List of usage examples for org.apache.hadoop.security UserGroupInformation loginUserFromKeytab
@InterfaceAudience.Public @InterfaceStability.Evolving public static void loginUserFromKeytab(String user, String path) throws IOException
From source file:com.cloudera.llama.server.Security.java
License:Apache License
public static void loginToHadoop(ServerConfiguration conf) throws Exception { if (UserGroupInformation.isSecurityEnabled()) { String principalName = conf.getServerPrincipalName(); String keytab = conf.getKeytabFile(); if (!(keytab.charAt(0) == '/')) { String confDir = conf.getConfDir(); keytab = new File(confDir, keytab).getAbsolutePath(); }/* www . jav a 2s .c om*/ File keytabFile = new File(keytab).getAbsoluteFile(); if (!keytabFile.exists()) { throw new RuntimeException(FastFormat.format("Keytab file '{}' does not exist", keytabFile)); } UserGroupInformation.loginUserFromKeytab(principalName, keytabFile.getPath()); } }
From source file:com.cloudera.sa.querykerberosauthhs2.QueryKerberosAuthHS2.java
public QueryKerberosAuthHS2() throws IOException { if (UserGroupInformation.isSecurityEnabled()) { UserGroupInformation.loginUserFromKeytab("vijay@US-WEST-2.COMPUTE.INTERNAL", "/etc/vijay.keytab"); }//from w w w .j a v a2 s. com }
From source file:com.datatorrent.stram.security.StramUserLogin.java
License:Apache License
public static void authenticate(String principal, String keytab) throws IOException { if ((principal != null) && !principal.isEmpty() && (keytab != null) && !keytab.isEmpty()) { try {/*from w w w . jav a2 s . c om*/ UserGroupInformation.loginUserFromKeytab(principal, keytab); LOG.info("Login user {}", UserGroupInformation.getCurrentUser().getUserName()); StramUserLogin.principal = principal; StramUserLogin.keytab = keytab; } catch (IOException ie) { LOG.error("Error login user with principal {}", principal, ie); throw ie; } } }
From source file:com.facebook.presto.hive.util.SecurityUtils.java
License:Apache License
/** * kerberos login/*from w w w .j a v a2 s .com*/ * * @param principalConf etc. hadoop-data/_HOST@SANKUAI.COM * etc. For UDDP umr-jc***@UCLOUD.CN * @param keytabFile keytab file * @return the login UserGroupInformation * * @throws IOException */ public static UserGroupInformation login(String principalConf, String keytabFile) throws IOException { if (UserGroupInformation.isSecurityEnabled()) { String kerberosName = SecurityUtil.getServerPrincipal(principalConf, "umr-jcjky1"); UserGroupInformation.loginUserFromKeytab("umr-jcjky1@UCLOUD.CN", keytabFile); } return null; }
From source file:com.flipkart.foxtrot.core.datastore.impl.hbase.HBaseUtil.java
License:Apache License
public static Configuration create(final HbaseConfig hbaseConfig) throws IOException { Configuration configuration = HBaseConfiguration.create(); if (isValidFile(hbaseConfig.getCoreSite())) { configuration.addResource(new File(hbaseConfig.getCoreSite()).toURI().toURL()); }/*from w w w. j av a 2 s.c o m*/ if (isValidFile(hbaseConfig.getHdfsSite())) { configuration.addResource(new File(hbaseConfig.getHdfsSite()).toURI().toURL()); } if (isValidFile(hbaseConfig.getHbasePolicy())) { configuration.addResource(new File(hbaseConfig.getHbasePolicy()).toURI().toURL()); } if (isValidFile(hbaseConfig.getHbaseSite())) { configuration.addResource(new File(hbaseConfig.getHbaseSite()).toURI().toURL()); } if (hbaseConfig.isSecure() && isValidFile(hbaseConfig.getKeytabFileName())) { configuration.set("hbase.master.kerberos.principal", hbaseConfig.getAuthString()); configuration.set("hadoop.kerberos.kinit.command", hbaseConfig.getKinitPath()); UserGroupInformation.setConfiguration(configuration); System.setProperty("java.security.krb5.conf", hbaseConfig.getKerberosConfigFile()); UserGroupInformation.loginUserFromKeytab(hbaseConfig.getAuthString(), hbaseConfig.getKeytabFileName()); logger.info("Logged into Hbase with User: " + UserGroupInformation.getLoginUser()); } if (null != hbaseConfig.getHbaseZookeeperQuorum()) { configuration.set("hbase.zookeeper.quorum", hbaseConfig.getHbaseZookeeperQuorum()); } if (null != hbaseConfig.getHbaseZookeeperClientPort()) { configuration.setInt("hbase.zookeeper.property.clientPort", hbaseConfig.getHbaseZookeeperClientPort()); } return configuration; }
