List of usage examples for org.apache.hadoop.security UserGroupInformation getLoginUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getLoginUser() throws IOException
From source file:org.apache.sentry.cli.tools.SentryShellGeneric.java
License:Apache License
@Override public void run() throws Exception { String component = getComponent(); Configuration conf = getSentryConf(); String service = getService(conf); try (SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf)) { UserGroupInformation ugi = UserGroupInformation.getLoginUser(); String requestorName = ugi.getShortUserName(); TSentryPrivilegeConverter converter = getPrivilegeConverter(component, service); ShellCommand command = new GenericShellCommand(client, component, service, converter); // check the requestor name if (StringUtils.isEmpty(requestorName)) { // The exception message will be recorded in log file. throw new Exception("The requestor name is empty."); }/*from ww w . ja v a 2 s .co m*/ if (isCreateRole) { command.createRole(requestorName, roleName); } else if (isDropRole) { command.dropRole(requestorName, roleName); } else if (isAddRoleGroup) { Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR)); command.grantRoleToGroups(requestorName, roleName, groups); } else if (isDeleteRoleGroup) { Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR)); command.revokeRoleFromGroups(requestorName, roleName, groups); } else if (isGrantPrivilegeRole) { command.grantPrivilegeToRole(requestorName, roleName, privilegeStr); } else if (isRevokePrivilegeRole) { command.revokePrivilegeFromRole(requestorName, roleName, privilegeStr); } else if (isListRole) { List<String> roles = command.listRoles(requestorName, groupName); for (String role : roles) { System.out.println(role); } } else if (isListPrivilege) { List<String> privileges = command.listPrivileges(requestorName, roleName); for (String privilege : privileges) { System.out.println(privilege); } } else if (isListGroup) { List<String> groups = command.listGroupRoles(requestorName); for (String group : groups) { System.out.println(group); } } } }
From source file:org.apache.sentry.cli.tools.SentryShellHive.java
License:Apache License
public void run() throws Exception { try (SentryPolicyServiceClient client = SentryServiceClientFactory.create(getSentryConf())) { UserGroupInformation ugi = UserGroupInformation.getLoginUser(); String requestorName = ugi.getShortUserName(); ShellCommand command = new HiveShellCommand(client); // check the requestor name if (StringUtils.isEmpty(requestorName)) { // The exception message will be recorded in the log file. throw new Exception("The requestor name is empty."); }//from w w w . j a va2 s.co m if (isCreateRole) { command.createRole(requestorName, roleName); } else if (isDropRole) { command.dropRole(requestorName, roleName); } else if (isAddRoleGroup) { Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR)); command.grantRoleToGroups(requestorName, roleName, groups); } else if (isDeleteRoleGroup) { Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR)); command.revokeRoleFromGroups(requestorName, roleName, groups); } else if (isGrantPrivilegeRole) { command.grantPrivilegeToRole(requestorName, roleName, privilegeStr); } else if (isRevokePrivilegeRole) { command.revokePrivilegeFromRole(requestorName, roleName, privilegeStr); } else if (isListRole) { List<String> roles = command.listRoles(requestorName, groupName); for (String role : roles) { System.out.println(role); } } else if (isListPrivilege) { List<String> privileges = command.listPrivileges(requestorName, roleName); for (String privilege : privileges) { System.out.println(privilege); } } else if (isListGroup) { List<String> groups = command.listGroupRoles(requestorName); for (String group : groups) { System.out.println(group); } } } }
From source file:org.apache.sentry.hdfs.SentryHdfsServiceIntegrationBase.java
License:Apache License
