/**
 * Installs the security modules described by {@code configuration} and returns the
 * context that {@code SecurityUtils} reports as installed afterwards.
 *
 * @param configuration configuration wrapped into a {@code SecurityConfiguration}
 * @param workingDirectory not read anywhere in this method
 * @return the result of {@code SecurityUtils.getInstalledContext()}
 * @throws Exception propagated from the calls made here
 */
public static SecurityContext installSecurityContext(
        Configuration configuration, String workingDirectory) throws Exception {
    // NOTE(review): install() and getInstalledContext() are static, so the installed
    // context looks like state shared by every caller in the JVM -- confirm before
    // invoking this from more than one place with different configurations.
    SecurityUtils.install(new SecurityConfiguration(configuration));
    return SecurityUtils.getInstalledContext();
}
/**
 * Installs the security modules for {@code config} and then registers one keytab-based
 * JAAS entry per client, but only when a {@code JaasModuleFactory} is among the
 * configured module factories.
 *
 * @param config security configuration handed to {@code SecurityUtils.install}
 * @param clientSecurityConfigurationMap map from JAAS entry name to the keytab and
 *     principal used for that entry
 * @throws Exception propagated from the calls made here
 */
public static void install(
        SecurityConfiguration config,
        Map<String, ClientSecurityConfiguration> clientSecurityConfigurationMap) throws Exception {
    SecurityUtils.install(config);

    // Dynamic JAAS entries are only added when a JAAS module factory is configured.
    boolean jaasFactoryConfigured = false;
    for (SecurityModuleFactory candidate : config.getSecurityModuleFactories()) {
        if (candidate instanceof JaasModuleFactory) {
            jaasFactoryConfigured = true;
            break;
        }
    }
    if (!jaasFactoryConfigured) {
        return;
    }

    // NOTE(review): the cast assumes the JVM-wide JAAS configuration is still a
    // DynamicConfiguration (presumably put in place by the install call above). If
    // anything else has replaced it, this line fails with ClassCastException.
    DynamicConfiguration dynamicJaasConfig =
            (DynamicConfiguration) javax.security.auth.login.Configuration.getConfiguration();

    // NOTE(review): map keys become JAAS login context names. Whether
    // addAppConfigurationEntry appends to or replaces an existing context with the
    // same name is not visible here -- confirm a client key cannot shadow a context
    // that other components rely on.
    for (Map.Entry<String, ClientSecurityConfiguration> client :
            clientSecurityConfigurationMap.entrySet()) {
        ClientSecurityConfiguration credentials = client.getValue();
        AppConfigurationEntry keytabEntry =
                KerberosUtils.keytabEntry(credentials.getKeytab(), credentials.getPrincipal());
        dynamicJaasConfig.addAppConfigurationEntry(client.getKey(), keytabEntry);
    }
}
if (moduleOpt.isPresent()) { HadoopModule hadoopModule = (HadoopModule) moduleOpt.get(); assertEquals("testuser1@domain", hadoopModule.getSecurityConfig().getPrincipal()); assertEquals(resourceDirPath + "/" + Utils.KEYTAB_FILE_NAME, hadoopModule.getSecurityConfig().getKeytab()); } else { fail("Can not find HadoopModule!");
/**
 * Builds the Kerberos JAAS entries selected by the security configuration.
 *
 * @param securityConfig source of the ticket-cache flag, keytab path and principal
 * @return the keytab entry followed by the ticket-cache entry when both are available,
 *     a single-element array when only one is, or {@code null} when neither is
 */
private static AppConfigurationEntry[] getAppConfigurationEntries(SecurityConfiguration securityConfig) {
    final AppConfigurationEntry ticketCacheAce =
            securityConfig.useTicketCache() ? KerberosUtils.ticketCacheEntry() : null;

    // NOTE(review): only null is ruled out here. A blank keytab path or a null
    // principal would still reach KerberosUtils.keytabEntry -- confirm that
    // SecurityConfiguration validates both before this point.
    final AppConfigurationEntry keytabAce =
            securityConfig.getKeytab() != null
                    ? KerberosUtils.keytabEntry(
                            securityConfig.getKeytab(), securityConfig.getPrincipal())
                    : null;

    if (keytabAce == null && ticketCacheAce == null) {
        return null;
    }
    if (ticketCacheAce == null) {
        return new AppConfigurationEntry[] {keytabAce};
    }
    if (keytabAce == null) {
        return new AppConfigurationEntry[] {ticketCacheAce};
    }
    // The keytab entry is listed first; JAAS consults login modules in array order.
    return new AppConfigurationEntry[] {keytabAce, ticketCacheAce};
}
/**
 * Applies the ZooKeeper client SASL settings as JVM system properties, remembering the
 * value each property had before.
 *
 * @throws SecurityInstallException declared by the signature; nothing in this body
 *     throws it directly
 */
@Override
public void install() throws SecurityInstallException {
    // System properties are JVM-wide, so every ZooKeeper client in this process sees them.
    priorSaslEnable = System.getProperty(ZK_ENABLE_CLIENT_SASL);
    System.setProperty(ZK_ENABLE_CLIENT_SASL, Boolean.toString(!securityConfig.isZkSaslDisable()));

