Usage examples for org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab
@InterfaceAudience.Public @InterfaceStability.Evolving public static void loginUserFromKeytab(String user, String path) throws IOException
From source file:org.apache.ignite.internal.processors.hadoop.impl.delegate.HadoopKerberosFileSystemFactoryDelegate.java
License:Apache License
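/**
 * Starts the delegate and logs in to Kerberos from the keytab configured on the proxied factory.
 *
 * <p>The keytab path and principal must be non-empty and the relogin interval must not be
 * negative; those checks are delegated to {@code A.ensure}. The interval is stored in
 * {@code reloginInterval} before the login is attempted.
 *
 * @throws IgniteException if the keytab login fails with an {@link IOException}; the message
 *     names the keytab path and the principal, and the original exception is kept as the cause.
 */
@Override
public void start() throws IgniteException {
    super.start();

    KerberosHadoopFileSystemFactory krbFactory = (KerberosHadoopFileSystemFactory) proxy;

    String keyTab = krbFactory.getKeyTab();
    String keyTabPrincipal = krbFactory.getKeyTabPrincipal();
    long interval = krbFactory.getReloginInterval();

    // The previous messages read "cannot not be ...", which states the opposite of the check.
    A.ensure(!F.isEmpty(keyTab), "keyTab cannot be empty.");
    A.ensure(!F.isEmpty(keyTabPrincipal), "keyTabPrincipal cannot be empty.");
    A.ensure(interval >= 0, "reloginInterval cannot be negative.");

    reloginInterval = interval;

    try {
        // Both calls are static: the configuration and the resulting login are not scoped
        // to this delegate instance.
        UserGroupInformation.setConfiguration(cfg);
        UserGroupInformation.loginUserFromKeytab(keyTabPrincipal, keyTab);
    } catch (IOException ioe) {
        // Only the keytab path and the principal name are reported, never keytab contents.
        throw new IgniteException("Failed login from keytab [keyTab=" + keyTab
            + ", keyTabPrincipal=" + keyTabPrincipal + ']', ioe);
    }
}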
From source file:org.apache.metron.rest.config.HadoopConfigTest.java
License:Apache License
/**
 * With Kerberos enabled in the mocked environment, the Configuration built by
 * {@code hadoopConfig.configuration()} must carry the stubbed default filesystem and report
 * "KERBEROS" as its authentication mode.
 */
@Test
public void configurationShouldReturnProperKerberosConfiguration() throws IOException {
    final String keytabValue = "metron keytabLocation";
    final String principalValue = "metron principal";
    final String defaultFs = "default filesystem";

    // Environment stubs: Kerberos on, plus the HDFS URL, keytab and principal properties.
    when(environment.getProperty(MetronRestConstants.KERBEROS_ENABLED_SPRING_PROPERTY, Boolean.class, false))
        .thenReturn(true);
    when(environment.getProperty(MetronRestConstants.HDFS_URL_SPRING_PROPERTY,
        MetronRestConstants.DEFAULT_HDFS_URL)).thenReturn(defaultFs);
    when(environment.getProperty(MetronRestConstants.KERBEROS_KEYTAB_SPRING_PROPERTY))
        .thenReturn(keytabValue);
    when(environment.getProperty(MetronRestConstants.KERBEROS_PRINCIPLE_SPRING_PROPERTY))
        .thenReturn(principalValue);

    Configuration configuration = hadoopConfig.configuration();

    // NOTE(review): if verifyStatic() is PowerMock's, it presumably arms verification for the
    // next static call only, so the loginUserFromKeytab line may not be verified at all - confirm.
    verifyStatic();
    UserGroupInformation.setConfiguration(any(Configuration.class));
    // NOTE(review): loginUserFromKeytab is declared as (user, path), yet the keytab stub value is
    // passed first here - confirm the argument order used by the code under test.
    UserGroupInformation.loginUserFromKeytab(keytabValue, principalValue);

    assertEquals(defaultFs, configuration.get("fs.defaultFS"));
    assertEquals("KERBEROS", configuration.get("hadoop.security.authentication"));
}
From source file:org.apache.metron.rest.config.HadoopConfigTest.java
License:Apache License
/**
 * With Kerberos disabled in the mocked environment, the Configuration built by
 * {@code hadoopConfig.configuration()} must carry the stubbed default filesystem and report
 * "simple" as its authentication mode, and no UserGroupInformation setup is expected.
 */
@Test
public void configurationShouldReturnProperConfiguration() throws IOException {
    final String defaultFs = "default filesystem";

    // Environment stubs: Kerberos off, HDFS URL set.
    when(environment.getProperty(MetronRestConstants.KERBEROS_ENABLED_SPRING_PROPERTY, Boolean.class, false))
        .thenReturn(false);
    when(environment.getProperty(MetronRestConstants.HDFS_URL_SPRING_PROPERTY,
        MetronRestConstants.DEFAULT_HDFS_URL)).thenReturn(defaultFs);

    Configuration configuration = hadoopConfig.configuration();

    // NOTE(review): if verifyStatic(never()) is PowerMock's, it presumably covers the next static
    // call only, so "never logged in" may not actually be asserted by the second line - confirm.
    verifyStatic(never());
    UserGroupInformation.setConfiguration(any(Configuration.class));
    UserGroupInformation.loginUserFromKeytab(anyString(), anyString());

    assertEquals(defaultFs, configuration.get("fs.defaultFS"));
    assertEquals("simple", configuration.get("hadoop.security.authentication"));
}
From source file:org.apache.nifi.atlas.security.Kerberos.java
License:Apache License
/**
 * Creates an Atlas client that runs as the user obtained from a Kerberos keytab login.
 *
 * @param baseUrls the Atlas base URLs handed to the client.
 * @return a client built from the current UserGroupInformation user and {@code baseUrls}.
 * @throws RuntimeException if the keytab login or the current-user lookup fails with an
 *     {@link IOException}; the original exception is kept as the cause.
 */
@Override
public AtlasClientV2 createClient(String[] baseUrls) {
    final Configuration kerberosConf = new Configuration();
    kerberosConf.set("hadoop.security.authentication", "kerberos");
    // Static call: the Kerberos setting applies to UserGroupInformation as a whole, not just
    // to the client created here.
    UserGroupInformation.setConfiguration(kerberosConf);

    final UserGroupInformation loggedIn;
    try {
        // principal and keytab come from fields declared outside this method.
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
        loggedIn = UserGroupInformation.getCurrentUser();
    } catch (IOException loginFailure) {
        throw new RuntimeException("Failed to login with Kerberos due to: " + loginFailure, loginFailure);
    }

    return new AtlasClientV2(loggedIn, null, baseUrls);
}
From source file:org.apache.nifi.hadoop.SecurityUtil.java
License:Apache License
/**
 * Applies the given Configuration to UserGroupInformation and logs in with the supplied principal
 * and keytab. Every login should go through this class so that no other thread modifies
 * UserGroupInformation concurrently; the method is {@code synchronized} for that reason.
 * <p>
 * As of Apache NiFi 1.5.0 the login is done with
 * {@link UserGroupInformation#loginUserFromKeytab(String, String)}, which sets the static
 * <code>loginUser</code> variable of {@link UserGroupInformation}. That variable must be set for
 * {@link org.apache.hadoop.ipc.Client.Connection#handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation)}
 * to attempt a relogin after a connection failure: <code>handleSaslConnectionFailure</code> calls
 * <code>UserGroupInformation.getLoginUser().reloginFromKeytab()</code> statically, which can
 * return null when <code>loginUser</code> is not set, and the Hadoop operation then fails.
 * <p>
 * Earlier NiFi versions used
 * {@link UserGroupInformation#loginUserFromKeytabAndReturnUGI(String, String)}, which does not
 * set <code>loginUser</code>, so
 * {@link org.apache.hadoop.ipc.Client.Connection#handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation)}
 * could not implicitly relogin the principal.
 *
 * @param config the configuration instance
 * @param principal the principal to authenticate as; surrounding whitespace is trimmed
 * @param keyTab the keytab to authenticate with; surrounding whitespace is trimmed
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
        final String principal, final String keyTab) throws IOException {
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    final String trimmedPrincipal = principal.trim();
    final String trimmedKeyTab = keyTab.trim();

    // Both the configuration and the login are static UserGroupInformation state.
    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab(trimmedPrincipal, trimmedKeyTab);

    // NOTE(review): this returns getCurrentUser(), presumably the user that just logged in
    // unless the caller is already running as another user - confirm against callers.
    return UserGroupInformation.getCurrentUser();
}
From source file:org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer.java
License:Apache License
/**
 * Initializes the Ranger base plugin the first time the authorizer is configured; later calls
 * only log that the plugin already exists.
 *
 * <p>When the Ranger Kerberos property equals {@code "true"} (exact, case-sensitive match), the
 * NiFi service principal and keytab location are required and used for a keytab login before the
 * plugin is created.
 *
 * @param configurationContext source of the Ranger property values.
 * @throws AuthorizerCreationException on any failure; every Throwable raised inside the method,
 *     including the missing principal/keytab error, is wrapped with the message
 *     "Error creating RangerBasePlugin".
 */
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext)
        throws AuthorizerCreationException {
    try {
        if (nifiPlugin != null) {
            logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
            return;
        }

        logger.info("RangerNiFiAuthorizer(): initializing base plugin");

        final PropertyValue securityPath = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
        addRequiredResource(RANGER_SECURITY_PATH_PROP, securityPath);

        final PropertyValue auditPath = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
        addRequiredResource(RANGER_AUDIT_PATH_PROP, auditPath);

        final String kerberosFlag = getConfigValue(configurationContext,
                RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
        rangerKerberosEnabled = kerberosFlag.equals(Boolean.TRUE.toString());

        if (rangerKerberosEnabled) {
            // Configure UGI so that RangerAdminRESTClient's call to
            // UserGroupInformation.isSecurityEnabled() sees Kerberos.
            final Configuration kerberosConf = new Configuration();
            kerberosConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
            UserGroupInformation.setConfiguration(kerberosConf);

            // Log in with the NiFi principal and keytab: RangerAdminRESTClient uses Ranger's
            // MiscUtil, which takes UserGroupInformation.getLoginUser() and calls
            // ugi.checkTGTAndReloginFromKeytab().
            final String servicePrincipal = nifiProperties.getKerberosServicePrincipal();
            final String serviceKeytab = nifiProperties.getKerberosServiceKeytabLocation();

            final boolean credentialsMissing =
                    StringUtils.isBlank(servicePrincipal) || StringUtils.isBlank(serviceKeytab);
            if (credentialsMissing) {
                throw new AuthorizerCreationException(
                        "Principal and Keytab must be provided when Kerberos is enabled");
            }

            UserGroupInformation.loginUserFromKeytab(servicePrincipal.trim(), serviceKeytab.trim());
        }

        final String serviceType = getConfigValue(configurationContext,
                RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
        final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);

        nifiPlugin = createRangerBasePlugin(serviceType, appId);
        nifiPlugin.init();

        defaultAuditHandler = new RangerDefaultAuditHandler();
        rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
    } catch (Throwable t) {
        throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
    }
}
From source file:org.apache.nifi.registry.ranger.RangerAuthorizer.java
License:Apache License
/**
 * Resolves the configured user group provider and, on first configuration, initializes the
 * Ranger base plugin; later calls only log that the plugin already exists.
 *
 * <p>When the Ranger Kerberos property parses as {@code true}, the registry service principal
 * and keytab location are required and used for a keytab login before the plugin is created.
 *
 * @param configurationContext source of the authorizer property values.
 * @throws SecurityProviderCreationException if the user group provider key is empty or cannot
 *     be resolved, or if plugin initialization fails; every Throwable raised during
 *     initialization, including the missing principal/keytab error, is wrapped with the message
 *     "Error creating RangerBasePlugin".
 */
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext)
        throws SecurityProviderCreationException {
    final String providerKey = configurationContext.getProperty(USER_GROUP_PROVIDER).getValue();
    if (StringUtils.isEmpty(providerKey)) {
        throw new SecurityProviderCreationException(USER_GROUP_PROVIDER + " must be specified.");
    }

    // The access policy provider needs a user group provider to work with.
    userGroupProvider = userGroupProviderLookup.getUserGroupProvider(providerKey);
    if (userGroupProvider == null) {
        throw new SecurityProviderCreationException(
                String.format("Unable to locate configured User Group Provider: %s", providerKey));
    }

    try {
        if (rangerPlugin != null) {
            logger.info("base plugin already initialized");
            return;
        }

        logger.info("initializing base plugin");

        final PropertyValue securityPath = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
        addRequiredResource(RANGER_SECURITY_PATH_PROP, securityPath);

        final PropertyValue auditPath = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
        addRequiredResource(RANGER_AUDIT_PATH_PROP, auditPath);

        final boolean kerberosEnabled = Boolean.parseBoolean(getConfigValue(configurationContext,
                RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString()));

        if (kerberosEnabled) {
            // Configure UGI so that RangerAdminRESTClient's call to
            // UserGroupInformation.isSecurityEnabled() sees Kerberos.
            final Configuration kerberosConf = new Configuration();
            kerberosConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
            UserGroupInformation.setConfiguration(kerberosConf);

            // Log in with the NiFi Registry principal and keytab: RangerAdminRESTClient uses
            // Ranger's MiscUtil, which takes UserGroupInformation.getLoginUser() and calls
            // ugi.checkTGTAndReloginFromKeytab().
            final String servicePrincipal = registryProperties.getKerberosServicePrincipal();
            final String serviceKeytab = registryProperties.getKerberosServiceKeytabLocation();

            final boolean credentialsMissing =
                    StringUtils.isBlank(servicePrincipal) || StringUtils.isBlank(serviceKeytab);
            if (credentialsMissing) {
                throw new SecurityProviderCreationException(
                        "Principal and Keytab must be provided when Kerberos is enabled");
            }

            UserGroupInformation.loginUserFromKeytab(servicePrincipal.trim(), serviceKeytab.trim());
        }

        final String serviceType = getConfigValue(configurationContext,
                RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
        final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);

        rangerPlugin = createRangerBasePlugin(serviceType, appId);
        rangerPlugin.init();

        defaultAuditHandler = new RangerDefaultAuditHandler();
        rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
    } catch (Throwable t) {
        throw new SecurityProviderCreationException("Error creating RangerBasePlugin", t);
    }
}
From source file:org.apache.omid.tools.hbase.HBaseLogin.java
License:Apache License
/**
 * Logs in from the configured keytab when Hadoop security is enabled, then returns the current
 * user.
 *
 * <p>With security disabled no login is attempted and the current user is returned as is.
 *
 * @param config supplies the Kerberos principal and the keytab path.
 * @return the user reported by {@link UserGroupInformation#getCurrentUser()}.
 * @throws IOException declared for the keytab login and the current-user lookup.
 */
public static UserGroupInformation loginIfNeeded(SecureHBaseConfig config) throws IOException {
    if (!UserGroupInformation.isSecurityEnabled()) {
        return UserGroupInformation.getCurrentUser();
    }

    // The INFO line records the principal name and the keytab path; the keytab's contents are
    // never read or logged here.
    LOG.info("Security is enabled, logging in with principal={}, keytab={}",
            config.getPrincipal(), config.getKeytab());
    UserGroupInformation.loginUserFromKeytab(config.getPrincipal(), config.getKeytab());

    return UserGroupInformation.getCurrentUser();
}
From source file:org.apache.oozie.service.HadoopAccessorService.java
License:Apache License
/**
 * Logs the Oozie server in to Kerberos from the keytab named in the service configuration.
 *
 * <p>The keytab path and the resolved principal must both be non-empty. The principal is
 * resolved through {@code SecurityUtil.getServerPrincipal} from the configured value (default
 * {@code "oozie/localhost@LOCALHOST"}) and the local canonical host name.
 *
 * @param serviceConf the service configuration holding the keytab and principal settings.
 * @throws ServiceException with {@code E0026} when the keytab or principal is empty, or with
 *     {@code E0100} wrapping any other exception raised during the login.
 */
private void kerberosInit(Configuration serviceConf) throws ServiceException {
    try {
        final String keytabFile = ConfigurationService.get(serviceConf, KERBEROS_KEYTAB).trim();
        if (keytabFile.isEmpty()) {
            throw new ServiceException(ErrorCode.E0026, KERBEROS_KEYTAB);
        }

        // NOTE(review): the default principal looks like a placeholder; deployments presumably
        // override KERBEROS_PRINCIPAL - confirm.
        final String configuredPrincipal = serviceConf.get(KERBEROS_PRINCIPAL, "oozie/localhost@LOCALHOST");
        final String canonicalHost = InetAddress.getLocalHost().getCanonicalHostName();
        final String principal = SecurityUtil.getServerPrincipal(configuredPrincipal, canonicalHost);
        if (principal.isEmpty()) {
            throw new ServiceException(ErrorCode.E0026, KERBEROS_PRINCIPAL);
        }

        // Static calls: the Kerberos setting and the login apply to UserGroupInformation as a
        // whole, not to this service instance only.
        final Configuration kerberosConf = new Configuration();
        kerberosConf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(kerberosConf);
        UserGroupInformation.loginUserFromKeytab(principal, keytabFile);

        // Records the keytab path and principal name only.
        LOG.info("Got Kerberos ticket, keytab [{0}], Oozie principal principal [{1}]", keytabFile, principal);
    } catch (ServiceException serviceFailure) {
        // Already carries the right error code; pass it through unchanged.
        throw serviceFailure;
    } catch (Exception other) {
        throw new ServiceException(ErrorCode.E0100, getClass().getName(), other.getMessage(), other);
    }
}
From source file:org.apache.oozie.service.KerberosHadoopAccessorService.java
License:Open Source License
/**
 * Initializes Hadoop authentication for the service.
 *
 * <p>Kerberos is on unless {@code KERBEROS_AUTH_ENABLED} is set to false. When on, the service
 * logs in from a keytab (default path {@code <user.home>/oozie.keytab}) with the configured
 * principal (default {@code "oozie/localhost@LOCALHOST"}); when off, UserGroupInformation is
 * configured for "simple" authentication. The local realm and the user-to-UGI map are set up in
 * both cases.
 *
 * @param serviceConf the service configuration.
 * @throws ServiceException with {@code E0026} when the keytab or principal is empty, or with
 *     {@code E0100} wrapping any other exception raised during the Kerberos login.
 */
public void init(Configuration serviceConf) throws ServiceException {
    final boolean kerberosAuthOn = serviceConf.getBoolean(KERBEROS_AUTH_ENABLED, true);
    final String authState = kerberosAuthOn ? "enabled" : "disabled";
    XLog.getLog(getClass()).info("Oozie Kerberos Authentication [{0}]", authState);

    if (!kerberosAuthOn) {
        final Configuration simpleConf = new Configuration();
        simpleConf.set("hadoop.security.authentication", "simple");
        UserGroupInformation.setConfiguration(simpleConf);
    } else {
        try {
            final String defaultKeytab = System.getProperty("user.home") + "/oozie.keytab";
            final String keytabFile = serviceConf.get(KERBEROS_KEYTAB, defaultKeytab).trim();
            if (keytabFile.isEmpty()) {
                throw new ServiceException(ErrorCode.E0026, KERBEROS_KEYTAB);
            }

            // NOTE(review): the default principal looks like a placeholder; deployments
            // presumably override KERBEROS_PRINCIPAL - confirm.
            final String principal = serviceConf.get(KERBEROS_PRINCIPAL, "oozie/localhost@LOCALHOST");
            if (principal.isEmpty()) {
                throw new ServiceException(ErrorCode.E0026, KERBEROS_PRINCIPAL);
            }

            // Static calls: the Kerberos setting and the login apply to UserGroupInformation
            // as a whole, not to this service instance only.
            final Configuration kerberosConf = new Configuration();
            kerberosConf.set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.setConfiguration(kerberosConf);
            UserGroupInformation.loginUserFromKeytab(principal, keytabFile);

            // Records the keytab path and principal name only.
            XLog.getLog(getClass()).info("Got Kerberos ticket, keytab [{0}], Oozie principal principal [{1}]",
                    keytabFile, principal);
        } catch (ServiceException serviceFailure) {
            // Already carries the right error code; pass it through unchanged.
            throw serviceFailure;
        } catch (Exception other) {
            throw new ServiceException(ErrorCode.E0100, getClass().getName(), other.getMessage(), other);
        }
    }

    localRealm = serviceConf.get("local.realm");
    userUgiMap = new ConcurrentHashMap<String, UserGroupInformation>();
}