protected void connectToHdfsSyncService() throws Exception { if (hdfsClient != null) { hdfsClient.close();// www . j a va 2 s. c o m } // SentryHdfs client configuration setup conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName()); conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName()); conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort())); if (kerberos) { conf.set(ClientConfig.SECURITY_MODE, ClientConfig.SECURITY_MODE_KERBEROS); conf.set(ClientConfig.SECURITY_USE_UGI_TRANSPORT, "true"); conf.set(ClientConfig.PRINCIPAL, getServerKerberosName()); hdfsClient = UserGroupInformation.getLoginUser() .doAs(new PrivilegedExceptionAction<SentryHDFSServiceClient>() { @Override public SentryHDFSServiceClient run() throws Exception { return SentryHDFSServiceClientFactory.create(conf); } }); } else { hdfsClient = SentryHDFSServiceClientFactory.create(conf); } hdfsClient.close(); }
From source file:org.apache.sentry.provider.db.generic.tools.PermissionsMigrationToolCommon.java
License:Apache License
private void migrateSentryServiceConfig() throws Exception { Configuration conf = getSentryConf(); String component = getComponent(conf); String serviceName = getServiceName(conf); GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, serviceName, false); // instantiate a client for sentry service. This sets the ugi, so must // be done before getting the ugi below. try (SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(getSentryConf())) { UserGroupInformation ugi = UserGroupInformation.getLoginUser(); String requestorName = ugi.getShortUserName(); for (TSentryRole r : client.listAllRoles(requestorName, component)) { for (TSentryPrivilege p : client.listAllPrivilegesByRoleName(requestorName, r.getRoleName(), component, serviceName)) { Collection<String> privileges = Collections.singleton(converter.toString(p)); Collection<String> migrated = transformPrivileges(privileges); if (!migrated.isEmpty()) { LOGGER.info("{} For role {} migrating privileges from {} to {}", getDryRunMessage(), r.getRoleName(), privileges, migrated); if (!dryRun) { Collection<TSentryPrivilege> tmp = new ArrayList<>(); for (String perm : migrated) { tmp.add(converter.fromString(perm)); }/*w ww . j a v a 2s . c om*/ /* * Note that it is not possible to provide transactional (all-or-nothing) behavior for these configuration * changes since the Sentry client/server protocol does not support. e.g. under certain failure conditions * like crash of Sentry server or network disconnect between client/server, it is possible that the migration * can not complete but can also not be rolled back. Hence this migration tool relies on the fact that privilege * grant/revoke operations are idempotent and hence re-execution of the migration tool will fix any inconsistency * due to such failures. **/ for (TSentryPrivilege x : tmp) { // grant new permissions client.grantPrivilege(requestorName, r.getRoleName(), component, x); } // Revoke old permission (only if not part of migrated permissions) if (!tmp.contains(p)) { client.revokePrivilege(requestorName, r.getRoleName(), component, p); } } } } } } }
From source file:org.apache.sentry.provider.db.generic.tools.SentryConfigToolIndexer.java
License:Apache License
/** * Processes the necessary command based on the arguments parsed earlier. * @throws Exception/*from w w w. j a va 2 s .c o m*/ */ public void run() throws Exception { String component = HBASE_INDEXER; Configuration conf = getSentryConf(); String service = conf.get(SERVICE_NAME, getServiceName()); if (service == null) { throw new IllegalArgumentException( "Service was not defined. Please, use -s command option, or sentry.provider.backend.generic.service-name configuration entry."); } LOGGER.info(String.format("Context: component=%s, service=%s", component, service)); // instantiate a solr client for sentry service. This sets the ugi, so must // be done before getting the ugi below. try (SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf)) { UserGroupInformation ugi = UserGroupInformation.getLoginUser(); String requestorName = ugi.getShortUserName(); convertINIToSentryServiceCmds(component, service, requestorName, conf, client, getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat()); } }
From source file:org.apache.sentry.provider.db.generic.tools.SentryShellKafka.java
License:Apache License
