List of usage examples for org.apache.hadoop.security UserGroupInformation getUserName
@InterfaceAudience.Public
@InterfaceStability.Evolving
public String getUserName()
From source file:azkaban.jobtype.HadoopJavaJobRunnerMain.java
License:Apache License
public HadoopJavaJobRunnerMain() throws Exception { Runtime.getRuntime().addShutdownHook(new Thread() { @Override/*from ww w .j a v a 2 s . c om*/ public void run() { cancelJob(); } }); try { _jobName = System.getenv(ProcessJob.JOB_NAME_ENV); String propsFile = System.getenv(ProcessJob.JOB_PROP_ENV); _logger = Logger.getRootLogger(); _logger.removeAllAppenders(); ConsoleAppender appender = new ConsoleAppender(DEFAULT_LAYOUT); appender.activateOptions(); _logger.addAppender(appender); _logger.setLevel(Level.INFO); //Explicitly setting level to INFO Properties props = new Properties(); props.load(new BufferedReader(new FileReader(propsFile))); HadoopConfigurationInjector.injectResources(new Props(null, props)); final Configuration conf = new Configuration(); UserGroupInformation.setConfiguration(conf); securityEnabled = UserGroupInformation.isSecurityEnabled(); _logger.info("Running job " + _jobName); String className = props.getProperty(JOB_CLASS); if (className == null) { throw new Exception("Class name is not set."); } _logger.info("Class name " + className); UserGroupInformation loginUser = null; UserGroupInformation proxyUser = null; if (shouldProxy(props)) { String userToProxy = props.getProperty("user.to.proxy"); if (securityEnabled) { String filelocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION); _logger.info("Found token file " + filelocation); _logger.info("Security enabled is " + UserGroupInformation.isSecurityEnabled()); _logger.info("Setting mapreduce.job.credentials.binary to " + filelocation); System.setProperty("mapreduce.job.credentials.binary", filelocation); _logger.info("Proxying enabled."); loginUser = UserGroupInformation.getLoginUser(); _logger.info("Current logged in user is " + loginUser.getUserName()); proxyUser = UserGroupInformation.createProxyUser(userToProxy, loginUser); for (Token<?> token : loginUser.getTokens()) { proxyUser.addToken(token); } } else { proxyUser = UserGroupInformation.createRemoteUser(userToProxy); } _logger.info("Proxied as user " + userToProxy); } // Create the object using proxy if (shouldProxy(props)) { _javaObject = getObjectAsProxyUser(props, _logger, _jobName, className, proxyUser); } else { _javaObject = getObject(_jobName, className, props, _logger); } if (_javaObject == null) { _logger.info("Could not create java object to run job: " + className); throw new Exception("Could not create running object"); } _logger.info("Got object " + _javaObject.toString()); _cancelMethod = props.getProperty(CANCEL_METHOD_PARAM, DEFAULT_CANCEL_METHOD); final String runMethod = props.getProperty(RUN_METHOD_PARAM, DEFAULT_RUN_METHOD); _logger.info("Invoking method " + runMethod); if (shouldProxy(props)) { _logger.info("Proxying enabled."); runMethodAsUser(props, _javaObject, runMethod, proxyUser); } else { _logger.info("Proxy check failed, not proxying run."); runMethod(_javaObject, runMethod); } _isFinished = true; // Get the generated properties and store them to disk, to be read // by ProcessJob. try { final Method generatedPropertiesMethod = _javaObject.getClass() .getMethod(GET_GENERATED_PROPERTIES_METHOD, new Class<?>[] {}); Object outputGendProps = generatedPropertiesMethod.invoke(_javaObject, new Object[] {}); if (outputGendProps != null) { final Method toPropertiesMethod = outputGendProps.getClass().getMethod("toProperties", new Class<?>[] {}); Properties properties = (Properties) toPropertiesMethod.invoke(outputGendProps, new Object[] {}); Props outputProps = new Props(null, properties); outputGeneratedProperties(outputProps); } else { _logger.info(GET_GENERATED_PROPERTIES_METHOD + " method returned null. No properties to pass along"); } } catch (NoSuchMethodException e) { _logger.info(String.format( "Apparently there isn't a method[%s] on object[%s], using " + "empty Props object instead.", GET_GENERATED_PROPERTIES_METHOD, _javaObject)); outputGeneratedProperties(new Props()); } } catch (Exception e) { _isFinished = true; throw e; } }
