List of usage examples for org.apache.hadoop.security UserGroupInformation getCurrentUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getCurrentUser() throws IOException
From source file:org.apache.accumulo.hadoopImpl.mapreduce.lib.MapReduceClientOpts.java
License:Apache License
public Properties getClientProps() { Properties props = super.getClientProps(); // For MapReduce, Kerberos credentials don't make it to the Mappers and Reducers, // so we need to request a delegation token and use that instead. AuthenticationToken authToken = ClientProperty.getAuthenticationToken(props); if (authToken instanceof KerberosToken) { log.info("Received KerberosToken, fetching DelegationToken for MapReduce"); final KerberosToken krbToken = (KerberosToken) authToken; try {//from w w w . j ava2s . c o m UserGroupInformation user = UserGroupInformation.getCurrentUser(); if (!user.hasKerberosCredentials()) { throw new IllegalStateException("Expected current user to have Kerberos credentials"); } String newPrincipal = user.getUserName(); log.info("Obtaining delegation token for {}", newPrincipal); try (AccumuloClient client = Accumulo.newClient().from(props).as(newPrincipal, krbToken).build()) { // Do the explicit check to see if the user has the permission to get a delegation token if (!client.securityOperations().hasSystemPermission(client.whoami(), SystemPermission.OBTAIN_DELEGATION_TOKEN)) { log.error( "{} doesn't have the {} SystemPermission neccesary to obtain a delegation" + " token. MapReduce tasks cannot automatically use the client's" + " credentials on remote servers. Delegation tokens provide a means to run" + " MapReduce without distributing the user's credentials.", user.getUserName(), SystemPermission.OBTAIN_DELEGATION_TOKEN.name()); throw new IllegalStateException( client.whoami() + " does not have permission to obtain a delegation token"); } // Get the delegation token from Accumulo AuthenticationToken token = client.securityOperations() .getDelegationToken(new DelegationTokenConfig()); props.setProperty(ClientProperty.AUTH_PRINCIPAL.getKey(), newPrincipal); ClientProperty.setAuthenticationToken(props, token); } } catch (IOException | AccumuloException | AccumuloSecurityException e) { final String msg = "Failed to acquire DelegationToken for use with MapReduce"; log.error(msg, e); throw new RuntimeException(msg, e); } } return props; }
From source file:org.apache.accumulo.proxy.Proxy.java
License:Apache License
public static ServerAddress createProxyServer(HostAndPort address, TProtocolFactory protocolFactory, Properties properties, ClientConfiguration clientConf) throws Exception { final int numThreads = Integer .parseInt(properties.getProperty(THRIFT_THREAD_POOL_SIZE_KEY, THRIFT_THREAD_POOL_SIZE_DEFAULT)); final long maxFrameSize = AccumuloConfiguration .getMemoryInBytes(properties.getProperty(THRIFT_MAX_FRAME_SIZE_KEY, THRIFT_MAX_FRAME_SIZE_DEFAULT)); final int simpleTimerThreadpoolSize = Integer .parseInt(Property.GENERAL_SIMPLETIMER_THREADPOOL_SIZE.getDefaultValue()); // How frequently to try to resize the thread pool final long threadpoolResizeInterval = 1000l * 5; // No timeout final long serverSocketTimeout = 0l; // Use the new hadoop metrics2 support final MetricsFactory metricsFactory = new MetricsFactory(false); final String serverName = "Proxy", threadName = "Accumulo Thrift Proxy"; // create the implementation of the proxy interface ProxyServer impl = new ProxyServer(properties); // Wrap the implementation -- translate some exceptions AccumuloProxy.Iface wrappedImpl = RpcWrapper.service(impl, new AccumuloProxy.Processor<AccumuloProxy.Iface>(impl)); // Create the processor from the implementation TProcessor processor = new AccumuloProxy.Processor<>(wrappedImpl); // Get the type of thrift server to instantiate final String serverTypeStr = properties.getProperty(THRIFT_SERVER_TYPE, THRIFT_SERVER_TYPE_DEFAULT); ThriftServerType serverType = DEFAULT_SERVER_TYPE; if (!THRIFT_SERVER_TYPE_DEFAULT.equals(serverTypeStr)) { serverType = ThriftServerType.get(serverTypeStr); }//from w w w . j a v a 2s .c o m SslConnectionParams sslParams = null; SaslServerConnectionParams saslParams = null; switch (serverType) { case SSL: sslParams = SslConnectionParams.forClient(ClientContext.convertClientConfig(clientConf)); break; case SASL: if (!clientConf.getBoolean(ClientProperty.INSTANCE_RPC_SASL_ENABLED.getKey(), false)) { // ACCUMULO-3651 