@Override public void run() throws Exception { Command command = null;/*w w w .j a v a2 s. co m*/ String component = AuthorizationComponent.KAFKA; Configuration conf = getSentryConf(); String service = conf.get(KAFKA_SERVICE_NAME, "kafka1"); SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf); UserGroupInformation ugi = UserGroupInformation.getLoginUser(); String requestorName = ugi.getShortUserName(); if (isCreateRole) { command = new CreateRoleCmd(roleName, component); } else if (isDropRole) { command = new DropRoleCmd(roleName, component); } else if (isAddRoleGroup) { command = new AddRoleToGroupCmd(roleName, groupName, component); } else if (isDeleteRoleGroup) { command = new DeleteRoleFromGroupCmd(roleName, groupName, component); } else if (isGrantPrivilegeRole) { command = new GrantPrivilegeToRoleCmd(roleName, component, privilegeStr, new KafkaTSentryPrivilegeConverter(component, service)); } else if (isRevokePrivilegeRole) { command = new RevokePrivilegeFromRoleCmd(roleName, component, privilegeStr, new KafkaTSentryPrivilegeConverter(component, service)); } else if (isListRole) { command = new ListRolesCmd(groupName, component); } else if (isListPrivilege) { command = new ListPrivilegesByRoleCmd(roleName, component, service, new KafkaTSentryPrivilegeConverter(component, service)); } // check the requestor name if (StringUtils.isEmpty(requestorName)) { // The exception message will be recorded in log file. throw new Exception("The requestor name is empty."); } if (command != null) { command.execute(client, requestorName); } }
From source file:org.apache.sentry.provider.db.generic.tools.SentryShellSolr.java
License:Apache License
@Override public void run() throws Exception { Command command = null;/* w w w . j a va 2s . c o m*/ String component = "SOLR"; Configuration conf = getSentryConf(); String service = conf.get(SOLR_SERVICE_NAME, "service1"); SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf); UserGroupInformation ugi = UserGroupInformation.getLoginUser(); String requestorName = ugi.getShortUserName(); if (isCreateRole) { command = new CreateRoleCmd(roleName, component); } else if (isDropRole) { command = new DropRoleCmd(roleName, component); } else if (isAddRoleGroup) { command = new AddRoleToGroupCmd(roleName, groupName, component); } else if (isDeleteRoleGroup) { command = new DeleteRoleFromGroupCmd(roleName, groupName, component); } else if (isGrantPrivilegeRole) { command = new GrantPrivilegeToRoleCmd(roleName, component, privilegeStr, new SolrTSentryPrivilegeConverter(component, service)); } else if (isRevokePrivilegeRole) { command = new RevokePrivilegeFromRoleCmd(roleName, component, privilegeStr, new SolrTSentryPrivilegeConverter(component, service)); } else if (isListRole) { command = new ListRolesCmd(groupName, component); } else if (isListPrivilege) { command = new ListPrivilegesByRoleCmd(roleName, component, service, new SolrTSentryPrivilegeConverter(component, service)); } // check the requestor name if (StringUtils.isEmpty(requestorName)) { // The exception message will be recorded in log file. throw new Exception("The requestor name is empty."); } if (command != null) { command.execute(client, requestorName); } }
From source file:org.apache.sentry.provider.db.generic.UpdatableCache.java
License:Apache License
/** * Build cache replica with latest values * * @return cache replica with latest values */// w w w. j a v a2 s. c o m private Table<String, String, Set<String>> loadFromRemote() throws Exception { Table<String, String, Set<String>> tempCache = HashBasedTable.create(); String requestor; requestor = UserGroupInformation.getLoginUser().getShortUserName(); try (SentryGenericServiceClient client = getClient()) { Set<TSentryRole> tSentryRoles = client.listAllRoles(requestor, componentType); for (TSentryRole tSentryRole : tSentryRoles) { final String roleName = tSentryRole.getRoleName(); final Set<TSentryPrivilege> tSentryPrivileges = client.listAllPrivilegesByRoleName(requestor, roleName, componentType, serviceName); for (String group : tSentryRole.getGroups()) { Set<String> currentPrivileges = tempCache.get(group, roleName); if (currentPrivileges == null) { currentPrivileges = new HashSet<>(); tempCache.put(group, roleName, currentPrivileges); } for (TSentryPrivilege tSentryPrivilege : tSentryPrivileges) { currentPrivileges.add(tSentryPrivilegeConverter.toString(tSentryPrivilege)); } } } return tempCache; } }
From source file:org.apache.sentry.service.thrift.SentryServiceIntegrationBase.java
License:Apache License
