List of usage examples for org.apache.hadoop.security UserGroupInformation getLoginUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getLoginUser() throws IOException
From source file:org.apache.zeppelin.scalding.ScaldingInterpreter.java
License:Apache License
@Override public InterpreterResult interpret(String cmd, InterpreterContext contextInterpreter) { String user = contextInterpreter.getAuthenticationInfo().getUser(); logger.info("Running Scalding command: user: {} cmd: '{}'", user, cmd); if (interpreter == null) { logger.error("interpreter == null, open may not have been called because max.open.instances reached"); return new InterpreterResult(Code.ERROR, "interpreter == null\n" + "open may not have been called because max.open.instances reached"); }/*from www .j a v a 2 s. c o m*/ if (cmd == null || cmd.trim().length() == 0) { return new InterpreterResult(Code.SUCCESS); } InterpreterResult interpreterResult = new InterpreterResult(Code.ERROR); if (getProperty(ARGS_STRING).contains("hdfs")) { UserGroupInformation ugi = null; try { ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); } catch (IOException e) { logger.error("Error creating UserGroupInformation", e); return new InterpreterResult(Code.ERROR, e.getMessage()); } try { // Make variables final to avoid "local variable is accessed from within inner class; // needs to be declared final" exception in JDK7 final String cmd1 = cmd; final InterpreterContext contextInterpreter1 = contextInterpreter; PrivilegedExceptionAction<InterpreterResult> action = new PrivilegedExceptionAction<InterpreterResult>() { public InterpreterResult run() throws Exception { return interpret(cmd1.split("\n"), contextInterpreter1); } }; interpreterResult = ugi.doAs(action); } catch (Exception e) { logger.error("Error running command with ugi.doAs", e); return new InterpreterResult(Code.ERROR, e.getMessage()); } } else { interpreterResult = interpret(cmd.split("\n"), contextInterpreter); } return interpreterResult; }
From source file:org.carbondata.core.util.CarbonUtil.java
License:Apache License
/** * This method will be used to delete the folder and files * * @param path file path array//from w w w . j a v a2s . c o m * @throws Exception exception */ public static void deleteFoldersAndFiles(final String... path) throws CarbonUtilException { if (path == null) { return; } try { UserGroupInformation.getLoginUser().doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { for (int i = 0; i < path.length; i++) { if (null != path[i]) { deleteRecursive(new File(path[i])); } } return null; } }); } catch (IOException e) { throw new CarbonUtilException("Error while deleting the folders and files"); } catch (InterruptedException e) { throw new CarbonUtilException("Error while deleting the folders and files"); } }
From source file:org.kaaproject.kaa.server.flume.sink.hdfs.KaaHdfsSink.java
License:Apache License
/** * Static synchronized method for static Kerberos login. <br/> * Static synchronized due to a thundering herd problem when multiple Sinks * attempt to log in using the same principal at the same time with the * intention of impersonating different users (or even the same user). * If this is not controlled, MIT Kerberos v5 believes it is seeing a replay * attach and it returns:/*from ww w .j av a2 s.c om*/ * <blockquote>Request is a replay (34) - PROCESS_TGS</blockquote> * In addition, since the underlying Hadoop APIs we are using for * impersonation are static, we define this method as static as well. * * @param principal Fully-qualified principal to use for authentication. * @param keytab Location of keytab file containing credentials for principal. * @return Logged-in user * @throws IOException if login fails. */ private static synchronized UserGroupInformation kerberosLogin(KaaHdfsSink sink, String principal, String keytab) throws IOException { // if we are the 2nd user thru the lock, the login should already be // available statically if login was successful UserGroupInformation curUser = null; try { curUser = UserGroupInformation.getLoginUser(); } catch (IOException ex) { // not a big deal but this shouldn't typically happen because it will // generally fall back to the UNIX user LOG.debug("Unable to get login user before Kerberos auth attempt.", ex); } // we already have logged in successfully if (curUser != null && curUser.getUserName().equals(principal)) { LOG.debug("{}: Using existing principal ({}): {}", new Object[] { sink, principal, curUser }); // no principal found } else { LOG.info("{}: Attempting kerberos login as principal ({}) from keytab file ({})", new Object[] { sink, principal, keytab }); // attempt static kerberos login UserGroupInformation.loginUserFromKeytab(principal, keytab); curUser = UserGroupInformation.getLoginUser(); } return curUser; }