Changed level to error and added FATAL to message for slf4j capability log.error("FATAL: SASL thrift server was requested but it is disabled in client configuration"); throw new RuntimeException("SASL is not enabled in configuration"); } // Kerberos needs to be enabled to use it if (!UserGroupInformation.isSecurityEnabled()) { // ACCUMULO-3651 Changed level to error and added FATAL to message for slf4j capability log.error("FATAL: Hadoop security is not enabled"); throw new RuntimeException(); } // Login via principal and keytab final String kerberosPrincipal = properties.getProperty(KERBEROS_PRINCIPAL, ""), kerberosKeytab = properties.getProperty(KERBEROS_KEYTAB, ""); if (StringUtils.isBlank(kerberosPrincipal) || StringUtils.isBlank(kerberosKeytab)) { // ACCUMULO-3651 Changed level to error and added FATAL to message for slf4j capability log.error("FATAL: Kerberos principal and keytab must be provided"); throw new RuntimeException(); } UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab); UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); log.info("Logged in as " + ugi.getUserName()); // The kerberosPrimary set in the SASL server needs to match the principal we're logged in as. final String shortName = ugi.getShortUserName(); log.info("Setting server primary to {}", shortName); clientConf.setProperty(ClientProperty.KERBEROS_SERVER_PRIMARY, shortName); KerberosToken token = new KerberosToken(); saslParams = new SaslServerConnectionParams(clientConf, token, null); processor = new UGIAssumingProcessor(processor); break; default: // nothing to do -- no extra configuration necessary break; } // Hook up support for tracing for thrift calls TimedProcessor timedProcessor = new TimedProcessor(metricsFactory, processor, serverName, threadName); // Create the thrift server with our processor and properties ServerAddress serverAddr = TServerUtils.startTServer(serverType, timedProcessor, protocolFactory, serverName, threadName, numThreads, simpleTimerThreadpoolSize, threadpoolResizeInterval, maxFrameSize, sslParams, saslParams, serverSocketTimeout, address); return serverAddr; }
From source file:org.apache.accumulo.server.init.Initialize.java
License:Apache License
private boolean initialize(Opts opts, String instanceNamePath, VolumeManager fs, String rootUser) { UUID uuid = UUID.randomUUID(); // the actual disk locations of the root table and tablets String[] configuredVolumes = VolumeConfiguration.getVolumeUris(SiteConfiguration.getInstance()); final String rootTabletDir = new Path( fs.choose(Optional.<String>empty(), configuredVolumes) + Path.SEPARATOR + ServerConstants.TABLE_DIR + Path.SEPARATOR + RootTable.ID + RootTable.ROOT_TABLET_LOCATION).toString(); try {/* ww w . j av a 2 s .c om*/ initZooKeeper(opts, uuid.toString(), instanceNamePath, rootTabletDir); } catch (Exception e) { log.error("FATAL: Failed to initialize zookeeper", e); return false; } try { initFileSystem(opts, fs, uuid, rootTabletDir); } catch (Exception e) { log.error("FATAL Failed to initialize filesystem", e); if (SiteConfiguration.getInstance().get(Property.INSTANCE_VOLUMES).trim().equals("")) { Configuration fsConf = CachedConfiguration.getInstance(); final String defaultFsUri = "file:///"; String fsDefaultName = fsConf.get("fs.default.name", defaultFsUri), fsDefaultFS = fsConf.get("fs.defaultFS", defaultFsUri); // Try to determine when we couldn't find an appropriate core-site.xml on the classpath if (defaultFsUri.equals(fsDefaultName) && defaultFsUri.equals(fsDefaultFS)) { log.error("FATAL: Default filesystem value ('fs.defaultFS' or 'fs.default.name') of '" + defaultFsUri + "' was found in the Hadoop configuration"); log.error( "FATAL: Please ensure that the Hadoop core-site.xml is on the classpath using 'general.classpaths' in accumulo-site.xml"); } } return false; } final ServerConfigurationFactory confFactory = new ServerConfigurationFactory( HdfsZooInstance.getInstance()); // When we're using Kerberos authentication, we need valid credentials to perform initialization. If the user provided some, use them. // If they did not, fall back to the credentials present in accumulo-site.xml that the servers will use themselves. try { final SiteConfiguration siteConf = confFactory.getSiteConfiguration(); if (siteConf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED)) { final UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); // We don't have