List of usage examples for org.apache.hadoop.security UserGroupInformation loginUserFromKeytab
@InterfaceAudience.Public @InterfaceStability.Evolving public static void loginUserFromKeytab(String user, String path) throws IOException
From source file:com.kakao.hbase.common.HBaseClient.java
License:Apache License
private static synchronized void login(Args args, Configuration conf) throws Exception { if (args.has(Args.OPTION_DEBUG)) { System.setProperty("sun.security.krb5.debug", "true"); System.setProperty("sun.security.spnego.debug", "true"); }// w ww .ja v a2 s . c o m System.setProperty("java.security.auth.login.config", createJaasConfigFile(args, "hbase-client.jaas")); System.setProperty("java.security.krb5.conf", kerberosConfigFile(args)); Config krbConfig = Config.getInstance(); final String realm; if (args.has(Args.OPTION_REALM)) { realm = (String) args.valueOf(Args.OPTION_REALM); System.setProperty("java.security.krb5.realm", realm); System.setProperty("java.security.krb5.kdc", krbConfig.getKDCList(realm)); Config.refresh(); } else { realm = krbConfig.getDefaultRealm(); } updateConf(conf, realm); if (args.has(Args.OPTION_KEY_TAB)) { UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(principal(args), (String) args.valueOf(Args.OPTION_KEY_TAB)); } else if (args.has(Args.OPTION_KEY_TAB_SHORT)) { UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(principal(args), (String) args.valueOf(Args.OPTION_KEY_TAB_SHORT)); } else { loginWithPassword(args, conf); } UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); System.out.println(currentUser + "\n"); }
From source file:com.linkedin.drelephant.security.HadoopSecurity.java
License:Apache License
public void checkLogin() throws IOException { if (_loginUser == null) { logger.info("No login user. Creating login user"); logger.info("Logging with " + _keytabUser + " and " + _keytabLocation); UserGroupInformation.loginUserFromKeytab(_keytabUser, _keytabLocation); _loginUser = UserGroupInformation.getLoginUser(); logger.info("Logged in with user " + _loginUser); if (UserGroupInformation.isLoginKeytabBased()) { logger.info("Login is keytab based"); } else {// w ww . j av a2 s. c o m logger.info("Login is not keytab based"); } } else { _loginUser.checkTGTAndReloginFromKeytab(); } }
From source file:com.linkedin.pinot.common.segment.fetcher.HdfsSegmentFetcher.java
License:Apache License
private void authenticate(Configuration hadoopConf, org.apache.commons.configuration.Configuration configs) { String principal = configs.getString(PRINCIPLE); String keytab = configs.getString(KEYTAB); if (!Strings.isNullOrEmpty(principal) && !Strings.isNullOrEmpty(keytab)) { UserGroupInformation.setConfiguration(hadoopConf); if (UserGroupInformation.isSecurityEnabled()) { try { if (!UserGroupInformation.getCurrentUser().hasKerberosCredentials() || !UserGroupInformation.getCurrentUser().getUserName().equals(principal)) { LOGGER.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytab); UserGroupInformation.loginUserFromKeytab(principal, keytab); }/*w w w . j a va 2 s .c o m*/ } catch (IOException e) { throw new RuntimeException(String.format( "Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab), e); } } } }
From source file:com.linkedin.pinot.filesystem.HadoopPinotFS.java
License:Apache License
private void authenticate(org.apache.hadoop.conf.Configuration hadoopConf, org.apache.commons.configuration.Configuration configs) { String principal = configs.getString(PRINCIPAL); String keytab = configs.getString(KEYTAB); if (!Strings.isNullOrEmpty(principal) && !Strings.isNullOrEmpty(keytab)) { UserGroupInformation.setConfiguration(hadoopConf); if (UserGroupInformation.isSecurityEnabled()) { try { if (!UserGroupInformation.getCurrentUser().hasKerberosCredentials() || !UserGroupInformation.getCurrentUser().getUserName().equals(principal)) { LOGGER.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytab); UserGroupInformation.loginUserFromKeytab(principal, keytab); }//from w w w . j av a 2 s.com } catch (IOException e) { throw new RuntimeException(String.format( "Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab), e); } } } }
From source file:com.thinkbiganalytics.nifi.security.ApplySecurityPolicy.java
License:Apache License