public static void setupConf() throws Exception { if (kerberos) { setupKdc();// w w w . j av a 2s. c o m kdc = SentryMiniKdcTestcase.getKdc(); kdcWorkDir = SentryMiniKdcTestcase.getWorkDir(); serverKeytab = new File(kdcWorkDir, "server.keytab"); clientKeytab = new File(kdcWorkDir, "client.keytab"); kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL); kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL); conf.set(ServerConfig.PRINCIPAL, getServerKerberosName()); conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath()); conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME); conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL, getServerKerberosName()); conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB, serverKeytab.getPath()); conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"); conf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath()); clientUgi = UserGroupInformation.getLoginUser(); } else { LOGGER.info("Stopped KDC"); conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE); } if (webServerEnabled) { conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true"); conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort)); conf.set(ServerConfig.SENTRY_WEB_PUBSUB_SERVLET_ENABLED, "true"); if (webSecurity) { httpKeytab = new File(kdcWorkDir, "http.keytab"); kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL); conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS); conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL); conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath()); conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowedUsers); } else { conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE); } } else { conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false"); } if (pooled) { conf.set(ApiConstants.ClientConfig.SENTRY_POOL_ENABLED, "true"); } if (useSSL) { String keystorePath = Resources.getResource("keystore.jks").getPath(); conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true"); conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, keystorePath); conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password"); LOGGER.debug("{} is at {}", ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, keystorePath); } conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP); conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST); conf.set(ServerConfig.RPC_PORT, String.valueOf(0)); dbDir = new File(Files.createTempDir(), "sentry_policy_db"); conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true"); conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy"); server = SentryServiceFactory.create(conf); conf.set(ApiConstants.ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName()); conf.set(ApiConstants.ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort())); conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); }
From source file:org.apache.sentry.shell.SentryCli.java
License:Apache License
/** * Initialize CLI// w w w. ja v a 2 s .c om */ private void init() { Map<String, String> env = System.getenv(); String log4jconf = cmd.getOptionValue(LOG4J_CONF); if (log4jconf != null && log4jconf.length() > 0) { Properties log4jProperties = new Properties(); // Firstly load log properties from properties file try (FileInputStream istream = new FileInputStream(log4jconf)) { log4jProperties.load(istream); } catch (IOException e) { e.printStackTrace(); } PropertyConfigurator.configure(log4jProperties); } String host = cmd.getOptionValue(hostOpt); if (host == null) { host = env.get(hostEnv); } String pathConf = cmd.getOptionValue(configOpt); if (pathConf == null) { pathConf = env.get(configEnv); } if (host == null && pathConf == null) { host = localhost + ":" + defaultPort; } Configuration conf = new Configuration(); if (pathConf != null) { conf.addResource(new Path(pathConf), true); } else { conf.set(SECURITY_MODE, SECURITY_MODE_NONE); } if (host != null) { conf.set(ApiConstants.ClientConfig.SERVER_RPC_ADDRESS, host); } requestorName = cmd.getOptionValue(userOpt); if (requestorName == null) { requestorName = env.get(userEnv); } if (requestorName == null) { UserGroupInformation ugi = null; try { ugi = UserGroupInformation.getLoginUser(); } catch (IOException e) { e.printStackTrace(); } requestorName = ugi.getShortUserName(); } try { sentryClient = SentryServiceClientFactory.create(conf); sentryGenericClient = SentryGenericServiceClientFactory.create(conf); } catch (Exception e) { System.out.println("Failed to connect to Sentry server: " + e.toString()); } }