From source file:com.gemstone.gemfire.cache.hdfs.internal.HDFSStoreImpl.java
License:Apache License
private FileSystem createFileSystem(Configuration hconf, String configFile, boolean forceNew) throws IOException { FileSystem filesystem = null; // load hdfs client config file if specified. The path is on local file // system//from w w w.j a va 2 s .c o m if (configFile != null) { if (logger.isDebugEnabled()) { logger.debug("{}Adding resource config file to hdfs configuration:" + configFile, logPrefix); } hconf.addResource(new Path(configFile)); if (!new File(configFile).exists()) { logger.warn(LocalizedMessage.create(LocalizedStrings.HOPLOG_HDFS_CLIENT_CONFIG_FILE_ABSENT, configFile)); } } // This setting disables shutdown hook for file system object. Shutdown // hook may cause FS object to close before the cache or store and // unpredictable behavior. This setting is provided for GFXD like server // use cases where FS close is managed by a server. This setting is not // supported by old versions of hadoop, HADOOP-4829 hconf.setBoolean("fs.automatic.close", false); // Hadoop has a configuration parameter io.serializations that is a list of serialization // classes which can be used for obtaining serializers and deserializers. This parameter // by default contains avro classes. When a sequence file is created, it calls // SerializationFactory.getSerializer(keyclass). This internally creates objects using // reflection of all the classes that were part of io.serializations. But since, there is // no avro class available it throws an exception. // Before creating a sequenceFile, override the io.serializations parameter and pass only the classes // that are important to us. hconf.setStrings("io.serializations", new String[] { "org.apache.hadoop.io.serializer.WritableSerialization" }); // create writer SchemaMetrics.configureGlobally(hconf); String nameNodeURL = null; if ((nameNodeURL = getNameNodeURL()) == null) { nameNodeURL = hconf.get("fs.default.name"); } URI namenodeURI = URI.create(nameNodeURL); //if (! GemFireCacheImpl.getExisting().isHadoopGfxdLonerMode()) { String authType = hconf.get("hadoop.security.authentication"); //The following code handles Gemfire XD with secure HDFS //A static set is used to cache all known secure HDFS NameNode urls. UserGroupInformation.setConfiguration(hconf); //Compare authentication method ignoring case to make GFXD future version complaint //At least version 2.0.2 starts complaining if the string "kerberos" is not in all small case. //However it seems current version of hadoop accept the authType in any case if (authType.equalsIgnoreCase("kerberos")) { String principal = hconf.get(HoplogConfig.KERBEROS_PRINCIPAL); String keyTab = hconf.get(HoplogConfig.KERBEROS_KEYTAB_FILE); if (!PERFORM_SECURE_HDFS_CHECK) { if (logger.isDebugEnabled()) logger.debug("{}Ignore secure hdfs check", logPrefix); } else { if (!secureNameNodes.contains(nameNodeURL)) { if (logger.isDebugEnabled()) logger.debug("{}Executing secure hdfs check", logPrefix); try { filesystem = FileSystem.newInstance(namenodeURI, hconf); //Make sure no IOExceptions are generated when accessing insecure HDFS. filesystem.listFiles(new Path("/"), false); throw new HDFSIOException( "Gemfire XD HDFS client and HDFS cluster security levels do not match. The configured HDFS Namenode is not secured."); } catch (IOException ex) { secureNameNodes.add(nameNodeURL); } finally { //Close filesystem to avoid resource leak if (filesystem != null) { closeFileSystemIgnoreError(filesystem); } } } } // check to ensure the namenode principal is defined String nameNodePrincipal = hconf.get("dfs.namenode.kerberos.principal"); if (nameNodePrincipal == null) { throw new IOException(LocalizedStrings.GF_KERBEROS_NAMENODE_PRINCIPAL_UNDEF.toLocalizedString()); } // ok, the user specified a gfxd