List of usage examples for org.apache.hadoop.security UserGroupInformation setConfiguration
@InterfaceAudience.Public @InterfaceStability.Evolving public static void setConfiguration(Configuration conf)
From source file:org.apache.falcon.security.AuthenticationInitializationService.java
License:Apache License
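/**
 * Starts Falcon's authentication layer for the configured security mode.
 *
 * <p>When security is enabled this performs the Kerberos keytab login and then
 * schedules a recurring {@code TokenValidationThread}. Otherwise it switches
 * Hadoop's {@code UserGroupInformation} to "simple" authentication.
 *
 * @throws FalconException if the Kerberos login fails, or if the startup property
 *         {@code AUTH_TOKEN_VALIDITY_SECONDS} is not a long greater than 100
 */
@Override
public void init() throws FalconException {
    if (SecurityUtil.isSecurityEnabled()) {
        LOG.info("Falcon Kerberos Authentication Enabled!");
        initializeKerberos();

        String authTokenValidity = StartupProperties.get().getProperty(AUTH_TOKEN_VALIDITY_SECONDS);
        long validateFrequency;
        try {
            // -100 so that revalidation is done before expiry.
            validateFrequency = (StringUtils.isNotEmpty(authTokenValidity))
                    ? (Long.parseLong(authTokenValidity) - 100)
                    : DEFAULT_VALIDATE_FREQUENCY_SECS;
            // Reject zero as well as negatives: a configured value of exactly 100 gives a
            // period of 0, which contradicts the "greater than 100" message below and
            // (assuming `timer` is a java.util.Timer) makes schedule() throw an unchecked
            // IllegalArgumentException instead of a clear FalconException.
            if (validateFrequency <= 0) {
                throw new NumberFormatException("Value provided for startup property \""
                        + AUTH_TOKEN_VALIDITY_SECONDS + "\" should be greater than 100.");
            }
        } catch (NumberFormatException nfe) {
            throw new FalconException("Invalid value provided for startup property \""
                    + AUTH_TOKEN_VALIDITY_SECONDS + "\", please provide a valid long number", nfe);
        }
        // Timer periods are in milliseconds; the property is expressed in seconds.
        timer.schedule(new TokenValidationThread(), 0, validateFrequency * 1000);
    } else {
        LOG.info("Falcon Simple Authentication Enabled!");
        // UserGroupInformation.setConfiguration is static, so this choice applies to the
        // whole JVM. In Hadoop's "simple" mode user identities are asserted rather than
        // cryptographically verified, so this branch is only appropriate where every
        // caller is already trusted.
        Configuration ugiConf = new Configuration();
        ugiConf.set("hadoop.security.authentication", "simple");
        UserGroupInformation.setConfiguration(ugiConf);
    }
}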
From source file:org.apache.falcon.security.AuthenticationInitializationService.java
License:Apache License
/**
 * Logs the Falcon service in to Kerberos using the principal and keytab named
 * in the startup properties.
 *
 * <p>Both properties are mandatory and the keytab is passed through
 * {@code checkIsReadable} before the login is attempted. The Hadoop
 * {@code UserGroupInformation} configuration is switched to "kerberos" for the
 * whole JVM, because {@code setConfiguration} is static.
 *
 * @throws FalconException wrapping any failure (missing property, keytab check, login error)
 */
protected static void initializeKerberos() throws FalconException {
    try {
        final Properties startupProps = StartupProperties.get();

        final String configuredPrincipal = startupProps.getProperty(KERBEROS_PRINCIPAL);
        Validate.notEmpty(configuredPrincipal,
                "Missing required configuration property: " + KERBEROS_PRINCIPAL);
        // Resolve the configured principal against this machine's host name.
        final String principal = org.apache.hadoop.security.SecurityUtil.getServerPrincipal(
                configuredPrincipal, SecurityUtil.getLocalHostName());

        final String keytabFilePath = startupProps.getProperty(KERBEROS_KEYTAB);
        Validate.notEmpty(keytabFilePath,
                "Missing required configuration property: " + KERBEROS_KEYTAB);
        // NOTE(review): the keytab holds the service's long-term key; checkIsReadable is
        // defined elsewhere, so confirm separately that the file is not readable by
        // other OS accounts.
        checkIsReadable(keytabFilePath);

        final Configuration hadoopConf = new Configuration();
        hadoopConf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(hadoopConf);
        UserGroupInformation.loginUserFromKeytab(principal, keytabFilePath);

        // Only the keytab location and principal name are logged, never key material.
        LOG.info("Got Kerberos ticket, keytab: {}, Falcon principal: {}", keytabFilePath, principal);
    } catch (Exception ex) {
        throw new FalconException("Could not initialize " + SERVICE_NAME + ": " + ex.getMessage(), ex);
    }
}
From source file:org.apache.falcon.security.BasicAuthFilterTest.java
License:Apache License
/**
 * With Kerberos enabled, a principal configured as {@code falcon/_HOST@Example.com}
 * must reach the filter configuration with {@code _HOST} replaced by the local host name.
 */
@Test
public void testGetKerberosPrincipalWithSubstitutedHostSecure() throws Exception {
    final String savedPrincipal = StartupProperties.get().getProperty(BasicAuthFilter.KERBEROS_PRINCIPAL);
    final String expectedPrincipal = "falcon/" + SecurityUtil.getLocalHostName() + "@Example.com";
    try {
        // setConfiguration is static: the "kerberos" mode chosen here stays in effect
        // for the JVM after this test, as only the startup property is restored below.
        final Configuration kerberosConf = new Configuration(false);
        kerberosConf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(kerberosConf);
        Assert.assertTrue(UserGroupInformation.isSecurityEnabled());

        StartupProperties.get().setProperty(BasicAuthFilter.KERBEROS_PRINCIPAL, "falcon/_HOST@Example.com");

        final BasicAuthFilter authFilter = new BasicAuthFilter();
        final Properties filterProps = authFilter.getConfiguration(BasicAuthFilter.FALCON_PREFIX, null);
        final Object resolvedPrincipal = filterProps.get(KerberosAuthenticationHandler.PRINCIPAL);
        Assert.assertEquals(resolvedPrincipal, expectedPrincipal);
    } finally {
        // Put the original principal back so later tests see unmodified startup properties.
        StartupProperties.get().setProperty(BasicAuthFilter.KERBEROS_PRINCIPAL, savedPrincipal);
    }
}
From source file:org.apache.falcon.security.BasicAuthFilterTest.java
License:Apache License
/**
 * With "simple" authentication the filter configuration must carry the principal
 * exactly as it appears in the startup properties.
 */
@Test
public void testGetKerberosPrincipalWithSubstitutedHostNonSecure() throws Exception {
    final String configuredPrincipal = StartupProperties.get().getProperty(BasicAuthFilter.KERBEROS_PRINCIPAL);

    // setConfiguration is static, so this switches the whole JVM to "simple" mode.
    final Configuration simpleConf = new Configuration(false);
    simpleConf.set("hadoop.security.authentication", "simple");
    UserGroupInformation.setConfiguration(simpleConf);
    Assert.assertFalse(UserGroupInformation.isSecurityEnabled());

    final BasicAuthFilter authFilter = new BasicAuthFilter();
    final Properties filterProps = authFilter.getConfiguration(BasicAuthFilter.FALCON_PREFIX, null);
    final Object reportedPrincipal = filterProps.get(KerberosAuthenticationHandler.PRINCIPAL);
    Assert.assertEquals(reportedPrincipal, configuredPrincipal);
}
From source file:org.apache.falcon.security.FalconAuthenticationFilterTest.java
License:Apache License
/**
 * With Kerberos enabled, a principal configured as {@code falcon/_HOST@Example.com}
 * must reach the filter configuration with {@code _HOST} replaced by the
 * lower-cased local host name.
 */
@Test
public void testGetKerberosPrincipalWithSubstitutedHostSecure() throws Exception {
    final String savedPrincipal =
            StartupProperties.get().getProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL);
    final String expectedPrincipal =
            "falcon/" + SecurityUtil.getLocalHostName().toLowerCase() + "@Example.com";
    try {
        // setConfiguration is static: the "kerberos" mode chosen here stays in effect
        // for the JVM after this test, as only the startup property is restored below.
        final Configuration kerberosConf = new Configuration(false);
        kerberosConf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(kerberosConf);
        Assert.assertTrue(UserGroupInformation.isSecurityEnabled());

        StartupProperties.get().setProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL,
                "falcon/_HOST@Example.com");

        final FalconAuthenticationFilter authFilter = new FalconAuthenticationFilter();
        final Properties filterProps =
                authFilter.getConfiguration(FalconAuthenticationFilter.FALCON_PREFIX, null);
        final Object resolvedPrincipal = filterProps.get(KerberosAuthenticationHandler.PRINCIPAL);
        Assert.assertEquals(resolvedPrincipal, expectedPrincipal);
    } finally {
        // Put the original principal back so later tests see unmodified startup properties.
        StartupProperties.get().setProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL, savedPrincipal);
    }
}
From source file:org.apache.falcon.security.FalconAuthenticationFilterTest.java
License:Apache License
/**
 * With "simple" authentication the filter configuration must carry the principal
 * exactly as it appears in the startup properties.
 */
@Test
public void testGetKerberosPrincipalWithSubstitutedHostNonSecure() throws Exception {
    final String configuredPrincipal =
            StartupProperties.get().getProperty(FalconAuthenticationFilter.KERBEROS_PRINCIPAL);

    // setConfiguration is static, so this switches the whole JVM to "simple" mode.
    final Configuration simpleConf = new Configuration(false);
    simpleConf.set("hadoop.security.authentication", "simple");
    UserGroupInformation.setConfiguration(simpleConf);
    Assert.assertFalse(UserGroupInformation.isSecurityEnabled());

    final FalconAuthenticationFilter authFilter = new FalconAuthenticationFilter();
    final Properties filterProps =
            authFilter.getConfiguration(FalconAuthenticationFilter.FALCON_PREFIX, null);
    final Object reportedPrincipal = filterProps.get(KerberosAuthenticationHandler.PRINCIPAL);
    Assert.assertEquals(reportedPrincipal, configuredPrincipal);
}
From source file:org.apache.flink.runtime.security.modules.HadoopModule.java
License:Apache License
/**
 * Establishes the Hadoop login user for this process.
 *
 * <p>If Hadoop security is enabled and both a keytab and a principal are configured,
 * the login is made from the keytab and any tokens in the file named by the
 * {@code HADOOP_TOKEN_FILE_LOCATION} environment variable are added. Otherwise the
 * login falls back to the current user's credentials (e.g. ticket cache, OS login).
 *
 * @param securityConfig supplies the Hadoop configuration, keytab, principal and ticket-cache flag
 * @throws SecurityInstallException wrapping anything thrown while logging in
 */
@Override
public void install(SecurityUtils.SecurityConfiguration securityConfig) throws SecurityInstallException {
    // Static call: the Hadoop security configuration applies to the whole JVM.
    UserGroupInformation.setConfiguration(securityConfig.getHadoopConfiguration());

    try {
        final boolean keytabLogin = UserGroupInformation.isSecurityEnabled()
                && !StringUtils.isBlank(securityConfig.getKeytab())
                && !StringUtils.isBlank(securityConfig.getPrincipal());

        if (keytabLogin) {
            final String absoluteKeytab = (new File(securityConfig.getKeytab())).getAbsolutePath();
            UserGroupInformation.loginUserFromKeytab(securityConfig.getPrincipal(), absoluteKeytab);
            loginUser = UserGroupInformation.getLoginUser();

            // Supplement the login with any tokens available in the token storage file.
            // NOTE(review): the file path comes from the process environment and its
            // contents become credentials of the login user - confirm that both are
            // controlled by the deployment.
            final String tokenFile = System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
            if (tokenFile != null) {
                // Reflection is used because these APIs are not available in the Hadoop1
                // profile. The direct equivalent would be:
                //   Credentials cred = Credentials.readTokenStorageFile(new File(fileLocation), config.hadoopConf);
                //   loginUser.addCredentials(cred);
                try {
                    final Method readTokens = Credentials.class.getMethod("readTokenStorageFile",
                            File.class, org.apache.hadoop.conf.Configuration.class);
                    final Credentials storedCredentials = (Credentials) readTokens.invoke(null,
                            new File(tokenFile), securityConfig.getHadoopConfiguration());
                    final Method addCredentials =
                            UserGroupInformation.class.getMethod("addCredentials", Credentials.class);
                    addCredentials.invoke(loginUser, storedCredentials);
                } catch (NoSuchMethodException e) {
                    LOG.warn("Could not find method implementations in the shaded jar. Exception: {}", e);
                } catch (InvocationTargetException e) {
                    // Surface the real failure rather than the reflection wrapper.
                    throw e.getTargetException();
                }
            }
        } else {
            // Login with current user credentials (e.g. ticket cache, OS login).
            // Note that the stored tokens are read automatically.
            try {
                // Reflective form of UserGroupInformation.loginUserFromSubject(null).
                final Method loginFromSubject =
                        UserGroupInformation.class.getMethod("loginUserFromSubject", Subject.class);
                final Subject noSubject = null;
                loginFromSubject.invoke(null, noSubject);
            } catch (NoSuchMethodException e) {
                LOG.warn("Could not find method implementations in the shaded jar. Exception: {}", e);
            } catch (InvocationTargetException e) {
                throw e.getTargetException();
            }
            loginUser = UserGroupInformation.getLoginUser();
        }

        // UGI::hasKerberosCredentials inaccurately reports false for logins based on a
        // keytab (fixed in Hadoop 2.6.1, see HADOOP-10786), so the check is made only in
        // the ticket cache scenario. A delegation token is an adequate substitute in
        // most cases. Missing credentials are reported as a warning only; installation
        // still completes.
        if (UserGroupInformation.isSecurityEnabled()
                && securityConfig.useTicketCache()
                && !loginUser.hasKerberosCredentials()
                && !HadoopUtils.hasHDFSDelegationToken()) {
            LOG.warn(
                    "Hadoop security is enabled but current login user does not have Kerberos credentials");
        }

        LOG.info("Hadoop user set to {}", loginUser);
    } catch (Throwable ex) {
        throw new SecurityInstallException("Unable to set the Hadoop login user", ex);
    }
}
From source file:org.apache.flink.runtime.security.SecurityContext.java
License:Apache License
/**
 * Performs the static initialization of JAAS and Hadoop UGI and records the
 * resulting login user as the installed security context.
 *
 * <p>If Hadoop security is enabled and a keytab and principal are configured, the
 * login is made from the keytab and tokens from the file named by
 * {@code HADOOP_TOKEN_FILE_LOCATION} are added. Otherwise the current user's
 * credentials (e.g. ticket cache) are used. With security enabled, a login user that
 * has neither Kerberos credentials nor an HDFS delegation token is rejected.
 *
 * @param config keytab, principal, Flink configuration and Hadoop configuration to install
 * @throws RuntimeException if security is enabled but no Kerberos credentials or
 *         HDFS delegation token are available
 * @throws Exception if the login or the reflective calls fail
 */
public static void install(SecurityConfiguration config) throws Exception {
    // A previous context is replaced, not merged; this is logged only as a warning.
    if (installedContext != null) {
        LOG.warn("overriding previous security context");
    }

    // Establish the JAAS config (static, so it applies to the whole JVM).
    final JaasConfiguration jaasConfig = new JaasConfiguration(config.keytab, config.principal);
    javax.security.auth.login.Configuration.setConfiguration(jaasConfig);

    populateSystemSecurityProperties(config.flinkConf);

    // Establish the UGI login user (setConfiguration is likewise static).
    UserGroupInformation.setConfiguration(config.hadoopConf);

    final boolean keytabLogin = UserGroupInformation.isSecurityEnabled()
            && config.keytab != null
            && !StringUtils.isBlank(config.principal);

    UserGroupInformation loginUser;
    if (keytabLogin) {
        final String absoluteKeytab = (new File(config.keytab)).getAbsolutePath();
        UserGroupInformation.loginUserFromKeytab(config.principal, absoluteKeytab);
        loginUser = UserGroupInformation.getLoginUser();

        // Supplement the login with any tokens available in the token storage file.
        // NOTE(review): the file path comes from the process environment and its
        // contents become credentials of the login user - confirm that both are
        // controlled by the deployment.
        final String tokenFile = System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
        if (tokenFile != null) {
            // Reflection is used because these APIs are not available in the Hadoop1
            // profile. The direct equivalent would be:
            //   Credentials cred = Credentials.readTokenStorageFile(new File(fileLocation), config.hadoopConf);
            //   loginUser.addCredentials(cred);
            try {
                final Method readTokens = Credentials.class.getMethod("readTokenStorageFile",
                        File.class, org.apache.hadoop.conf.Configuration.class);
                final Credentials storedCredentials = (Credentials) readTokens.invoke(null,
                        new File(tokenFile), config.hadoopConf);
                final Method addCredentials =
                        UserGroupInformation.class.getMethod("addCredentials", Credentials.class);
                addCredentials.invoke(loginUser, storedCredentials);
            } catch (NoSuchMethodException e) {
                LOG.warn("Could not find method implementations in the shaded jar. Exception: {}", e);
            }
        }
    } else {
        // Login with current user credentials (e.g. ticket cache).
        try {
            // Reflective form of UserGroupInformation.loginUserFromSubject(null).
            final Method loginFromSubject =
                    UserGroupInformation.class.getMethod("loginUserFromSubject", Subject.class);
            loginFromSubject.invoke(null, (Subject) null);
        } catch (NoSuchMethodException e) {
            LOG.warn("Could not find method implementations in the shaded jar. Exception: {}", e);
        }
        // Note that the stored tokens are read automatically.
        loginUser = UserGroupInformation.getLoginUser();
    }

    // Look for an HDFS delegation token among the login user's tokens.
    boolean hasDelegationToken = false;
    final Text hdfsDelegationKind = new Text("HDFS_DELEGATION_TOKEN");
    final Collection<Token<? extends TokenIdentifier>> userTokens = loginUser.getTokens();
    for (Token<? extends TokenIdentifier> userToken : userTokens) {
        final Text tokenId = new Text(userToken.getIdentifier());
        // NOTE(review): token identifier and token description go to the debug log;
        // confirm that debug logs are handled as sensitive where this is enabled.
        LOG.debug("Found user token " + tokenId + " with " + userToken);
        if (userToken.getKind().equals(hdfsDelegationKind)) {
            hasDelegationToken = true;
        }
    }

    // Fail closed: in a non-YARN deployment with no Kerberos cache and no delegation
    // token there is nothing to authenticate with, so installation is aborted.
    if (UserGroupInformation.isSecurityEnabled()
            && !loginUser.hasKerberosCredentials()
            && !hasDelegationToken) {
        final String problem =
                "Hadoop Security is enabled but current login user does not have Kerberos Credentials";
        LOG.error(problem);
        throw new RuntimeException(problem);
    }

    installedContext = new SecurityContext(loginUser);
}
From source file:org.apache.flink.runtime.security.SecurityUtils.java
License:Apache License
/**
 * Reports whether Hadoop security is enabled under the {@code hdConf} configuration.
 *
 * <p>This is not a pure query: every call re-applies {@code hdConf} through the
 * static {@code UserGroupInformation.setConfiguration}, which affects the whole JVM.
 *
 * @return {@code true} if UGI reports security as enabled after applying {@code hdConf}
 */
public static boolean isSecurityEnabled() {
    UserGroupInformation.setConfiguration(hdConf);
    final boolean securityEnabled = UserGroupInformation.isSecurityEnabled();
    return securityEnabled;
}
From source file:org.apache.flink.runtime.security.SecurityUtils.java
License:Apache License
/**
 * Runs the given runner as the current Hadoop user via {@code UserGroupInformation.doAs}.
 *
 * <p>Missing Kerberos credentials are only logged as an error; the runner is still
 * executed. Callers that need a hard failure must check credentials themselves.
 *
 * @param runner the work to execute under the current user's identity
 * @param <T> the runner's result type
 * @return whatever {@code runner.run()} returns
 * @throws Exception anything thrown by the runner or by the UGI calls
 */
public static <T> T runSecured(final FlinkSecuredRunner<T> runner) throws Exception {
    // Static call: re-applies hdConf for the whole JVM on every invocation.
    UserGroupInformation.setConfiguration(hdConf);

    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    final boolean hasKerberos = currentUser.hasKerberosCredentials();
    if (!hasKerberos) {
        // Advisory only - execution continues below.
        LOG.error("Security is enabled but no Kerberos credentials have been found. "
                + "You may authenticate using the kinit command.");
    }

    final PrivilegedExceptionAction<T> securedAction = new PrivilegedExceptionAction<T>() {
        @Override
        public T run() throws Exception {
            return runner.run();
        }
    };
    return currentUser.doAs(securedAction);
}