosUtil.authenticateIfRequired(config); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); String challenge = currentUser.doAs(new PrivilegedExceptionAction<String>() { @Override public String run() throws Exception { return DruidKerberosUtil.kerberosChallenge(host); } }); request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge); } else { log.debug("Found Auth Cookie found for URI[%s].", uri); } } catch (Throwable e) { Throwables.propagate(e); } } }; } }); return httpClient; }
From source file:joshelser.TUGIAssumingProcessor.java
License:Apache License
@Override public boolean process(final TProtocol inProt, final TProtocol outProt) throws TException { TTransport trans = inProt.getTransport(); if (!(trans instanceof TSaslServerTransport)) { throw new TException("Unexpected non-SASL transport " + trans.getClass()); }/* w ww . ja v a 2 s . com*/ TSaslServerTransport saslTrans = (TSaslServerTransport) trans; SaslServer saslServer = saslTrans.getSaslServer(); String authId = saslServer.getAuthorizationID(); String endUser = authId; UserGroupInformation clientUgi = null; try { clientUgi = UserGroupInformation.createProxyUser(endUser, UserGroupInformation.getLoginUser()); final String remoteUser = clientUgi.getShortUserName(); log.debug("Executing action as {}", remoteUser); return clientUgi.doAs(new PrivilegedExceptionAction<Boolean>() { @Override public Boolean run() { try { return wrapped.process(inProt, outProt); } catch (TException te) { throw new RuntimeException(te); } } }); } catch (RuntimeException rte) { if (rte.getCause() instanceof TException) { log.error("Failed to invoke wrapped processor", rte.getCause()); throw (TException) rte.getCause(); } throw rte; } catch (InterruptedException | IOException e) { log.error("Failed to invoke wrapped processor", e); throw new RuntimeException(e); } finally { if (clientUgi != null) { try { FileSystem.closeAllForUGI(clientUgi); } catch (IOException exception) { log.error("Could not clean up file-system handles for UGI: {}", clientUgi, exception); } } } }