    // The service name is written only when it differs from "zookeeper"; when it
    // matches, a value already present in the JVM is left as it is.
    priorServiceName = System.getProperty(ZK_SASL_CLIENT_USERNAME);
    final String serviceName = securityConfig.getZooKeeperServiceName();
    // NOTE(review): a null service name passes this test and System.setProperty
    // rejects null values -- confirm the configuration always supplies one.
    if (!"zookeeper".equals(serviceName)) {
        System.setProperty(ZK_SASL_CLIENT_USERNAME, serviceName);
    }

    // Same rule for the login context name, compared against "Client".
    priorLoginContextName = System.getProperty(ZK_LOGIN_CONTEXT_NAME);
    final String loginContextName = securityConfig.getZooKeeperLoginContextName();
    if (!"Client".equals(loginContextName)) {
        System.setProperty(ZK_LOGIN_CONTEXT_NAME, loginContextName);
    }
}
/**
 * Creates the Hadoop security module when Hadoop is available to this class loader.
 *
 * @param securityConfig configuration passed to the module and used to derive the
 *     Hadoop configuration
 * @return a new {@code HadoopModule}, or {@code null} when Hadoop is not on the
 *     classpath or loading it fails with a {@link LinkageError}
 */
@Override
public SecurityModule createModule(SecurityConfiguration securityConfig) {
    // Probe for a Hadoop class without initializing it (second argument is false).
    try {
        Class.forName(
                "org.apache.hadoop.conf.Configuration",
                false,
                HadoopModule.class.getClassLoader());
    } catch (ClassNotFoundException hadoopMissing) {
        LOG.info("Cannot create Hadoop Security Module because Hadoop cannot be found in the Classpath.");
        return null;
    }

    // NOTE(review): a LinkageError is logged and converted to null, so the process
    // carries on without this module -- confirm callers treat a null module as
    // acceptable when Kerberos is required.
    try {
        return new HadoopModule(
                securityConfig,
                HadoopUtils.getHadoopConfiguration(securityConfig.getFlinkConfig()));
    } catch (LinkageError linkageFailure) {
        LOG.error("Cannot create Hadoop Security Module.", linkageFailure);
        return null;
    }
}
// closes the enclosing type, whose header is not part of this excerpt
}
/**
 * Installs a dynamic JAAS configuration that layers the Kerberos entries over the
 * configuration that was active before.
 *
 * @throws SecurityInstallException declared by the signature; may originate from
 *     {@code generateDefaultConfigFile()}, which is not shown here
 */
@Override
public void install() throws SecurityInstallException {
    // ZK and Kafka look for this system property and for the file it names, so a
    // default file is generated when the property is not set.
    priorConfigFile = System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);
    if (priorConfigFile == null) {
        // NOTE(review): where the default file is written, and with which
        // permissions, is decided in generateDefaultConfigFile() -- confirm it is
        // created with restrictive permissions in a location other users cannot write to.
        System.setProperty(
                JAVA_SECURITY_AUTH_LOGIN_CONFIG,
                generateDefaultConfigFile().getAbsolutePath());
    }

    // Keep the previously active configuration and wrap it in a dynamic one.
    priorConfig = javax.security.auth.login.Configuration.getConfiguration();
    currentConfig = new DynamicConfiguration(priorConfig);

    // Every configured login context name receives the same krb5 entries.
    final AppConfigurationEntry[] kerberosEntries = getAppConfigurationEntries(securityConfig);
    if (kerberosEntries != null) {
        for (String loginContextName : securityConfig.getLoginContextNames()) {
            currentConfig.addAppConfigurationEntry(loginContextName, kerberosEntries);
        }
    }

    // setConfiguration replaces the JAAS configuration for the whole JVM.
    javax.security.auth.login.Configuration.setConfiguration(currentConfig);
}
/**
 * Builds the Kerberos JAAS entries selected by the security configuration.
 *
 * @param securityConfig source of the ticket-cache flag, keytab path and principal
 * @return the keytab entry followed by the ticket-cache entry when both are available,
 *     a single-element array when only one is, or {@code null} when neither is
 */
private static AppConfigurationEntry[] getAppConfigurationEntries(SecurityConfiguration securityConfig) {
    final AppConfigurationEntry ticketCacheAce =
            securityConfig.useTicketCache() ? KerberosUtils.ticketCacheEntry() : null;

