List of usage examples for org.apache.hadoop.security UserGroupInformation getLoginUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getLoginUser() throws IOException
From source file:org.apache.accumulo.core.security.SecurityUtil.java
License:Apache License
/** * This method is for logging a server in kerberos. If this is used in client code, it will fail unless run as the accumulo keytab's owner. Instead, use * {@link #login(String, String)}/*from w ww . j a va 2 s.co m*/ */ public static void serverLogin(AccumuloConfiguration acuConf) { String keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB); if (keyTab == null || keyTab.length() == 0) return; usingKerberos = true; String principalConfig = acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL); if (principalConfig == null || principalConfig.length() == 0) return; if (login(principalConfig, keyTab)) { try { // This spawns a thread to periodically renew the logged in (accumulo) user UserGroupInformation.getLoginUser(); } catch (IOException io) { log.error("Error starting up renewal thread. This shouldn't be happenining.", io); } } }
From source file:org.apache.accumulo.server.AccumuloServerContext.java
License:Apache License
/** * A "client-side" assertion for servers to validate that they are logged in as the expected user, per the configuration, before performing any RPC *///from w ww. jav a2 s. c o m // Should be private, but package-protected so EasyMock will work void enforceKerberosLogin() { final AccumuloConfiguration conf = confFactory.getSiteConfiguration(); // Unwrap _HOST into the FQDN to make the kerberos principal we'll compare against final String kerberosPrincipal = SecurityUtil .getServerPrincipal(conf.get(Property.GENERAL_KERBEROS_PRINCIPAL)); UserGroupInformation loginUser; try { // The system user should be logged in via keytab when the process is started, not the currentUser() like KerberosToken loginUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { throw new RuntimeException("Could not get login user", e); } checkArgument(loginUser.hasKerberosCredentials(), "Server does not have Kerberos credentials"); checkArgument(kerberosPrincipal.equals(loginUser.getUserName()), "Expected login user to be " + kerberosPrincipal + " but was " + loginUser.getUserName()); }
From source file:org.apache.accumulo.server.rpc.TServerUtils.java
License:Apache License
public static ServerAddress createSaslThreadPoolServer(HostAndPort address, TProcessor processor, TProtocolFactory protocolFactory, long socketTimeout, SaslServerConnectionParams params, final String serverName, String threadName, final int numThreads, final int numSTThreads, long timeBetweenThreadChecks) throws TTransportException { // We'd really prefer to use THsHaServer (or similar) to avoid 1 RPC == 1 Thread that the TThreadPoolServer does, // but sadly this isn't the case. Because TSaslTransport needs to issue a handshake when it open()'s which will fail // when the server does an accept() to (presumably) wake up the eventing system. log.info("Creating SASL thread pool thrift server on listening on {}:{}", address.getHostText(), address.getPort());//w ww .ja v a 2 s . c o m TServerSocket transport = new TServerSocket(address.getPort(), (int) socketTimeout); String hostname, fqdn; try { hostname = InetAddress.getByName(address.getHostText()).getCanonicalHostName(); fqdn = InetAddress.getLocalHost().getCanonicalHostName(); } catch (UnknownHostException e) { transport.close(); throw new TTransportException(e); } // If we can't get a real hostname from the provided host test, use the hostname from DNS for localhost if ("0.0.0.0".equals(hostname)) { hostname = fqdn; } // ACCUMULO-3497 an easy sanity check we can perform for the user when SASL is enabled. Clients and servers have to agree upon the FQDN // so that the SASL handshake can occur. If the provided hostname doesn't match the FQDN for this host, fail quickly and inform them to update // their configuration. if (!hostname.equals(fqdn)) { log.error( "Expected hostname of '{}' but got '{}'. Ensure the entries in the Accumulo hosts files (e.g. masters, tservers) are the FQDN for each host when using SASL.", fqdn, hostname); transport.close(); throw new RuntimeException( "SASL requires that the address the thrift server listens on is the same as the FQDN for this host"); } final UserGroupInformation serverUser; try { serverUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { transport.close(); throw new TTransportException(e); } log.debug("Logged in as {}, creating TSaslServerTransport factory with {}/{}", serverUser, params.getKerberosServerPrimary(), hostname); // Make the SASL transport factory with the instance and primary from the kerberos server principal, SASL properties // and the SASL callback handler from Hadoop to ensure authorization ID is the authentication ID. Despite the 'protocol' argument seeming to be useless, it // *must* be the primary of the server. TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory(); saslTransportFactory.addServerDefinition(ThriftUtil.GSSAPI, params.getKerberosServerPrimary(), hostname, params.getSaslProperties(), new SaslRpcServer.SaslGssCallbackHandler()); if (null != params.getSecretManager()) { log.info("Adding DIGEST-MD5 server definition for delegation tokens"); saslTransportFactory.addServerDefinition(ThriftUtil.DIGEST_MD5, params.getKerberosServerPrimary(), hostname, params.getSaslProperties(), new SaslServerDigestCallbackHandler(params.getSecretManager())); } else { log.info("SecretManager is null, not adding support for delegation token authentication"); } // Make sure the TTransportFactory is performing a UGI.doAs TTransportFactory ugiTransportFactory = new UGIAssumingTransportFactory(saslTransportFactory, serverUser); if (address.getPort() == 0) { // If we chose a port dynamically, make a new use it (along with the proper hostname) address = HostAndPort.fromParts(address.getHostText(), transport.getServerSocket().getLocalPort()); log.info("SASL thrift server bound on {}", address); } ThreadPoolExecutor pool = createSelfResizingThreadPool(serverName, numThreads, numSTThreads, timeBetweenThreadChecks); final TThreadPoolServer server = createTThreadPoolServer(transport, processor, ugiTransportFactory, protocolFactory, pool); return new ServerAddress(server, address); }
From source file:org.apache.accumulo.server.rpc.UGIAssumingProcessor.java
License:Apache License
public UGIAssumingProcessor(TProcessor wrapped) { this.wrapped = wrapped; try {/*from ww w . jav a2 s. co m*/ this.loginUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { log.error("Failed to obtain login user", e); throw new RuntimeException("Failed to obtain login user", e); } }
From source file:org.apache.accumulo.server.ServerContext.java
License:Apache License
/** * A "client-side" assertion for servers to validate that they are logged in as the expected user, * per the configuration, before performing any RPC *///from w w w .j av a 2 s . co m // Should be private, but package-protected so EasyMock will work void enforceKerberosLogin() { final AccumuloConfiguration conf = getServerConfFactory().getSiteConfiguration(); // Unwrap _HOST into the FQDN to make the kerberos principal we'll compare against final String kerberosPrincipal = SecurityUtil .getServerPrincipal(conf.get(Property.GENERAL_KERBEROS_PRINCIPAL)); UserGroupInformation loginUser; try { // The system user should be logged in via keytab when the process is started, not the // currentUser() like KerberosToken loginUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { throw new RuntimeException("Could not get login user", e); } checkArgument(loginUser.hasKerberosCredentials(), "Server does not have Kerberos credentials"); checkArgument(kerberosPrincipal.equals(loginUser.getUserName()), "Expected login user to be " + kerberosPrincipal + " but was " + loginUser.getUserName()); }
From source file:org.apache.accumulo.tserver.TabletServer.java
License:Apache License
public static void main(String[] args) throws IOException { try {/*from w w w. ja v a 2s . com*/ final String app = "tserver"; Accumulo.setupLogging(app); SecurityUtil.serverLogin(SiteConfiguration.getInstance()); ServerOpts opts = new ServerOpts(); opts.parseArgs(app, args); String hostname = opts.getAddress(); ServerConfigurationFactory conf = new ServerConfigurationFactory(HdfsZooInstance.getInstance()); VolumeManager fs = VolumeManagerImpl.get(); Accumulo.init(fs, conf, app); final TabletServer server = new TabletServer(conf, fs); server.config(hostname); DistributedTrace.enable(hostname, app, conf.getConfiguration()); if (UserGroupInformation.isSecurityEnabled()) { UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); loginUser.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() { server.run(); return null; } }); } else { server.run(); } } catch (Exception ex) { log.error("Uncaught exception in TabletServer.main, exiting", ex); System.exit(1); } finally { DistributedTrace.disable(); } }
