List of usage examples for org.apache.hadoop.security UserGroupInformation getCurrentUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getCurrentUser() throws IOException
From source file:org.apache.twill.internal.AbstractTwillService.java
License:Apache License
/**
 * Handles a secure-store-update system message by reloading the delegation tokens
 * from the secure store and merging them into the current Hadoop user.
 *
 * <p>Any failure while reading or applying the tokens is logged and swallowed, and
 * the method still returns {@code true}. A caller therefore cannot tell a failed
 * refresh from a successful one from the return value alone. The {@code credentials}
 * field is only replaced after the tokens were read and added successfully.
 *
 * @param message the message received
 * @return {@code true} if the message is a secure store update request,
 *         {@code false} otherwise
 */
protected final boolean handleSecureStoreUpdate(Message message) {
  if (!SystemMessages.SECURE_STORE_UPDATED.equals(message)) {
    return false;
  }

  // Outside secure mode there are no tokens to refresh; the message counts as handled.
  if (!UserGroupInformation.isSecurityEnabled()) {
    return true;
  }

  try {
    Location storeLocation = getSecureStoreLocation();
    Credentials refreshed = new Credentials();

    DataInputStream tokenStream =
        new DataInputStream(new BufferedInputStream(storeLocation.getInputStream()));
    try {
      refreshed.readTokenStorageStream(tokenStream);
    } finally {
      tokenStream.close();
    }

    // Merge the new tokens into the current user before publishing them on the field.
    UserGroupInformation.getCurrentUser().addCredentials(refreshed);
    this.credentials = refreshed;

    // Only the store location is logged, never the token contents.
    LOG.info("Secure store updated from {}.", storeLocation.toURI());
  } catch (Throwable t) {
    // Best effort: the previously loaded credentials stay in place.
    LOG.error("Failed to update secure store.", t);
  }
  return true;
}
From source file:org.apache.twill.internal.appmaster.ApplicationMasterService.java
License:Apache License
/**
 * Builds the credentials for containers: a copy of the current user's credentials
 * with every token of kind {@code AMRM_TOKEN_KIND_NAME} removed.
 *
 * <p>Stripping the AM-to-RM token keeps it out of the credential set returned here.
 * When security is disabled, or the current user cannot be resolved, an empty
 * {@link Credentials} object is returned.
 *
 * @return the filtered credentials; never {@code null}
 */
private Credentials createCredentials() {
  Credentials containerCredentials = new Credentials();
  if (!UserGroupInformation.isSecurityEnabled()) {
    return containerCredentials;
  }

  try {
    containerCredentials.addAll(UserGroupInformation.getCurrentUser().getCredentials());

    // Remove the AM->RM tokens; they are not meant to leave the application master.
    for (Iterator<Token<?>> tokens = containerCredentials.getAllTokens().iterator(); tokens.hasNext();) {
      Token<?> candidate = tokens.next();
      if (candidate.getKind().equals(AMRM_TOKEN_KIND_NAME)) {
        tokens.remove();
      }
    }
  } catch (IOException e) {
    LOG.warn("Failed to get current user. No credentials will be provided to containers.", e);
  }
  return containerCredentials;
}
From source file:org.apache.twill.internal.container.TwillContainerMain.java
License:Apache License
/**
 * Loads delegation tokens from the local credentials file, if present, and adds
 * them to the current Hadoop user.
 *
 * <p>Does nothing when security is disabled or the file does not exist. The file
 * named by {@code Constants.Files.CREDENTIALS} holds token material, so its
 * permissions decide who else on the host can read those tokens.
 * NOTE(review): the permissions are set elsewhere; confirm they are owner-only.
 *
 * @throws IOException if the token file cannot be read or the current user cannot
 *         be resolved
 */
private static void loadSecureStore() throws IOException {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }

  File tokenFile = new File(Constants.Files.CREDENTIALS);
  if (!tokenFile.exists()) {
    return;
  }

  Credentials loaded = new Credentials();
  try (DataInputStream tokenStream = new DataInputStream(new FileInputStream(tokenFile))) {
    loaded.readTokenStorageStream(tokenStream);
  }

  UserGroupInformation.getCurrentUser().addCredentials(loaded);
  // Logs the file path only, not the tokens.
  LOG.info("Secure store updated from {}", tokenFile);
}
From source file:org.apache.twill.internal.yarn.AbstractYarnTwillService.java
License:Apache License
/**
 * Handles a secure-store-update system message by reloading the delegation tokens
 * from the secure store and merging them into the current Hadoop user.
 *
 * <p>Failures are logged and swallowed, and the method still returns {@code true}
 * for an update message, so a failed refresh is visible only in the log. The
 * {@code credentials} field is replaced only after every step has succeeded.
 *
 * @param message the message received
 * @return {@code true} if the message is a secure store update request,
 *         {@code false} otherwise
 */
protected final boolean handleSecureStoreUpdate(Message message) {
  boolean updateRequested = SystemMessages.SECURE_STORE_UPDATED.equals(message);

  // Not an update request -> false. Update request outside secure mode -> true, nothing to do.
  // The security check is only evaluated for update requests.
  if (!updateRequested || !UserGroupInformation.isSecurityEnabled()) {
    return updateRequested;
  }

  try {
    Location storeLocation = getSecureStoreLocation();
    Credentials refreshed = new Credentials();
    try (DataInputStream tokenStream =
             new DataInputStream(new BufferedInputStream(storeLocation.getInputStream()))) {
      refreshed.readTokenStorageStream(tokenStream);
    }

    UserGroupInformation.getCurrentUser().addCredentials(refreshed);

    // CDAP-5844 Workaround for HDFS-9276, to update HDFS delegation token for long running application in HA mode
    cloneHaNnCredentials(storeLocation, UserGroupInformation.getCurrentUser());

    this.credentials = refreshed;

    // Only the store location is logged, never the token contents.
    LOG.info("Secure store updated from {}.", storeLocation);
  } catch (Throwable t) {
    // Best effort: the previously loaded credentials stay in place.
    LOG.error("Failed to update secure store.", t);
  }
  return true;
}
From source file:org.apache.twill.internal.yarn.Hadoop23YarnAppClient.java
License:Apache License
/**
 * Overrides the parent method to add an RM delegation token to the given launch
 * context. If YARN is running with an HA ResourceManager, the token's service
 * field lists the service name of every RM.
 *
 * <p>The token is requested with the current user's short name as renewer. It is
 * merged into the credentials already encoded in {@code context}, which are then
 * written back. Does nothing when security is disabled.
 *
 * @param context launch context whose tokens are extended
 * @param yarnClient client used to request the RM delegation token
 * @param appId application id, used for logging only
 */
protected void addRMToken(ContainerLaunchContext context, YarnClient yarnClient, ApplicationId appId) {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }

  try {
    Text renewer = new Text(UserGroupInformation.getCurrentUser().getShortUserName());
    org.apache.hadoop.yarn.api.records.Token yarnToken = yarnClient.getRMDelegationToken(renewer);

    // The following logic is copied from ClientRMProxy.getRMDelegationTokenService, which is not available in
    // YARN older than 2.4
    List<String> serviceNames = new ArrayList<>();
    if (!HAUtil.isHAEnabled(configuration)) {
      serviceNames.add(SecurityUtil.buildTokenService(YarnUtils.getRMAddress(configuration)).toString());
    } else {
      // With HA, enumerate every RM id and collect the service name of each RM address.
      // Work on a copy of the configuration because RM_HA_ID is overwritten per iteration.
      YarnConfiguration perRmConf = new YarnConfiguration(configuration);
      for (String rmId : HAUtil.getRMHAIds(configuration)) {
        perRmConf.set(YarnConfiguration.RM_HA_ID, rmId);
        InetSocketAddress rmAddress = perRmConf.getSocketAddr(YarnConfiguration.RM_ADDRESS,
                                                              YarnConfiguration.DEFAULT_RM_ADDRESS,
                                                              YarnConfiguration.DEFAULT_RM_PORT);
        serviceNames.add(SecurityUtil.buildTokenService(rmAddress).toString());
      }
    }

    Credentials launchCredentials = YarnUtils.decodeCredentials(context.getTokens());

    // casting needed for later Hadoop version
    @SuppressWarnings("RedundantCast")
    Token<TokenIdentifier> delegationToken =
        ConverterUtils.convertFromYarn(yarnToken, (InetSocketAddress) null);

    delegationToken.setService(new Text(Joiner.on(',').join(serviceNames)));
    // The alias is a copy of the service name rather than the token's own Text instance.
    launchCredentials.addToken(new Text(delegationToken.getService()), delegationToken);

    LOG.debug("Added RM delegation token {} for application {}", delegationToken, appId);

    // NOTE(review): same token added again under an equal alias; looks redundant with
    // the call above -- confirm before removing.
    launchCredentials.addToken(delegationToken.getService(), delegationToken);

    context.setTokens(YarnUtils.encodeCredentials(launchCredentials));
  } catch (Exception e) {
    throw Throwables.propagate(e);
  }
}
From source file:org.apache.twill.yarn.YarnTwillPreparer.java
License:Apache License
/**
 * Collects the credentials for a new application: the current user's credentials
 * plus whatever delegation tokens {@code YarnUtils.addDelegationTokens} acquires.
 *
 * <p>An {@link IOException} is logged at warn level and not rethrown. In that case
 * the returned object holds only what had been added before the failure, which may
 * be nothing.
 *
 * @return the collected credentials; never {@code null}
 */
private Credentials createCredentials() {
  Credentials collected = new Credentials();

  try {
    collected.addAll(UserGroupInformation.getCurrentUser().getCredentials());

    // Each acquired token is reported at debug level through its toString() form.
    for (Token<?> acquired : YarnUtils.addDelegationTokens(yarnConfig, locationFactory, collected)) {
      LOG.debug("Delegation token acquired for {}, {}", locationFactory.getHomeLocation(), acquired);
    }
  } catch (IOException e) {
    LOG.warn("Failed to check for secure login type. Not gathering any delegation token.", e);
  }

  return collected;
}
From source file:org.apache.zeppelin.jdbc.JDBCInterpreter.java
License:Apache License
/**
 * Returns a pooled JDBC connection for the given property key on behalf of the
 * user authenticated in the interpreter context.
 *
 * <p>With no {@code zeppelin.jdbc.auth.type} set, the connection comes straight from
 * the pool. Otherwise the secure configuration is created first. For KERBEROS the
 * connection is opened inside a Hadoop proxy-user {@code doAs} block, unless one of
 * the following holds, in which case the pool is used directly:
 * <ul>
 *   <li>the user is {@code null};</li>
 *   <li>{@code zeppelin.jdbc.auth.kerberos.proxy.enable} is {@code "false"};</li>
 *   <li>the base properties for this key define {@code proxy.user.property}.</li>
 * </ul>
 *
 * <p>The proxy user is built from the notebook user's name on top of the process's
 * current Hadoop user, so the connection is opened under an impersonated identity.
 * NOTE(review): whether that impersonation is accepted is decided by the target
 * service's proxy-user configuration, not by this method.
 *
 * @param propertyKey key of the JDBC property group to connect with
 * @param interpreterContext context carrying the authenticated user
 * @return the connection, or {@code null} if {@code propertyKey} is {@code null} or
 *         has no base properties
 * @throws InterpreterException if creating the proxy user or the {@code doAs} call fails
 */
public Connection getConnection(String propertyKey, InterpreterContext interpreterContext)
    throws ClassNotFoundException, SQLException, InterpreterException, IOException {
  final String user = interpreterContext.getAuthenticationInfo().getUser();

  if (propertyKey == null || basePropretiesMap.get(propertyKey) == null) {
    return null;
  }

  JDBCUserConfigurations jdbcUserConfigurations = getJDBCConfiguration(user);
  setUserProperty(propertyKey, interpreterContext);

  final Properties properties = jdbcUserConfigurations.getPropertyMap(propertyKey);
  final String url = properties.getProperty(URL_KEY);

  // No auth type configured: plain pooled connection, no secure setup.
  if (isEmpty(getProperty("zeppelin.jdbc.auth.type"))) {
    return getConnectionFromPool(url, user, propertyKey, properties);
  }

  UserGroupInformation.AuthenticationMethod authType =
      JDBCSecurityImpl.getAuthtype(getProperties());
  final String connectionUrl = appendProxyUserToURL(url, user, propertyKey);
  JDBCSecurityImpl.createSecureConfiguration(getProperties(), authType);

  switch (authType) {
    case KERBEROS:
      // Any of these three conditions skips the Hadoop proxy-user path.
      if (user == null
          || "false".equalsIgnoreCase(getProperty("zeppelin.jdbc.auth.kerberos.proxy.enable"))
          || basePropretiesMap.get(propertyKey).containsKey("proxy.user.property")) {
        return getConnectionFromPool(connectionUrl, user, propertyKey, properties);
      }

      // Impersonate the notebook user on top of the current Hadoop user.
      final UserGroupInformation proxyUgi;
      try {
        proxyUgi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getCurrentUser());
      } catch (Exception e) {
        logger.error("Error in getCurrentUser", e);
        throw new InterpreterException("Error in getCurrentUser", e);
      }

      // The anonymous class below needs a final copy of the key.
      final String poolKey = propertyKey;
      try {
        return proxyUgi.doAs(new PrivilegedExceptionAction<Connection>() {
          @Override
          public Connection run() throws Exception {
            return getConnectionFromPool(connectionUrl, user, poolKey, properties);
          }
        });
      } catch (Exception e) {
        logger.error("Error in doAs", e);
        throw new InterpreterException("Error in doAs", e);
      }

    default:
      return getConnectionFromPool(connectionUrl, user, propertyKey, properties);
  }
}
From source file:org.apache.zeppelin.jdbc.security.JDBCSecurityImpl.java
License:Apache License
/**
 * Prepares Hadoop security for the given authentication method. Only KERBEROS
 * triggers any work; every other method is a no-op.
 *
 * <p>For KERBEROS, a fresh Hadoop {@code Configuration} with
 * {@code hadoop.security.authentication} set to Kerberos is installed through the
 * static {@code UserGroupInformation.setConfiguration}. A keytab login with
 * {@code zeppelin.jdbc.principal} and {@code zeppelin.jdbc.keytab.location} follows,
 * unless the current user is already logged in from a keytab with Kerberos.
 *
 * <p>An {@link IOException} from the login is logged and not rethrown, so the
 * caller continues without knowing whether the Kerberos login succeeded. The log
 * message blames the keytab location or principal, but any {@code IOException}
 * raised in the block ends up there.
 *
 * @param properties interpreter properties holding the principal and keytab location
 * @param authType the configured authentication method
 */
public static void createSecureConfiguration(Properties properties, AuthenticationMethod authType) {
  switch (authType) {
    case KERBEROS:
      Configuration conf = new org.apache.hadoop.conf.Configuration();
      conf.set("hadoop.security.authentication", KERBEROS.toString());
      UserGroupInformation.setConfiguration(conf);

      try {
        // Check TGT before calling login
        // Ref: https://github.com/apache/hadoop/blob/release-3.0.1-RC1/hadoop-common-project/
        // hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L1232
        boolean keytabLoginActive = UserGroupInformation.isSecurityEnabled()
            && UserGroupInformation.getCurrentUser().getAuthenticationMethod() == KERBEROS
            && UserGroupInformation.isLoginKeytabBased();

        if (keytabLoginActive) {
          LOGGER.info(
              "The user has already logged in using Keytab and principal, " + "no action required");
        } else {
          String principal = properties.getProperty("zeppelin.jdbc.principal");
          String keytabLocation = properties.getProperty("zeppelin.jdbc.keytab.location");
          UserGroupInformation.loginUserFromKeytab(principal, keytabLocation);
        }
      } catch (IOException e) {
        LOGGER.error("Failed to get either keytab location or principal name in the " + "interpreter", e);
      }
  }
}
From source file:org.apache.zeppelin.submarine.hadoop.HdfsClient.java
License:Apache License
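/**
 * Runs an HDFS operation, inside the current Hadoop user's {@code doAs} block when
 * security is enabled and directly otherwise.
 *
 * <p>The method is {@code synchronized}, so operations issued through the same
 * instance run one at a time.
 *
 * @param func the operation to run
 * @param <T> result type of the operation
 * @return whatever {@code func} returns
 * @throws IOException if the operation fails, or if the thread is interrupted while
 *         running it (the interrupt flag is restored before the exception is thrown)
 */
private synchronized <T> T callHdfsOperation(final HdfsOperation<T> func) throws IOException {
  if (!isSecurityEnabled) {
    return func.call();
  }

  try {
    return UserGroupInformation.getCurrentUser().doAs(new PrivilegedExceptionAction<T>() {
      @Override
      public T run() throws Exception {
        return func.call();
      }
    });
  } catch (InterruptedException e) {
    // Catching InterruptedException clears the thread's interrupt status; restore it so
    // callers further up the stack can still observe the interruption.
    Thread.currentThread().interrupt();
    throw new IOException(e);
  }
}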
From source file:org.deeplearning4j.iterativereduce.runtime.yarn.ContainerManagerHandler.java
License:Apache License
/**
 * Builds a launch context for the allocated container and asks the container
 * manager to start it.
 *
 * <p>The launch context's user is the short name of the current Hadoop user.
 *
 * @param commands commands to run in the container
 * @param localResources resources to localize for the container
 * @param env environment variables for the container
 * @return the container manager's response
 * @throws IllegalStateException if no container manager connection exists yet
 * @throws IOException if the current user cannot be resolved or the start call fails
 */
public StartContainerResponse startContainer(List<String> commands, Map<String, LocalResource> localResources,
    Map<String, String> env) throws IOException {
  if (containerManager == null) {
    throw new IllegalStateException("Cannot start a continer before connecting to the container manager!");
  }

  ContainerLaunchContext launchContext = Records.newRecord(ContainerLaunchContext.class);
  launchContext.setContainerId(container.getId());
  launchContext.setResource(container.getResource());
  launchContext.setLocalResources(localResources);
  launchContext.setCommands(commands);
  launchContext.setUser(UserGroupInformation.getCurrentUser().getShortUserName());
  launchContext.setEnvironment(env);

  // NOTE(review): at debug level this writes the full command list and environment map
  // to the log. If callers pass secrets through env or commands (confirm), they end up there.
  if (LOG.isDebugEnabled()) {
    LOG.debug("Using ContainerLaunchContext with"
        + ", containerId=" + launchContext.getContainerId()
        + ", memory=" + launchContext.getResource().getMemory()
        + ", localResources=" + launchContext.getLocalResources().toString()
        + ", commands=" + launchContext.getCommands().toString()
        + ", env=" + launchContext.getEnvironment().toString());
  }

  StartContainerRequest startRequest = Records.newRecord(StartContainerRequest.class);
  startRequest.setContainerLaunchContext(launchContext);

  LOG.info("Starting container, containerId=" + container.getId().toString()
      + ", host=" + container.getNodeId().getHost()
      + ", http=" + container.getNodeHttpAddress());

  return containerManager.startContainer(startRequest);
}