List of usage examples for org.apache.hadoop.security UserGroupInformation loginUserFromKeytabAndReturnUGI
public static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user, String path) throws IOException
From source file:co.cask.cdap.security.impersonation.DefaultUGIProvider.java
License:Apache License
/** * Resolves the {@link UserGroupInformation} for a given user, performing any keytab localization, if necessary. * * @return a {@link UserGroupInformation}, based upon the information configured for a particular user * @throws IOException if there was any IOException during localization of the keytab *///from w w w. j a va 2 s . com @Override protected UserGroupInformation createUGI(ImpersonationInfo impersonationInfo) throws IOException { LOG.debug("Configured impersonation info: {}", impersonationInfo); URI keytabURI = URI.create(impersonationInfo.getKeytabURI()); boolean isKeytabLocal = keytabURI.getScheme() == null || "file".equals(keytabURI.getScheme()); File localKeytabFile = isKeytabLocal ? new File(keytabURI.getPath()) : localizeKeytab(locationFactory.create(keytabURI)); try { String expandedPrincipal = SecurityUtil.expandPrincipal(impersonationInfo.getPrincipal()); LOG.debug("Logging in as: principal={}, keytab={}", expandedPrincipal, localKeytabFile); Preconditions.checkArgument(Files.isReadable(localKeytabFile.toPath()), "Keytab file is not a readable file: %s", localKeytabFile); return UserGroupInformation.loginUserFromKeytabAndReturnUGI(expandedPrincipal, localKeytabFile.getAbsolutePath()); } finally { if (!isKeytabLocal && !localKeytabFile.delete()) { LOG.warn("Failed to delete file: {}", localKeytabFile); } } }
From source file:com.datatorrent.stram.security.StramUserLogin.java
License:Apache License
public static long refreshTokens(long tokenLifeTime, String destinationDir, String destinationFile, final Configuration conf, String hdfsKeyTabFile, final Credentials credentials, final InetSocketAddress rmAddress, final boolean renewRMToken) throws IOException { long expiryTime = System.currentTimeMillis() + tokenLifeTime; //renew tokens final String tokenRenewer = conf.get(YarnConfiguration.RM_PRINCIPAL); if (tokenRenewer == null || tokenRenewer.length() == 0) { throw new IOException("Can't get Master Kerberos principal for the RM to use as renewer"); }/* w w w . j a va 2 s . co m*/ FileSystem fs = FileSystem.newInstance(conf); File keyTabFile; try { keyTabFile = FSUtil.copyToLocalFileSystem(fs, destinationDir, destinationFile, hdfsKeyTabFile, conf); } finally { fs.close(); } UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI( UserGroupInformation.getCurrentUser().getUserName(), keyTabFile.getAbsolutePath()); try { ugi.doAs(new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception { FileSystem fs1 = FileSystem.newInstance(conf); YarnClient yarnClient = null; if (renewRMToken) { yarnClient = YarnClient.createYarnClient(); yarnClient.init(conf); yarnClient.start(); } Credentials creds = new Credentials(); try { fs1.addDelegationTokens(tokenRenewer, creds); if (renewRMToken) { org.apache.hadoop.yarn.api.records.Token rmDelToken = yarnClient .getRMDelegationToken(new Text(tokenRenewer)); Token<RMDelegationTokenIdentifier> rmToken = ConverterUtils.convertFromYarn(rmDelToken, rmAddress); creds.addToken(rmToken.getService(), rmToken); } } finally { fs1.close(); if (renewRMToken) { yarnClient.stop(); } } credentials.addAll(creds); return null; } }); UserGroupInformation.getCurrentUser().addCredentials(credentials); } catch (InterruptedException e) { LOG.error("Error while renewing tokens ", e); expiryTime = System.currentTimeMillis(); } catch (IOException e) { LOG.error("Error while renewing tokens ", e); expiryTime = System.currentTimeMillis(); } LOG.debug("number of tokens: {}", credentials.getAllTokens().size()); Iterator<Token<?>> iter = credentials.getAllTokens().iterator(); while (iter.hasNext()) { Token<?> token = iter.next(); LOG.debug("updated token: {}", token); } keyTabFile.delete(); return expiryTime; }
From source file:com.kappaware.hbtools.common.Utils.java
License:Apache License
public static Configuration buildHBaseConfiguration(HBaseParameters parameters) throws ConfigurationException, IOException { Configuration config = HBaseConfiguration.create(); for (String cf : parameters.getConfigFiles()) { File f = new File(cf); if (!f.canRead()) { throw new ConfigurationException(String.format("Unable to read file '%s'", cf)); }/* w w w . j a va2s . c o m*/ log.debug(String.format("Will load '%s'", cf)); config.addResource(new Path(cf)); } config.set("hbase.client.retries.number", Integer.toString(parameters.getClientRetries())); //config.reloadConfiguration(); if (Utils.hasText(parameters.getDumpConfigFile())) { Utils.dumpConfiguration(config, parameters.getDumpConfigFile()); } if (Utils.hasText(parameters.getKeytab()) && Utils.hasText(parameters.getPrincipal())) { // Check if keytab file exists and is readable File f = new File(parameters.getKeytab()); if (!f.canRead()) { throw new ConfigurationException( String.format("Unable to read keytab file: '%s'", parameters.getKeytab())); } UserGroupInformation.setConfiguration(config); if (!UserGroupInformation.isSecurityEnabled()) { throw new ConfigurationException( "Security is not enabled in core-site.xml while Kerberos principal and keytab are provided."); } try { UserGroupInformation userGroupInformation = UserGroupInformation .loginUserFromKeytabAndReturnUGI(parameters.getPrincipal(), parameters.getKeytab()); UserGroupInformation.setLoginUser(userGroupInformation); } catch (Exception e) { throw new ConfigurationException( String.format("Kerberos: Unable to authenticate with principal='%s' and keytab='%s': %s.", parameters.getPrincipal(), parameters.getKeytab(), e.getMessage())); } } return config; }