public boolean validateUserWithKerberos(ComponentLog loggerInstance, String HadoopConfigurationResources, String Principal, String KeyTab) throws Exception { ClassLoader savedClassLoader = Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader()); try {//from ww w. ja v a2 s . c om loggerInstance.info("Start of hadoop configuration read"); Configuration config = getConfigurationFromResources(HadoopConfigurationResources); config.set("hadoop.security.authentication", "Kerberos"); loggerInstance.info("End of hadoop configuration read"); // first check for timeout on HDFS connection, because FileSystem has a hard coded 15 minute timeout loggerInstance.info("Start of HDFS timeout check"); checkHdfsUriForTimeout(config); loggerInstance.info("End of HDFS timeout check"); // disable caching of Configuration and FileSystem objects, else we cannot reconfigure the processor without a complete // restart String disableCacheName = String.format("fs.%s.impl.disable.cache", FileSystem.getDefaultUri(config).getScheme()); // If kerberos is enabled, create the file system as the kerberos principal // -- use RESOURCE_LOCK to guarantee UserGroupInformation is accessed by only a single thread at at time FileSystem fs; UserGroupInformation ugi; synchronized (RESOURCES_LOCK) { if (SecurityUtil.isSecurityEnabled(config)) { loggerInstance.info("Start of Kerberos Security Check"); UserGroupInformation.setConfiguration(config); UserGroupInformation.loginUserFromKeytab(Principal, KeyTab); loggerInstance.info("End of Kerberos Security Check"); } else { config.set("ipc.client.fallback-to-simple-auth-allowed", "true"); config.set("hadoop.security.authentication", "simple"); ugi = SecurityUtil.loginSimple(config); fs = getFileSystemAsUser(config, ugi); } } config.set(disableCacheName, "true"); return true; } catch (Exception e) { loggerInstance.error("Unable to validate user : " + e.getMessage()); return false; } finally { Thread.currentThread().setContextClassLoader(savedClassLoader); } }
From source file:com.yahoo.omid.committable.hbase.HBaseLogin.java
License:Apache License
public static UserGroupInformation loginIfNeeded(Config config) throws IOException { if (UserGroupInformation.isSecurityEnabled()) { LOG.info("Security is enabled, logging in with principal={}, keytab={}", config.getPrincipal(), config.getKeytab());/*from w w w. jav a 2 s . com*/ UserGroupInformation.loginUserFromKeytab(config.getPrincipal(), config.getKeytab()); } return UserGroupInformation.getCurrentUser(); }
From source file:com.yahoo.ycsb.db.HBaseClient10.java
License:Apache License
/** * Initialize any state for this DB. Called once per DB instance; there is one * DB instance per client thread.//from w ww . j a v a 2 s.co m */ @Override public void init() throws DBException { if ("true".equals(getProperties().getProperty("clientbuffering", "false"))) { this.clientSideBuffering = true; } if (getProperties().containsKey("writebuffersize")) { writeBufferSize = Long.parseLong(getProperties().getProperty("writebuffersize")); } if (getProperties().getProperty("durability") != null) { this.durability = Durability.valueOf(getProperties().getProperty("durability")); } if ("kerberos".equalsIgnoreCase(config.get("hbase.security.authentication"))) { config.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(config); } if ((getProperties().getProperty("principal") != null) && (getProperties().getProperty("keytab") != null)) { try { UserGroupInformation.loginUserFromKeytab(getProperties().getProperty("principal"), getProperties().getProperty("keytab")); } catch (IOException e) { System.err.println("Keytab file is not readable or not found"); throw new DBException(e); } } try { threadCount.getAndIncrement(); synchronized (CONNECTION_LOCK) { if (connection == null) { // Initialize if not set up already. connection = ConnectionFactory.createConnection(config); } } } catch (java.io.IOException e) { throw new DBException(e); } if ((getProperties().getProperty("debug") != null) && (getProperties().getProperty("debug").compareTo("true") == 0)) { debug = true; } if ("false".equals(getProperties().getProperty("hbase.usepagefilter", "true"))) { usePageFilter = false; } columnFamily = getProperties().getProperty("columnfamily"); if (columnFamily == null) { System.err.println("Error, must specify a columnfamily for HBase table"); throw new DBException("No columnfamily specified"); } columnFamilyBytes = Bytes.toBytes(columnFamily); // Terminate right now if table does not exist, since the client // will not propagate this error upstream once the workload // starts. String table = com.yahoo.ycsb.workloads.CoreWorkload.table; try { final TableName tName = TableName.valueOf(table); synchronized (CONNECTION_LOCK) { connection.getTable(tName).getTableDescriptor(); } } catch (IOException e) { throw new DBException(e); } }
