List of usage examples for org.apache.hadoop.security UserGroupInformation getLoginUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getLoginUser() throws IOException
From source file:com.datatorrent.stram.util.SecureExecutor.java
License:Apache License
public static <T> T execute(final SecureExecutor.WorkLoad<T> workLoad) throws IOException { if (UserGroupInformation.isSecurityEnabled()) { UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); return loginUser.doAs(new PrivilegedAction<T>() { @Override/*from w w w. j a v a 2s .c o m*/ public T run() { return workLoad.run(); } }); } else { return workLoad.run(); } }
From source file:com.flipkart.foxtrot.core.datastore.impl.hbase.HBaseUtil.java
License:Apache License
public static Configuration create(final HbaseConfig hbaseConfig) throws IOException { Configuration configuration = HBaseConfiguration.create(); if (isValidFile(hbaseConfig.getCoreSite())) { configuration.addResource(new File(hbaseConfig.getCoreSite()).toURI().toURL()); }//from ww w . ja va 2 s. com if (isValidFile(hbaseConfig.getHdfsSite())) { configuration.addResource(new File(hbaseConfig.getHdfsSite()).toURI().toURL()); } if (isValidFile(hbaseConfig.getHbasePolicy())) { configuration.addResource(new File(hbaseConfig.getHbasePolicy()).toURI().toURL()); } if (isValidFile(hbaseConfig.getHbaseSite())) { configuration.addResource(new File(hbaseConfig.getHbaseSite()).toURI().toURL()); } if (hbaseConfig.isSecure() && isValidFile(hbaseConfig.getKeytabFileName())) { configuration.set("hbase.master.kerberos.principal", hbaseConfig.getAuthString()); configuration.set("hadoop.kerberos.kinit.command", hbaseConfig.getKinitPath()); UserGroupInformation.setConfiguration(configuration); System.setProperty("java.security.krb5.conf", hbaseConfig.getKerberosConfigFile()); UserGroupInformation.loginUserFromKeytab(hbaseConfig.getAuthString(), hbaseConfig.getKeytabFileName()); logger.info("Logged into Hbase with User: " + UserGroupInformation.getLoginUser()); } if (null != hbaseConfig.getHbaseZookeeperQuorum()) { configuration.set("hbase.zookeeper.quorum", hbaseConfig.getHbaseZookeeperQuorum()); } if (null != hbaseConfig.getHbaseZookeeperClientPort()) { configuration.setInt("hbase.zookeeper.property.clientPort", hbaseConfig.getHbaseZookeeperClientPort()); } return configuration; }
From source file:com.github.sakserv.minicluster.impl.KdcLocalCluster.java
License:Apache License
@Override public void start() throws Exception { LOG.info("KDC: Starting MiniKdc"); configure();//from ww w . j a v a2 s . c om miniKdc = new MiniKdc(conf, new File(baseDir)); miniKdc.start(); UserGroupInformation ugi = UserGroupInformation.createRemoteUser("guest"); UserGroupInformation.setLoginUser(ugi); String username = UserGroupInformation.getLoginUser().getShortUserName(); List<String> temp = new ArrayList<>(principals); temp.add(username); this.principals = Collections.unmodifiableList(temp); principals.forEach(p -> { try { File keytab = new File(baseDir, p + ".keytab"); LOG.info("KDC: Creating keytab for {} in {}", p, keytab); miniKdc.createPrincipal(keytab, p, getKrbPrincipal(p), getKrbPrincipalWithRealm(p)); } catch (Exception e) { throw Throwables.propagate(e); } }); refreshDefaultRealm(); prepareSecureConfiguration(username); }
From source file:com.github.sakserv.minicluster.impl.KdcLocalClusterHBaseIntegrationTest.java
License:Apache License
@Test public void testHBase() throws Exception { UserGroupInformation.loginUserFromKeytab(kdcLocalCluster.getKrbPrincipalWithRealm("hbase"), kdcLocalCluster.getKeytabForPrincipal("hbase")); assertTrue(UserGroupInformation.isSecurityEnabled()); assertTrue(UserGroupInformation.isLoginKeytabBased()); Configuration configuration = hbaseLocalCluster.getHbaseConfiguration(); configuration.set("hbase.client.retries.number", "1"); configuration.set("hbase.client.pause", "1000"); configuration.set("zookeeper.recovery.retry", "1"); // Write data try (Connection connection = ConnectionFactory.createConnection(configuration)) { Admin admin = connection.getAdmin(); TableName tableName = TableName.valueOf("test-kdc"); if (admin.tableExists(tableName)) { admin.disableTable(tableName); admin.deleteTable(tableName); }/*from w ww . j a va 2 s. co m*/ admin.createTable(new HTableDescriptor(tableName).addFamily(new HColumnDescriptor("cf"))); try (BufferedMutator mutator = connection.getBufferedMutator(tableName)) { mutator.mutate(new