From source file:azkaban.jobtype.HadoopSecureWrapperUtils.java
License:Apache License
/** * Perform all the magic required to get the proxyUser in a securitized grid * //from w w w. j a v a2 s. c o m * @param userToProxy * @return a UserGroupInformation object for the specified userToProxy, which will also contain * the logged in user's tokens * @throws IOException */ private static UserGroupInformation createSecurityEnabledProxyUser(String userToProxy, String filelocation, Logger log) throws IOException { if (!new File(filelocation).exists()) { throw new RuntimeException("hadoop token file doesn't exist."); } log.info("Found token file. Setting " + HadoopSecurityManager.MAPREDUCE_JOB_CREDENTIALS_BINARY + " to " + filelocation); System.setProperty(HadoopSecurityManager.MAPREDUCE_JOB_CREDENTIALS_BINARY, filelocation); UserGroupInformation loginUser = null; loginUser = UserGroupInformation.getLoginUser(); log.info("Current logged in user is " + loginUser.getUserName()); UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(userToProxy, loginUser); for (Token<?> token : loginUser.getTokens()) { proxyUser.addToken(token); } return proxyUser; }
From source file:azkaban.security.commons.SecurityUtils.java
License:Apache License
/** * Create a proxied user, taking all parameters, including which user to proxy * from provided Properties./*from w w w. j a v a 2s . com*/ */ public static UserGroupInformation getProxiedUser(Properties prop, Logger log, Configuration conf) throws IOException { String toProxy = verifySecureProperty(prop, TO_PROXY, log); UserGroupInformation user = getProxiedUser(toProxy, prop, log, conf); if (user == null) throw new IOException("Proxy as any user in unsecured grid is not supported!" + prop.toString()); log.info("created proxy user for " + user.getUserName() + user.toString()); return user; }
From source file:co.cask.cdap.data2.datafabric.dataset.service.executor.DatasetAdminService.java
License:Apache License
private static UserGroupInformation getUgiForDataset(Impersonator impersonator, DatasetId datasetInstanceId) throws IOException, NamespaceNotFoundException { // for system dataset do not look up owner information in store as we know that it will be null. // Also, this is required for CDAP to start, because initially we don't want to look up owner admin // (causing its own lookup) as the SystemDatasetInitiator.getDataset is called when CDAP starts UserGroupInformation ugi; if (NamespaceId.SYSTEM.equals(datasetInstanceId.getParent())) { ugi = UserGroupInformation.getCurrentUser(); } else {/* www . j a v a 2 s . com*/ ugi = impersonator.getUGI(datasetInstanceId); } LOG.debug("Using {} user for dataset {}", ugi.getUserName(), datasetInstanceId); return ugi; }
From source file:co.cask.cdap.gateway.handlers.ImpersonationHandler.java
License:Apache License
@POST @Path("/credentials") public void getCredentials(HttpRequest request, HttpResponder responder) throws Exception { String requestContent = request.getContent().toString(Charsets.UTF_8); if (requestContent == null) { throw new BadRequestException("Request body is empty."); }//ww w. j a va 2 s . co m ImpersonationInfo impersonationInfo = GSON.fromJson(requestContent, ImpersonationInfo.class); LOG.info("Credentials for {}", impersonationInfo); UserGroupInformation ugi = ugiProvider.getConfiguredUGI(impersonationInfo); Credentials credentials = ImpersonationUtils.doAs(ugi, new Callable<Credentials>() { @Override public Credentials call() throws Exception { SecureStore update = tokenSecureStoreUpdater.update(); return update.getStore(); } }); // example: hdfs:///cdap/credentials Location credentialsDir = locationFactory.create("credentials"); if (credentialsDir.isDirectory() || credentialsDir.mkdirs() || credentialsDir.isDirectory()) { // the getTempFile() doesn't create the file within the directory that you call it on. It simply appends the path // without a separator, which is why we manually append the "tmp" // example: hdfs:///cdap/credentials/tmp.5960fe60-6fd8-4f3e-8e92-3fb6d4726006.credentials Location credentialsFile = credentialsDir.append("tmp").getTempFile(".credentials"); // 600 is owner-only READ_WRITE try (DataOutputStream os = new DataOutputStream( new BufferedOutputStream(credentialsFile.getOutputStream("600")))) { credentials.writeTokenStorageToStream(os); } LOG.debug("Wrote credentials for user {} to {}", ugi.getUserName(), credentialsFile); responder.sendString(HttpResponseStatus.OK, credentialsFile.toURI().toString()); } else { throw new IllegalStateException("Unable to create credentails directory."); } }