From source file:com.thinkbiganalytics.kerberos.KerberosTicketGenerator.java
License:Apache License
public UserGroupInformation generateKerberosTicket(KerberosTicketConfiguration kerberosTicketConfiguration) throws IOException { Configuration config = new Configuration(); String[] resources = kerberosTicketConfiguration.getHadoopConfigurationResources().split(","); for (String resource : resources) { config.addResource(new Path(resource)); }//from w ww . j av a 2s . c o m config.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(config); log.debug("Generating Kerberos ticket for principal: " + kerberosTicketConfiguration.getKerberosPrincipal() + " at key tab location: " + kerberosTicketConfiguration.getKeytabLocation()); return UserGroupInformation.loginUserFromKeytabAndReturnUGI( kerberosTicketConfiguration.getKerberosPrincipal(), kerberosTicketConfiguration.getKeytabLocation()); }
From source file:com.thinkbiganalytics.kerberos.TestKerberosKinit.java
License:Apache License
private static UserGroupInformation generateKerberosTicket(Configuration configuration, String keytabLocation, String principal) throws IOException { System.setProperty("sun.security.krb5.debug", "false"); configuration.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(configuration); System.out.println("Generating Kerberos ticket for principal: " + principal + " at key tab location: " + keytabLocation);// w w w . j a v a 2 s .co m return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabLocation); }
From source file:com.thinkbiganalytics.nifi.security.SecurityUtil.java
License:Apache License
/** * Initializes UserGroupInformation with the given Configuration and performs the login for the given principal * and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying * UserGroupInformation./*from w ww. j av a2s. c om*/ * * @param config the configuration instance * @param principal the principal to authenticate as * @param keyTab the keytab to authenticate with * @return the UGI for the given principal * @throws IOException if login failed */ public static synchronized UserGroupInformation loginKerberos(final Configuration config, final String principal, final String keyTab) throws IOException { Validate.notNull(config); Validate.notNull(principal); Validate.notNull(keyTab); config.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(config); return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal.trim(), keyTab.trim()); }
From source file:com.thinkbiganalytics.nifi.v2.hdfs.AbstractHadoopProcessor.java
License:Apache License
/** * Reset Hadoop Configuration and FileSystem based on the supplied configuration resources. * * @param configResources for configuration * @param dir the target directory * @param context for context, which gives access to the principal * @return An HdfsResources object//from w ww. ja v a 2s .c o m * @throws IOException if unable to access HDFS */ HdfsResources resetHDFSResources(String configResources, String dir, ProcessContext context) throws IOException { // org.apache.hadoop.conf.Configuration saves its current thread context class loader to use for threads that it creates // later to do I/O. We need this class loader to be the NarClassLoader instead of the magical // NarThreadContextClassLoader. ClassLoader savedClassLoader = Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader()); try { Configuration config = getConfigurationFromResources(configResources); // first check for timeout on HDFS connection, because FileSystem has a hard coded 15 minute timeout checkHdfsUriForTimeout(config); // disable caching of Configuration and FileSystem objects, else we cannot reconfigure the processor without a complete // restart String disableCacheName = String.format("fs.%s.impl.disable.cache", FileSystem.getDefaultUri(config).getScheme()); config.set(disableCacheName, "true"); // If kerberos is enabled, create the file system as the kerberos principal // -- use RESOURCE_LOCK to guarantee UserGroupInformation is accessed by only a single thread at at time FileSystem fs = null; UserGroupInformation ugi = null; synchronized (RESOURCES_LOCK) { if (config.get("hadoop.security.authentication").equalsIgnoreCase("kerberos")) { String principal = context.getProperty(kerberosPrincipal).getValue(); String keyTab = context.getProperty(kerberosKeytab).getValue(); UserGroupInformation.setConfiguration(config); ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keyTab); modifyConfig(context, config); fs = getFileSystemAsUser(config, ugi); lastKerberosReloginTime = System.currentTimeMillis() / 1000; } else { config.set("ipc.client.fallback-to-simple-auth-allowed", "true"); config.set("hadoop.security.authentication", "simple"); modifyConfig(context, config); fs = getFileSystem(config); } } getLog().info( "Initialized a new HDFS File System with working dir: {} default block size: {} default replication: {} config: {}", new Object[] { fs.getWorkingDirectory(), fs.getDefaultBlockSize(new Path(dir)), fs.getDefaultReplication(new Path(dir)), config.toString() }); return new HdfsResources(config, fs, ugi); } finally { Thread.currentThread().setContextClassLoader(savedClassLoader); } }