any valid creds to talk to HDFS if (!ugi.hasKerberosCredentials()) { final String accumuloKeytab = siteConf.get(Property.GENERAL_KERBEROS_KEYTAB), accumuloPrincipal = siteConf.get(Property.GENERAL_KERBEROS_PRINCIPAL); // Fail if the site configuration doesn't contain appropriate credentials to login as servers if (StringUtils.isBlank(accumuloKeytab) || StringUtils.isBlank(accumuloPrincipal)) { log.error( "FATAL: No Kerberos credentials provided, and Accumulo is not properly configured for server login"); return false; } log.info("Logging in as " + accumuloPrincipal + " with " + accumuloKeytab); // Login using the keytab as the 'accumulo' user UserGroupInformation.loginUserFromKeytab(accumuloPrincipal, accumuloKeytab); } } } catch (IOException e) { log.error("FATAL: Failed to get the Kerberos user", e); return false; } try { AccumuloServerContext context = new AccumuloServerContext(confFactory); initSecurity(context, opts, uuid.toString(), rootUser); } catch (Exception e) { log.error("FATAL: Failed to initialize security", e); return false; } return true; }
From source file:org.apache.accumulo.server.security.SecurityUtil.java
License:Apache License
/** * Performs a Kerberos login using the given Kerberos principal and keytab if they are non-null and positive length Strings. This method automaticallys spawns * a thread to renew the given ticket upon successful login using {@link Property#GENERAL_KERBEROS_RENEWAL_PERIOD} as the renewal period. This method does * nothing if either {@code keyTab} or {@code principal} are null or of zero length. * * @param acuConf//from www.java 2s . c o m * The Accumulo configuration * @param keyTab * The path to the Kerberos keytab file * @param principal * The Kerberos principal */ public static void serverLogin(AccumuloConfiguration acuConf, String keyTab, String principal) { if (keyTab == null || keyTab.length() == 0) return; if (principal == null || principal.length() == 0) return; usingKerberos = true; if (login(principal, keyTab)) { try { startTicketRenewalThread(UserGroupInformation.getCurrentUser(), acuConf.getTimeInMillis(Property.GENERAL_KERBEROS_RENEWAL_PERIOD)); return; } catch (IOException e) { log.error("Failed to obtain Kerberos user after successfully logging in", e); } } throw new RuntimeException("Failed to perform Kerberos login for " + principal + " using " + keyTab); }
From source file:org.apache.accumulo.server.util.ChangeSecret.java
License:Apache License
private static void checkHdfsAccessPermissions(FileStatus stat, FsAction mode) throws Exception { FsPermission perm = stat.getPermission(); UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); String user = ugi.getShortUserName(); List<String> groups = Arrays.asList(ugi.getGroupNames()); if (user.equals(stat.getOwner())) { if (perm.getUserAction().implies(mode)) { return; }//w ww .j a v a 2 s .c o m } else if (groups.contains(stat.getGroup())) { if (perm.getGroupAction().implies(mode)) { return; } } else { if (perm.getOtherAction().implies(mode)) { return; } } throw new Exception(String.format("Permission denied: user=%s, path=\"%s\":%s:%s:%s%s", user, stat.getPath(), stat.getOwner(), stat.getGroup(), stat.isDirectory() ? "d" : "-", perm)); }
From source file:org.apache.accumulo.shell.ShellOptionsJC.java
License:Apache License
public String getUsername() throws Exception { if (null == username) { final ClientConfiguration clientConf = getClientConfiguration(); if (Boolean.parseBoolean(clientConf.get(ClientProperty.INSTANCE_RPC_SASL_ENABLED))) { if (!UserGroupInformation.isSecurityEnabled()) { throw new RuntimeException("Kerberos security is not enabled"); }/*from w w w.j a v a 2 s. co m*/ UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); username = ugi.getUserName(); } else { username = System.getProperty("user.name", "root"); } } return username; }
From source file:org.apache.accumulo.test.proxy.SimpleProxyBase.java
License:Apache License
