List of usage examples for org.apache.hadoop.security UserGroupInformation setConfiguration
@InterfaceAudience.Public @InterfaceStability.Evolving public static void setConfiguration(Configuration conf)
From source file:org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory.java
License:Apache License
/** * Create a new factory instance and atach it to a connection pool instance. * @param conf Configuration// w ww . j a va2 s. c o m */ private SentryGenericServiceClientFactory(Configuration conf) { if (transportConfig.isKerberosEnabled(conf) && transportConfig.useUserGroupInformation(conf)) { LOGGER.info("Using UserGroupInformation authentication"); UserGroupInformation.setConfiguration(conf); } this.conf = conf; transportPool = new SentryTransportPool(this.conf, transportConfig, new SentryTransportFactory(this.conf, transportConfig)); }
From source file:org.apache.sentry.api.service.thrift.SentryWebServer.java
License:Apache License
private static void validateConf(Configuration conf) { String authHandlerName = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE); Preconditions.checkNotNull(authHandlerName, "Web authHandler should not be null."); String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS); Preconditions.checkNotNull(allowUsers, "Allow connect user(s) should not be null."); if (ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS.equalsIgnoreCase(authHandlerName)) { String principal = conf.get(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL); Preconditions.checkNotNull(principal, "Kerberos principal should not be null."); Preconditions.checkArgument(principal.length() != 0, "Kerberos principal is not right."); String keytabFile = conf.get(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB); Preconditions.checkNotNull(keytabFile, "Keytab File should not be null."); Preconditions.checkArgument(keytabFile.length() != 0, "Keytab File is not right."); try {// w ww . java 2 s . com UserGroupInformation.setConfiguration(conf); String hostPrincipal = SecurityUtil.getServerPrincipal(principal, ServerConfig.RPC_ADDRESS_DEFAULT); UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytabFile); } catch (IOException ex) { throw new IllegalArgumentException("Can't use Kerberos authentication, principal [" + principal + "] keytab [" + keytabFile + "]", ex); } LOGGER.info("Using Kerberos authentication, principal [{}] keytab [{}]", principal, keytabFile); } }
From source file:org.apache.sentry.binding.hbaseindexer.authz.HBaseIndexerAuthzBinding.java
License:Apache License
/** * Initialize kerberos via UserGroupInformation. Will only attempt to login * during the first request, subsequent calls will have no effect. * @param keytabFile path to keytab file * @param principal principal used for authentication * @throws IllegalArgumentException/*from w w w . j av a2s . c o m*/ */ private void initKerberos(String keytabFile, String principal) { if (keytabFile == null || keytabFile.length() == 0) { throw new IllegalArgumentException(String.format( "Setting keytab file path required when kerberos is enabled. Use %s configuration entry to define keytab file.", HBASE_REGIONSERVER_KEYTAB_FILE)); } if (principal == null || principal.length() == 0) { throw new IllegalArgumentException(String.format( "Setting kerberos principal is required when kerberos is enabled. Use %s configuration entry to define principal.", HBASE_REGIONSERVER_KERBEROS_PRINCIPAL)); } if (kerberosInit.compareAndSet(false, true)) { // init kerberos if kerberosInit is false, then set it to true // let's avoid modifying the supplied configuration, just to be conservative final Configuration ugiConf = new Configuration(authzConf); UserGroupInformation.setConfiguration(ugiConf); LOG.info( "Attempting to acquire kerberos ticket for HBase Indexer binding with keytab: {}, principal: {} ", keytabFile, principal); try { UserGroupInformation.loginUserFromKeytab(principal, keytabFile); } catch (IOException ioe) { kerberosInit.set(false); throw new RuntimeException(ioe); } LOG.info("Got Kerberos ticket for HBase Indexer binding"); } }
From source file:org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl.java
License:Apache License
/** * Initialize kerberos via UserGroupInformation. Will only attempt to login * during the first request, subsequent calls will have no effect. *//*from w w w .j ava 2 s. co m*/ private void initKerberos(SolrAuthzConf authzConf, String keytabFile, String principal) { synchronized (SentrySolrPluginImpl.class) { UserGroupInformation.setConfiguration(authzConf); LOG.info("Attempting to acquire kerberos ticket with keytab: {}, principal: {} ", keytabFile, principal); try { UserGroupInformation.loginUserFromKeytab(principal, keytabFile); } catch (IOException ioe) { throw new SolrException(ErrorCode.SERVER_ERROR, ioe); } LOG.info("Got Kerberos ticket"); } }
From source file:org.apache.sentry.hdfs.SentryHdfsServiceIntegrationBase.java
License:Apache License
@Before public void before() throws Exception { conf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath()); connectToHdfsSyncService();//from ww w . j ava2 s. com }
From source file:org.apache.sentry.kafka.binding.KafkaAuthBinding.java
License:Apache License
/** * Initialize kerberos via UserGroupInformation. Will only attempt to login * during the first request, subsequent calls will have no effect. *//* ww w .j av a 2 s . c om*/ private void initKerberos(String keytabFile, String principal) { if (keytabFile == null || keytabFile.length() == 0) { throw new IllegalArgumentException("keytabFile required because kerberos is enabled"); } if (principal == null || principal.length() == 0) { throw new IllegalArgumentException("principal required because kerberos is enabled"); } synchronized (KafkaAuthBinding.class) { if (kerberosInit == null) { kerberosInit = Boolean.TRUE; // let's avoid modifying the supplied configuration, just to be conservative final Configuration ugiConf = new Configuration(); ugiConf.set(HADOOP_SECURITY_AUTHENTICATION, ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS); UserGroupInformation.setConfiguration(ugiConf); LOG.info("Attempting to acquire kerberos ticket with keytab: {}, principal: {} ", keytabFile, principal); try { UserGroupInformation.loginUserFromKeytab(principal, keytabFile); } catch (IOException ioe) { throw new RuntimeException( "Failed to login user with Principal: " + principal + " and Keytab file: " + keytabFile, ioe); } LOG.info("Got Kerberos ticket"); } } }
