List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:ml.shifu.guagua.yarn.GuaguaAppMaster.java
License:Apache License
/**
 * Application entry point.
 *
 * <p>Reads the container id and the job user name from the environment, copies
 * the current credentials onto a remote-user UGI named after the job user, and
 * runs the application master inside {@code doAs} on that UGI. The process exits
 * with 0 when {@code appMaster.run()} returns true, with 2 when it returns false,
 * and with 1 when anything is thrown inside the try block.
 *
 * @param args
 *            command-line args (set by GuaguaYarnClient, if any)
 */
public static void main(final String[] args) {
    LOG.info("Starting GuaguaAppMaster. ");

    String rawContainerId = System.getenv().get(Environment.CONTAINER_ID.name());
    if (rawContainerId == null) {
        // container id should always be set in the env by the framework
        throw new IllegalArgumentException("ContainerId not found in env vars.");
    }
    ContainerId containerId = ConverterUtils.toContainerId(rawContainerId);
    ApplicationAttemptId appAttemptId = containerId.getApplicationAttemptId();

    Configuration conf = new YarnConfiguration();
    // The identity used below is whatever the USER environment variable holds.
    // It is not checked for null here, and this set() runs outside the try block.
    String jobUserName = System.getenv(ApplicationConstants.Environment.USER.name());
    conf.set(MRJobConfig.USER_NAME, jobUserName);

    try {
        UserGroupInformation.setConfiguration(conf);

        // Security framework already loaded the tokens into current UGI, just use them
        Credentials credentials = UserGroupInformation.getCurrentUser().getCredentials();

        // NOTE(review): every token's toString() is written to the INFO log. Confirm the
        // string form carries no secret material and that identifier details are
        // acceptable in container logs.
        LOG.info("Executing with tokens:");
        for (Token<?> loaded : credentials.getAllTokens()) {
            LOG.info(loaded.toString());
        }

        // The UGI is created from the name alone; the credentials added next are what
        // it carries into doAs().
        UserGroupInformation appMasterUgi = UserGroupInformation.createRemoteUser(jobUserName);
        appMasterUgi.addCredentials(credentials);

        // Now remove the AM->RM token so tasks don't have it.
        // NOTE(review): `credentials` is not read again in this method, so the removal
        // only matters if tasks obtain this object some other way. Confirm how task
        // credentials are built.
        for (Iterator<Token<?>> it = credentials.getAllTokens().iterator(); it.hasNext();) {
            Token<?> candidate = it.next();
            if (candidate.getKind().equals(AMRMTokenIdentifier.KIND_NAME)) {
                it.remove();
            }
        }

        final GuaguaAppMaster appMaster = new GuaguaAppMaster(containerId, appAttemptId, conf);
        appMasterUgi.doAs(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                boolean succeeded = false;
                try {
                    succeeded = appMaster.run();
                } catch (Throwable t) {
                    LOG.error("GuaguaAppMaster caught a top-level exception in main.", t);
                    System.exit(1);
                }
                if (!succeeded) {
                    LOG.info("Guagua Application Master failed. exiting");
                    System.exit(2);
                } else {
                    LOG.info("Guagua Application Master completed successfully. exiting");
                    System.exit(0);
                }
                return null;
            }
        });
    } catch (Throwable t) {
        LOG.error("GuaguaAppMaster caught a top-level exception in main.", t);
        System.exit(1);
    }
}
From source file:ml.shifu.guagua.yarn.GuaguaYarnTask.java
License:Apache License
/**
 * Task entry point.
 *
 * <p>Requires exactly seven arguments, of which the last three are passed to the
 * {@code GuaguaYarnTask} constructor (the first of those parsed as an int). The task
 * runs inside {@code doAs} on a remote-user UGI that carries the current credentials.
 * The process exits with 2 when anything is thrown inside the try block, otherwise 0.
 *
 * @param args
 *            command-line args; must contain seven entries
 */
public static void main(String[] args) {
    final String renderedArgs = Arrays.toString(args);
    LOG.info("args:{}", renderedArgs);
    if (args.length != 7) {
        throw new IllegalStateException(String.format(
                "GuaguaYarnTask could not construct a TaskAttemptID for the Guagua job from args: %s",
                renderedArgs));
    }

    String rawContainerId = System.getenv().get(Environment.CONTAINER_ID.name());
    if (rawContainerId == null) {
        // container id should always be set in the env by the framework
        throw new IllegalArgumentException("ContainerId not found in env vars.");
    }
    ContainerId containerId = ConverterUtils.toContainerId(rawContainerId);
    ApplicationAttemptId appAttemptId = containerId.getApplicationAttemptId();

    try {
        Configuration conf = new YarnConfiguration();
        // The identity used below is whatever the USER environment variable holds;
        // it is not checked for null before use.
        String jobUserName = System.getenv(ApplicationConstants.Environment.USER.name());
        conf.set(MRJobConfig.USER_NAME, jobUserName);
        UserGroupInformation.setConfiguration(conf);

        // Security framework already loaded the tokens into current UGI, just use them
        Credentials credentials = UserGroupInformation.getCurrentUser().getCredentials();

        // NOTE(review): every token's toString() is written to the INFO log. Confirm the
        // string form carries no secret material and that identifier details are
        // acceptable in container logs.
        LOG.info("Executing with tokens:");
        for (Token<?> loaded : credentials.getAllTokens()) {
            LOG.info(loaded.toString());
        }

        // The UGI is created from the name alone; the credentials added next are what
        // it carries into doAs(). All loaded tokens are passed on unfiltered.
        UserGroupInformation appTaskUGI = UserGroupInformation.createRemoteUser(jobUserName);
        appTaskUGI.addCredentials(credentials);

        @SuppressWarnings("rawtypes")
        final GuaguaYarnTask<?, ?> guaguaYarnTask = new GuaguaYarnTask(appAttemptId, containerId,
                Integer.parseInt(args[args.length - 3]), args[args.length - 2], args[args.length - 1], conf);

        appTaskUGI.doAs(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                guaguaYarnTask.run();
                return null;
            }
        });
    } catch (Throwable t) {
        LOG.error("GuaguaYarnTask threw a top-level exception, failing task", t);
        System.exit(2);
    }
    System.exit(0);
}
From source file:net.sf.jfilesync.plugins.net.items.THdfs_plugin.java
License:Apache License
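/**
 * Connects to HDFS at the host and port given in {@code connectData}, acting as the
 * user name it carries.
 *
 * <p>History: when a user disconnected and connected again under a different user
 * name, the second session still ran as the first user until the application was
 * restarted. Creating the {@code FileSystem} inside {@code doAs} on a per-connection
 * UGI fixed this; see
 * http://stackoverflow.com/questions/15941108/hdfs-access-from-remote-host-through-java-api-user-authentication
 * (an earlier attempt set the HADOOP_USER_NAME system property instead).
 *
 * <p>Security note: {@code createRemoteUser} only labels the caller with the supplied
 * name; no password, ticket or token is presented anywhere in this method. The
 * connection therefore identifies the user only on clusters that accept a
 * client-asserted name.
 *
 * @param connectData host, port and user name for the connection
 * @throws PluginConnectException if the file system cannot be opened
 */
@Override
public void connect(TConnectionData connectData) throws PluginConnectException {
    this.conData = connectData;
    final String hostname = conData.getHost();
    final int port = conData.getPort();
    final String uri = "hdfs://" + hostname + ":" + port;
    final String username = conData.getUser();

    LOGGER.info("trying to connect to :" + hostname);

    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(username);
    try {
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                conf = new Configuration();
                // NOTE(review): "hadoop.job.ugi" looks like a legacy property; confirm the
                // target Hadoop version still reads it. The doAs() is what selects the user.
                conf.set("hadoop.job.ugi", username);
                fs = FileSystem.get(URI.create(uri), conf);
                return null;
            }
        });
    } catch (Exception e) {
        if (e instanceof InterruptedException) {
            // doAs() can be interrupted; keep the flag set so callers up the stack
            // can still observe the interruption after we translate the exception.
            Thread.currentThread().interrupt();
        }
        e.printStackTrace();
        // NOTE(review): only the message is forwarded, so the original cause and stack
        // trace are lost to the caller. Pass the cause if PluginConnectException
        // accepts one.
        throw new PluginConnectException(TErrorHandling.ERROR_CONNECTION_FAILURE, e.getMessage());
    }
    LOGGER.info("hdfs connect done");
}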
From source file:nl.surfsara.warcexamples.hdfs.Headers.java
License:Apache License
/**
 * Configures a Kerberos client from the bundled cluster files and runs
 * {@code PrintHeaders} as the login user.
 *
 * <p>An {@code IOException} from obtaining the login user is printed and otherwise
 * ignored, so this method returns normally even when the login fails.
 */
@Override
public void run() {
    // Realm and KDC are set as system properties, so they apply to the whole JVM
    // and not only to this task.
    System.setProperty("java.security.krb5.realm", "CUA.SURFSARA.NL");
    System.setProperty("java.security.krb5.kdc", "kdc.hathi.surfsara.nl");

    final Configuration conf = new Configuration();
    // The core-site.xml and hdfs-site.xml are cluster specific. If you wish to use this
    // on other clusters adapt the files as needed.
    conf.addResource(
            Headers.class.getResourceAsStream("/nl/surfsara/warcexamples/hdfs/resources/core-site.xml"));
    conf.addResource(
            Headers.class.getResourceAsStream("/nl/surfsara/warcexamples/hdfs/resources/hdfs-site.xml"));
    conf.set("hadoop.security.authentication", "kerberos");
    conf.set("hadoop.security.authorization", "true");
    UserGroupInformation.setConfiguration(conf);

    try {
        // NOTE(review): no keytab or password login is visible here, so this presumably
        // relies on an existing Kerberos ticket cache for the OS user. Confirm.
        final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        System.out.println("Logged in as: " + loginUser.getUserName());
        final PrintHeaders printHeaders = new PrintHeaders(conf, path);
        loginUser.doAs(printHeaders);
    } catch (IOException e) {
        // Just dump the error..
        e.printStackTrace();
    }
}
From source file:org.apache.accumulo.core.client.impl.ThriftTransportKeyTest.java
License:Apache License
/**
 * Two transport keys built for the same user, server and SASL settings must be equal
 * and share a hash code, so that a cached Thrift connection is found again.
 */
@Test
public void testConnectionCaching() throws IOException, InterruptedException {
  UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);
  final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
  // The primary is the first component of the principal
  final String primary = "accumulo";
  clientConf.withSasl(true, primary);

  // One action, run twice below: each doAs() call builds a fresh SaslConnectionParams
  // while user1 is the current user.
  final PrivilegedExceptionAction<SaslConnectionParams> buildParams =
      new PrivilegedExceptionAction<SaslConnectionParams>() {
        @Override
        public SaslConnectionParams run() throws Exception {
          return new SaslConnectionParams(clientConf, token);
        }
      };

  // A first instance of the SASL cnxn params
  SaslConnectionParams firstParams = user1.doAs(buildParams);
  // A second instance of what should be the same SaslConnectionParams
  SaslConnectionParams secondParams = user1.doAs(buildParams);

  ThriftTransportKey firstKey =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, firstParams);
  ThriftTransportKey secondKey =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, secondParams);

  // Should equals() and hashCode() to make sure we don't throw away thrift cnxns
  assertEquals(firstKey, secondKey);
  assertEquals(firstKey.hashCode(), secondKey.hashCode());
}
From source file:org.apache.accumulo.core.client.impl.ThriftTransportKeyTest.java
License:Apache License
/**
 * Transport keys built for different users must differ even when server address and
 * timeout match, so that a connection cached for one principal is not handed to
 * another.
 */
@Test
public void testSaslPrincipalIsSignificant() throws IOException, InterruptedException {
  UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);

  // The same action runs under each user; only the identity active inside doAs() differs.
  final PrivilegedExceptionAction<SaslConnectionParams> buildParams =
      new PrivilegedExceptionAction<SaslConnectionParams>() {
        @Override
        public SaslConnectionParams run() throws Exception {
          final ClientConfiguration clientConf = ClientConfiguration.loadDefault();
          // The primary is the first component of the principal
          final String primary = "accumulo";
          clientConf.withSasl(true, primary);
          assertEquals("true", clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED));
          return new SaslConnectionParams(clientConf, token);
        }
      };

  SaslConnectionParams paramsForUser1 = user1.doAs(buildParams);

  UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", new String[0]);
  SaslConnectionParams paramsForUser2 = user2.doAs(buildParams);

  ThriftTransportKey keyForUser1 =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, paramsForUser1);
  ThriftTransportKey keyForUser2 =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, paramsForUser2);

  assertNotEquals(keyForUser1, keyForUser2);
  // Unequal hash codes are stricter than the equals/hashCode contract requires; this
  // pins that the hash takes the SASL parameters into account.
  assertNotEquals(keyForUser1.hashCode(), keyForUser2.hashCode());
}
From source file:org.apache.accumulo.core.clientImpl.ThriftTransportKeyTest.java
License:Apache License
/**
 * Two transport keys built for the same user, server and SASL settings must be equal
 * and share a hash code, so that a cached Thrift connection is found again.
 */
@Test
public void testConnectionCaching() throws IOException, InterruptedException {
  UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);

  // Typed local instead of an inline cast; it still selects the
  // PrivilegedExceptionAction overload of doAs().
  final PrivilegedExceptionAction<SaslConnectionParams> buildParams = () -> createSaslParams(token);

  // A first instance of the SASL cnxn params
  SaslConnectionParams firstParams = user1.doAs(buildParams);
  // A second instance of what should be the same SaslConnectionParams
  SaslConnectionParams secondParams = user1.doAs(buildParams);

  ThriftTransportKey firstKey =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, firstParams);
  ThriftTransportKey secondKey =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, secondParams);

  // Should equals() and hashCode() to make sure we don't throw away thrift cnxns
  assertEquals(firstKey, secondKey);
  assertEquals(firstKey.hashCode(), secondKey.hashCode());
}
From source file:org.apache.accumulo.core.clientImpl.ThriftTransportKeyTest.java
License:Apache License
/**
 * Transport keys built for different users must differ even when server address and
 * timeout match, so that a connection cached for one principal is not handed to
 * another.
 */
@Test
public void testSaslPrincipalIsSignificant() throws IOException, InterruptedException {
  UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);

  // The same action runs under each user; only the identity active inside doAs() differs.
  final PrivilegedExceptionAction<SaslConnectionParams> buildParams = () -> createSaslParams(token);

  SaslConnectionParams paramsForUser1 = user1.doAs(buildParams);

  UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", new String[0]);
  SaslConnectionParams paramsForUser2 = user2.doAs(buildParams);

  ThriftTransportKey keyForUser1 =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, paramsForUser1);
  ThriftTransportKey keyForUser2 =
      new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, paramsForUser2);

  assertNotEquals(keyForUser1, keyForUser2);
  // Unequal hash codes are stricter than the equals/hashCode contract requires; this
  // pins that the hash takes the SASL parameters into account.
  assertNotEquals(keyForUser1.hashCode(), keyForUser2.hashCode());
}
From source file:org.apache.accumulo.monitor.rest.trace.TracesResource.java
License:Apache License
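/**
 * Builds a scanner over the trace table using the monitor's configured trace identity.
 *
 * <p>With SASL enabled and a keytab available, the method logs in from the keytab and
 * creates the scanner inside {@code doAs} on the resulting UGI. With SASL disabled it
 * authenticates with a token: a {@code PasswordToken} from the trace password when no
 * trace token properties are set, otherwise an instance of the configured token type
 * initialised from those properties. With SASL enabled but no keytab, neither a UGI
 * nor a token exists and the method fails with an {@code AssertionError}.
 *
 * @return the scanner paired with the UGI it was created under; the UGI is null when
 *         no keytab login took place
 * @throws RuntimeException if the keytab login or the {@code doAs} call fails
 */
protected Pair<Scanner, UserGroupInformation> getScanner() throws AccumuloException, AccumuloSecurityException {
  AccumuloConfiguration conf = Monitor.getContext().getConfiguration();
  final boolean saslEnabled = conf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED);
  UserGroupInformation traceUgi = null;
  final String principal;
  final AuthenticationToken at;
  Map<String, String> loginMap = conf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);

  // May be null
  String keytab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
  if (keytab == null || keytab.length() == 0) {
    // NOTE(review): only null is rejected below, so an empty path returned here would
    // still reach the keytab login. Confirm what getPath() yields when unset.
    keytab = conf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
  }

  if (saslEnabled && null != keytab) {
    principal = SecurityUtil.getServerPrincipal(conf.get(Property.TRACE_USER));
    try {
      // A keytab login is performed on every call to this method.
      traceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    } catch (IOException e) {
      throw new RuntimeException("Failed to login as trace user", e);
    }
  } else {
    principal = conf.get(Property.TRACE_USER);
  }

  if (!saslEnabled) {
    if (loginMap.isEmpty()) {
      // The trace password is read from configuration as a plain string, so read
      // access to that configuration is equivalent to holding the credential.
      Property p = Property.TRACE_PASSWORD;
      at = new PasswordToken(conf.get(p).getBytes(UTF_8));
    } else {
      Properties props = new Properties();
      // Strip the common prefix so the token sees its own property names.
      int prefixLength = Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey().length();
      for (Entry<String, String> entry : loginMap.entrySet()) {
        props.put(entry.getKey().substring(prefixLength), entry.getValue());
      }
      AuthenticationToken token = Property.createInstanceFromPropertyName(conf, Property.TRACE_TOKEN_TYPE,
          AuthenticationToken.class, new PasswordToken());
      token.init(props);
      at = token;
    }
  } else {
    at = null;
  }

  final String table = conf.get(Property.TRACE_TABLE);
  Scanner scanner;
  if (null != traceUgi) {
    try {
      scanner = traceUgi.doAs(new PrivilegedExceptionAction<Scanner>() {
        @Override
        public Scanner run() throws Exception {
          // Make the KerberosToken inside the doAs
          AuthenticationToken token = at;
          if (null == token) {
            token = new KerberosToken();
          }
          return getScanner(table, principal, token);
        }
      });
    } catch (InterruptedException e) {
      // Keep the interrupt flag set; wrapping the exception alone would clear the
      // only signal the calling thread has that it was asked to stop.
      Thread.currentThread().interrupt();
      throw new RuntimeException("Failed to obtain scanner", e);
    } catch (IOException e) {
      throw new RuntimeException("Failed to obtain scanner", e);
    }
  } else {
    if (null == at) {
      throw new AssertionError("AuthenticationToken should not be null");
    }
    scanner = getScanner(table, principal, at);
  }
  return new Pair<>(scanner, traceUgi);
}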
From source file:org.apache.accumulo.monitor.servlets.trace.Basic.java
License:Apache License
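/**
 * Builds a scanner over the trace table using the monitor's configured trace identity.
 *
 * <p>With SASL enabled and a keytab available, the method logs in from the keytab and
 * creates the scanner inside {@code doAs} on the resulting UGI. With SASL disabled it
 * authenticates with a token: a {@code PasswordToken} from the trace password when no
 * trace token properties are set, otherwise an instance of the configured token type
 * initialised from those properties. With SASL enabled but no keytab, neither a UGI
 * nor a token exists and the method fails with an {@code AssertionError}.
 *
 * @param sb buffer handed through unchanged to the four-argument {@code getScanner}
 * @return the scanner paired with the UGI it was created under; the UGI is null when
 *         no keytab login took place
 * @throws RuntimeException if the keytab login or the {@code doAs} call fails
 */
protected Entry<Scanner, UserGroupInformation> getScanner(final StringBuilder sb)
    throws AccumuloException, AccumuloSecurityException {
  AccumuloConfiguration conf = Monitor.getContext().getConfiguration();
  final boolean saslEnabled = conf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED);
  UserGroupInformation traceUgi = null;
  final String principal;
  final AuthenticationToken at;
  Map<String, String> loginMap = conf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX);

  // May be null
  String keytab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab");
  if (keytab == null || keytab.length() == 0) {
    // NOTE(review): only null is rejected below, so an empty path returned here would
    // still reach the keytab login. Confirm what getPath() yields when unset.
    keytab = conf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
  }

  if (saslEnabled && null != keytab) {
    principal = SecurityUtil.getServerPrincipal(conf.get(Property.TRACE_USER));
    try {
      // A keytab login is performed on every call to this method.
      traceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    } catch (IOException e) {
      throw new RuntimeException("Failed to login as trace user", e);
    }
  } else {
    principal = conf.get(Property.TRACE_USER);
  }

  if (!saslEnabled) {
    if (loginMap.isEmpty()) {
      // The trace password is read from configuration as a plain string, so read
      // access to that configuration is equivalent to holding the credential.
      Property p = Property.TRACE_PASSWORD;
      at = new PasswordToken(conf.get(p).getBytes(UTF_8));
    } else {
      Properties props = new Properties();
      // Strip the common prefix so the token sees its own property names.
      int prefixLength = Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey().length();
      for (Entry<String, String> entry : loginMap.entrySet()) {
        props.put(entry.getKey().substring(prefixLength), entry.getValue());
      }
      AuthenticationToken token = Property.createInstanceFromPropertyName(conf, Property.TRACE_TOKEN_TYPE,
          AuthenticationToken.class, new PasswordToken());
      token.init(props);
      at = token;
    }
  } else {
    at = null;
  }

  final String table = conf.get(Property.TRACE_TABLE);
  Scanner scanner;
  if (null != traceUgi) {
    try {
      scanner = traceUgi.doAs(new PrivilegedExceptionAction<Scanner>() {
        @Override
        public Scanner run() throws Exception {
          // Make the KerberosToken inside the doAs
          AuthenticationToken token = at;
          if (null == token) {
            token = new KerberosToken();
          }
          return getScanner(table, principal, token, sb);
        }
      });
    } catch (InterruptedException e) {
      // Keep the interrupt flag set; wrapping the exception alone would clear the
      // only signal the calling thread has that it was asked to stop.
      Thread.currentThread().interrupt();
      throw new RuntimeException("Failed to obtain scanner", e);
    } catch (IOException e) {
      throw new RuntimeException("Failed to obtain scanner", e);
    }
  } else {
    if (null == at) {
      throw new AssertionError("AuthenticationToken should not be null");
    }
    scanner = getScanner(table, principal, at, sb);
  }
  return new AbstractMap.SimpleEntry<>(scanner, traceUgi);
}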