Example usage for org.apache.hadoop.security UserGroupInformation setConfiguration

List of usage examples for org.apache.hadoop.security UserGroupInformation setConfiguration

Introduction

On this page you can find example usages of org.apache.hadoop.security.UserGroupInformation.setConfiguration.

Prototype

@InterfaceAudience.Public
@InterfaceStability.Evolving
public static void setConfiguration(Configuration conf) 


Document

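Set the static configuration for UGI. Because the configuration is static, it is shared by all code that uses UserGroupInformation in the same JVM, not only by the caller that set it.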

Usage

From source file:org.apache.ignite.internal.processors.hadoop.impl.delegate.HadoopKerberosFileSystemFactoryDelegate.java

License:Apache License

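/**
 * Starts the delegate and logs in to Kerberos from the configured keytab.
 *
 * <p>The keytab path, principal and relogin interval are read from the
 * {@link KerberosHadoopFileSystemFactory} proxy and checked before use. {@code cfg} is then installed as the
 * static {@link UserGroupInformation} configuration and the keytab login is performed.
 *
 * @throws IgniteException If the keytab login fails with an {@link IOException}.
 */
@Override
public void start() throws IgniteException {
    super.start();

    KerberosHadoopFileSystemFactory proxy0 = (KerberosHadoopFileSystemFactory) proxy;

    // Read each credential setting once so the value that is validated is the value that is used.
    final String keyTab = proxy0.getKeyTab();
    final String keyTabPrincipal = proxy0.getKeyTabPrincipal();

    // The previous messages read "cannot not be ...", which stated the opposite of the check.
    A.ensure(!F.isEmpty(keyTab), "keyTab cannot be empty.");
    A.ensure(!F.isEmpty(keyTabPrincipal), "keyTabPrincipal cannot be empty.");
    A.ensure(proxy0.getReloginInterval() >= 0, "reloginInterval cannot be negative.");

    reloginInterval = proxy0.getReloginInterval();

    try {
        // Both calls are static: they change UserGroupInformation state shared with other code in this JVM.
        UserGroupInformation.setConfiguration(cfg);
        UserGroupInformation.loginUserFromKeytab(keyTabPrincipal, keyTab);
    } catch (IOException ioe) {
        // Only the keytab path and principal name are reported, never keytab contents.
        throw new IgniteException("Failed login from keytab [keyTab=" + keyTab
                + ", keyTabPrincipal=" + keyTabPrincipal + ']', ioe);
    }
}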

From source file:org.apache.metron.rest.config.HadoopConfigTest.java

License:Apache License

/**
 * Checks the Hadoop configuration produced by {@code hadoopConfig.configuration()} when the stubbed
 * environment reports Kerberos as enabled.
 */
@Test
public void configurationShouldReturnProperKerberosConfiguration() throws IOException {
    // Stub the environment: HDFS URL, keytab location, principal, and the Kerberos-enabled flag set to true.
    when(environment.getProperty(MetronRestConstants.HDFS_URL_SPRING_PROPERTY,
            MetronRestConstants.DEFAULT_HDFS_URL)).thenReturn("default filesystem");
    when(environment.getProperty(MetronRestConstants.KERBEROS_KEYTAB_SPRING_PROPERTY))
            .thenReturn("metron keytabLocation");
    when(environment.getProperty(MetronRestConstants.KERBEROS_PRINCIPLE_SPRING_PROPERTY))
            .thenReturn("metron principal");

    when(environment.getProperty(MetronRestConstants.KERBEROS_ENABLED_SPRING_PROPERTY, Boolean.class, false))
            .thenReturn(true);

    Configuration configuration = hadoopConfig.configuration();

    // NOTE(review): with PowerMock 1.x, verifyStatic() presumably covers only the next static call, so only
    // setConfiguration(...) is verified; the loginUserFromKeytab(...) line would then be a plain, unchecked
    // call. Confirm, and give it its own verifyStatic() if the keytab login is meant to be asserted.
    verifyStatic();
    UserGroupInformation.setConfiguration(any(Configuration.class));
    // NOTE(review): the stubbed keytab location is passed first and the principal second; confirm this
    // matches the argument order the code under test uses for loginUserFromKeytab.
    UserGroupInformation.loginUserFromKeytab("metron keytabLocation", "metron principal");

    // The returned configuration must carry the stubbed filesystem URL and Kerberos authentication.
    assertEquals("default filesystem", configuration.get("fs.defaultFS"));
    assertEquals("KERBEROS", configuration.get("hadoop.security.authentication"));
}

From source file:org.apache.metron.rest.config.HadoopConfigTest.java

License:Apache License

/**
 * Checks the Hadoop configuration produced by {@code hadoopConfig.configuration()} when the stubbed
 * environment reports Kerberos as disabled.
 */
@Test
public void configurationShouldReturnProperConfiguration() throws IOException {
    // Stub the environment: HDFS URL, and the Kerberos-enabled flag set to false.
    when(environment.getProperty(MetronRestConstants.HDFS_URL_SPRING_PROPERTY,
            MetronRestConstants.DEFAULT_HDFS_URL)).thenReturn("default filesystem");
    when(environment.getProperty(MetronRestConstants.KERBEROS_ENABLED_SPRING_PROPERTY, Boolean.class, false))
            .thenReturn(false);

    Configuration configuration = hadoopConfig.configuration();

    // NOTE(review): with PowerMock 1.x, verifyStatic(never()) presumably covers only the next static call,
    // so only "setConfiguration was never called" is asserted; the loginUserFromKeytab(...) line would then
    // be unchecked. Confirm, and add a second verifyStatic(never()) if a keytab login must also be ruled out.
    verifyStatic(never());
    UserGroupInformation.setConfiguration(any(Configuration.class));
    UserGroupInformation.loginUserFromKeytab(anyString(), anyString());

    // Without Kerberos the configuration must report "simple" authentication.
    assertEquals("default filesystem", configuration.get("fs.defaultFS"));
    assertEquals("simple", configuration.get("hadoop.security.authentication"));
}

From source file:org.apache.nifi.atlas.security.Kerberos.java

License:Apache License

/**
 * Logs in from the configured keytab and builds an Atlas client with the resulting current user.
 *
 * @param baseUrls the base URLs handed to the {@code AtlasClientV2} constructor
 * @return a new {@code AtlasClientV2} created with the current {@link UserGroupInformation}
 * @throws RuntimeException if the keytab login or current-user lookup fails with an {@link IOException}
 */
@Override
public AtlasClientV2 createClient(String[] baseUrls) {
    // Kerberos is switched on through the static UGI configuration, so the setting is shared with
    // any other code using UserGroupInformation in this JVM.
    final Configuration kerberosConf = new Configuration();
    kerberosConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(kerberosConf);

    final UserGroupInformation loggedInUser;
    try {
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
        loggedInUser = UserGroupInformation.getCurrentUser();
    } catch (IOException loginFailure) {
        // The original exception is kept as the cause so the underlying failure stays visible.
        throw new RuntimeException("Failed to login with Kerberos due to: " + loginFailure, loginFailure);
    }

    return new AtlasClientV2(loggedInUser, null, baseUrls);
}

From source file:org.apache.nifi.hadoop.SecurityUtil.java

License:Apache License

/**
 * Initializes UserGroupInformation with the given Configuration and performs the login for the given principal
 * and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying
 * UserGroupInformation.
 * <p/>
 * As of Apache NiFi 1.5.0, this method uses {@link UserGroupInformation#loginUserFromKeytab(String, String)} to
 * authenticate the given <code>principal</code>, which sets the static variable <code>loginUser</code> in the
 * {@link UserGroupInformation} instance.  Setting <code>loginUser</code> is necessary for
 * {@link org.apache.hadoop.ipc.Client.Connection#handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation)}
 * to be able to attempt a relogin during a connection failure.  The <code>handleSaslConnectionFailure</code> method
 * calls <code>UserGroupInformation.getLoginUser().reloginFromKeytab()</code> statically, which can return null
 * if <code>loginUser</code> is not set, resulting in failure of the hadoop operation.
 * <p/>
 * In previous versions of NiFi, {@link UserGroupInformation#loginUserFromKeytabAndReturnUGI(String, String)} was
 * used to authenticate the <code>principal</code>, which does not set <code>loginUser</code>, making it impossible
 * for a
 * {@link org.apache.hadoop.ipc.Client.Connection#handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation)}
 * to be able to implicitly relogin the principal.
 *
 * @param config the configuration instance
 * @param principal the principal to authenticate as
 * @param keyTab the keytab to authenticate with
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
        final String principal, final String keyTab) throws IOException {
    // Reject missing arguments before any static UserGroupInformation state is touched.
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    // Surrounding whitespace is stripped from both values before they reach the login call.
    final String trimmedPrincipal = principal.trim();
    final String trimmedKeyTab = keyTab.trim();

    // The method is synchronized, so two callers of loginKerberos cannot interleave these static calls.
    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab(trimmedPrincipal, trimmedKeyTab);

    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    return currentUser;
}

From source file:org.apache.nifi.ranger.authorization.ManagedRangerAuthorizerTest.java

License:Apache License

/**
 * Points the JVM at the test krb5.conf and resets the static UGI configuration to simple authentication.
 */
@Before
public void setup() {
    // The krb5.conf system property has to be in place before anything else runs.
    final File kerberosConfigFile = new File("src/test/resources/krb5.conf");
    assertTrue(kerberosConfigFile.exists());
    System.setProperty("java.security.krb5.conf", kerberosConfigFile.getAbsolutePath());

    // Reset authentication to "simple" in case an earlier test left the static UGI configuration on Kerberos.
    final Configuration simpleAuthConf = new Configuration();
    simpleAuthConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(simpleAuthConf);

    final boolean securityEnabled = UserGroupInformation.isSecurityEnabled();
    assertFalse(securityEnabled);
}

From source file:org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer.java

License:Apache License

/**
 * Initializes the Ranger base plugin the first time the authorizer is configured.
 *
 * <p>When the Kerberos flag is enabled, the static {@link UserGroupInformation} configuration is set to
 * Kerberos and a keytab login is performed with the NiFi service principal before the plugin is created.
 * If the plugin already exists, the call only logs that fact.
 *
 * @param configurationContext the context the Ranger properties are read from
 * @throws AuthorizerCreationException wrapping any {@link Throwable} raised during initialization,
 *         including the one thrown here when the principal or keytab is blank
 */
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext)
        throws AuthorizerCreationException {
    try {
        if (nifiPlugin != null) {
            logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
            return;
        }

        logger.info("RangerNiFiAuthorizer(): initializing base plugin");

        final PropertyValue securityPath = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
        addRequiredResource(RANGER_SECURITY_PATH_PROP, securityPath);

        final PropertyValue auditPath = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
        addRequiredResource(RANGER_AUDIT_PATH_PROP, auditPath);

        // Only the exact string "true" enables Kerberos; the default is "false".
        final String kerberosFlag = getConfigValue(configurationContext,
                RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
        rangerKerberosEnabled = kerberosFlag.equals(Boolean.TRUE.toString());

        if (rangerKerberosEnabled) {
            // Configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled().
            // The static configuration is switched before the principal and keytab are checked, so a blank
            // value below leaves it set to Kerberos.
            final Configuration kerberosConf = new Configuration();
            kerberosConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
            UserGroupInformation.setConfiguration(kerberosConf);

            // Log in with the NiFi principal and keytab; RangerAdminRESTClient will use Ranger's MiscUtil,
            // which grabs UserGroupInformation.getLoginUser() and calls ugi.checkTGTAndReloginFromKeytab().
            final String servicePrincipal = nifiProperties.getKerberosServicePrincipal();
            final String serviceKeytab = nifiProperties.getKerberosServiceKeytabLocation();

            final boolean credentialsMissing = StringUtils.isBlank(servicePrincipal)
                    || StringUtils.isBlank(serviceKeytab);
            if (credentialsMissing) {
                throw new AuthorizerCreationException(
                        "Principal and Keytab must be provided when Kerberos is enabled");
            }

            UserGroupInformation.loginUserFromKeytab(servicePrincipal.trim(), serviceKeytab.trim());
        }

        final String pluginServiceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP,
                DEFAULT_SERVICE_TYPE);
        final String pluginAppId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);

        nifiPlugin = createRangerBasePlugin(pluginServiceType, pluginAppId);
        nifiPlugin.init();

        defaultAuditHandler = new RangerDefaultAuditHandler();
        rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
    } catch (Throwable t) {
        // Everything, including the AuthorizerCreationException raised above, is wrapped with this message;
        // the specific reason is available only through the cause.
        throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
    }
}

From source file:org.apache.nifi.ranger.authorization.TestRangerNiFiAuthorizer.java

License:Apache License

/**
 * Prepares the authorizer under test with simple authentication and mocked Ranger results.
 */
@Before
public void setup() {
    // The krb5.conf system property has to be in place before anything else runs.
    final File kerberosConfigFile = new File("src/test/resources/krb5.conf");
    assertTrue(kerberosConfigFile.exists());
    System.setProperty("java.security.krb5.conf", kerberosConfigFile.getAbsolutePath());

    // Reset authentication to "simple" in case an earlier test left the static UGI configuration on Kerberos.
    final Configuration simpleAuthConf = new Configuration();
    simpleAuthConf.set(RangerNiFiAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(simpleAuthConf);

    // Build the authorizer around a mocked Ranger plugin and configure it.
    configurationContext = createMockConfigContext();
    rangerBasePlugin = Mockito.mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerNiFiAuthorizer(rangerBasePlugin);
    authorizer.onConfigured(configurationContext);

    // Configuring the authorizer must not have turned Hadoop security on.
    final boolean securityEnabled = UserGroupInformation.isSecurityEnabled();
    assertFalse(securityEnabled);

    // Canned access results: one that allows, one that denies.
    allowedResult = Mockito.mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = Mockito.mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}

From source file:org.apache.nifi.registry.ranger.RangerAuthorizer.java

License:Apache License

/**
 * Resolves the configured user group provider and initializes the Ranger base plugin on first use.
 *
 * <p>When the Kerberos flag is enabled, the static {@link UserGroupInformation} configuration is set to
 * Kerberos and a keytab login is performed with the NiFi Registry service principal before the plugin is
 * created. If the plugin already exists, the call only logs that fact.
 *
 * @param configurationContext the context the provider key and Ranger properties are read from
 * @throws SecurityProviderCreationException if no user group provider is specified or found, or wrapping
 *         any {@link Throwable} raised during plugin initialization
 */
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext)
        throws SecurityProviderCreationException {
    final String providerKey = configurationContext.getProperty(USER_GROUP_PROVIDER).getValue();
    if (StringUtils.isEmpty(providerKey)) {
        throw new SecurityProviderCreationException(USER_GROUP_PROVIDER + " must be specified.");
    }
    userGroupProvider = userGroupProviderLookup.getUserGroupProvider(providerKey);

    // Ensure the desired access policy provider has a user group provider.
    if (userGroupProvider == null) {
        throw new SecurityProviderCreationException(
                String.format("Unable to locate configured User Group Provider: %s", providerKey));
    }

    try {
        if (rangerPlugin != null) {
            logger.info("base plugin already initialized");
            return;
        }

        logger.info("initializing base plugin");

        final PropertyValue securityPath = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
        addRequiredResource(RANGER_SECURITY_PATH_PROP, securityPath);

        final PropertyValue auditPath = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
        addRequiredResource(RANGER_AUDIT_PATH_PROP, auditPath);

        // The default is "false"; the flag is parsed as a boolean.
        final String kerberosFlag = getConfigValue(configurationContext,
                RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
        final boolean rangerKerberosEnabled = Boolean.parseBoolean(kerberosFlag);

        if (rangerKerberosEnabled) {
            // Configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled().
            // The static configuration is switched before the principal and keytab are checked, so a blank
            // value below leaves it set to Kerberos.
            final Configuration kerberosConf = new Configuration();
            kerberosConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
            UserGroupInformation.setConfiguration(kerberosConf);

            // Log in with the NiFi Registry principal and keytab; RangerAdminRESTClient will use Ranger's
            // MiscUtil, which grabs UserGroupInformation.getLoginUser() and calls
            // ugi.checkTGTAndReloginFromKeytab().
            final String servicePrincipal = registryProperties.getKerberosServicePrincipal();
            final String serviceKeytab = registryProperties.getKerberosServiceKeytabLocation();

            final boolean credentialsMissing = StringUtils.isBlank(servicePrincipal)
                    || StringUtils.isBlank(serviceKeytab);
            if (credentialsMissing) {
                throw new SecurityProviderCreationException(
                        "Principal and Keytab must be provided when Kerberos is enabled");
            }

            UserGroupInformation.loginUserFromKeytab(servicePrincipal.trim(), serviceKeytab.trim());
        }

        final String pluginServiceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP,
                DEFAULT_SERVICE_TYPE);
        final String pluginAppId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);

        rangerPlugin = createRangerBasePlugin(pluginServiceType, pluginAppId);
        rangerPlugin.init();

        defaultAuditHandler = new RangerDefaultAuditHandler();
        rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
    } catch (Throwable t) {
        // Everything raised inside the try, including the SecurityProviderCreationException above, is
        // wrapped with this message; the specific reason is available only through the cause.
        throw new SecurityProviderCreationException("Error creating RangerBasePlugin", t);
    }
}

From source file:org.apache.nifi.registry.ranger.TestRangerAuthorizer.java

License:Apache License

/**
 * Prepares the authorizer under test with simple authentication, a mocked Ranger plugin and a mocked
 * user group provider lookup.
 *
 * @param registryProperties the registry properties handed to the authorizer
 * @param userGroupProvider the provider returned by the mocked lookup for "user-group-provider"
 * @param configurationContext the context passed to {@code onConfigured}
 */
private void setup(final NiFiRegistryProperties registryProperties, final UserGroupProvider userGroupProvider,
        final AuthorizerConfigurationContext configurationContext) {
    // The krb5.conf system property has to be in place before anything else runs.
    final File kerberosConfigFile = new File("src/test/resources/krb5.conf");
    assertTrue(kerberosConfigFile.exists());
    System.setProperty("java.security.krb5.conf", kerberosConfigFile.getAbsolutePath());

    // Reset authentication to "simple" in case an earlier test left the static UGI configuration on Kerberos.
    final Configuration simpleAuthConf = new Configuration();
    simpleAuthConf.set(RangerAuthorizer.HADOOP_SECURITY_AUTHENTICATION, "simple");
    UserGroupInformation.setConfiguration(simpleAuthConf);

    rangerBasePlugin = mock(RangerBasePluginWithPolicies.class);
    authorizer = new MockRangerAuthorizer(rangerBasePlugin);

    // The lookup hands back the supplied provider for the key "user-group-provider".
    final UserGroupProviderLookup providerLookup = mock(UserGroupProviderLookup.class);
    when(providerLookup.getUserGroupProvider(eq("user-group-provider"))).thenReturn(userGroupProvider);

    final AuthorizerInitializationContext initContext = mock(AuthorizerInitializationContext.class);
    when(initContext.getUserGroupProviderLookup()).thenReturn(providerLookup);

    authorizer.setRegistryProperties(registryProperties);
    authorizer.initialize(initContext);
    authorizer.onConfigured(configurationContext);

    // Configuring the authorizer must not have turned Hadoop security on.
    final boolean securityEnabled = UserGroupInformation.isSecurityEnabled();
    assertFalse(securityEnabled);

    // Canned access results: one that allows, one that denies.
    allowedResult = mock(RangerAccessResult.class);
    when(allowedResult.getIsAllowed()).thenReturn(true);

    notAllowedResult = mock(RangerAccessResult.class);
    when(notAllowedResult.getIsAllowed()).thenReturn(false);
}