From source file:gobblin.compliance.HiveProxyQueryExecutor.java
License:Apache License
private synchronized void setProxiedConnection(final List<String> proxies) throws IOException, InterruptedException, TException { Preconditions.checkArgument(this.state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION), "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); String superUser = this.state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String keytabLocation = this.state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); String realm = this.state.getProp(ConfigurationKeys.KERBEROS_REALM); UserGroupInformation loginUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI( HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation); loginUser.doAs(new PrivilegedExceptionAction<Void>() { @Override/*from www . j a v a 2 s .com*/ public Void run() throws MetaException, SQLException, ClassNotFoundException { for (String proxy : proxies) { HiveConnection hiveConnection = getHiveConnection(Optional.fromNullable(proxy)); Statement statement = hiveConnection.createStatement(); statementMap.put(proxy, statement); connectionMap.put(proxy, hiveConnection); for (String setting : settings) { statement.execute(setting); } } return null; } }); }
From source file:org.apache.accumulo.core.client.security.tokens.KerberosToken.java
License:Apache License
/** * Creates a token and logs in via {@link UserGroupInformation} using the provided principal and keytab. A key for the principal must exist in the keytab, * otherwise login will fail.// w w w. j a v a2 s .c o m * * @param principal * The Kerberos principal * @param keytab * A keytab file * @param replaceCurrentUser * Should the current Hadoop user be replaced with this user * @deprecated since 1.8.0, @see #KerberosToken(String, File) */ @Deprecated public KerberosToken(String principal, File keytab, boolean replaceCurrentUser) throws IOException { requireNonNull(principal, "Principal was null"); requireNonNull(keytab, "Keytab was null"); checkArgument(keytab.exists() && keytab.isFile(), "Keytab was not a normal file"); UserGroupInformation ugi; if (replaceCurrentUser) { UserGroupInformation.loginUserFromKeytab(principal, keytab.getAbsolutePath()); ugi = UserGroupInformation.getCurrentUser(); } else { ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab.getAbsolutePath()); } this.principal = ugi.getUserName(); this.keytab = keytab; }
From source file:org.apache.accumulo.monitor.rest.trace.TracesResource.java
License:Apache License
protected Pair<Scanner, UserGroupInformation> getScanner() throws AccumuloException, AccumuloSecurityException { AccumuloConfiguration conf = Monitor.getContext().getConfiguration(); final boolean saslEnabled = conf.getBoolean(Property.INSTANCE_RPC_SASL_ENABLED); UserGroupInformation traceUgi = null; final String principal; final AuthenticationToken at; Map<String, String> loginMap = conf.getAllPropertiesWithPrefix(Property.TRACE_TOKEN_PROPERTY_PREFIX); // May be null String keytab = loginMap.get(Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey() + "keytab"); if (keytab == null || keytab.length() == 0) { keytab = conf.getPath(Property.GENERAL_KERBEROS_KEYTAB); }//from ww w .ja va 2 s.c om if (saslEnabled && null != keytab) { principal = SecurityUtil.getServerPrincipal(conf.get(Property.TRACE_USER)); try { traceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab); } catch (IOException e) { throw new RuntimeException("Failed to login as trace user", e); } } else { principal = conf.get(Property.TRACE_USER); } if (!saslEnabled) { if (loginMap.isEmpty()) { Property p = Property.TRACE_PASSWORD; at = new PasswordToken(conf.get(p).getBytes(UTF_8)); } else { Properties props = new Properties(); int prefixLength = Property.TRACE_TOKEN_PROPERTY_PREFIX.getKey().length(); for (Entry<String, String> entry : loginMap.entrySet()) { props.put(entry.getKey().substring(prefixLength), entry.getValue()); } AuthenticationToken token = Property.createInstanceFromPropertyName(conf, Property.TRACE_TOKEN_TYPE, AuthenticationToken.class, new PasswordToken()); token.init(props); at = token; } } else { at = null; } final String table = conf.get(Property.TRACE_TABLE); Scanner scanner; if (null != traceUgi) { try { scanner = traceUgi.doAs(new PrivilegedExceptionAction<Scanner>() { @Override public Scanner run() throws Exception { // Make the KerberosToken inside the doAs AuthenticationToken token = at; if (null == token) { token = new KerberosToken(); } return getScanner(table, principal, token); } }); } catch (IOException | InterruptedException e) { throw new RuntimeException("Failed to obtain scanner", e); } } else { if (null == at) { throw new AssertionError("AuthenticationToken should not be null"); } scanner = getScanner(table, principal, at); } return new Pair<>(scanner, traceUgi); }