From source file:org.kaaproject.kaa.server.flume.sink.hdfs.KaaHdfsSink.java
License:Apache License
private boolean authenticate() { // logic for kerberos login boolean useSecurity = UserGroupInformation.isSecurityEnabled(); LOG.info("Hadoop Security enabled: " + useSecurity); if (useSecurity) { // sanity checking if (kerbConfPrincipal.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a principal to use for Kerberos auth."); return false; }//from w w w . j a v a2 s. com if (kerbKeytab.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a keytab to use for Kerberos auth."); return false; } else { //If keytab is specified, user should want it take effect. //HDFSSink will halt when keytab file is non-exist or unreadable File kfile = new File(kerbKeytab); if (!(kfile.isFile() && kfile.canRead())) { throw new IllegalArgumentException( "The keyTab file: " + kerbKeytab + " is nonexistent or can't read. " + "Please specify a readable keytab file for Kerberos auth."); } } String principal; try { // resolves _HOST pattern using standard Hadoop search/replace // via DNS lookup when 2nd argument is empty principal = SecurityUtil.getServerPrincipal(kerbConfPrincipal, ""); } catch (IOException ex) { LOG.error("Host lookup error resolving kerberos principal (" + kerbConfPrincipal + "). Exception follows.", ex); return false; } Preconditions.checkNotNull(principal, "Principal must not be null"); KerberosUser prevUser = staticLogin.get(); KerberosUser newUser = new KerberosUser(principal, kerbKeytab); // be cruel and unusual when user tries to login as multiple principals // this isn't really valid with a reconfigure but this should be rare // enough to warrant a restart of the agent JVM // TODO: find a way to interrogate the entire current config state, // since we don't have to be unnecessarily protective if they switch all // HDFS sinks to use a different principal all at once. Preconditions.checkState(prevUser == null || prevUser.equals(newUser), "Cannot use multiple kerberos principals in the same agent. " + " Must restart agent to use new principal or keytab. " + "Previous = %s, New = %s", prevUser, newUser); // attempt to use cached credential if the user is the same // this is polite and should avoid flooding the KDC with auth requests UserGroupInformation curUser = null; if (prevUser != null && prevUser.equals(newUser)) { try { curUser = UserGroupInformation.getLoginUser(); } catch (IOException ex) { LOG.warn("User unexpectedly had no active login. Continuing with " + "authentication", ex); } } if (curUser == null || !curUser.getUserName().equals(principal)) { try { // static login kerberosLogin(this, principal, kerbKeytab); } catch (IOException ex) { LOG.error("Authentication or file read error while attempting to " + "login as kerberos principal (" + principal + ") using " + "keytab (" + kerbKeytab + "). Exception follows.", ex); return false; } } else { LOG.debug("{}: Using existing principal login: {}", this, curUser); } // we supposedly got through this unscathed... so store the static user staticLogin.set(newUser); } // hadoop impersonation works with or without kerberos security proxyTicket = null; if (!proxyUserName.isEmpty()) { try { proxyTicket = UserGroupInformation.createProxyUser(proxyUserName, UserGroupInformation.getLoginUser()); } catch (IOException ex) { LOG.error("Unable to login as proxy user. Exception follows.", ex); return false; } } UserGroupInformation ugi = null; if (proxyTicket != null) { ugi = proxyTicket; } else if (useSecurity) { try { ugi = UserGroupInformation.getLoginUser(); } catch (IOException ex) { LOG.error("Unexpected error: Unable to get