Put(Bytes.toBytes("key")).addColumn(Bytes.toBytes("cf"), Bytes.toBytes("col1"), Bytes.toBytes("azerty"))); } } // Log out LOG.info("Logout..."); UserGroupInformation.getLoginUser().logoutUserFromKeytab(); UserGroupInformation.reset(); try { Configuration unauthenticatedConfiguration = HBaseConfiguration.create(); hbaseLocalCluster.configure(unauthenticatedConfiguration); unauthenticatedConfiguration.set("hbase.client.retries.number", "1"); unauthenticatedConfiguration.set("hbase.client.pause", "1000"); unauthenticatedConfiguration.set("zookeeper.recovery.retry", "1"); UserGroupInformation.setConfiguration(unauthenticatedConfiguration); try (Connection connection = ConnectionFactory.createConnection(unauthenticatedConfiguration)) { Admin admin = connection.getAdmin(); TableName tableName = TableName.valueOf("test-kdc2"); if (admin.tableExists(tableName)) { admin.disableTable(tableName); admin.deleteTable(tableName); } try (BufferedMutator mutator = connection.getBufferedMutator(tableName)) { mutator.mutate(new Put(Bytes.toBytes("key")).addColumn(Bytes.toBytes("cf"), Bytes.toBytes("col1"), Bytes.toBytes("azerty"))); } } fail(); } catch (RetriesExhaustedException e) { LOG.info("Alright, this is expected!", e); assertTrue(e.getCause() instanceof IOException); System.out.println("Not authenticated!"); } }
From source file:com.github.sakserv.minicluster.impl.KdcLocalClusterHdfsIntegrationTest.java
License:Apache License
@Test public void testHdfs() throws Exception { FileSystem hdfsFsHandle = hdfsLocalCluster.getHdfsFileSystemHandle(); UserGroupInformation.loginUserFromKeytab(kdcLocalCluster.getKrbPrincipalWithRealm("hdfs"), kdcLocalCluster.getKeytabForPrincipal("hdfs")); assertTrue(UserGroupInformation.isSecurityEnabled()); assertTrue(UserGroupInformation.isLoginKeytabBased()); // Write a file to HDFS containing the test string FSDataOutputStream writer = hdfsFsHandle .create(new Path(propertyParser.getProperty(ConfigVars.HDFS_TEST_FILE_KEY))); writer.writeUTF(propertyParser.getProperty(ConfigVars.HDFS_TEST_STRING_KEY)); writer.close();/*from w w w . j a v a 2 s . c o m*/ // Read the file and compare to test string FSDataInputStream reader = hdfsFsHandle .open(new Path(propertyParser.getProperty(ConfigVars.HDFS_TEST_FILE_KEY))); assertEquals(reader.readUTF(), propertyParser.getProperty(ConfigVars.HDFS_TEST_STRING_KEY)); reader.close(); // Log out UserGroupInformation.getLoginUser().logoutUserFromKeytab(); UserGroupInformation.reset(); try { Configuration conf = new Configuration(); UserGroupInformation.setConfiguration(conf); FileSystem.get(hdfsFsHandle.getUri(), conf) .open(new Path(propertyParser.getProperty(ConfigVars.HDFS_TEST_FILE_KEY))); fail(); } catch (AccessControlException e) { LOG.info("Not authenticated!"); } }
From source file:com.huayu.metis.flume.sink.hdfs.HDFSEventSink.java
License:Apache License
private boolean authenticate() { // logic for kerberos login boolean useSecurity = UserGroupInformation.isSecurityEnabled(); LOG.info("Hadoop Security enabled: " + useSecurity); if (useSecurity) { // sanity checking if (kerbConfPrincipal.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a principal to use for Kerberos auth."); return false; }/* w w w . j a v a 2 s . c o m*/ if (kerbKeytab.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a keytab to use for Kerberos auth."); return false; } else { //If keytab is specified, user should want it take effect. //HDFSEventSink will halt when keytab file is non-exist or unreadable File kfile = new File(kerbKeytab); if (!(kfile.isFile() && kfile.canRead())) { throw new IllegalArgumentException( "The keyTab file: " + kerbKeytab + " is nonexistent or can't read. " + "Please specify a readable keytab file for Kerberos auth."); } } String principal; try { // resolves _HOST pattern using standard Hadoop search/replace // via DNS lookup when 2nd argument is empty principal = SecurityUtil.getServerPrincipal(kerbConfPrincipal, ""); } catch (IOException e) { LOG.error("Host lookup error resolving kerberos principal (" + kerbConfPrincipal + "). Exception follows.", e); return false; } Preconditions.checkNotNull(principal, "Principal must not be null"); KerberosUser prevUser = staticLogin.get(); KerberosUser newUser = new KerberosUser(principal, kerbKeytab); // be cruel and unusual when user tries to login as multiple principals // this isn't really valid with a reconfigure but this should be rare // enough to