@Before public void setup() throws Exception { // Create a new client for each test if (isKerberosEnabled()) { UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath()); proxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, UserGroupInformation.getCurrentUser()); client = proxyClient.proxy();//from w w w .j a v a 2 s . com creds = client.login(clientPrincipal, properties); TestingKdc kdc = getKdc(); final ClusterUser user = kdc.getClientPrincipal(0); // Create another user client.createLocalUser(creds, user.getPrincipal(), s2bb("unused")); // Login in as that user we just created UserGroupInformation.loginUserFromKeytab(user.getPrincipal(), user.getKeytab().getAbsolutePath()); final UserGroupInformation badUgi = UserGroupInformation.getCurrentUser(); // Get a "Credentials" object for the proxy TestProxyClient badClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, badUgi); try { Client badProxy = badClient.proxy(); badLogin = badProxy.login(user.getPrincipal(), properties); } finally { badClient.close(); } // Log back in as the test user UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath()); // Drop test user, invalidating the credentials (not to mention not having the krb credentials anymore) client.dropLocalUser(creds, user.getPrincipal()); } else { proxyClient = new TestProxyClient(hostname, proxyPort, factory); client = proxyClient.proxy(); creds = client.login("root", properties); // Create 'user' client.createLocalUser(creds, "user", s2bb(SharedMiniClusterBase.getRootPassword())); // Log in as 'user' badLogin = client.login("user", properties); // Drop 'user', invalidating the credentials client.dropLocalUser(creds, "user"); } // Create some unique names for tables, namespaces, etc. String[] uniqueNames = getUniqueNames(2); // Create a general table to be used tableName = uniqueNames[0]; client.createTable(creds, tableName, true, TimeType.MILLIS); // Create a general namespace to be used namespaceName = uniqueNames[1]; client.createNamespace(creds, namespaceName); }
From source file:org.apache.accumulo.test.proxy.SimpleProxyBase.java
License:Apache License
@Test public void attachIteratorsWithScans() throws Exception { if (client.tableExists(creds, "slow")) { client.deleteTable(creds, "slow"); }//w ww . j av a2 s .com // create a table that's very slow, so we can look for scans client.createTable(creds, "slow", true, TimeType.MILLIS); IteratorSetting setting = new IteratorSetting(100, "slow", SlowIterator.class.getName(), Collections.singletonMap("sleepTime", "250")); client.attachIterator(creds, "slow", setting, EnumSet.allOf(IteratorScope.class)); // Should take 10 seconds to read every record for (int i = 0; i < 40; i++) { client.updateAndFlush(creds, "slow", mutation("row" + i, "cf", "cq", "value")); } // scan Thread t = new Thread() { @Override public void run() { String scanner; TestProxyClient proxyClient2 = null; try { if (isKerberosEnabled()) { UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath()); proxyClient2 = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, UserGroupInformation.getCurrentUser()); } else { proxyClient2 = new TestProxyClient(hostname, proxyPort, factory); } Client client2 = proxyClient2.proxy(); scanner = client2.createScanner(creds, "slow", null); client2.nextK(scanner, 10); client2.closeScanner(scanner); } catch (Exception e) { throw new RuntimeException(e); } finally { if (null != proxyClient2) { proxyClient2.close(); } } } }; t.start(); // look for the scan many times List<ActiveScan> scans = new ArrayList<>(); for (int i = 0; i < 100 && scans.isEmpty(); i++) { for (String tserver : client.getTabletServers(creds)) { List<ActiveScan> scansForServer = client.getActiveScans(creds, tserver); for (ActiveScan scan : scansForServer) { if (clientPrincipal.equals(scan.getUser())) { scans.add(scan); } } if (!scans.isEmpty()) break; sleepUninterruptibly(100, TimeUnit.MILLISECONDS); } } t.join(); assertFalse("Expected to find scans, but found none", scans.isEmpty()); boolean found = false; Map<String, String> map = null; for (int i = 0; i < scans.size() && !found; i++) { ActiveScan scan = scans.get(i); if (clientPrincipal.equals(scan.getUser())) { assertTrue(ScanState.RUNNING.equals(scan.getState()) || ScanState.QUEUED.equals(scan.getState())); assertEquals(ScanType.SINGLE, scan.getType()); assertEquals("slow", scan.getTable()); map = client.tableIdMap(creds); assertEquals(map.get("slow"), scan.getExtent().tableId); assertTrue(scan.getExtent().endRow == null); assertTrue(scan.getExtent().prevEndRow == null); found = true; } } assertTrue("Could not find a scan against the 'slow' table", found); }
From source file:org.apache.accumulo.test.proxy.SimpleProxyBase.java
License:Apache License