authenticated user after " + "apparent successful login! Exception follows.", ex); return false; } } if (ugi != null) { // dump login information AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); LOG.info("Auth method: {}", authMethod); LOG.info(" User name: {}", ugi.getUserName()); LOG.info(" Using keytab: {}", ugi.isFromKeytab()); if (authMethod == AuthenticationMethod.PROXY) { UserGroupInformation superUser; try { superUser = UserGroupInformation.getLoginUser(); LOG.info(" Superuser auth: {}", superUser.getAuthenticationMethod()); LOG.info(" Superuser name: {}", superUser.getUserName()); LOG.info(" Superuser using keytab: {}", superUser.isFromKeytab()); } catch (IOException ex) { LOG.error("Unexpected error: unknown superuser impersonating proxy.", ex); return false; } } LOG.info("Logged in as user {}", ugi.getUserName()); return true; } return true; }
From source file:org.kitesdk.spring.hbase.example.service.WebPageSnapshotService.java
License:Apache License
/** * Take a snapshot of an URL. This WebPageSnapshot is stored in HBase. Returns * the WebPageSnapshotMeta//ww w . jav a 2 s .c o m * * If the URL is a redirect, the snapshot is stored under the final URL * destination. A WebPageRedirectModel is stored in the redirect table so when * fetching snapshots, we can follow the proper redirect path. * * @param url The URL to take a snapshot of * @param contentKey The key used to store the content * @param user The user taking a snapshot * @return The WebPageSnapshotMeta for the page that we snapshotted. * @throws IOException */ public WebPageSnapshotMeta takeSnapshot(final String url, final String contentKey, final String user) throws IOException { WebPageSnapshotMeta meta = null; UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); try { meta = ugi.doAs(new PrivilegedExceptionAction<WebPageSnapshotMeta>() { @Override public WebPageSnapshotMeta run() throws Exception { WebPageSnapshotModel webPageSnapshotModel = fetchWebPage(url, contentKey); if (!webPageSnapshotModel.getUrl().equals(url)) { // Url is different, so must have redirected. Store the redirect model WebPageRedirectModel redirectModel = WebPageRedirectModel.newBuilder().setUrl(url) .setDestinationUrl(webPageSnapshotModel.getUrl()).build(); webPageRedirectModels(user).put(redirectModel); } else { // If redirect exists, remove it since this URL no longer redirects Key key = new Key.Builder(webPageRedirectModels(user)).add("url", url).build(); WebPageRedirectModel redirectModel = webPageRedirectModels(user).get(key); if (redirectModel != null) { webPageRedirectModels(user).delete(key); } } webPageSnapshotModels(user).put(webPageSnapshotModel); return conversionService.convert(webPageSnapshotModel, WebPageSnapshotMeta.class); } }); } catch (InterruptedException ex) { Thread.currentThread().interrupt(); if (meta == null) { throw new IOException("Interrupted trying to save the snapshot", ex); } } return meta; }
From source file:org.kitesdk.spring.hbase.example.service.WebPageSnapshotService.java
License:Apache License
/** * Get the epoch timestamps for every snapshot time of an URL in HBase. * * @param url The URL of the page to get snapshot timestamps for * @return The list of timestamps//from ww w . j ava 2 s . c o m */ public List<Long> getSnapshotTimestamps(String url, final String user) throws IOException { List<Long> snapshotTimestamps = null; final String normalizedUrl = normalizeUrl(url, user); LOG.error("Getting snapshot timestamps: url = {}, user = {}, normalized url = {}", new Object[] { url, user, normalizedUrl }); UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); snapshotTimestamps = ugi.doAs(new PrivilegedAction<List<Long>>() { @Override public List<Long> run() { List<Long> snapshotTimestamps = new ArrayList<Long>(); DatasetReader<WebPageSnapshotModel> reader = null; try { reader = webPageSnapshotModels(user).from("url", normalizedUrl).from("fetchedAtRevTs", 0L) .to("url", normalizedUrl).to("fetchedAtRevTs", Long.MAX_VALUE).newReader(); while (reader.hasNext()) { snapshotTimestamps.add(reader.next().getFetchedAt()); } } finally { if (reader != null) { reader.close(); } } return snapshotTimestamps; } }); return snapshotTimestamps; }