warrant a restart of the agent JVM // TODO: find a way to interrogate the entire current config state, // since we don't have to be unnecessarily protective if they switch all // HDFS sinks to use a different principal all at once. Preconditions.checkState(prevUser == null || prevUser.equals(newUser), "Cannot use multiple kerberos principals in the same agent. " + " Must restart agent to use new principal or keytab. " + "Previous = %s, New = %s", prevUser, newUser); // attempt to use cached credential if the user is the same // this is polite and should avoid flooding the KDC with auth requests UserGroupInformation curUser = null; if (prevUser != null && prevUser.equals(newUser)) { try { curUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { LOG.warn("User unexpectedly had no active login. Continuing with " + "authentication", e); } } if (curUser == null || !curUser.getUserName().equals(principal)) { try { // static login kerberosLogin(this, principal, kerbKeytab); } catch (IOException e) { LOG.error("Authentication or file read error while attempting to " + "login as kerberos principal (" + principal + ") using " + "keytab (" + kerbKeytab + "). Exception follows.", e); return false; } } else { LOG.debug("{}: Using existing principal login: {}", this, curUser); } // we supposedly got through this unscathed... so store the static user staticLogin.set(newUser); } // hadoop impersonation works with or without kerberos security proxyTicket = null; if (!proxyUserName.isEmpty()) { try { proxyTicket = UserGroupInformation.createProxyUser(proxyUserName, UserGroupInformation.getLoginUser()); } catch (IOException e) { LOG.error("Unable to login as proxy user. Exception follows.", e); return false; } } UserGroupInformation ugi = null; if (proxyTicket != null) { ugi = proxyTicket; } else if (useSecurity) { try { ugi = UserGroupInformation.getLoginUser(); } catch (IOException e) { LOG.error("Unexpected error: Unable to get authenticated user after " + "apparent successful login! Exception follows.", e); return false; } } if (ugi != null) { // dump login information AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); LOG.info("Auth method: {}", authMethod); LOG.info(" User name: {}", ugi.getUserName()); LOG.info(" Using keytab: {}", ugi.isFromKeytab()); if (authMethod == AuthenticationMethod.PROXY) { UserGroupInformation superUser; try { superUser = UserGroupInformation.getLoginUser(); LOG.info(" Superuser auth: {}", superUser.getAuthenticationMethod()); LOG.info(" Superuser name: {}", superUser.getUserName()); LOG.info(" Superuser using keytab: {}", superUser.isFromKeytab()); } catch (IOException e) { LOG.error("Unexpected error: unknown superuser impersonating proxy.", e); return false; } } LOG.info("Logged in as user {}", ugi.getUserName()); return true; } return true; }
From source file:com.huayu.metis.flume.sink.hdfs.HDFSEventSink.java
License:Apache License
/** * Static synchronized method for static Kerberos login. <br/> * Static synchronized due to a thundering herd problem when multiple Sinks * attempt to log in using the same principal at the same time with the * intention of impersonating different users (or even the same user). * If this is not controlled, MIT Kerberos v5 believes it is seeing a replay * attach and it returns:/* w w w . ja v a 2 s . c o m*/ * <blockquote>Request is a replay (34) - PROCESS_TGS</blockquote> * In addition, since the underlying Hadoop APIs we are using for * impersonation are static, we define this method as static as well. * * @param principal Fully-qualified principal to use for authentication. * @param keytab Location of keytab file containing credentials for principal. * @return Logged-in user * @throws java.io.IOException if login fails. */ private static synchronized UserGroupInformation kerberosLogin(HDFSEventSink sink, String principal, String keytab) throws IOException { // if we are the 2nd user thru the lock, the login should already be // available statically if login was successful UserGroupInformation curUser = null; try { curUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { // not a big deal but this shouldn't typically happen because it will // generally fall back to the UNIX user LOG.debug("Unable to get login user before Kerberos auth attempt.", e); } // we already have logged in successfully if (curUser != null && curUser.getUserName().equals(principal)) { LOG.debug("{}: Using existing principal ({}): {}", new Object[] { sink, principal, curUser }); // no principal found } else { LOG.info("{}: Attempting kerberos login as principal ({}) from keytab " + "file ({})", new Object[] { sink, principal, keytab }); // attempt static kerberos login UserGroupInformation.loginUserFromKeytab(principal, keytab); curUser = UserGroupInformation.getLoginUser(); } return curUser; }