principal so we will try to login if (principal != null) { //If NameNode principal is the same as Gemfire XD principal, there is a //potential security hole String regex = "[/@]"; if (nameNodePrincipal != null) { String HDFSUser = nameNodePrincipal.split(regex)[0]; String GFXDUser = principal.split(regex)[0]; if (HDFSUser.equals(GFXDUser)) { logger.warn( LocalizedMessage.create(LocalizedStrings.HDFS_USER_IS_SAME_AS_GF_USER, GFXDUser)); } } // a keytab must exist if the user specifies a principal if (keyTab == null) { throw new IOException(LocalizedStrings.GF_KERBEROS_KEYTAB_UNDEF.toLocalizedString()); } // the keytab must exist as well File f = new File(keyTab); if (!f.exists()) { throw new FileNotFoundException( LocalizedStrings.GF_KERBEROS_KEYTAB_FILE_ABSENT.toLocalizedString(f.getAbsolutePath())); } //Authenticate Gemfire XD principal to Kerberos KDC using Gemfire XD keytab file String principalWithValidHost = SecurityUtil.getServerPrincipal(principal, ""); UserGroupInformation.loginUserFromKeytab(principalWithValidHost, keyTab); } else { logger.warn(LocalizedMessage.create(LocalizedStrings.GF_KERBEROS_PRINCIPAL_UNDEF)); } } //} filesystem = getFileSystemFactory().create(namenodeURI, hconf, forceNew); if (logger.isDebugEnabled()) { logger.debug("{}Initialized FileSystem linked to " + filesystem.getUri() + " " + filesystem.hashCode(), logPrefix); } return filesystem; }
From source file:com.github.sakserv.minicluster.impl.KdcLocalClusterHBaseIntegrationTest.java
License:Apache License
@Test public void testHBase() throws Exception { UserGroupInformation.loginUserFromKeytab(kdcLocalCluster.getKrbPrincipalWithRealm("hbase"), kdcLocalCluster.getKeytabForPrincipal("hbase")); assertTrue(UserGroupInformation.isSecurityEnabled()); assertTrue(UserGroupInformation.isLoginKeytabBased()); Configuration configuration = hbaseLocalCluster.getHbaseConfiguration(); configuration.set("hbase.client.retries.number", "1"); configuration.set("hbase.client.pause", "1000"); configuration.set("zookeeper.recovery.retry", "1"); // Write data try (Connection connection = ConnectionFactory.createConnection(configuration)) { Admin admin = connection.getAdmin(); TableName tableName = TableName.valueOf("test-kdc"); if (admin.tableExists(tableName)) { admin.disableTable(tableName); admin.deleteTable(tableName); }//from w ww . j a v a 2 s . c o m admin.createTable(new HTableDescriptor(tableName).addFamily(new HColumnDescriptor("cf"))); try (BufferedMutator mutator = connection.getBufferedMutator(tableName)) { mutator.mutate(new Put(Bytes.toBytes("key")).addColumn(Bytes.toBytes("cf"), Bytes.toBytes("col1"), Bytes.toBytes("azerty"))); } } // Log out LOG.info("Logout..."); UserGroupInformation.getLoginUser().logoutUserFromKeytab(); UserGroupInformation.reset(); try { Configuration unauthenticatedConfiguration = HBaseConfiguration.create(); hbaseLocalCluster.configure(unauthenticatedConfiguration); unauthenticatedConfiguration.set("hbase.client.retries.number", "1"); unauthenticatedConfiguration.set("hbase.client.pause", "1000"); unauthenticatedConfiguration.set("zookeeper.recovery.retry", "1"); UserGroupInformation.setConfiguration(unauthenticatedConfiguration); try (Connection connection = ConnectionFactory.createConnection(unauthenticatedConfiguration)) { Admin admin = connection.getAdmin(); TableName tableName = TableName.valueOf("test-kdc2"); if (admin.tableExists(tableName)) { admin.disableTable(tableName); admin.deleteTable(tableName); } try (BufferedMutator mutator = connection.getBufferedMutator(tableName)) { mutator.mutate(new Put(Bytes.toBytes("key")).addColumn(Bytes.toBytes("cf"), Bytes.toBytes("col1"), Bytes.toBytes("azerty"))); } } fail(); } catch (RetriesExhaustedException e) { LOG.info("Alright, this is expected!", e); assertTrue(e.getCause() instanceof IOException); System.out.println("Not authenticated!"); } }
From source file:com.github.sakserv.minicluster.impl.KdcLocalClusterHdfsIntegrationTest.java
License:Apache License
