List of usage examples for org.apache.hadoop.security UserGroupInformation isSecurityEnabled
public static boolean isSecurityEnabled()
From source file:org.apache.ignite.yarn.IgniteYarnClient.java
License:Apache License
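/**
 * Submits the Ignite application master to YARN and polls until the application leaves the
 * NEW / NEW_SAVING / SUBMITTED / ACCEPTED states.
 *
 * @param args Path to the application master jar (mandatory) and path to a property file (optional).
 * @throws Exception If argument checking, the HDFS upload, token retrieval or the submission fails.
 */
public static void main(String[] args) throws Exception {
    checkArguments(args);

    // Set path to app master jar.
    String pathAppMasterJar = args[0];

    ClusterProperties props = ClusterProperties.from(args.length == 2 ? args[1] : null);

    YarnConfiguration conf = new YarnConfiguration();
    YarnClient yarnClient = YarnClient.createYarnClient();
    yarnClient.init(conf);
    yarnClient.start();

    // The client is a started service; stop it on every exit path, including failures below.
    try {
        // Create application via yarnClient
        YarnClientApplication app = yarnClient.createApplication();

        FileSystem fs = FileSystem.get(conf);

        // Load ignite and jar
        Path ignite = props.ignitePath() == null ? getIgnite(props, fs) : new Path(props.ignitePath());

        // Upload the jar file to HDFS.
        Path appJar = IgniteYarnUtils.copyLocalToHdfs(fs, pathAppMasterJar,
            props.igniteWorkDir() + File.separator + IgniteYarnUtils.JAR_NAME);

        // Set up the container launch context for the application master
        ContainerLaunchContext amContainer = Records.newRecord(ContainerLaunchContext.class);

        // NOTE(review): the launch command is one concatenated string and ignite.toUri() is
        // placed in it unquoted. The value derives from the property file, so that file has to
        // be treated as trusted input; presumably YARN runs this string through a shell - confirm.
        amContainer.setCommands(Collections.singletonList(
            Environment.JAVA_HOME.$() + "/bin/java -Xmx512m " + ApplicationMaster.class.getName()
                + IgniteYarnUtils.SPACE + ignite.toUri() + IgniteYarnUtils.YARN_LOG_OUT));

        // Setup jar for ApplicationMaster
        LocalResource appMasterJar = IgniteYarnUtils.setupFile(appJar, fs, LocalResourceType.FILE);

        amContainer.setLocalResources(Collections.singletonMap(IgniteYarnUtils.JAR_NAME, appMasterJar));

        // Setup CLASSPATH for ApplicationMaster
        Map<String, String> appMasterEnv = props.toEnvs();

        setupAppMasterEnv(appMasterEnv, conf);

        amContainer.setEnvironment(appMasterEnv);

        // Setup security tokens
        if (UserGroupInformation.isSecurityEnabled()) {
            Credentials creds = new Credentials();

            String tokRenewer = conf.get(YarnConfiguration.RM_PRINCIPAL);

            // Fail closed: without a renewer principal no delegation tokens are requested and
            // the submission is aborted rather than sent without credentials.
            if (tokRenewer == null || tokRenewer.isEmpty()) {
                throw new IOException("Master Kerberos principal for the RM is not set.");
            }

            log.info("Found RM principal: " + tokRenewer);

            final Token<?>[] tokens = fs.addDelegationTokens(tokRenewer, creds);

            // Only the tokens' string form is logged here; the serialized credentials buffer
            // handed to the container below must never be written to a log.
            if (tokens != null) {
                log.info("File system delegation tokens: " + Arrays.toString(tokens));
            }

            amContainer.setTokens(IgniteYarnUtils.createTokenBuffer(creds));
        }

        // Set up resource type requirements for ApplicationMaster
        Resource capability = Records.newRecord(Resource.class);
        capability.setMemory(512);
        capability.setVirtualCores(1);

        // Finally, set-up ApplicationSubmissionContext for the application
        ApplicationSubmissionContext appContext = app.getApplicationSubmissionContext();
        appContext.setApplicationName("ignition"); // application name
        appContext.setAMContainerSpec(amContainer);
        appContext.setResource(capability);
        appContext.setQueue("default"); // queue

        // Submit application
        ApplicationId appId = appContext.getApplicationId();

        yarnClient.submitApplication(appContext);

        log.log(Level.INFO, "Submitted application. Application id: {0}", appId);

        ApplicationReport appReport = yarnClient.getApplicationReport(appId);
        YarnApplicationState appState = appReport.getYarnApplicationState();

        while (appState == YarnApplicationState.NEW
            || appState == YarnApplicationState.NEW_SAVING
            || appState == YarnApplicationState.SUBMITTED
            || appState == YarnApplicationState.ACCEPTED) {
            TimeUnit.SECONDS.sleep(1L);

            appReport = yarnClient.getApplicationReport(appId);

            // Log the transition into ACCEPTED once, not on every poll.
            if (appState != YarnApplicationState.ACCEPTED
                && appReport.getYarnApplicationState() == YarnApplicationState.ACCEPTED) {
                log.log(Level.INFO, "Application {0} is ACCEPTED.", appId);
            }

            appState = appReport.getYarnApplicationState();
        }

        log.log(Level.INFO, "Application {0} is {1}.", new Object[] { appId, appState });
    }
    finally {
        yarnClient.stop();
    }
}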
From source file:org.apache.metron.maas.service.Client.java
License:Apache License
/**
 * Main run function for the client: starts the YARN client, logs cluster, queue and ACL
 * information, builds the application master launch context (local resources, environment,
 * command line and, on a secure cluster, delegation tokens), submits the application and then
 * monitors it.
 *
 * @return true if application completed successfully
 * @throws IOException if the RM Kerberos principal is not configured on a secure cluster, or on
 *         file system / token errors
 * @throws YarnException on errors reported by the YARN client
 */
public boolean run() throws IOException, YarnException {
    LOG.info("Running Client");
    yarnClient.start();

    YarnClusterMetrics clusterMetrics = yarnClient.getYarnClusterMetrics();
    LOG.info("Got Cluster metric info from ASM" + ", numNodeManagers=" + clusterMetrics.getNumNodeManagers());

    List<NodeReport> clusterNodeReports = yarnClient.getNodeReports(NodeState.RUNNING);
    LOG.info("Got Cluster node info from ASM");
    for (NodeReport node : clusterNodeReports) {
        // NOTE(review): "nodeAddress", "nodeRackName" and "nodeNumContainers" lack the "=" the
        // other fields use, so the value runs straight into the label in the log line.
        LOG.info("Got node report from ASM for" + ", nodeId=" + node.getNodeId() + ", nodeAddress"
                + node.getHttpAddress() + ", nodeRackName" + node.getRackName() + ", nodeNumContainers"
                + node.getNumContainers());
    }

    QueueInfo queueInfo = yarnClient.getQueueInfo(this.amQueue);
    LOG.info("Queue info" + ", queueName=" + queueInfo.getQueueName() + ", queueCurrentCapacity="
            + queueInfo.getCurrentCapacity() + ", queueMaxCapacity=" + queueInfo.getMaximumCapacity()
            + ", queueApplicationCount=" + queueInfo.getApplications().size() + ", queueChildQueueCount="
            + queueInfo.getChildQueues().size());

    List<QueueUserACLInfo> listAclInfo = yarnClient.getQueueAclsInfo();
    for (QueueUserACLInfo aclInfo : listAclInfo) {
        for (QueueACL userAcl : aclInfo.getUserAcls()) {
            LOG.info("User ACL Info for Queue" + ", queueName=" + aclInfo.getQueueName() + ", userAcl="
                    + userAcl.name());
        }
    }

    if (domainId != null && domainId.length() > 0 && toCreateDomain) {
        prepareTimelineDomain();
    }

    // Get a new application id
    YarnClientApplication app = yarnClient.createApplication();
    GetNewApplicationResponse appResponse = app.getNewApplicationResponse();
    // TODO get min/max resource capabilities from RM and change memory ask if needed
    // If we do not have min/max, we may not be able to correctly request
    // the required resources from the RM for the app master
    // Memory ask has to be a multiple of min and less than max.
    // Dump out information about cluster capability as seen by the resource manager
    int maxMem = appResponse.getMaximumResourceCapability().getMemory();
    LOG.info("Max mem capabililty of resources in this cluster " + maxMem);

    // A resource ask cannot exceed the max; the instance field is clamped in place.
    if (amMemory > maxMem) {
        LOG.info("AM memory specified above max threshold of cluster. Using max value." + ", specified="
                + amMemory + ", max=" + maxMem);
        amMemory = maxMem;
    }

    int maxVCores = appResponse.getMaximumResourceCapability().getVirtualCores();
    LOG.info("Max virtual cores capabililty of resources in this cluster " + maxVCores);

    if (amVCores > maxVCores) {
        LOG.info("AM virtual cores specified above max threshold of cluster. " + "Using max value."
                + ", specified=" + amVCores + ", max=" + maxVCores);
        amVCores = maxVCores;
    }

    // set the application name
    ApplicationSubmissionContext appContext = app.getApplicationSubmissionContext();
    ApplicationId appId = appContext.getApplicationId();

    appContext.setKeepContainersAcrossApplicationAttempts(keepContainers);
    appContext.setApplicationName(appName);

    if (attemptFailuresValidityInterval >= 0) {
        appContext.setAttemptFailuresValidityInterval(attemptFailuresValidityInterval);
    }

    // set local resources for the application master
    // local files or archives as needed
    // In this scenario, the jar file for the application master is part of the local resources
    Map<String, LocalResource> localResources = new HashMap<String, LocalResource>();

    LOG.info("Copy App Master jar from local filesystem and add to local environment");
    // Copy the application master jar to the filesystem
    // Create a local resource to point to the destination jar path
    FileSystem fs = FileSystem.get(conf);
    Path ajPath = addToLocalResources(fs, appMasterJar, appMasterJarPath, appId.toString(), localResources,
            null);

    // Set the log4j properties if needed
    if (!log4jPropFile.isEmpty()) {
        addToLocalResources(fs, log4jPropFile, log4jPath, appId.toString(), localResources, null);
    }

    // Set the necessary security tokens as needed
    //amContainer.setContainerTokens(containerToken);

    // Set the env variables to be setup in the env where the application master will be run
    LOG.info("Set the environment for the application master");
    Map<String, String> env = new HashMap<String, String>();

    // put location of shell script into env
    // using the env info, the application master will create the correct local resource for the
    // eventual containers that will be launched to execute the shell scripts
    if (domainId != null && domainId.length() > 0) {
        env.put(Constants.TIMELINEDOMAIN, domainId);
    }

    // Add AppMaster.jar location to classpath
    // At some point we should not be required to add
    // the hadoop specific classpaths to the env.
    // It should be provided out of the box.
    // For now setting all required classpaths including
    // the classpath to "." for the application jar
    StringBuilder classPathEnv = new StringBuilder(Environment.CLASSPATH.$$())
            .append(ApplicationConstants.CLASS_PATH_SEPARATOR).append("./*");
    for (String c : conf.getStrings(YarnConfiguration.YARN_APPLICATION_CLASSPATH,
            YarnConfiguration.DEFAULT_YARN_CROSS_PLATFORM_APPLICATION_CLASSPATH)) {
        classPathEnv.append(ApplicationConstants.CLASS_PATH_SEPARATOR);
        classPathEnv.append(c.trim());
    }
    classPathEnv.append(ApplicationConstants.CLASS_PATH_SEPARATOR).append("./log4j.properties");

    // add the runtime classpath needed for tests to work
    // NOTE(review): this branch hard-codes ':' where the rest of the method uses
    // CLASS_PATH_SEPARATOR; it only runs when IS_MINI_YARN_CLUSTER is set.
    if (conf.getBoolean(YarnConfiguration.IS_MINI_YARN_CLUSTER, false)) {
        classPathEnv.append(':');
        classPathEnv.append(System.getProperty("java.class.path"));
    }

    env.put("CLASSPATH", classPathEnv.toString());

    // Set the necessary command to execute the application master
    Vector<CharSequence> vargs = new Vector<CharSequence>(30);

    // Set java executable command
    LOG.info("Setting up app master command");
    vargs.add(Environment.JAVA_HOME.$$() + "/bin/java");
    // Set Xmx based on am memory size
    vargs.add("-Xmx" + amMemory + "m");
    // Set class name
    vargs.add(appMasterMainClass);
    // Set params for Application Master
    vargs.add(ApplicationMaster.AMOptions.toArgs(ApplicationMaster.AMOptions.ZK_QUORUM.of(zkQuorum),
            ApplicationMaster.AMOptions.ZK_ROOT.of(zkRoot),
            ApplicationMaster.AMOptions.APP_JAR_PATH.of(ajPath.toString())));
    if (null != nodeLabelExpression) {
        appContext.setNodeLabelExpression(nodeLabelExpression);
    }
    // NOTE(review): each shellEnv key and value is concatenated into the command string
    // unquoted. Whitespace or shell metacharacters in a value would change how the command
    // line is parsed, so shellEnv has to come from a trusted source or be validated before
    // this point - confirm against the code that fills it.
    for (Map.Entry<String, String> entry : shellEnv.entrySet()) {
        vargs.add("--shell_env " + entry.getKey() + "=" + entry.getValue());
    }

    // The "1>" / "2>" redirections only work if the command is interpreted by a shell.
    vargs.add("1>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/AppMaster.stdout");
    vargs.add("2>" + ApplicationConstants.LOG_DIR_EXPANSION_VAR + "/AppMaster.stderr");

    // Get final command
    StringBuilder command = new StringBuilder();
    for (CharSequence str : vargs) {
        command.append(str).append(" ");
    }

    // The full command, including every shellEnv value, is written to the log at INFO level;
    // secrets passed through shellEnv would therefore end up in the client log.
    LOG.info("Completed setting up app master command " + command.toString());
    List<String> commands = new ArrayList<String>();
    commands.add(command.toString());

    // Set up the container launch context for the application master
    ContainerLaunchContext amContainer = ContainerLaunchContext.newInstance(localResources, env, commands,
            null, null, null);

    // Set up resource type requirements
    // For now, both memory and vcores are supported, so we set memory and
    // vcores requirements
    Resource capability = Resource.newInstance(amMemory, amVCores);
    appContext.setResource(capability);

    // Service data is a binary blob that can be passed to the application
    // Not needed in this scenario

    // Setup security tokens
    if (UserGroupInformation.isSecurityEnabled()) {
        // Note: Credentials class is marked as LimitedPrivate for HDFS and MapReduce
        Credentials credentials = new Credentials();
        String tokenRenewer = conf.get(YarnConfiguration.RM_PRINCIPAL);
        // Fail closed: on a secure cluster the submission is aborted when no renewer
        // principal is configured, instead of launching the AM without tokens.
        if (tokenRenewer == null || tokenRenewer.length() == 0) {
            throw new IOException("Can't get Master Kerberos principal for the RM to use as renewer");
        }

        // For now, only getting tokens for the default file-system.
        final Token<?> tokens[] = fs.addDelegationTokens(tokenRenewer, credentials);
        if (tokens != null) {
            for (Token<?> token : tokens) {
                LOG.info("Got dt for " + fs.getUri() + "; " + token);
            }
        }
        DataOutputBuffer dob = new DataOutputBuffer();
        credentials.writeTokenStorageToStream(dob);
        // Wrap only the first getLength() bytes of the buffer's backing array.
        ByteBuffer fsTokens = ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
        amContainer.setTokens(fsTokens);
    }

    appContext.setAMContainerSpec(amContainer);

    // Set the priority for the application master
    Priority pri = Priority.newInstance(amPriority);
    appContext.setPriority(pri);

    // Set the queue to which this application is to be submitted in the RM
    appContext.setQueue(amQueue);

    // Submit the application to the applications manager
    // SubmitApplicationResponse submitResp = applicationsManager.submitApplication(appRequest);
    // Ignore the response as either a valid response object is returned on success
    // or an exception thrown to denote some form of a failure
    LOG.info("Submitting application to ASM");

    yarnClient.submitApplication(appContext);

    // Monitor the application
    return monitorApplication(appId);
}
From source file:org.apache.nifi.ranger.authorization.ManagedRangerAuthorizerTest.java
License:Apache License
/**
 * Points the JVM at the test krb5.conf and forces Hadoop authentication back to "simple".
 * Both the system property and the UserGroupInformation configuration are process-wide, so
 * this has to run before every test that depends on security being disabled.
 */
@Before
public void setup() {
    // This system property has to be set before anything else.
    final File kerberosConfigFile = new File("src/test/resources/krb5.conf");
    assertTrue(kerberosConfigFile.exists());
    final String kerberosConfigPath = kerberosConfigFile.getAbsolutePath();
    System.setProperty("java.security.krb5.conf", kerberosConfigPath);

    // Reset the authentication to simple in case any test set it to kerberos.
    final Configuration simpleAuthConf = new Configuration();
    simpleAuthConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(simpleAuthConf);

    // Guard: the remaining tests assume Kerberos is off.
    assertFalse(UserGroupInformation.isSecurityEnabled());
}
From source file:org.apache.nifi.ranger.authorization.TestRangerNiFiAuthorizer.java
License:Apache License
/**
 * Prepares each test: points the JVM at the test krb5.conf, resets Hadoop authentication to
 * "simple", configures a mock-backed authorizer and creates the allowed / not-allowed access
 * results used by the tests.
 */
@Before
public void setup() {
    // This system property has to be set before anything else.
    final File kerberosConfigFile = new File("src/test/resources/krb5.conf");
    assertTrue(kerberosConfigFile.exists());
    final String kerberosConfigPath = kerberosConfigFile.getAbsolutePath();
    System.setProperty("java.security.krb5.conf", kerberosConfigPath);

    // Reset the authentication to simple in case any test set it to kerberos.
    // UserGroupInformation keeps this configuration statically, so it leaks between tests.
    final Configuration simpleAuthConf = new Configuration();
    simpleAuthConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(simpleAuthConf);

    // Authorizer under test, backed by a mocked Ranger plugin.
    configurationContext = createMockConfigContext();
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    // Configuring the authorizer must not have switched Hadoop security on.
    assertFalse(UserGroupInformation.isSecurityEnabled());

    // Canned Ranger results for the allow and deny paths.
    allowedResult = Mockito.mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = Mockito.mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
From source file:org.apache.nifi.registry.ranger.TestRangerAuthorizer.java
License:Apache License
/**
 * Shared test fixture: points the JVM at the test krb5.conf, resets Hadoop authentication to
 * "simple", then initializes and configures a mock-backed authorizer.
 *
 * @param registryProperties registry properties handed to the authorizer
 * @param userGroupProvider provider returned by the mocked lookup for "user-group-provider"
 * @param configurationContext configuration passed to {@code onConfigured}
 */
private void setup(final NiFiRegistryProperties registryProperties, final UserGroupProvider userGroupProvider,
        final AuthorizerConfigurationContext configurationContext) {
    // This system property has to be set before anything else.
    final File kerberosConfigFile = new File("src/test/resources/krb5.conf");
    assertTrue(kerberosConfigFile.exists());
    final String kerberosConfigPath = kerberosConfigFile.getAbsolutePath();
    System.setProperty("java.security.krb5.conf", kerberosConfigPath);

    // Reset the authentication to simple in case any test set it to kerberos.
    // UserGroupInformation keeps this configuration statically, so it leaks between tests.
    final Configuration simpleAuthConf = new Configuration();
    simpleAuthConf.set(RangerAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(simpleAuthConf);

    // Authorizer under test, backed by a mocked Ranger plugin.
    rangerBasePlugin = mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerAuthorizer(rangerBasePlugin);

    // The lookup resolves only the "user-group-provider" identifier.
    final UserGroupProviderLookup providerLookup = mock(UserGroupProviderLookup.class);
    when(providerLookup.getUserGroupProvider(eq("user-group-provider"))).thenReturn(userGroupProvider);

    final AuthorizerInitializationContext initContext = mock(AuthorizerInitializationContext.class);
    when(initContext.getUserGroupProviderLookup()).thenReturn(providerLookup);

    authorizer.setRegistryProperties(registryProperties);
    authorizer.initialize(initContext);
    authorizer.onConfigured(configurationContext);

    // Configuring the authorizer must not have switched Hadoop security on.
    assertFalse(UserGroupInformation.isSecurityEnabled());

    // Canned Ranger results for the allow and deny paths.
    allowedResult = mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}
From source file:org.apache.omid.tools.hbase.HBaseLogin.java
License:Apache License
/**
 * Logs in from the configured keytab when Hadoop security is enabled and returns the current user.
 *
 * @param config source of the Kerberos principal and keytab location
 * @return the current user as reported by {@code UserGroupInformation}
 * @throws IOException if the keytab login or the current-user lookup fails
 */
public static UserGroupInformation loginIfNeeded(SecureHBaseConfig config) throws IOException {
    // Without Hadoop security there is nothing to log in to.
    if (!UserGroupInformation.isSecurityEnabled()) {
        return UserGroupInformation.getCurrentUser();
    }

    // Only the principal name and the keytab location are logged, never keytab contents.
    LOG.info("Security is enabled, logging in with principal={}, keytab={}",
            config.getPrincipal(), config.getKeytab());

    // A failed login propagates as IOException, so callers never continue unauthenticated.
    UserGroupInformation.loginUserFromKeytab(config.getPrincipal(), config.getKeytab());

    return UserGroupInformation.getCurrentUser();
}
From source file:org.apache.oozie.service.HadoopAccessorService.java
License:Apache License
/**
 * Returns the renewer to use for MapReduce delegation tokens.
 *
 * @param jobConf job configuration passed to the renewer lookup on a secure cluster
 * @return the renewer from {@code getMRTokenRenewerInternal} when security is enabled,
 *         otherwise {@code MR_TOKEN_ALIAS}
 * @throws IOException if the renewer lookup fails
 */
public Text getMRDelegationTokenRenewer(JobConf jobConf) throws IOException {
    // On a cluster without security it does not matter what is passed as renewer.
    return UserGroupInformation.isSecurityEnabled()
            ? getMRTokenRenewerInternal(jobConf) // secure cluster
            : MR_TOKEN_ALIAS;
}
From source file:org.apache.pig.backend.hadoop.HKerberos.java
License:Apache License
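/**
 * Attempts a Kerberos keytab login when Hadoop security is enabled and the current login user
 * has neither Kerberos credentials nor a keytab-based login.
 *
 * <p>This is best effort: every failure is logged and swallowed, so a caller cannot tell from
 * this method whether the process ended up authenticated.
 *
 * @param conf configuration that must provide {@code java.security.krb5.conf},
 *        {@code hadoop.security.krb5.principal} and {@code hadoop.security.krb5.keytab} for a
 *        login to be attempted
 */
public static void tryKerberosKeytabLogin(Configuration conf) {
    // Before we can actually connect we may need to login using the provided credentials.
    if (!UserGroupInformation.isSecurityEnabled()) {
        return;
    }

    UserGroupInformation loginUser;
    try {
        loginUser = UserGroupInformation.getLoginUser();
    } catch (IOException e) {
        // Pass the exception itself so the cause and stack trace reach the log.
        LOG.error("Unable to start attempt to login using Kerberos keytab: " + e.getMessage(), e);
        return;
    }

    // If we are already logged in to Kerberos or came from a keytab, skip the needless login.
    if (loginUser.hasKerberosCredentials() || loginUser.isFromKeytab()) {
        return;
    }

    String krb5Conf = conf.get("java.security.krb5.conf");
    String krb5Principal = conf.get("hadoop.security.krb5.principal");
    String krb5Keytab = conf.get("hadoop.security.krb5.keytab");

    // Only attempt login if we have all the required settings.
    if (krb5Conf == null || krb5Principal == null || krb5Keytab == null) {
        return;
    }

    // Paths and the principal name are logged; the keytab contents are not.
    LOG.info("Trying login using Kerberos Keytab");
    LOG.info("krb5: Conf = " + krb5Conf);
    LOG.info("krb5: Principal = " + krb5Principal);
    LOG.info("krb5: Keytab = " + krb5Keytab);

    // NOTE(review): this overrides the krb5.conf location for the whole JVM with a value read
    // from the supplied Configuration, so that configuration must be trusted.
    System.setProperty("java.security.krb5.conf", krb5Conf);
    try {
        UserGroupInformation.loginUserFromKeytab(krb5Principal, krb5Keytab);
    } catch (IOException e) {
        LOG.error("Unable to perform keytab based kerberos authentication: " + e.getMessage(), e);
    }
}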
From source file:org.apache.ranger.admin.client.RangerAdminJersey2RESTClient.java
License:Apache License
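/**
 * Fetches the service policies from the policy server if they changed since
 * {@code lastKnownVersion}.
 *
 * <p>When a login user exists and Hadoop security is enabled, the request goes to the secure
 * URL inside {@code user.doAs}; otherwise the older URL is called directly.
 *
 * @param lastKnownVersion policy version the caller already holds
 * @return the deserialized policies on HTTP 200; {@code null} on 304, on a null response and on
 *         any other status
 * @throws Exception if the request or the deserialization fails
 */
@Override
public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminJersey2RESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ")");
    }

    UserGroupInformation user = MiscUtil.getUGILoginUser();
    boolean securityEnabled = UserGroupInformation.isSecurityEnabled();
    boolean isSecureMode = user != null && securityEnabled;

    // Security is on but there is no login user: the call below silently drops to the older,
    // non-doAs request. Make that downgrade visible instead of leaving it at debug level.
    if (securityEnabled && user == null) {
        LOG.warn("Hadoop security is enabled but no login user is available;"
                + " policy download will use the old api call");
    }

    String url = null;
    Response response = null;
    try {
        ServicePolicies servicePolicies = null;

        if (isSecureMode) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Checking Service policy if updated as user : " + user);
            }
            url = _utils.getSecureUrlForPolicyUpdate(_baseUrl, _serviceName);
            final String secureUrl = url;
            PrivilegedAction<Response> action = new PrivilegedAction<Response>() {
                public Response run() {
                    return _client.target(secureUrl)
                            .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                                    Long.toString(lastKnownVersion))
                            .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId)
                            .request(MediaType.APPLICATION_JSON_TYPE).get();
                }
            };
            response = user.doAs(action);
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Checking Service policy if updated with old api call");
            }
            url = _utils.getUrlForPolicyUpdate(_baseUrl, _serviceName);
            response = _client.target(url)
                    .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                            Long.toString(lastKnownVersion))
                    .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId)
                    .request(MediaType.APPLICATION_JSON_TYPE).get();
        }

        int httpResponseCode = response == null ? -1 : response.getStatus();
        String body = null;

        switch (httpResponseCode) {
        case 200:
            body = response.readEntity(String.class);

            // The debug output contains the full policy document.
            if (LOG.isDebugEnabled()) {
                LOG.debug("Response from 200 server: " + body);
            }

            Gson gson = getGson();
            servicePolicies = gson.fromJson(body, ServicePolicies.class);

            if (LOG.isDebugEnabled()) {
                LOG.debug("Deserialized response to: " + servicePolicies);
            }
            break;
        case 304:
            LOG.debug("Got response: 304. Ok. Returning null");
            break;
        case -1:
            LOG.warn(
                    "Unexpected: Null response from policy server while trying to get policies! Returning null!");
            break;
        default:
            // Any other status, including authentication failures, yields null for the caller.
            body = response.readEntity(String.class);
            LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]",
                    httpResponseCode, body, url));
            break;
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAdminJersey2RESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion
                    + "): " + servicePolicies);
        }
        return servicePolicies;
    } catch (Exception ex) {
        // Log the exception itself so the cause is not lost if a caller drops it.
        LOG.error("Failed getting policies from server. url=" + url + ", pluginId=" + _pluginId
                + ", lastKnownVersion=" + lastKnownVersion, ex);
        throw ex;
    } finally {
        // The 304 path never reads the entity, so release the response explicitly.
        if (response != null) {
            try {
                response.close();
            } catch (RuntimeException closeFailure) {
                // Closing is best effort and must not mask the result or the original error.
                LOG.debug("Failed to close policy server response", closeFailure);
            }
        }
    }
}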
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
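/**
 * Fetches the service policies from the policy server if they changed since
 * {@code lastKnownVersion}.
 *
 * <p>When a login user exists and Hadoop security is enabled, the request goes to the
 * secure-service resource inside {@code user.doAs}; otherwise the older resource is called
 * directly.
 *
 * @param lastKnownVersion policy version the caller already holds
 * @return the policies on HTTP 200, or {@code null} on HTTP 304 (no change)
 * @throws Exception for a null response or any status other than 200 and 304
 */
@Override
public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ")");
    }

    ServicePolicies ret = null;
    UserGroupInformation user = MiscUtil.getUGILoginUser();
    boolean securityEnabled = UserGroupInformation.isSecurityEnabled();
    boolean isSecureMode = user != null && securityEnabled;

    // Security is on but there is no login user: the call below silently drops to the older,
    // non-doAs request. Make that downgrade visible instead of leaving it at debug level.
    if (securityEnabled && user == null) {
        LOG.warn("Hadoop security is enabled but no login user is available;"
                + " policy download will use the old api call");
    }

    ClientResponse response = null;
    try {
        if (isSecureMode) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Checking Service policy if updated as user : " + user);
            }
            PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
                public ClientResponse run() {
                    WebResource secureWebResource = createWebResource(
                            RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName)
                                    .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                                            Long.toString(lastKnownVersion))
                                    .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                    return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON)
                            .get(ClientResponse.class);
                }
            };
            response = user.doAs(action);
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Checking Service policy if updated with old api call");
            }
            WebResource webResource = createWebResource(
                    RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName)
                            .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
                                    Long.toString(lastKnownVersion))
                            .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
            response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
        }

        int status = response == null ? -1 : response.getStatus();

        if (status == 200) {
            ret = response.getEntity(ServicePolicies.class);
        } else if (status != 304) {
            // 304 means no change and leaves ret as null; everything else is an error.
            // NOTE(review): response may be null here; this relies on
            // RESTResponse.fromClientResponse accepting null - confirm.
            RESTResponse resp = RESTResponse.fromClientResponse(response);
            LOG.error("Error getting policies. secureMode=" + isSecureMode + ", user=" + user + ", response="
                    + resp.toString() + ", serviceName=" + serviceName);
            throw new Exception(resp.getMessage());
        }
    } finally {
        // The 304 path never reads the entity, so release the response explicitly.
        if (response != null) {
            try {
                response.close();
            } catch (RuntimeException closeFailure) {
                // Closing is best effort and must not mask the result or the original error.
                LOG.debug("Failed to close policy server response", closeFailure);
            }
        }
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + "): " + ret);
    }

    return ret;
}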