From source file:co.cask.cdap.security.impersonation.ImpersonationUtils.java
License:Apache License
/** * Helper function, to unwrap any exceptions that were wrapped * by {@link UserGroupInformation#doAs(PrivilegedExceptionAction)} *///from www. j a va 2 s .c om public static <T> T doAs(UserGroupInformation ugi, final Callable<T> callable) throws Exception { try { return ugi.doAs(new PrivilegedExceptionAction<T>() { @Override public T run() throws Exception { return callable.call(); } }); } catch (UndeclaredThrowableException e) { // UserGroupInformation#doAs will wrap any checked exceptions, so unwrap and rethrow here Throwable wrappedException = e.getUndeclaredThrowable(); Throwables.propagateIfPossible(wrappedException); if (wrappedException instanceof Exception) { throw (Exception) wrappedException; } // since PrivilegedExceptionAction#run can only throw Exception (besides runtime exception), // this should never happen LOG.warn("Unexpected exception while executing callable as {}.", ugi.getUserName(), wrappedException); throw Throwables.propagate(wrappedException); } }
From source file:com.blackberry.bdp.kaboom.Authenticator.java
License:Apache License
private boolean authenticate(String proxyUserName) { UserGroupInformation proxyTicket;//from w w w. ja va 2s.c o m // logic for kerberos login boolean useSecurity = UserGroupInformation.isSecurityEnabled(); LOG.info("Hadoop Security enabled: " + useSecurity); if (useSecurity) { // sanity checking if (kerbConfPrincipal.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a principal to use for Kerberos auth."); return false; } if (kerbKeytab.isEmpty()) { LOG.error("Hadoop running in secure mode, but Flume config doesn't " + "specify a keytab to use for Kerberos auth."); return false; } String principal; try { // resolves _HOST pattern using standard Hadoop search/replace // via DNS lookup when 2nd argument is empty principal = SecurityUtil.getServerPrincipal(kerbConfPrincipal, ""); } catch (IOException e) { LOG.error("Host lookup error resolving kerberos principal (" + kerbConfPrincipal + "). Exception follows.", e); return false; } Preconditions.checkNotNull(principal, "Principal must not be null"); KerberosUser prevUser = staticLogin.get(); KerberosUser newUser = new KerberosUser(principal, kerbKeytab); // be cruel and unusual when user tries to login as multiple principals // this isn't really valid with a reconfigure but this should be rare // enough to warrant a restart of the agent JVM // TODO: find a way to interrogate the entire current config state, // since we don't have to be unnecessarily protective if they switch all // HDFS sinks to use a different principal all at once. Preconditions.checkState(prevUser == null || prevUser.equals(newUser), "Cannot use multiple kerberos principals in the same agent. " + " Must restart agent to use new principal or keytab. " + "Previous = %s, New = %s", prevUser, newUser); // attempt to use cached credential if the user is the same // this is polite and should avoid flooding the KDC with auth requests UserGroupInformation curUser = null; if (prevUser != null && prevUser.equals(newUser)) { try { LOG.info("Attempting login as {} with cached credentials", prevUser.getPrincipal()); curUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { LOG.warn("User unexpectedly had no active login. Continuing with " + "authentication", e); } } if (curUser == null || !curUser.getUserName().equals(principal)) { try { // static login curUser = kerberosLogin(this, principal, kerbKeytab); LOG.info("Current user obtained from Kerberos login {}", curUser.getUserName()); } catch (IOException e) { LOG.error("Authentication or file read error while attempting to " + "login as kerberos principal (" + principal + ") using " + "keytab (" + kerbKeytab + "). Exception follows.", e); return false; } } else { LOG.debug("{}: Using existing principal login: {}", this, curUser); } try { if (UserGroupInformation.getLoginUser().isFromKeytab() == false) { LOG.warn("Using a keytab for authentication is {}", UserGroupInformation.getLoginUser().isFromKeytab()); LOG.warn("curUser.isFromKeytab(): {}", curUser.isFromKeytab()); LOG.warn("UserGroupInformation.getCurrentUser().isLoginKeytabBased(): {}", UserGroupInformation.getCurrentUser().isLoginKeytabBased()); LOG.warn("UserGroupInformation.isLoginKeytabBased(): {}", UserGroupInformation.isLoginKeytabBased()); LOG.warn("curUser.getAuthenticationMethod(): {}", curUser.getAuthenticationMethod()); //System.exit(1); } } catch (IOException e) { LOG.error("Failed to get login user.", e); System.exit(1); } // we supposedly got through this unscathed... so store the static user staticLogin.set(newUser); } // hadoop impersonation works with or without kerberos security proxyTicket = null; if (!proxyUserName.isEmpty()) { try { proxyTicket = UserGroupInformation.createProxyUser(proxyUserName, UserGroupInformation.getLoginUser()); } catch (IOException e) { LOG.error("Unable to login as proxy user. Exception follows.", e); return false; } } UserGroupInformation ugi = null; if (proxyTicket != null) { ugi = proxyTicket; } else if (useSecurity) { try { ugi = UserGroupInformation.getLoginUser(); } catch (IOException e) { LOG.error("Unexpected error: Unable to get authenticated user after " + "apparent successful login! Exception follows.", e); return false; } } if (ugi != null) { // dump login information AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); LOG.info("Auth method: {}", authMethod); LOG.info(" User name: {}", ugi.getUserName()); LOG.info(" Using keytab: {}", ugi.isFromKeytab()); if (authMethod == AuthenticationMethod.PROXY) { UserGroupInformation superUser; try { superUser = UserGroupInformation.getLoginUser(); LOG.info(" Superuser auth: {}", superUser.getAuthenticationMethod()); LOG.info(" Superuser name: {}", superUser.getUserName()); LOG.info(" Superuser using keytab: {}", superUser.isFromKeytab()); } catch (IOException e) { LOG.error("Unexpected error: unknown superuser impersonating proxy.", e); return false; } } LOG.info("Logged in as user {}", ugi.getUserName()); UGIState state = new UGIState(); state.ugi = proxyTicket; state.lastAuthenticated = System.currentTimeMillis(); proxyUserMap.put(proxyUserName, state); return true; } return true; }
From source file:com.blackberry.bdp.kaboom.Authenticator.java
License:Apache License
/** * Static synchronized method for static Kerberos login. <br/> * Static synchronized due to a thundering herd problem when multiple Sinks * attempt to log in using the same principal at the same time with the * intention of impersonating different users (or even the same user). If this * is not controlled, MIT Kerberos v5 believes it is seeing a replay attach * and it returns: <blockquote>Request is a replay (34) - * PROCESS_TGS</blockquote> In addition, since the underlying Hadoop APIs we * are using for impersonation are static, we define this method as static as * well.// ww w . ja v a 2 s . c o m * * @param principal * Fully-qualified principal to use for authentication. * @param keytab * Location of keytab file containing credentials for principal. * @return Logged-in user * @throws IOException * if login fails. */ private synchronized UserGroupInformation kerberosLogin(Authenticator authenticator, String principal, String keytab) throws IOException { // if we are the 2nd user thru the lock, the login should already be // available statically if login was successful UserGroupInformation curUser = null; try { curUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { // not a big deal but this shouldn't typically happen because it will // generally fall back to the UNIX user LOG.debug("Unable to get login user before Kerberos auth attempt.", e); } // we already have logged in successfully if (curUser != null && curUser.getUserName().equals(principal)) { LOG.debug("{}: Using existing principal ({}): {}", new Object[] { authenticator, principal, curUser }); // no principal found } else { LOG.info("{}: Attempting kerberos login as principal ({}) from keytab " + "file ({})", new Object[] { authenticator, principal, keytab }); // attempt static kerberos login UserGroupInformation.loginUserFromKeytab(principal, keytab); curUser = UserGroupInformation.getLoginUser(); } return curUser; }