@Test public void attachIteratorWithCompactions() throws Exception { if (client.tableExists(creds, "slow")) { client.deleteTable(creds, "slow"); }//from w w w . j av a 2 s . c o m // create a table that's very slow, so we can look for compactions client.createTable(creds, "slow", true, TimeType.MILLIS); IteratorSetting setting = new IteratorSetting(100, "slow", SlowIterator.class.getName(), Collections.singletonMap("sleepTime", "250")); client.attachIterator(creds, "slow", setting, EnumSet.allOf(IteratorScope.class)); // Should take 10 seconds to read every record for (int i = 0; i < 40; i++) { client.updateAndFlush(creds, "slow", mutation("row" + i, "cf", "cq", "value")); } Map<String, String> map = client.tableIdMap(creds); // start a compaction Thread t = new Thread() { @Override public void run() { TestProxyClient proxyClient2 = null; try { if (isKerberosEnabled()) { UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath()); proxyClient2 = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, UserGroupInformation.getCurrentUser()); } else { proxyClient2 = new TestProxyClient(hostname, proxyPort, factory); } Client client2 = proxyClient2.proxy(); client2.compactTable(creds, "slow", null, null, null, true, true, null); } catch (Exception e) { throw new RuntimeException(e); } finally { if (null != proxyClient2) { proxyClient2.close(); } } } }; t.start(); final String desiredTableId = map.get("slow"); // Make sure we can find the slow table assertNotNull(desiredTableId); // try to catch it in the act List<ActiveCompaction> compactions = new ArrayList<>(); for (int i = 0; i < 100 && compactions.isEmpty(); i++) { // Iterate over the tservers for (String tserver : client.getTabletServers(creds)) { // And get the compactions on each List<ActiveCompaction> compactionsOnServer = client.getActiveCompactions(creds, tserver); for (ActiveCompaction compact : compactionsOnServer) { // There might be other compactions occurring (e.g. on METADATA) in which // case we want to prune out those that aren't for our slow table if (desiredTableId.equals(compact.getExtent().tableId)) { compactions.add(compact); } } // If we found a compaction for the table we wanted, so we can stop looking if (!compactions.isEmpty()) break; } sleepUninterruptibly(10, TimeUnit.MILLISECONDS); } t.join(); // verify the compaction information assertFalse(compactions.isEmpty()); for (ActiveCompaction c : compactions) { if (desiredTableId.equals(c.getExtent().tableId)) { assertTrue(c.inputFiles.isEmpty()); assertEquals(CompactionType.MINOR, c.getType()); assertEquals(CompactionReason.USER, c.getReason()); assertEquals("", c.localityGroup); assertTrue(c.outputFile.contains("default_tablet")); return; } } fail("Expection to find running compaction for table 'slow' but did not find one"); }
From source file:org.apache.accumulo.test.proxy.SimpleProxyBase.java
License:Apache License
@Test public void userManagement() throws Exception { String user;/*from www . j av a 2s . c o m*/ ClusterUser otherClient = null; ByteBuffer password = s2bb("password"); if (isKerberosEnabled()) { otherClient = getKdc().getClientPrincipal(1); user = otherClient.getPrincipal(); } else { user = getUniqueNames(1)[0]; } // create a user client.createLocalUser(creds, user, password); // change auths Set<String> users = client.listLocalUsers(creds); Set<String> expectedUsers = new HashSet<>(Arrays.asList(clientPrincipal, user)); assertTrue("Did not find all expected users: " + expectedUsers, users.containsAll(expectedUsers)); HashSet<ByteBuffer> auths = new HashSet<>(Arrays.asList(s2bb("A"), s2bb("B"))); client.changeUserAuthorizations(creds, user, auths); List<ByteBuffer> update = client.getUserAuthorizations(creds, user); assertEquals(auths, new HashSet<>(update)); // change password if (!isKerberosEnabled()) { password = s2bb(""); client.changeLocalUserPassword(creds, user, password); assertTrue(client.authenticateUser(creds, user, s2pp(ByteBufferUtil.toString(password)))); } if (isKerberosEnabled()) { UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath()); final UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); // Re-login in and make a new connection. Can't use the previous one TestProxyClient otherProxyClient = null; try { otherProxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, ugi); otherProxyClient.proxy().login(user, Collections.<String, String>emptyMap()); } finally { if (null != otherProxyClient) { otherProxyClient.close(); } } } else { // check login with new password client.login(user, s2pp(ByteBufferUtil.toString(password))); } }