From source file:com.inmobi.conduit.utils.SecureLoginUtil.java
License:Apache License
public static void login(Configuration conf, String principalKey, String keyTabKey) throws IOException { SecurityUtil.login(conf, keyTabKey, principalKey); UserGroupInformation ugi = UserGroupInformation.getLoginUser(); LOG.info("User logged in :" + ugi); }
From source file:com.inmobi.messaging.consumer.databus.AbstractMessagingDatabusConsumer.java
License:Apache License
protected void initializeConfig(ClientConfig config) throws IOException { String hadoopConfFileName = config.getString(hadoopConfigFileKey); if (hadoopConfFileName != null) { Configuration.addDefaultResource(hadoopConfFileName); }/*from ww w . java 2s . c om*/ conf = new Configuration(); super.init(config); // verify authentication if (UserGroupInformation.isSecurityEnabled()) { String principal = config.getString(consumerPrincipal); String keytab = config.getString(consumerKeytab); if (principal != null && keytab != null) { Configuration conf = new Configuration(); conf.set(consumerPrincipal, principal); conf.set(consumerKeytab, keytab); SecurityUtil.login(conf, consumerKeytab, consumerPrincipal); UserGroupInformation ugi = UserGroupInformation.getLoginUser(); LOG.info("User logged in :" + ugi); } else { LOG.info( "There is no principal or key tab file passed. Using the" + " commandline authentication."); } } // Read consumer id String consumerIdStr = config.getString(consumerIdInGroupConfig, DEFAULT_CONSUMER_ID); String[] id = consumerIdStr.split("/"); try { consumerNumber = Integer.parseInt(id[0]); totalConsumers = Integer.parseInt(id[1]); partitionMinList = new HashSet<Integer>(); if (isValidConfiguration()) { for (int i = 0; i < 60; i++) { if ((i % totalConsumers) == (consumerNumber - 1)) { partitionMinList.add(i); } } } else { throw new IllegalArgumentException("Invalid consumer group membership"); } } catch (NumberFormatException nfe) { throw new IllegalArgumentException("Invalid consumer group membership", nfe); } // Create checkpoint provider and initialize checkpoint String chkpointProviderClassName = config.getString(chkProviderConfig, DEFAULT_CHK_PROVIDER); String databusCheckpointDir = config.getString(checkpointDirConfig, DEFAULT_CHECKPOINT_DIR); this.checkpointProvider = createCheckpointProvider(chkpointProviderClassName, databusCheckpointDir); createCheckpoint(); currentCheckpoint.read(checkpointProvider, getChkpointKey()); //create buffer bufferSize = config.getInteger(queueSizeConfig, DEFAULT_QUEUE_SIZE); buffer = new LinkedBlockingQueue<QueueEntry>(bufferSize); // initialize other common configuration waitTimeForFileCreate = config.getLong(waitTimeForFileCreateConfig, DEFAULT_WAIT_TIME_FOR_FILE_CREATE); // get the retention period of the topic retentionInHours = config.getString(retentionConfig); relativeStartTimeStr = config.getString(relativeStartTimeConfig); if (relativeStartTimeStr == null && retentionInHours != null) { LOG.warn(retentionConfig + " is deprecated." + " Use " + relativeStartTimeConfig + " instead"); int minutes = (Integer.parseInt(retentionInHours)) * 60; relativeStartTimeStr = String.valueOf(minutes); } String stopTimeStr = config.getString(stopDateConfig); stopTime = getDateFromString(stopTimeStr); startOfStream = config.getBoolean(startOfStreamConfig, DEFAULT_START_OF_STREAM); closedReadercount = 0; }
From source file:com.linkedin.drelephant.security.HadoopSecurity.java
License:Apache License
public void checkLogin() throws IOException { if (_loginUser == null) { logger.info("No login user. Creating login user"); logger.info("Logging with " + _keytabUser + " and " + _keytabLocation); UserGroupInformation.loginUserFromKeytab(_keytabUser, _keytabLocation); _loginUser = UserGroupInformation.getLoginUser(); logger.info("Logged in with user " + _loginUser); if (UserGroupInformation.isLoginKeytabBased()) { logger.info("Login is keytab based"); } else {// www . ja v a 2 s . c o m logger.info("Login is not keytab based"); } } else { _loginUser.checkTGTAndReloginFromKeytab(); } }