List of usage examples for org.apache.hadoop.security.UserGroupInformation#toString()
@Override
public String toString()
From source file:azkaban.security.commons.SecurityUtils.java
License:Apache License
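/**
 * Create a proxied user, taking all parameters, including which user to proxy,
 * from the provided Properties.
 *
 * <p>The failure message reports the requested user and the property <em>keys</em> only.
 * Job properties can carry credential material, so their values are kept out of
 * exception text that may end up in logs or be returned to a caller.
 *
 * @param prop properties holding the proxy settings; the target user is read via {@code TO_PROXY}
 * @param log  logger that receives the confirmation message
 * @param conf Hadoop configuration handed to the four-argument overload
 * @return the proxied user; never {@code null}
 * @throws IOException if the overload returned no user
 */
public static UserGroupInformation getProxiedUser(Properties prop, Logger log, Configuration conf)
    throws IOException {
  // NOTE(review): verifySecureProperty is defined elsewhere; presumably it rejects a
  // missing or empty TO_PROXY value - confirm.
  String toProxy = verifySecureProperty(prop, TO_PROXY, log);
  UserGroupInformation user = getProxiedUser(toProxy, prop, log, conf);
  if (user == null) {
    // Previously the whole Properties object was appended here, which would copy every
    // property value (including any secret) into the exception message.
    throw new IOException("Proxy as any user in unsecured grid is not supported! Requested user: "
        + toProxy + ", property keys: " + prop.stringPropertyNames());
  }
  // UserGroupInformation#toString() prints the principal and its auth method,
  // e.g. "name (auth:PROXY) via realuser (auth:KERBEROS)"; a separator keeps the
  // user name from running straight into it.
  log.info("created proxy user for " + user.getUserName() + " (" + user + ")");
  return user;
}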
From source file:org.apache.hoya.tools.HoyaUtils.java
License:Apache License
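/**
 * Turn on security. This is set up to run only once per process.
 *
 * <p>The once-only flag is latched after every check has passed, so a call that
 * fails with an exception does not suppress a later, corrected attempt.
 *
 * @param conf configuration to build up security
 * @return true if security was initialized in this call, false if an earlier call
 *         already completed the initialization
 * @throws IOException IO/Net problems
 * @throws BadConfigException the configuration and system state are inconsistent
 */
public static boolean initProcessSecurity(Configuration conf) throws IOException, BadConfigException {
  // The original guard was compareAndSet(true, true), which only observes the flag and
  // never flips it from false to true, so the "run once" contract was not enforced by
  // this method. Read the flag here and set it at the end on success.
  // NOTE(review): if another method also sets this flag, behaviour is unchanged for that path.
  if (processSecurityAlreadyInitialized.get()) {
    // security is already inited
    return false;
  }

  log.info("JVM initialized into secure mode with kerberos realm {}", HoyaUtils.getKerberosRealm());
  // Realm and KDC are logged to help diagnose a JVM started without the krb5 system properties.
  log.debug("java.security.krb5.realm={}", System.getProperty("java.security.krb5.realm", ""));
  log.debug("java.security.krb5.kdc={}", System.getProperty("java.security.krb5.kdc", ""));

  // This gets UGI to reset its previous world view (i.e. simple auth).
  SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, conf);
  UserGroupInformation.setConfiguration(conf);
  UserGroupInformation authUser = UserGroupInformation.getCurrentUser();
  log.debug("Authenticating as {}", authUser);
  log.debug("Login user is {}", UserGroupInformation.getLoginUser());

  // Fail closed: refuse to continue if UGI still reports security as disabled.
  if (!UserGroupInformation.isSecurityEnabled()) {
    throw new BadConfigException("Although secure mode is enabled,"
        + "the application has already set up its user as an insecure entity %s", authUser);
  }
  // A current user that is still SIMPLE-authenticated means the identity was
  // established before this configuration was applied.
  if (authUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.SIMPLE) {
    throw new BadConfigException("Auth User is not Kerberized %s"
        + " -security has already been set up with the wrong authentication method", authUser);
  }

  // Both service principals must be configured before the process is treated as secure.
  HoyaUtils.verifyPrincipalSet(conf, YarnConfiguration.RM_PRINCIPAL);
  HoyaUtils.verifyPrincipalSet(conf, DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY);

  processSecurityAlreadyInitialized.set(true);
  return true;
}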
From source file:org.apache.hoya.yarn.appmaster.HoyaAppMaster.java
License:Apache License
@Override //AbstractService public synchronized void serviceInit(Configuration conf) throws Exception { // Load in the server configuration - if it is actually on the Classpath Configuration serverConf = ConfigHelper.loadFromResource(SERVER_RESOURCE); ConfigHelper.mergeConfigurations(conf, serverConf, SERVER_RESOURCE); AbstractActionArgs action = serviceArgs.getCoreAction(); HoyaAMCreateAction createAction = (HoyaAMCreateAction) action; //sort out the location of the AM serviceArgs.applyDefinitions(conf);/* w w w .j a va 2 s. co m*/ serviceArgs.applyFileSystemURL(conf); String rmAddress = createAction.getRmAddress(); if (rmAddress != null) { log.debug("Setting rm address from the command line: {}", rmAddress); HoyaUtils.setRmSchedulerAddress(conf, rmAddress); } serviceArgs.applyDefinitions(conf); serviceArgs.applyFileSystemURL(conf); //init security with our conf if (HoyaUtils.isClusterSecure(conf)) { log.info("Secure mode with kerberos realm {}", HoyaUtils.getKerberosRealm()); UserGroupInformation.setConfiguration(conf); UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); log.debug("Authenticating as " + ugi.toString()); HoyaUtils.verifyPrincipalSet(conf, DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY); // always enforce protocol to be token-based. conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, SaslRpcServer.AuthMethod.TOKEN.toString()); } log.info("Login user is {}", UserGroupInformation.getLoginUser()); //look at settings of Hadoop Auth, to pick up a problem seen once checkAndWarnForAuthTokenProblems(); super.serviceInit(conf); }
From source file:org.apache.slider.common.tools.SliderUtils.java
License:Apache License
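/**
 * Turn on security. This is set up to run only once per process.
 *
 * <p>The once-only flag is latched after every check has passed, so a call that
 * fails with an exception does not suppress a later, corrected attempt.
 *
 * @param conf configuration to build up security
 * @return true if security was initialized in this call, false if an earlier call
 *         already completed the initialization
 * @throws IOException IO/Net problems
 * @throws BadConfigException the configuration and system state are inconsistent
 */
public static boolean initProcessSecurity(Configuration conf) throws IOException, BadConfigException {
  // The original guard was compareAndSet(true, true), which only observes the flag and
  // never flips it from false to true, so the "run once" contract was not enforced by
  // this method. Read the flag here and set it at the end on success.
  // NOTE(review): if another method also sets this flag, behaviour is unchanged for that path.
  if (processSecurityAlreadyInitialized.get()) {
    // security is already inited
    return false;
  }

  log.info("JVM initialized into secure mode with kerberos realm {}", SliderUtils.getKerberosRealm());
  // Realm, KDC and the Hadoop authentication/authorization settings are logged to help
  // diagnose a process that was started with an inconsistent security configuration.
  log.debug("java.security.krb5.realm={}", System.getProperty(JAVA_SECURITY_KRB5_REALM, ""));
  log.debug("java.security.krb5.kdc={}", System.getProperty(JAVA_SECURITY_KRB5_KDC, ""));
  log.debug("hadoop.security.authentication={}",
      conf.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION));
  log.debug("hadoop.security.authorization={}",
      conf.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION));

  // This gets UGI to reset its previous world view (i.e. simple auth). Unlike the Hoya
  // variant, the authentication method is not forced to KERBEROS here (that call was
  // commented out upstream); the supplied configuration decides it.
  UserGroupInformation.setConfiguration(conf);
  UserGroupInformation authUser = UserGroupInformation.getCurrentUser();
  log.debug("Authenticating as {}", authUser);
  log.debug("Login user is {}", UserGroupInformation.getLoginUser());

  // Fail closed: refuse to continue if UGI still reports security as disabled.
  if (!UserGroupInformation.isSecurityEnabled()) {
    throw new BadConfigException("Although secure mode is enabled,"
        + "the application has already set up its user as an insecure entity %s", authUser);
  }
  // A current user that is still SIMPLE-authenticated means the identity was
  // established before this configuration was applied.
  if (authUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.SIMPLE) {
    throw new BadConfigException("Auth User is not Kerberized %s"
        + " -security has already been set up with the wrong authentication method. "
        + "This can occur if a file system has already been created prior to the loading of "
        + "the security configuration.", authUser);
  }

  // Both service principals must be configured before the process is treated as secure.
  SliderUtils.verifyPrincipalSet(conf, YarnConfiguration.RM_PRINCIPAL);
  SliderUtils.verifyPrincipalSet(conf, DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY);

  processSecurityAlreadyInitialized.set(true);
  return true;
}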
From source file:uk.ac.gla.terrier.probos.controller.ControllerServer.java
License:Open Source License
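/**
 * Deny access unless the remote caller's short user name equals the short user
 * name of the job's proxy user.
 *
 * <p>Only short names are compared, because the two identities differ in form, e.g.
 * {@code craigm@AD.DCS.GLA.AC.UK (auth:KERBEROS)} for the caller against
 * {@code craigm (auth:PROXY) via probos/salt@DCS.GLA.AC.UK (auth:KERBEROS)} for the job.
 *
 * <p>NOTE(review): despite the method name, no root or superuser exemption is
 * visible in this method. Short-name equality also relies on the principal-to-short-name
 * mapping being unambiguous; principals from different realms that map to the same
 * short name would pass as the same owner - confirm the mapping rules in use.
 *
 * @param ji job to authorize against; when {@code null} there is nothing to protect
 *           and the check passes
 * @throws SecurityException if the caller cannot be identified or is not the job owner
 * @throws Exception declared by the original signature
 */
protected void checkOwnerOrRoot(JobInformation ji) throws Exception {
  if (ji == null) {
    // you can do what you want if there is no job to act upon
    return;
  }

  UserGroupInformation caller = Server.getRemoteUser();
  if (caller == null) {
    // Fail closed with the same exception type as any other denial instead of
    // surfacing a NullPointerException from the comparison below.
    // NOTE(review): presumably null means the call did not arrive through an RPC handler - confirm.
    SecurityException se = new SecurityException("No permission to access this information");
    LOG.warn("unidentified caller denied access, job owner was " + ji.proxyUser.toString(), se);
    throw se;
  }

  String ownerShortName = ji.proxyUser.getShortUserName();
  if (!ownerShortName.equals(caller.getShortUserName())) {
    // The client gets a generic message; both identities go only to the server log.
    SecurityException se = new SecurityException("No permission to access this information");
    LOG.warn(caller.toString() + " denied access, job owner was " + ji.proxyUser.toString(), se);
    throw se;
  }
}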