From source file:com.cloudera.flume.agent.FlumeNode.java
License:Apache License
/** * This should attempts to kerberos login via a keytab if security is enabled * in hadoop.//from ww w . j av a 2 s .c o m * * This should be able to support multiple hadoop clusters as long as the * particular principal is allowed on multiple clusters. * * To preserve compatibility with non security enhanced hdfs, we use * reflection on various UserGroupInformation and SecurityUtil related method * calls. */ @SuppressWarnings("unchecked") static void tryKerberosLogin() throws IOException { /* * UserGroupInformation is in hadoop 0.18 * UserGroupInformation.isSecurityEnabled() not in pre security API. * * boolean useSec = UserGroupInformation.isSecurityEnabled(); */ boolean useSec = false; try { Class<UserGroupInformation> c = UserGroupInformation.class; // static call, null this obj useSec = (Boolean) c.getMethod("isSecurityEnabled").invoke(null); } catch (Exception e) { LOG.warn("Flume is using Hadoop core " + org.apache.hadoop.util.VersionInfo.getVersion() + " which does not support Security / Authentication: " + e.getMessage()); return; } LOG.info("Hadoop Security enabled: " + useSec); if (!useSec) { return; } // At this point we know we are using a hadoop library that is kerberos // enabled. // attempt to load kerberos information for authenticated hdfs comms. String principal = FlumeConfiguration.get().getKerberosPrincipal(); String keytab = FlumeConfiguration.get().getKerberosKeytab(); LOG.info("Kerberos login as " + principal + " from " + keytab); try { /* * SecurityUtil not present pre hadoop 20.2 * * SecurityUtil.login not in pre-security Hadoop API * * // Keytab login does not need to auto refresh * * SecurityUtil.login(FlumeConfiguration.get(), * FlumeConfiguration.SECURITY_KERBEROS_KEYTAB, * FlumeConfiguration.SECURITY_KERBEROS_PRINCIPAL); */ Class c = Class.forName("org.apache.hadoop.security.SecurityUtil"); // get method login(Configuration, String, String); Method m = c.getMethod("login", Configuration.class, String.class, String.class); m.invoke(null, FlumeConfiguration.get(), FlumeConfiguration.SECURITY_KERBEROS_KEYTAB, FlumeConfiguration.SECURITY_KERBEROS_PRINCIPAL); } catch (Exception e) { LOG.error("Flume failed when attempting to authenticate with keytab " + FlumeConfiguration.get().getKerberosKeytab() + " and principal '" + FlumeConfiguration.get().getKerberosPrincipal() + "'", e); // e.getMessage() comes from hadoop is worthless return; } try { /* * getLoginUser, getAuthenticationMethod, and isLoginKeytabBased are not * in Hadoop 20.2, only kerberized enhanced version. * * getUserName is in all 0.18.3+ * * UserGroupInformation ugi = UserGroupInformation.getLoginUser(); * LOG.info("Auth method: " + ugi.getAuthenticationMethod()); * LOG.info(" User name: " + ugi.getUserName()); * LOG.info(" Using keytab: " + * UserGroupInformation.isLoginKeytabBased()); */ Class<UserGroupInformation> c2 = UserGroupInformation.class; // static call, null this obj UserGroupInformation ugi = (UserGroupInformation) c2.getMethod("getLoginUser").invoke(null); String authMethod = c2.getMethod("getAuthenticationMethod").invoke(ugi).toString(); boolean keytabBased = (Boolean) c2.getMethod("isLoginKeytabBased").invoke(ugi); LOG.info("Auth method: " + authMethod); LOG.info(" User name: " + ugi.getUserName()); LOG.info(" Using keytab: " + keytabBased); } catch (Exception e) { LOG.error("Flume was unable to dump kerberos login user" + " and authentication method", e); return; } }
From source file:com.cloudera.hoop.client.fs.HoopFileSystem.java
License:Open Source License
/** * Called after a new FileSystem instance is constructed. * * @param name a uri whose authority section names the host, port, etc. for this FileSystem * @param conf the configuration// ww w. ja v a 2 s. co m */ @Override public void initialize(URI name, Configuration conf) throws IOException { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); doAs = ugi.getUserName(); super.initialize(name, conf); try { uri = new URI(name.getScheme() + "://" + name.getHost() + ":" + name.getPort()); } catch (URISyntaxException ex) { throw new IOException(ex); } }