List of usage examples for org.apache.hadoop.security UserGroupInformation isLoginKeytabBased
@InterfaceAudience.Public @InterfaceStability.Evolving public static boolean isLoginKeytabBased() throws IOException
From source file:com.blackberry.bdp.kaboom.Authenticator.java
License:Apache License
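/**
 * Establishes the identity used for Hadoop access: performs (or reuses) the Kerberos login when
 * Hadoop security is enabled and, when {@code proxyUserName} is non-empty, builds an impersonating
 * UGI for it that is cached in {@code proxyUserMap}.
 *
 * @param proxyUserName user to impersonate; an empty string means "no impersonation"
 * @return {@code true} when the login (and optional proxy setup) succeeded, {@code false} when any
 *         step failed and was logged; never throws on I/O failures
 */
private boolean authenticate(String proxyUserName) {
    // logic for kerberos login
    boolean useSecurity = UserGroupInformation.isSecurityEnabled();
    LOG.info("Hadoop Security enabled: " + useSecurity);

    if (useSecurity) {
        // Both settings are mandatory in secure mode; fail fast with a clear message.
        if (kerbConfPrincipal.isEmpty()) {
            LOG.error("Hadoop running in secure mode, but Flume config doesn't "
                    + "specify a principal to use for Kerberos auth.");
            return false;
        }
        if (kerbKeytab.isEmpty()) {
            LOG.error("Hadoop running in secure mode, but Flume config doesn't "
                    + "specify a keytab to use for Kerberos auth.");
            return false;
        }

        String principal;
        try {
            // resolves _HOST pattern using standard Hadoop search/replace
            // via DNS lookup when 2nd argument is empty
            principal = SecurityUtil.getServerPrincipal(kerbConfPrincipal, "");
        } catch (IOException e) {
            LOG.error("Host lookup error resolving kerberos principal ("
                    + kerbConfPrincipal + "). Exception follows.", e);
            return false;
        }
        Preconditions.checkNotNull(principal, "Principal must not be null");

        KerberosUser prevUser = staticLogin.get();
        KerberosUser newUser = new KerberosUser(principal, kerbKeytab);

        // be cruel and unusual when user tries to login as multiple principals
        // this isn't really valid with a reconfigure but this should be rare
        // enough to warrant a restart of the agent JVM
        // TODO: find a way to interrogate the entire current config state,
        // since we don't have to be unnecessarily protective if they switch all
        // HDFS sinks to use a different principal all at once.
        Preconditions.checkState(prevUser == null || prevUser.equals(newUser),
                "Cannot use multiple kerberos principals in the same agent. "
                        + " Must restart agent to use new principal or keytab. "
                        + "Previous = %s, New = %s", prevUser, newUser);

        // attempt to use cached credential if the user is the same
        // this is polite and should avoid flooding the KDC with auth requests
        UserGroupInformation curUser = null;
        if (prevUser != null && prevUser.equals(newUser)) {
            try {
                LOG.info("Attempting login as {} with cached credentials", prevUser.getPrincipal());
                curUser = UserGroupInformation.getLoginUser();
            } catch (IOException e) {
                LOG.warn("User unexpectedly had no active login. Continuing with "
                        + "authentication", e);
            }
        }

        if (curUser == null || !curUser.getUserName().equals(principal)) {
            try {
                // static login
                curUser = kerberosLogin(this, principal, kerbKeytab);
                LOG.info("Current user obtained from Kerberos login {}", curUser.getUserName());
            } catch (IOException e) {
                LOG.error("Authentication or file read error while attempting to "
                        + "login as kerberos principal (" + principal + ") using "
                        + "keytab (" + kerbKeytab + "). Exception follows.", e);
                return false;
            }
        } else {
            LOG.debug("{}: Using existing principal login: {}", this, curUser);
        }

        try {
            UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
            if (!loginUser.isFromKeytab()) {
                // Diagnostic dump: the login user is not keytab-backed, which means the
                // credentials will not be refreshable from the keytab when the TGT expires.
                LOG.warn("Using a keytab for authentication is {}", loginUser.isFromKeytab());
                LOG.warn("curUser.isFromKeytab(): {}", curUser.isFromKeytab());
                // isLoginKeytabBased() is static; calling it through getCurrentUser() logged the
                // same value twice, so it is reported once here.
                LOG.warn("UserGroupInformation.isLoginKeytabBased(): {}",
                        UserGroupInformation.isLoginKeytabBased());
                LOG.warn("curUser.getAuthenticationMethod(): {}", curUser.getAuthenticationMethod());
            }
        } catch (IOException e) {
            // Every other failure in this method is reported as false rather than by
            // terminating the JVM; keep this path consistent with them.
            LOG.error("Failed to get login user.", e);
            return false;
        }

        // we supposedly got through this unscathed... so store the static user
        staticLogin.set(newUser);
    }

    // hadoop impersonation works with or without kerberos security
    UserGroupInformation proxyTicket = null;
    if (!proxyUserName.isEmpty()) {
        try {
            proxyTicket = UserGroupInformation.createProxyUser(proxyUserName,
                    UserGroupInformation.getLoginUser());
        } catch (IOException e) {
            LOG.error("Unable to login as proxy user. Exception follows.", e);
            return false;
        }
    }

    UserGroupInformation ugi = null;
    if (proxyTicket != null) {
        ugi = proxyTicket;
    } else if (useSecurity) {
        try {
            ugi = UserGroupInformation.getLoginUser();
        } catch (IOException e) {
            LOG.error("Unexpected error: Unable to get authenticated user after "
                    + "apparent successful login! Exception follows.", e);
            return false;
        }
    }

    // Nothing to record: insecure cluster and no proxy user requested.
    if (ugi == null) {
        return true;
    }

    // dump login information
    AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
    LOG.info("Auth method: {}", authMethod);
    LOG.info(" User name: {}", ugi.getUserName());
    LOG.info(" Using keytab: {}", ugi.isFromKeytab());
    if (authMethod == AuthenticationMethod.PROXY) {
        UserGroupInformation superUser;
        try {
            superUser = UserGroupInformation.getLoginUser();
            LOG.info(" Superuser auth: {}", superUser.getAuthenticationMethod());
            LOG.info(" Superuser name: {}", superUser.getUserName());
            LOG.info(" Superuser using keytab: {}", superUser.isFromKeytab());
        } catch (IOException e) {
            LOG.error("Unexpected error: unknown superuser impersonating proxy.", e);
            return false;
        }
    }
    LOG.info("Logged in as user {}", ugi.getUserName());

    UGIState state = new UGIState();
    // NOTE(review): on the secure, no-proxy path proxyTicket is null here, so a state with a
    // null ugi is stored under the empty proxyUserName key. Storing ugi instead may be what
    // was intended — confirm against the readers of proxyUserMap before changing it.
    state.ugi = proxyTicket;
    state.lastAuthenticated = System.currentTimeMillis();
    proxyUserMap.put(proxyUserName, state);
    return true;
}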
From source file:com.github.sakserv.minicluster.impl.KdcLocalClusterHBaseIntegrationTest.java
License:Apache License
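/**
 * Logs in from the keytab, writes one row into a freshly created {@code test-kdc} table, then
 * logs out and verifies that an unauthenticated client is rejected by the secured cluster.
 *
 * @throws Exception on any unexpected failure of the cluster or the HBase client
 */
@Test
public void testHBase() throws Exception {
    UserGroupInformation.loginUserFromKeytab(kdcLocalCluster.getKrbPrincipalWithRealm("hbase"),
            kdcLocalCluster.getKeytabForPrincipal("hbase"));
    assertTrue(UserGroupInformation.isSecurityEnabled());
    assertTrue(UserGroupInformation.isLoginKeytabBased());

    Configuration configuration = hbaseLocalCluster.getHbaseConfiguration();
    // Fail fast: a single retry keeps the negative test below short.
    configuration.set("hbase.client.retries.number", "1");
    configuration.set("hbase.client.pause", "1000");
    configuration.set("zookeeper.recovery.retry", "1");

    // Write data. Admin is Closeable, so it is managed by the same try-with-resources.
    try (Connection connection = ConnectionFactory.createConnection(configuration);
            Admin admin = connection.getAdmin()) {
        TableName tableName = TableName.valueOf("test-kdc");
        if (admin.tableExists(tableName)) {
            admin.disableTable(tableName);
            admin.deleteTable(tableName);
        }
        admin.createTable(new HTableDescriptor(tableName).addFamily(new HColumnDescriptor("cf")));
        try (BufferedMutator mutator = connection.getBufferedMutator(tableName)) {
            mutator.mutate(new Put(Bytes.toBytes("key")).addColumn(Bytes.toBytes("cf"),
                    Bytes.toBytes("col1"), Bytes.toBytes("azerty")));
        }
    }

    // Log out
    LOG.info("Logout...");
    UserGroupInformation.getLoginUser().logoutUserFromKeytab();
    UserGroupInformation.reset();

    try {
        Configuration unauthenticatedConfiguration = HBaseConfiguration.create();
        hbaseLocalCluster.configure(unauthenticatedConfiguration);
        unauthenticatedConfiguration.set("hbase.client.retries.number", "1");
        unauthenticatedConfiguration.set("hbase.client.pause", "1000");
        unauthenticatedConfiguration.set("zookeeper.recovery.retry", "1");
        UserGroupInformation.setConfiguration(unauthenticatedConfiguration);
        try (Connection connection = ConnectionFactory.createConnection(unauthenticatedConfiguration);
                Admin admin = connection.getAdmin()) {
            TableName tableName = TableName.valueOf("test-kdc2");
            if (admin.tableExists(tableName)) {
                admin.disableTable(tableName);
                admin.deleteTable(tableName);
            }
            try (BufferedMutator mutator = connection.getBufferedMutator(tableName)) {
                mutator.mutate(new Put(Bytes.toBytes("key")).addColumn(Bytes.toBytes("cf"),
                        Bytes.toBytes("col1"), Bytes.toBytes("azerty")));
            }
        }
        // Reaching this point means the unauthenticated client was accepted.
        fail();
    } catch (RetriesExhaustedException e) {
        LOG.info("Alright, this is expected!", e);
        assertTrue(e.getCause() instanceof IOException);
        LOG.info("Not authenticated!");
    }
}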
From source file:com.github.sakserv.minicluster.impl.KdcLocalClusterHdfsIntegrationTest.java
License:Apache License
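/**
 * Logs in from the keytab, round-trips the test string through an HDFS file, then logs out and
 * verifies that reading the file without credentials is denied.
 *
 * @throws Exception on any unexpected failure of the cluster or the HDFS client
 */
@Test
public void testHdfs() throws Exception {
    FileSystem hdfsFsHandle = hdfsLocalCluster.getHdfsFileSystemHandle();
    UserGroupInformation.loginUserFromKeytab(kdcLocalCluster.getKrbPrincipalWithRealm("hdfs"),
            kdcLocalCluster.getKeytabForPrincipal("hdfs"));
    assertTrue(UserGroupInformation.isSecurityEnabled());
    assertTrue(UserGroupInformation.isLoginKeytabBased());

    Path testFile = new Path(propertyParser.getProperty(ConfigVars.HDFS_TEST_FILE_KEY));
    String testString = propertyParser.getProperty(ConfigVars.HDFS_TEST_STRING_KEY);

    // Write a file to HDFS containing the test string; the stream is closed even if writeUTF fails.
    try (FSDataOutputStream writer = hdfsFsHandle.create(testFile)) {
        writer.writeUTF(testString);
    }

    // Read the file and compare to test string (expected first, then actual).
    try (FSDataInputStream reader = hdfsFsHandle.open(testFile)) {
        assertEquals(testString, reader.readUTF());
    }

    // Log out
    UserGroupInformation.getLoginUser().logoutUserFromKeytab();
    UserGroupInformation.reset();

    try {
        Configuration conf = new Configuration();
        UserGroupInformation.setConfiguration(conf);
        FileSystem.get(hdfsFsHandle.getUri(), conf).open(testFile);
        // Reaching this point means the unauthenticated read was allowed.
        fail();
    } catch (AccessControlException e) {
        LOG.info("Not authenticated!");
    }
}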
From source file:com.linkedin.drelephant.security.HadoopSecurity.java
License:Apache License
/**
 * Ensures a usable Kerberos login: performs the initial keytab login on the first call and
 * refreshes the TGT from the keytab on every later call.
 *
 * @throws IOException if the keytab login or the re-login fails
 */
public void checkLogin() throws IOException {
    if (_loginUser != null) {
        // Already logged in once; only renew the ticket if it is due.
        _loginUser.checkTGTAndReloginFromKeytab();
        return;
    }
    logger.info("No login user. Creating login user");
    logger.info("Logging with " + _keytabUser + " and " + _keytabLocation);
    UserGroupInformation.loginUserFromKeytab(_keytabUser, _keytabLocation);
    _loginUser = UserGroupInformation.getLoginUser();
    logger.info("Logged in with user " + _loginUser);
    String loginKind = UserGroupInformation.isLoginKeytabBased()
            ? "Login is keytab based"
            : "Login is not keytab based";
    logger.info(loginKind);
}
From source file:org.apache.accumulo.core.rpc.ThriftUtil.java
License:Apache License
/**
 * Refreshes the client's Kerberos credentials, in the spirit of HBase's client-side re-login
 * handling. A server is often a client too (e.g. the master sending RPCs to a tserver), so this
 * runs on both sides, but it must respect Kerberos' replay-attack protection.
 * <p>
 * When several clients holding the same principal connect to one server at the same moment the
 * server treats it as a replay attack; the accepted workaround is a random client-side back-off
 * before trying again. Ticket expiry is the other failure mode, which the re-login itself covers.
 */
static void attemptClientReLogin() {
    try {
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        if (loginUser == null || !loginUser.hasKerberosCredentials()) {
            // Callers are expected to have verified the login already; treat this as a
            // precondition failure.
            throw new RuntimeException("Expected to find Kerberos UGI credentials, but did not");
        }

        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        // A proxy user is only the "effective" identity; the Krb credentials belong to its real user.
        UserGroupInformation realUser = currentUser.getRealUser();

        // Only the login user itself, or a superuser proxying through it, is re-logged.
        boolean isLoginOrSuperUser = loginUser.equals(currentUser) || loginUser.equals(realUser);
        if (!isLoginOrSuperUser) {
            log.debug("Not attempting Kerberos re-login: loginUser={}, currentUser={}, realUser={}",
                    loginUser, currentUser, realUser);
            return;
        }

        if (UserGroupInformation.isLoginKeytabBased()) {
            log.info("Performing keytab-based Kerberos re-login");
            loginUser.reloginFromKeytab();
        } else {
            log.info("Performing ticket-cache-based Kerberos re-login");
            loginUser.reloginFromTicketCache();
        }

        // Random back-off of 1..RELOGIN_MAX_BACKOFF ms so simultaneous clients do not trip the
        // server's replay protection.
        long backoffMillis = SASL_BACKOFF_RAND.nextInt(RELOGIN_MAX_BACKOFF) + 1;
        try {
            Thread.sleep(backoffMillis);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    } catch (IOException e) {
        // Not being able to check is serious enough to surface as an unchecked exception.
        log.warn("Failed to check (and/or perform) Kerberos client re-login", e);
        throw new RuntimeException(e);
    }
}
From source file:org.apache.atlas.web.listeners.LoginProcessorIT.java
License:Apache License
/**
 * With an empty application configuration the processor must fall back to a simple
 * (non-Kerberos) login: a current user exists, but neither a keytab login nor Hadoop security
 * is in effect afterwards.
 *
 * @throws Exception on any unexpected failure while logging in
 */
@Test
public void testDefaultSimpleLogin() throws Exception {
    LoginProcessor simpleLoginProcessor = new LoginProcessor() {
        @Override
        protected org.apache.commons.configuration.Configuration getApplicationConfiguration() {
            // No properties at all: forces the default authentication path.
            return new PropertiesConfiguration();
        }
    };
    simpleLoginProcessor.login();

    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    Assert.assertNotNull(currentUser);
    Assert.assertFalse(UserGroupInformation.isLoginKeytabBased());
    Assert.assertFalse(UserGroupInformation.isSecurityEnabled());
}
From source file:org.apache.atlas.web.listeners.LoginProcessorIT.java
License:Apache License
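/**
 * Starts a KDC, logs in through the processor with a Kerberos configuration and verifies that the
 * resulting login is keytab-based and secure. The KDC is stopped in a {@code finally} so a failing
 * assertion cannot leave it running for later tests.
 *
 * @throws Exception on any unexpected failure of the KDC setup or the login
 */
@Test
public void testKerberosLogin() throws Exception {
    final File keytab = setupKDCAndPrincipals();
    try {
        LoginProcessor processor = new LoginProcessor() {
            @Override
            protected org.apache.commons.configuration.Configuration getApplicationConfiguration() {
                PropertiesConfiguration config = new PropertiesConfiguration();
                config.setProperty("atlas.authentication.method", "kerberos");
                config.setProperty("atlas.authentication.principal", "dgi@EXAMPLE.COM");
                config.setProperty("atlas.authentication.keytab", keytab.getAbsolutePath());
                return config;
            }

            @Override
            protected Configuration getHadoopConfiguration() {
                // loadDefaults=false: only the settings below apply, not the classpath defaults.
                Configuration config = new Configuration(false);
                config.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
                config.setBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, true);
                config.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL, kerberosRule);
                return config;
            }

            @Override
            protected boolean isHadoopCluster() {
                return true;
            }
        };
        processor.login();

        Assert.assertTrue(UserGroupInformation.getLoginUser().getShortUserName().endsWith("dgi"));
        Assert.assertNotNull(UserGroupInformation.getCurrentUser());
        Assert.assertTrue(UserGroupInformation.isLoginKeytabBased());
        Assert.assertTrue(UserGroupInformation.isSecurityEnabled());
    } finally {
        // Always release the KDC, even when an assertion above fails.
        kdc.stop();
    }
}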
From source file:org.apache.druid.security.kerberos.DruidKerberosUtil.java
License:Apache License
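/**
 * Logs the internal client in from its keytab on the first call and refreshes its Kerberos
 * credentials on later calls. Does nothing when either the principal or the keytab is missing.
 *
 * @param internalClientPrincipal Kerberos principal of the internal client; may be null or empty
 * @param internalClientKeytab path to that principal's keytab; may be null or empty
 * @throws ISE if the login or the re-login fails
 */
public static void authenticateIfRequired(String internalClientPrincipal, String internalClientKeytab) {
    if (Strings.isNullOrEmpty(internalClientPrincipal) || Strings.isNullOrEmpty(internalClientKeytab)) {
        return;
    }

    Configuration conf = new Configuration();
    conf.setClassLoader(DruidKerberosModule.class.getClassLoader());
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    UserGroupInformation.setConfiguration(conf);

    try {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        // Initial login: no Kerberos credentials yet, or currently logged in as someone else.
        if (!currentUser.hasKerberosCredentials()
                || !currentUser.getUserName().equals(internalClientPrincipal)) {
            log.info("trying to authenticate user [%s] with keytab [%s]",
                    internalClientPrincipal, internalClientKeytab);
            UserGroupInformation.loginUserFromKeytab(internalClientPrincipal, internalClientKeytab);
            return;
        }

        // Already logged in: re-login in case the TGT expired.
        if (UserGroupInformation.isLoginKeytabBased()) {
            log.info("Re-Login from key tab [%s] with principal [%s]",
                    internalClientKeytab, internalClientPrincipal);
            UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
        } else if (UserGroupInformation.isLoginTicketBased()) {
            log.info("Re-Login from Ticket cache");
            UserGroupInformation.getLoginUser().reloginFromTicketCache();
        }
    } catch (IOException e) {
        throw new ISE(e, "Failed to authenticate user principal [%s] with keytab [%s]",
                internalClientPrincipal, internalClientKeytab);
    }
}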
From source file:org.apache.hive.minikdc.TestMiniHiveKdc.java
License:Apache License
/**
 * Logging in as the Hive service principal must produce a keytab-based login whose short user
 * name equals the configured service principal.
 *
 * @throws Exception on any unexpected failure of the mini KDC or the login
 */
@Test
public void testLogin() throws Exception {
    final String hiveServicePrincipal = miniHiveKdc.getHiveServicePrincipal();
    assertNotNull(hiveServicePrincipal);

    miniHiveKdc.loginUser(hiveServicePrincipal);
    assertTrue(UserGroupInformation.isLoginKeytabBased());

    final String shortUserName = Utils.getUGI().getShortUserName();
    assertEquals(MiniHiveKdc.HIVE_SERVICE_PRINCIPAL, shortUserName);
}
From source file:org.apache.hoya.tools.HoyaUtils.java
License:Apache License
/**
 * Forces an early re-login so that authentication problems surface here rather than during a
 * later RPC operation. Does nothing when Hadoop security is disabled.
 *
 * @throws IOException if the re-login fails
 */
public static void forceLogin() throws IOException {
    if (!UserGroupInformation.isSecurityEnabled()) {
        return;
    }
    // Decide the refresh strategy first, then fetch the login user — same order as before.
    boolean keytabLogin = UserGroupInformation.isLoginKeytabBased();
    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    if (keytabLogin) {
        loginUser.reloginFromKeytab();
    } else {
        loginUser.reloginFromTicketCache();
    }
}