From source file:gobblin.compliance.purger.HivePurgerPublisher.java
License:Apache License
public void initHiveMetastoreClient() throws Exception { if (this.state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION)) { String superUser = this.state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String realm = this.state.getProp(ConfigurationKeys.KERBEROS_REALM); String keytabLocation = this.state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); log.info("Establishing MetastoreClient connection using " + keytabLocation); UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation);/*from w w w . j a v a 2 s . c om*/ UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); loginUser.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws TException { HivePurgerPublisher.this.client = new HiveMetaStoreClient(new HiveConf()); return null; } }); } else { HivePurgerPublisher.this.client = new HiveMetaStoreClient(new HiveConf()); } }
From source file:gobblin.compliance.utils.ProxyUtils.java
License:Apache License
public static void cancelTokens(State state) throws IOException, InterruptedException, TException { Preconditions.checkArgument(state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION), "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); Preconditions.checkArgument(state.contains(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER), "Missing required property " + ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); Preconditions.checkArgument(state.contains(ConfigurationKeys.KERBEROS_REALM), "Missing required property " + ConfigurationKeys.KERBEROS_REALM); String superUser = state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String keytabLocation = state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); String realm = state.getProp(ConfigurationKeys.KERBEROS_REALM); UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation);//w w w .ja v a 2 s. c om UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); Credentials credentials = realUser.getCredentials(); for (Token<?> token : credentials.getAllTokens()) { if (token.getKind().equals(DelegationTokenIdentifier.HIVE_DELEGATION_KIND)) { log.info("Cancelling hive token"); HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(new HiveConf()); hiveClient.cancelDelegationToken(token.encodeToUrlString()); } } }
From source file:gobblin.hadoop.token.TokenUtils.java
License:Open Source License
/** * Get Hadoop tokens (tokens for job history server, job tracker and HDFS) using Kerberos keytab. * * @param state A {@link State} object that should contain property {@link #USER_TO_PROXY}, * {@link #KEYTAB_USER} and {@link #KEYTAB_LOCATION}. To obtain tokens for * other namenodes, use property {@link #OTHER_NAMENODES} with comma separated HDFS URIs. * @return A {@link File} containing the negotiated credentials. *///from w ww .j ava2s . c o m public static File getHadoopTokens(final State state) throws IOException, InterruptedException { Preconditions.checkArgument(state.contains(KEYTAB_USER), "Missing required property " + KEYTAB_USER); Preconditions.checkArgument(state.contains(KEYTAB_LOCATION), "Missing required property " + KEYTAB_LOCATION); Configuration configuration = new Configuration(); configuration.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS); UserGroupInformation.setConfiguration(configuration); UserGroupInformation.loginUserFromKeytab(state.getProp(KEYTAB_USER), state.getProp(KEYTAB_LOCATION)); final Optional<String> userToProxy = Strings.isNullOrEmpty(state.getProp(USER_TO_PROXY)) ? Optional.<String>absent() : Optional.fromNullable(state.getProp(USER_TO_PROXY)); final Configuration conf = new Configuration(); final Credentials cred = new Credentials(); LOG.info("Getting tokens for " + userToProxy); getJhToken(conf, cred); getFsAndJtTokens(state, conf, userToProxy, cred); File tokenFile = File.createTempFile("mr-azkaban", ".token"); persistTokens(cred, tokenFile); return tokenFile; }