List of usage examples for org.apache.hadoop.security UserGroupInformation isSecurityEnabled
public static boolean isSecurityEnabled()
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Asks Ranger Admin to apply the grant described by {@code request} for this plugin's service.
 * When a login user is available and Hadoop security is enabled, the POST is executed inside
 * that user's context against the secure endpoint; otherwise the plain endpoint is used.
 *
 * @param request grant to apply
 * @throws AccessControlException if Admin answers HTTP 401
 * @throws Exception for any other non-200 response, or when no response was received at all
 */
@Override
public void grantAccess(final GrantRevokeRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.grantAccess(" + request + ")");
    }

    final UserGroupInformation loginUser = MiscUtil.getUGILoginUser();
    final boolean secure = (loginUser != null) && UserGroupInformation.isSecurityEnabled();
    final ClientResponse response;

    if (secure) {
        // Kerberos: run the call as the login user so the secure endpoint can authenticate it.
        if (LOG.isDebugEnabled()) {
            LOG.debug("grantAccess as user " + loginUser);
        }
        response = loginUser.doAs(new PrivilegedAction<ClientResponse>() {
            @Override
            public ClientResponse run() {
                WebResource resource = createWebResource(RangerRESTUtils.REST_URL_SECURE_SERVICE_GRANT_ACCESS + serviceName)
                        .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .post(ClientResponse.class, restClient.toJson(request));
            }
        });
    } else {
        WebResource resource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_GRANT_ACCESS + serviceName)
                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .post(ClientResponse.class, restClient.toJson(request));
    }

    if (response == null) {
        throw new Exception("unknown error during grantAccess. serviceName=" + serviceName);
    }

    final int status = response.getStatus();
    if (status != 200) {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("grantAccess() failed: HTTP status=" + status + ", message=" + resp.getMessage()
                + ", isSecure=" + secure + (secure ? (", user=" + loginUser) : ""));
        if (status == 401) {
            // authentication/authorization failure at Admin is surfaced as a distinct exception type
            throw new AccessControlException();
        }
        throw new Exception("HTTP " + status + " Error: " + resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.grantAccess(" + request + ")");
    }
}
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Asks Ranger Admin to revoke the access described by {@code request} for this plugin's service.
 * When a login user is available and Hadoop security is enabled, the POST is executed inside
 * that user's context against the secure endpoint; otherwise the plain endpoint is used.
 *
 * @param request revocation to apply
 * @throws AccessControlException if Admin answers HTTP 401
 * @throws Exception for any other non-200 response, or when no response was received at all
 */
@Override
public void revokeAccess(final GrantRevokeRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + request + ")");
    }

    final UserGroupInformation loginUser = MiscUtil.getUGILoginUser();
    final boolean secure = (loginUser != null) && UserGroupInformation.isSecurityEnabled();
    final ClientResponse response;

    if (secure) {
        // Kerberos: run the call as the login user so the secure endpoint can authenticate it.
        if (LOG.isDebugEnabled()) {
            LOG.debug("revokeAccess as user " + loginUser);
        }
        response = loginUser.doAs(new PrivilegedAction<ClientResponse>() {
            @Override
            public ClientResponse run() {
                WebResource resource = createWebResource(RangerRESTUtils.REST_URL_SECURE_SERVICE_REVOKE_ACCESS + serviceName)
                        .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                        .post(ClientResponse.class, restClient.toJson(request));
            }
        });
    } else {
        WebResource resource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_REVOKE_ACCESS + serviceName)
                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = resource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
                .post(ClientResponse.class, restClient.toJson(request));
    }

    if (response == null) {
        throw new Exception("unknown error. revokeAccess(). serviceName=" + serviceName);
    }

    final int status = response.getStatus();
    if (status != 200) {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("revokeAccess() failed: HTTP status=" + status + ", message=" + resp.getMessage()
                + ", isSecure=" + secure + (secure ? (", user=" + loginUser) : ""));
        if (status == 401) {
            // authentication/authorization failure at Admin is surfaced as a distinct exception type
            throw new AccessControlException();
        }
        throw new Exception("HTTP " + status + " Error: " + resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.revokeAccess(" + request + ")");
    }
}
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Fetches the service's tags from Ranger Admin if they changed since {@code lastKnownVersion}.
 * On a secure cluster (login user present and Hadoop security enabled) the GET runs as the login
 * user against the secure endpoint; otherwise the plain endpoint is used.
 *
 * @param lastKnownVersion tag version the caller already holds
 * @return the updated tags on HTTP 200, or {@code null} on HTTP 304 (no change)
 * @throws Exception on any other status, or when no response was received
 */
@Override
public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): ");
    }

    final UserGroupInformation loginUser = MiscUtil.getUGILoginUser();
    final boolean secure = (loginUser != null) && UserGroupInformation.isSecurityEnabled();
    final String versionParam = Long.toString(lastKnownVersion);
    final ClientResponse response;

    if (secure) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("getServiceTagsIfUpdated as user " + loginUser);
        }
        response = loginUser.doAs(new PrivilegedAction<ClientResponse>() {
            @Override
            public ClientResponse run() {
                WebResource resource = createWebResource(RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceName)
                        .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, versionParam)
                        .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return resource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
            }
        });
    } else {
        WebResource resource = createWebResource(RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceName)
                .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, versionParam)
                .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = resource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
    }

    ServiceTags tags = null;
    final int status = (response == null) ? -1 : response.getStatus();

    if (response != null && status == 200) {
        tags = response.getEntity(ServiceTags.class);
    } else if (response != null && status == 304) {
        // not modified: caller keeps what it has, signalled by the null return
    } else {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("Error getting taggedResources. secureMode=" + secure + ", user=" + loginUser
                + ", response=" + resp.toString() + ", serviceName=" + serviceName + ", "
                + "lastKnownVersion=" + lastKnownVersion);
        throw new Exception(resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): ");
    }
    return tags;
}
From source file:org.apache.ranger.admin.client.RangerAdminRESTClient.java
License:Apache License
/**
 * Looks up the tag type names known to Ranger Admin for this service that match {@code pattern}.
 * The same lookup URL is used on secure and insecure clusters; on a secure cluster the GET is
 * executed as the login user.
 *
 * @param pattern filter passed to Admin as the pattern query parameter
 * @return the tag type names returned by Admin
 * @throws Exception when the response is missing or its status is not 200
 */
@Override
public List<String> getTagTypes(String pattern) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.getTagTypes(" + pattern + "): ");
    }

    final UserGroupInformation loginUser = MiscUtil.getUGILoginUser();
    final boolean secure = (loginUser != null) && UserGroupInformation.isSecurityEnabled();
    final WebResource resource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES)
            .queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName)
            .queryParam(RangerRESTUtils.PATTERN_PARAM, pattern);
    final ClientResponse response;

    if (secure) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("getTagTypes as user " + loginUser);
        }
        response = loginUser.doAs(new PrivilegedAction<ClientResponse>() {
            @Override
            public ClientResponse run() {
                return resource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
            }
        });
    } else {
        response = resource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
    }

    if (response == null || response.getStatus() != 200) {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("Error getting taggedResources. request=" + resource.toString() + ", response=" + resp.toString()
                + ", serviceName=" + serviceName + ", " + "pattern=" + pattern);
        throw new Exception(resp.getMessage());
    }

    // the empty string only carries the element type for the generic List<String> entity
    List<String> tagTypes = response.getEntity(getGenericType(""));

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.getTagTypes(" + pattern + "): " + tagTypes);
    }
    return tagTypes;
}
From source file:org.apache.ranger.plugin.store.rest.ServiceRESTStore.java
License:Apache License
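/**
 * Fetches the policies of {@code serviceName} from the REST store if they changed since
 * {@code lastKnownVersion}. On a secure cluster (login user present and Hadoop security enabled)
 * the GET runs as the login user against the secure endpoint; otherwise the plain endpoint is used.
 *
 * @param serviceName      service whose policies are requested
 * @param lastKnownVersion policy version the caller already holds
 * @return the updated policies on HTTP 200, or {@code null} on HTTP 304 (no change)
 * @throws Exception on any other status, or when no response was received
 */
@Override
public ServicePolicies getServicePoliciesIfUpdated(final String serviceName, final Long lastKnownVersion) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceRESTStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
    }

    // Resolve the login user exactly once: the original re-queried MiscUtil.getUGILoginUser() for the
    // null check, the log line and the doAs() call, so the user that passed the check was not
    // necessarily the one the request ran as.
    final UserGroupInformation loginUser = MiscUtil.getUGILoginUser();
    final boolean secure = (loginUser != null) && UserGroupInformation.isSecurityEnabled();
    final ClientResponse response;

    if (secure) {
        LOG.info("Checking Service policy if updated as user : " + loginUser);
        response = loginUser.doAs(new PrivilegedAction<ClientResponse>() {
            @Override
            public ClientResponse run() {
                WebResource resource = createWebResource(
                        REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName + "/" + lastKnownVersion);
                return resource.accept(REST_MIME_TYPE_JSON).get(ClientResponse.class);
            }
        });
    } else {
        WebResource resource = createWebResource(
                REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName + "/" + lastKnownVersion);
        response = resource.accept(REST_MIME_TYPE_JSON).get(ClientResponse.class);
    }

    ServicePolicies ret = null;
    final int status = (response == null) ? -1 : response.getStatus();

    if (response != null && status == 200) {
        ret = response.getEntity(ServicePolicies.class);
    } else if (response != null && status == 304) {
        // not modified: caller keeps what it has, signalled by the null return
    } else {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        // log the context before throwing, so a failed poll is diagnosable from the plugin log alone
        LOG.error("Error getting policies. secureMode=" + secure + ", user=" + loginUser
                + ", response=" + resp + ", serviceName=" + serviceName
                + ", lastKnownVersion=" + lastKnownVersion);
        throw new Exception(resp.getMessage());
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceRESTStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + "): " + ret);
    }
    return ret;
}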
From source file:org.apache.samza.job.yarn.YarnClusterResourceManager.java
License:Apache License
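/**
 * Runs a command as a process on the container. All binaries needed by the physical process are packaged in the URL
 * specified by packagePath.
 *
 * The container receives a copy of the current user's tokens with the AM->RM token removed, so a container
 * cannot talk to the ResourceManager as the application master.
 *
 * @param packagePath location of the job package, localized into the container as {@code __package}
 * @param container   the YARN container to launch into
 * @param env         environment variables for the launched process
 * @param cmd         the single command line the container runs
 * @throws IOException if the package's file status cannot be read, a token identifier cannot be decoded,
 *                     or the credentials cannot be serialized
 */
private void startContainer(Path packagePath, Container container, Map<String, String> env, final String cmd) throws IOException {
    LocalResource packageResource = Records.newRecord(LocalResource.class);
    URL packageUrl = ConverterUtils.getYarnUrlFromPath(packagePath);
    FileStatus fileStatus = packagePath.getFileSystem(yarnConfiguration).getFileStatus(packagePath);
    packageResource.setResource(packageUrl);
    log.debug("Set package resource in YarnContainerRunner for {}", packageUrl);
    packageResource.setSize(fileStatus.getLen());
    packageResource.setTimestamp(fileStatus.getModificationTime());
    packageResource.setType(LocalResourceType.ARCHIVE);
    packageResource.setVisibility(LocalResourceVisibility.APPLICATION);

    // Copy tokens to start the container. The AM->RM token is removed BEFORE the credentials are
    // serialized: the previous code serialized first and removed afterwards, which left the token in
    // the bytes handed to the container, so the removal had no effect.
    // NOTE(review): this relies on UGI.getCredentials() returning a copy, so the AM's own credentials
    // are untouched — confirm against the Hadoop version in use.
    Credentials credentials = UserGroupInformation.getCurrentUser().getCredentials();
    Iterator<org.apache.hadoop.security.token.Token<? extends TokenIdentifier>> iter =
        credentials.getAllTokens().iterator();
    while (iter.hasNext()) {
        TokenIdentifier tokenId = iter.next().decodeIdentifier();
        if (tokenId != null && AMRMTokenIdentifier.KIND_NAME.equals(tokenId.getKind())) {
            iter.remove();
        }
    }
    DataOutputBuffer dob = new DataOutputBuffer();
    credentials.writeTokenStorageToStream(dob);
    ByteBuffer allTokens = ByteBuffer.wrap(dob.getData(), 0, dob.getLength());

    Map<String, LocalResource> localResourceMap = new HashMap<>();
    localResourceMap.put("__package", packageResource);

    // include the resources from the universal resource configurations
    LocalizerResourceMapper resourceMapper = new LocalizerResourceMapper(new LocalizerResourceConfig(config), yarnConfiguration);
    localResourceMap.putAll(resourceMapper.getResourceMap());

    ArrayList<String> commands = new ArrayList<>();
    commands.add(cmd);

    ContainerLaunchContext context = Records.newRecord(ContainerLaunchContext.class);
    context.setEnvironment(env);
    context.setTokens(allTokens.duplicate());
    context.setCommands(commands);
    context.setLocalResources(localResourceMap);

    // Application ACLs are only applied on a secure cluster, and only when some are configured.
    if (UserGroupInformation.isSecurityEnabled()) {
        Map<ApplicationAccessType, String> acls = yarnConfig.getYarnApplicationAcls();
        if (!acls.isEmpty()) {
            context.setApplicationACLs(acls);
        }
    }

    // NOTE(review): these lines log the launch context itself; if its toString() includes the
    // serialized tokens, the container's credentials end up in the AM log — confirm before relying
    // on this logging in production.
    log.debug("Setting localResourceMap to {}", localResourceMap);
    log.debug("Setting context to {}", context);
    log.info(
        "Making an async start request for Container ID: {} on host: {} with local resource map: {} and context: {}",
        container.getId(), container.getNodeHttpAddress(), localResourceMap.toString(), context);
    nmClientAsync.startContainerAsync(container, context);
}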
From source file:org.apache.slider.client.TokensOperation.java
License:Apache License
/**
 * Implements the "tokens" client action: optionally log in from a keytab, then either save a fresh set
 * of delegation tokens to {@code args.output}, read tokens from {@code args.source}, or dump the tokens
 * of the current login user. Whatever was selected is listed in the log.
 *
 * @param args       parsed command-line arguments (keytab/principal, output, source)
 * @param fs         filesystem to obtain delegation tokens from
 * @param conf       configuration
 * @param yarnClient YARN client used for the RM delegation token
 * @return 0 on success
 * @throws IOException   on I/O or login problems
 * @throws YarnException on YARN errors while collecting tokens
 */
public int actionTokens(ActionTokensArgs args, FileSystem fs, Configuration conf, YarnClientImpl yarnClient)
        throws IOException, YarnException {
    UserGroupInformation user = UserGroupInformation.getCurrentUser();
    final boolean secureCluster = UserGroupInformation.isSecurityEnabled();
    String footnote = "";

    if (args.keytab != null) {
        File keytab = args.keytab;
        if (!keytab.isFile()) {
            throw new NotFoundException(E_NO_KEYTAB + keytab.getAbsolutePath());
        }
        String principal = args.principal;
        log.info("Logging in as {} from keytab {}", principal, keytab);
        // the keytab login replaces the current user for the rest of the action
        user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab.getCanonicalPath());
    }
    Credentials userCredentials = user.getCredentials();

    final Credentials credentials;
    File output = args.output;
    if (output != null) {
        // saving tokens only makes sense on a Kerberized cluster
        if (!secureCluster) {
            throw new BadClusterStateException(E_INSECURE);
        }
        credentials = new Credentials(userCredentials);
        // filesystem
        addRMRenewableFSDelegationTokens(conf, fs, credentials);
        addRMDelegationToken(yarnClient, credentials);
        if (maybeAddTimelineToken(conf, credentials) != null) {
            log.debug("Added timeline token");
        }
        saveTokens(output, credentials);
        String filename = output.getCanonicalPath();
        footnote = String.format(
                "%d tokens saved to %s\nTo use these in the environment:\nexport %s=%s",
                credentials.numberOfTokens(), filename, UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, filename);
    } else if (args.source != null) {
        File source = args.source;
        log.info("Reading credentials from file {}", source);
        if (!source.isFile()) {
            throw new NotFoundException(E_MISSING_SOURCE_FILE + source.getAbsolutePath());
        }
        credentials = Credentials.readTokenStorageFile(source, conf);
    } else {
        StringBuffer origin = new StringBuffer();
        File envTokenFile = locateEnvCredentials(System.getenv(), conf, origin);
        if (envTokenFile == null) {
            log.info("Credential source: logged in user");
        } else {
            log.info("Credential Source {}", origin);
        }
        credentials = userCredentials;
    }

    // list the tokens
    log.info("\n{}", dumpTokens(credentials, "\n"));
    if (!footnote.isEmpty()) {
        log.info(footnote);
    }
    return 0;
}
From source file:org.apache.slider.common.tools.SliderUtils.java
License:Apache License
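/**
 * Turn on security. This is set up to only run once: the first call performs the initialization
 * and returns {@code true}; every later call returns {@code false} without touching UGI.
 * If initialization fails, the one-shot flag is released so that a later call may try again.
 * @param conf configuration to build up security
 * @return true if security was initialized in this call
 * @throws IOException IO/Net problems
 * @throws BadConfigException the configuration and system state are inconsistent
 */
public static boolean initProcessSecurity(Configuration conf) throws IOException, BadConfigException {
    // Claim the one-shot slot atomically. The previous compareAndSet(true, true) never flipped the flag
    // from false to true, so the "only once" contract was never enforced and every call re-initialized.
    if (!processSecurityAlreadyInitialized.compareAndSet(false, true)) {
        //security is already inited
        return false;
    }
    boolean completed = false;
    try {
        log.info("JVM initialized into secure mode with kerberos realm {}", SliderUtils.getKerberosRealm());
        //this gets UGI to reset its previous world view (i.e simple auth)
        //security
        log.debug("java.security.krb5.realm={}", System.getProperty(JAVA_SECURITY_KRB5_REALM, ""));
        log.debug("java.security.krb5.kdc={}", System.getProperty(JAVA_SECURITY_KRB5_KDC, ""));
        log.debug("hadoop.security.authentication={}",
                conf.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION));
        log.debug("hadoop.security.authorization={}",
                conf.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION));
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation authUser = UserGroupInformation.getCurrentUser();
        log.debug("Authenticating as {}", authUser);
        log.debug("Login user is {}", UserGroupInformation.getLoginUser());
        // UGI must now report secure mode; if it does not, something already initialized it insecurely
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new BadConfigException("Although secure mode is enabled,"
                    + "the application has already set up its user as an insecure entity %s", authUser);
        }
        // a SIMPLE-authenticated user means a filesystem (or similar) was created before the security config loaded
        if (authUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.SIMPLE) {
            throw new BadConfigException("Auth User is not Kerberized %s"
                    + " -security has already been set up with the wrong authentication method. "
                    + "This can occur if a file system has already been created prior to the loading of "
                    + "the security configuration.", authUser);
        }
        SliderUtils.verifyPrincipalSet(conf, YarnConfiguration.RM_PRINCIPAL);
        SliderUtils.verifyPrincipalSet(conf, DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY);
        completed = true;
        return true;
    } finally {
        // a failed initialization must not count as "done", or the next call would silently skip it
        if (!completed) {
            processSecurityAlreadyInitialized.set(false);
        }
    }
}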
From source file:org.apache.slider.core.launch.CredentialUtils.java
License:Apache License
/**
 * Create and add any filesystem delegation tokens, naming the configured RM principal
 * as the renewer so the RM(s) are able to renew them. On an insecure cluster nothing
 * is added and {@code null} is returned (i.e. harmless).
 * @param conf configuration
 * @param fs filesystem
 * @param credentials credentials to update
 * @return a list of all added tokens, or null on an insecure cluster
 * @throws IOException if the filesystem fails to issue the tokens
 */
public static Token<?>[] addRMRenewableFSDelegationTokens(Configuration conf, FileSystem fs, Credentials credentials)
        throws IOException {
    Preconditions.checkArgument(conf != null);
    Preconditions.checkArgument(credentials != null);
    if (!UserGroupInformation.isSecurityEnabled()) {
        // no Kerberos, no delegation tokens to fetch
        return null;
    }
    String renewer = CredentialUtils.getRMPrincipal(conf);
    return fs.addDelegationTokens(renewer, credentials);
}
From source file:org.apache.slider.core.restclient.UrlConnectionOperations.java
License:Apache License
/**
 * Create an instance off the configuration. The SPNEGO policy
 * is derived from the current UGI settings: SPNEGO is switched on
 * exactly when Hadoop security is enabled.
 * @param conf config
 */
public UrlConnectionOperations(Configuration conf) {
    super(conf);
    connectionFactory = SliderURLConnectionFactory.newInstance(conf);
    boolean kerberized = UserGroupInformation.isSecurityEnabled();
    if (kerberized) {
        log.debug("SPNEGO is enabled");
        setUseSpnego(true);
    }
}