From source file:org.kitesdk.spring.hbase.example.service.WebPageSnapshotService.java
License:Apache License
/** * Get the most recent WebPageSnapshotModel from HBase * * @param url The URL to get the snapshotted page from HBase * @return The WebPageSnapshotModel, or null if there are no fetches for this * URL/*from w w w. j a va2 s . c o m*/ */ private WebPageSnapshotModel getMostRecentWebPageSnapshot(String url, final String user) throws IOException { WebPageSnapshotModel snapshot = null; final String normalizedUrl = normalizeUrl(url, user); UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); LOG.error("Created proxy user " + ugi.getShortUserName() + " ugi: " + ugi); snapshot = ugi.doAs(new PrivilegedAction<WebPageSnapshotModel>() { @Override public WebPageSnapshotModel run() { DatasetReader<WebPageSnapshotModel> reader = null; try { // we don't know the exact timestamp in the key, but we know since keys // are in timestamp descending order that the first row for an URL will be // the most recent. reader = webPageSnapshotModels(user).from("url", normalizedUrl).from("fetchedAtRevTs", 0L) .to("url", normalizedUrl).to("fetchedAtRevTs", Long.MAX_VALUE).newReader(); if (reader.hasNext()) { return reader.next(); } else { return null; } } finally { if (reader != null) { reader.close(); } } } }); return snapshot; }
From source file:org.kitesdk.spring.hbase.example.service.WebPageSnapshotService.java
License:Apache License
/** * Get the WebPageSnapshotModel from HBase * * @param url The URL of the WebPageSnapshotModel * @param ts The snapshot timestamp of the WebPageSnapshotModel * @return The WebPageSnapshotModel, or null if there is no snapshot for the * URL at this timestamp./*from ww w.j a v a2s .c om*/ */ private WebPageSnapshotModel getWebPageSnapshot(String url, final long ts, final String user) throws IOException { WebPageSnapshotModel snapshot = null; final String normalizedUrl = normalizeUrl(url, user); UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); snapshot = ugi.doAs(new PrivilegedAction<WebPageSnapshotModel>() { @Override public WebPageSnapshotModel run() { Key key = new Key.Builder(webPageSnapshotModels(user)).add("url", normalizedUrl) .add("fetchedAtRevTs", Long.MAX_VALUE - ts).build(); return webPageSnapshotModels(user).get(key); } }); return snapshot; }
From source file:org.kitesdk.spring.hbase.example.service.WebPageSnapshotService.java
License:Apache License
/** * Get WebPageSnapshotModels for an URL from HBase since the since param. * * @param url The URL of the page to fetch * @param since The models to fetch since * @return The list of models that have been fetched for an URL since the * since param.//from w w w . j a v a2s. c om */ private List<WebPageSnapshotModel> getWebPageSnapshotsSince(String url, final long since, final String user) throws IOException { List<WebPageSnapshotModel> snapshots = null; final String normalizedUrl = normalizeUrl(url, user); UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); ugi.doAs(new PrivilegedAction<List<WebPageSnapshotModel>>() { @Override public List<WebPageSnapshotModel> run() { List<WebPageSnapshotModel> models = new ArrayList<WebPageSnapshotModel>(); DatasetReader<WebPageSnapshotModel> reader = null; try { reader = webPageSnapshotModels(user).from("url", normalizedUrl).from("fetchedAtRevTs", 0L) .to("url", normalizedUrl).to("fetchedAtRevTs", since).newReader(); while (reader.hasNext()) { models.add(reader.next()); } } finally { if (reader != null) { reader.close(); } } return models; } }); return snapshots; }
From source file:org.kitesdk.spring.hbase.example.service.WebPageSnapshotService.java
License:Apache License
/** * Return a WebPageRedirectModel if an URL is one that redirects to a * different source. Otherwise, returns null. * * @return The WebPageRedirectModel// w w w . j av a 2 s . c o m */ private WebPageRedirectModel getRedirect(final String url, final String user) throws IOException { UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); return ugi.doAs(new PrivilegedAction<WebPageRedirectModel>() { @Override public WebPageRedirectModel run() { Key key = new Key.Builder(webPageRedirectModels(user)).add("url", url).build(); return webPageRedirectModels(user).get(key); } }); }