From source file:org.apache.ambari.servicemonitor.Monitor.java
License:Apache License
/** * Execute the monitor. This method does not exit except by throwing exceptions or by calling System.exit(). * @throws IOException problems/*from w w w .jav a 2s . com*/ * @throws ExitMainException an explicit exit exception */ public void execMonitor(Reporter reporter) throws IOException { Configuration conf = getConf(); int probeInterval = conf.getInt(MONITOR_PROBE_INTERVAL, PROBE_INTERVAL_DEFAULT); int reportInterval = conf.getInt(MONITOR_REPORT_INTERVAL, REPORT_INTERVAL_DEFAULT); int probeTimeout = conf.getInt(MONITOR_PROBE_TIMEOUT, PROBE_TIMEOUT_DEFAULT); int bootstrapTimeout = conf.getInt(MONITOR_BOOTSTRAP_TIMEOUT, BOOTSTRAP_TIMEOUT_DEFAULT); boolean krb5Enabled = conf.getBoolean(MONITOR_KRB5_ENABLED, MONITOR_DEFAULT_KRB5_ENABLED); String krb5Principal = conf.get(MONITOR_KRB5_PRINCIPAL, MONITOR_DEFAULT_KRB5_PRINCIPAL); String krb5Keytab = conf.get(MONITOR_KRB5_KEYTAB, MONITOR_DEFAULT_KRB5_KEYTAB); if (LOG.isInfoEnabled()) { LOG.info("krb5Enabled = " + krb5Enabled + ", krb5Principal = " + krb5Principal + ", krb5Keyab = " + krb5Keytab); } if (krb5Enabled) { UserGroupInformation.loginUserFromKeytab(krb5Principal, krb5Keytab); UserGroupInformation.getLoginUser(); } List<Probe> probes = new ArrayList<Probe>(); if (conf.getBoolean(PORT_PROBE_ENABLED, false)) { String probeHost = conf.get(PORT_PROBE_HOST, DEFAULT_PROBE_HOST); int probePort = conf.getInt(PORT_PROBE_PORT, DEFAULT_PROBE_PORT); if (probePort == -1) { URI fsURI = FileSystem.getDefaultUri(conf); probePort = fsURI.getPort(); validateParam(probePort == -1, "No port value in " + fsURI); } PortProbe portProbe = PortProbe.createPortProbe(new Configuration(conf), probeHost, probePort); probes.add(portProbe); } else { LOG.debug("port probe disabled"); } if (conf.getBoolean(PID_PROBE_ENABLED, false)) { Probe probe = PidLiveProbe.createProbe(new Configuration(conf)); probes.add(probe); LOG.debug("Pid probe enabled: " + probe.toString()); } else { LOG.debug("Pid probe disabled"); } if (conf.getBoolean(WEB_PROBE_ENABLED, false)) { HttpProbe httpProbe = HttpProbe.createHttpProbe(new Configuration(conf)); probes.add(httpProbe); } else { LOG.debug("HTTP probe disabled"); } if (conf.getBoolean(LS_PROBE_ENABLED, false)) { String path = conf.get(LS_PROBE_PATH, LS_PROBE_DEFAULT); DfsListProbe lsProbe = new DfsListProbe(new Configuration(conf), path); probes.add(lsProbe); } else { LOG.debug("ls probe disabled"); } if (conf.getBoolean(JT_PROBE_ENABLED, false)) { Probe jtProbe = new JTClusterStatusProbe(new Configuration(conf)); probes.add(jtProbe); } else { LOG.debug("JT probe disabled"); } List<Probe> dependencyProbes = new ArrayList<Probe>(1); if (conf.getBoolean(MONITOR_DEPENDENCY_DFSLIVE, false)) { //there's a dependency on DFS //add a monitor for it LOG.info("Adding a dependency on HDFS being live"); dependencyProbes.add(new DfsSafeModeProbe(new Configuration(conf), true)); } reportingLoop = new ReportingLoop(name, reporter, probes, dependencyProbes, probeInterval, reportInterval, probeTimeout, bootstrapTimeout); if (!reportingLoop.startReporting()) { throw new ExitMainException(name + ": failed to start monitoring with reporter " + reporter); } //start reporting, either in a background thread //or here, directly in the main thread reportingLoop.run(); }
From source file:org.apache.apex.engine.security.TokenRenewer.java
License:Apache License
private long renewTokens(final boolean refresh, boolean checkOnly) throws IOException { logger.info("{}", checkOnly ? "Checking renewal" : (refresh ? "Refreshing tokens" : "Renewing tokens")); long expiryTime = System.currentTimeMillis() + (refresh ? tokenLifeTime : tokenRenewalInterval); final String tokenRenewer = UserGroupInformation.getCurrentUser().getUserName(); logger.debug("Token renewer {}", tokenRenewer); File keyTabFile = null;/* w w w. j a v a 2 s . co m*/ try (FileSystem fs = FileSystem.newInstance(conf)) { String destinationDir = FileUtils.getTempDirectoryPath(); keyTabFile = FSUtil.copyToLocalFileSystem(fs, destinationDir, destinationFile, hdfsKeyTabFile, conf); if (principal == null) { //principal = UserGroupInformation.getCurrentUser().getUserName(); principal = UserGroupInformation.getLoginUser().getUserName(); } logger.debug("Principal {}", principal); UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keyTabFile.getAbsolutePath()); if (!checkOnly) { try { UserGroupInformation currUGI = UserGroupInformation.createProxyUser(tokenRenewer, ugi); currUGI.doAs(new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception { if (refresh) { Credentials creds = new Credentials(); try (FileSystem fs1 = FileSystem.newInstance(conf)) { logger.info("Refreshing fs tokens"); fs1.addDelegationTokens(tokenRenewer, creds); logger.info("Refreshed tokens"); } if (renewRMToken) { try (YarnClient yarnClient = StramClientUtils.createYarnClient(conf)) { logger.info("Refreshing rm tokens"); new StramClientUtils.ClientRMHelper(yarnClient, conf) .addRMDelegationToken(tokenRenewer, creds); logger.info("Refreshed tokens"); } } credentials.addAll(creds); } else { Collection<Token<? extends TokenIdentifier>> tokens = credentials.getAllTokens(); for (Token<? extends TokenIdentifier> token : tokens) { logger.debug("Token {}", token); if (token.getKind().equals(HDFS_TOKEN_KIND) || (renewRMToken && token.getKind().equals(RMDelegationTokenIdentifier.KIND_NAME))) { logger.info("Renewing token {}", token.getKind()); token.renew(conf); logger.info("Renewed token"); } } } return null; } }); UserGroupInformation.getCurrentUser().addCredentials(credentials); } catch (InterruptedException e) { logger.error("Error while renewing tokens ", e); expiryTime = System.currentTimeMillis(); } catch (IOException e) { logger.error("Error while renewing tokens ", e); expiryTime = System.currentTimeMillis(); } } if (logger.isDebugEnabled()) { logger.debug("number of tokens: {}", credentials.getAllTokens().size()); Iterator<Token<?>> iter = credentials.getAllTokens().iterator(); while (iter.hasNext()) { Token<?> token = iter.next(); logger.debug("updated token: {}", token); } } } finally { if (keyTabFile != null) { keyTabFile.delete(); } } return expiryTime; }
From source file:org.apache.apex.malhar.contrib.hbase.HBaseStore.java
License:Apache License
@Override public void connect() throws IOException { if ((principal != null) && (keytabPath != null)) { String lprincipal = evaluateProperty(principal); String lkeytabPath = evaluateProperty(keytabPath); UserGroupInformation.loginUserFromKeytab(lprincipal, lkeytabPath); doRelogin = true;/* ww w . j av a 2s . c om*/ loginRenewer = new Thread(new Runnable() { @Override public void run() { logger.debug("Renewer starting"); try { while (doRelogin) { Thread.sleep(reloginCheckInterval); try { UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab(); } catch (IOException e) { logger.error("Error trying to relogin from keytab", e); } } } catch (InterruptedException e) { if (doRelogin) { logger.warn("Renewer interrupted... stopping"); } } logger.debug("Renewer ending"); } }); loginRenewer.start(); } configuration = HBaseConfiguration.create(); // The default configuration is loaded from resources in classpath, the following parameters can be optionally set // to override defaults if (zookeeperQuorum != null) { configuration.set("hbase.zookeeper.quorum", zookeeperQuorum); } if (zookeeperClientPort != 0) { configuration.set("hbase.zookeeper.property.clientPort", "" + zookeeperClientPort); } // Connect to default table if specified if (tableName != null) { table = connectTable(tableName); } CacheLoader<String, HTable> cacheLoader = new CacheLoader<String, HTable>() { @Override public HTable load(String key) throws Exception { return loadTable(key); } }; RemovalListener<String, HTable> removalListener = new RemovalListener<String, HTable>() { @Override public void onRemoval(RemovalNotification<String, HTable> notification) { unloadTable(notification.getValue()); } }; int maxCacheSize = (tableName == null) ? maxOpenTables : (maxOpenTables - 1); tableCache = CacheBuilder.<String, HTable>newBuilder().maximumSize(maxCacheSize) .removalListener(removalListener).build(cacheLoader); }
From source file:org.apache.apex.malhar.contrib.hbase.HBaseStore.java
License:Apache License
private String evaluateProperty(String property) throws IOException { if (property.contains(USER_NAME_SPECIFIER)) { property = property.replaceAll(USER_NAME_SPECIFIER, UserGroupInformation.getLoginUser().getShortUserName()); }/*from w w w. j a v a 2s . c o m*/ return property; }