From source file:org.apache.sentry.service.thrift.HiveSimpleConnectionFactory.java
License:Apache License
/** * Initialize the Factory./*from w w w . j a v a 2s . c o m*/ * For insecure connections there is nothing to initialize. * For Kerberos connections sets up ticket renewal thread. * @throws IOException * @throws LoginException */ public void init() throws IOException, LoginException { if (insecure) { LOGGER.info("Using insecure connection to HMS"); return; } LOGGER.info("Using secured connection to HMS"); int port = conf.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT); String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), "%s is required", ServerConfig.PRINCIPAL); String principal = SecurityUtil.getServerPrincipal(rawPrincipal, NetUtils .createSocketAddr(conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT), port) .getAddress()); LOGGER.debug("Opening kerberos connection to HMS using kerberos principal {}", principal); String[] principalParts = SaslRpcServer.splitKerberosName(principal); Preconditions.checkArgument(principalParts.length == 3, "Kerberos principal %s should have 3 parts", principal); String keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB), "Configuration is missing required %s paraeter", ServerConfig.KEY_TAB); File keytabFile = new File(keytab); Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(), "Keytab %s does not exist or is not readable", keytab); // Instantiating SentryKerberosContext in non-server mode handles the ticket renewal. kerberosContext = new SentryKerberosContext(principal, keytab, false); UserGroupInformation.setConfiguration(conf); LOGGER.info("Using secure connection to HMS"); }
From source file:org.apache.sentry.service.thrift.SentryServiceIntegrationBase.java
License:Apache License
public static void setupConf() throws Exception { if (kerberos) { setupKdc();// w w w .j a v a 2s . co m kdc = SentryMiniKdcTestcase.getKdc(); kdcWorkDir = SentryMiniKdcTestcase.getWorkDir(); serverKeytab = new File(kdcWorkDir, "server.keytab"); clientKeytab = new File(kdcWorkDir, "client.keytab"); kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL); kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL); conf.set(ServerConfig.PRINCIPAL, getServerKerberosName()); conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath()); conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME); conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL, getServerKerberosName()); conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB, serverKeytab.getPath()); conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"); conf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath()); clientUgi = UserGroupInformation.getLoginUser(); } else { LOGGER.info("Stopped KDC"); conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE); } if (webServerEnabled) { conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true"); conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort)); conf.set(ServerConfig.SENTRY_WEB_PUBSUB_SERVLET_ENABLED, "true"); if (webSecurity) { httpKeytab = new File(kdcWorkDir, "http.keytab"); kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL); conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS); conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL); conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath()); conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowedUsers); } else { conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE, ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE); } } else { conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false"); } if (pooled) { conf.set(ApiConstants.ClientConfig.SENTRY_POOL_ENABLED, "true"); } if (useSSL) { String keystorePath = Resources.getResource("keystore.jks").getPath(); conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true"); conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, keystorePath); conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password"); LOGGER.debug("{} is at {}", ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, keystorePath); } conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false"); conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP); conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST); conf.set(ServerConfig.RPC_PORT, String.valueOf(0)); dbDir = new File(Files.createTempDir(), "sentry_policy_db"); conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true"); conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy"); server = SentryServiceFactory.create(conf); conf.set(ApiConstants.ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName()); conf.set(ApiConstants.ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort())); conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING); }
From source file:org.apache.sentry.tests.e2e.hdfs.TestDbHdfsBase.java
License:Apache License
protected static void kinitFromKeytabFile(String user, String keyTabFile) throws IOException { Configuration conf = new Configuration(); conf.set("hadoop.security.authentication", authenticationType); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(user, keyTabFile); }
From source file:org.apache.sentry.tests.e2e.hive.fs.TestFSBase.java
License:Apache License
protected static void kinitFromKeytabFile(String user, String keyTabFile) throws IOException { Configuration conf = new Configuration(); conf.set(TestFSContants.SENTRY_E2E_TEST_SECURITY_AUTH, authenticationType); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(user, keyTabFile); }