@Test public void testHdfs() throws Exception { FileSystem hdfsFsHandle = hdfsLocalCluster.getHdfsFileSystemHandle(); UserGroupInformation.loginUserFromKeytab(kdcLocalCluster.getKrbPrincipalWithRealm("hdfs"), kdcLocalCluster.getKeytabForPrincipal("hdfs")); assertTrue(UserGroupInformation.isSecurityEnabled()); assertTrue(UserGroupInformation.isLoginKeytabBased()); // Write a file to HDFS containing the test string FSDataOutputStream writer = hdfsFsHandle .create(new Path(propertyParser.getProperty(ConfigVars.HDFS_TEST_FILE_KEY))); writer.writeUTF(propertyParser.getProperty(ConfigVars.HDFS_TEST_STRING_KEY)); writer.close();//w w w. j a v a 2s. c om // Read the file and compare to test string FSDataInputStream reader = hdfsFsHandle .open(new Path(propertyParser.getProperty(ConfigVars.HDFS_TEST_FILE_KEY))); assertEquals(reader.readUTF(), propertyParser.getProperty(ConfigVars.HDFS_TEST_STRING_KEY)); reader.close(); // Log out UserGroupInformation.getLoginUser().logoutUserFromKeytab(); UserGroupInformation.reset(); try { Configuration conf = new Configuration(); UserGroupInformation.setConfiguration(conf); FileSystem.get(hdfsFsHandle.getUri(), conf) .open(new Path(propertyParser.getProperty(ConfigVars.HDFS_TEST_FILE_KEY))); fail(); } catch (AccessControlException e) { LOG.info("Not authenticated!"); } }
From source file:com.huayu.metis.flume.sink.hdfs.HDFSEventSink.java
License:Apache License
/** * Static synchronized method for static Kerberos login. <br/> * Static synchronized due to a thundering herd problem when multiple Sinks * attempt to log in using the same principal at the same time with the * intention of impersonating different users (or even the same user). * If this is not controlled, MIT Kerberos v5 believes it is seeing a replay * attach and it returns:/* w w w . j ava2 s . c o m*/ * <blockquote>Request is a replay (34) - PROCESS_TGS</blockquote> * In addition, since the underlying Hadoop APIs we are using for * impersonation are static, we define this method as static as well. * * @param principal Fully-qualified principal to use for authentication. * @param keytab Location of keytab file containing credentials for principal. * @return Logged-in user * @throws java.io.IOException if login fails. */ private static synchronized UserGroupInformation kerberosLogin(HDFSEventSink sink, String principal, String keytab) throws IOException { // if we are the 2nd user thru the lock, the login should already be // available statically if login was successful UserGroupInformation curUser = null; try { curUser = UserGroupInformation.getLoginUser(); } catch (IOException e) { // not a big deal but this shouldn't typically happen because it will // generally fall back to the UNIX user LOG.debug("Unable to get login user before Kerberos auth attempt.", e); } // we already have logged in successfully if (curUser != null && curUser.getUserName().equals(principal)) { LOG.debug("{}: Using existing principal ({}): {}", new Object[] { sink, principal, curUser }); // no principal found } else { LOG.info("{}: Attempting kerberos login as principal ({}) from keytab " + "file ({})", new Object[] { sink, principal, keytab }); // attempt static kerberos login UserGroupInformation.loginUserFromKeytab(principal, keytab); curUser = UserGroupInformation.getLoginUser(); } return curUser; }
From source file:com.indeed.imhotep.builder.tsv.KerberosUtils.java
License:Apache License
private static void with(String principal, String keytabPath) throws IOException { log.info("Setting keytab file of " + keytabPath + ", and principal to " + principal); checkArgument(!Strings.isNullOrEmpty(principal), "Unable to use a null/empty principal for keytab"); checkArgument(!Strings.isNullOrEmpty(keytabPath), "Unable to use a null/empty keytab path"); // do hostname substitution final String realPrincipal = SecurityUtil.getServerPrincipal(principal, (String) null); // actually login try {//from w w w .j a va 2 s. c o m UserGroupInformation.loginUserFromKeytab(realPrincipal, keytabPath); } catch (IOException e) { checkKnownErrors(realPrincipal, e); throw e; } }