    // NOTE(review): only null is ruled out here. A blank keytab path or a null
    // principal would still reach KerberosUtils.keytabEntry -- confirm that
    // SecurityConfiguration validates both before this point.
    final AppConfigurationEntry keytabAce =
            securityConfig.getKeytab() != null
                    ? KerberosUtils.keytabEntry(
                            securityConfig.getKeytab(), securityConfig.getPrincipal())
                    : null;

    if (keytabAce == null && ticketCacheAce == null) {
        return null;
    }
    if (ticketCacheAce == null) {
        return new AppConfigurationEntry[] {keytabAce};
    }
    if (keytabAce == null) {
        return new AppConfigurationEntry[] {ticketCacheAce};
    }
    // The keytab entry is listed first; JAAS consults login modules in array order.
    return new AppConfigurationEntry[] {keytabAce, ticketCacheAce};
}
/**
 * Applies the ZooKeeper client SASL settings as JVM system properties, remembering the
 * value each property had before.
 *
 * @throws SecurityInstallException declared by the signature; nothing in this body
 *     throws it directly
 */
@Override
public void install() throws SecurityInstallException {
    // System properties are JVM-wide, so every ZooKeeper client in this process sees them.
    priorSaslEnable = System.getProperty(ZK_ENABLE_CLIENT_SASL);
    System.setProperty(ZK_ENABLE_CLIENT_SASL, Boolean.toString(!securityConfig.isZkSaslDisable()));

    // The service name is written only when it differs from "zookeeper"; when it
    // matches, a value already present in the JVM is left as it is.
    priorServiceName = System.getProperty(ZK_SASL_CLIENT_USERNAME);
    final String serviceName = securityConfig.getZooKeeperServiceName();
    // NOTE(review): a null service name passes this test and System.setProperty
    // rejects null values -- confirm the configuration always supplies one.
    if (!"zookeeper".equals(serviceName)) {
        System.setProperty(ZK_SASL_CLIENT_USERNAME, serviceName);
    }

    // Same rule for the login context name, compared against "Client".
    priorLoginContextName = System.getProperty(ZK_LOGIN_CONTEXT_NAME);
    final String loginContextName = securityConfig.getZooKeeperLoginContextName();
    if (!"Client".equals(loginContextName)) {
        System.setProperty(ZK_LOGIN_CONTEXT_NAME, loginContextName);
    }
}
/**
 * Creates the Hadoop security module when Hadoop is available to this class loader.
 *
 * @param securityConfig configuration passed to the module and used to derive the
 *     Hadoop configuration
 * @return a new {@code HadoopModule}, or {@code null} when Hadoop is not on the
 *     classpath or loading it fails with a {@link LinkageError}
 */
@Override
public SecurityModule createModule(SecurityConfiguration securityConfig) {
    // Probe for a Hadoop class without initializing it (second argument is false).
    try {
        Class.forName(
                "org.apache.hadoop.conf.Configuration",
                false,
                HadoopModule.class.getClassLoader());
    } catch (ClassNotFoundException hadoopMissing) {
        LOG.info("Cannot create Hadoop Security Module because Hadoop cannot be found in the Classpath.");
        return null;
    }

    // NOTE(review): a LinkageError is logged and converted to null, so the process
    // carries on without this module -- confirm callers treat a null module as
    // acceptable when Kerberos is required.
    try {
        return new HadoopModule(
                securityConfig,
                HadoopUtils.getHadoopConfiguration(securityConfig.getFlinkConfig()));
    } catch (LinkageError linkageFailure) {
        LOG.error("Cannot create Hadoop Security Module.", linkageFailure);
        return null;
    }
}
// closes the enclosing type, whose header is not part of this excerpt
}
/**
 * Installs a dynamic JAAS configuration that layers the Kerberos entries over the
 * configuration that was active before.
 *
 * @throws SecurityInstallException declared by the signature; may originate from
 *     {@code generateDefaultConfigFile()}, which is not shown here
 */
@Override
public void install() throws SecurityInstallException {
    // ZK and Kafka look for this system property and for the file it names, so a
    // default file is generated when the property is not set.
    priorConfigFile = System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);
    if (priorConfigFile == null) {
        // NOTE(review): where the default file is written, and with which
        // permissions, is decided in generateDefaultConfigFile() -- confirm it is
        // created with restrictive permissions in a location other users cannot write to.
        System.setProperty(
                JAVA_SECURITY_AUTH_LOGIN_CONFIG,
                generateDefaultConfigFile().getAbsolutePath());
    }

    // Keep the previously active configuration and wrap it in a dynamic one.
    priorConfig = javax.security.auth.login.Configuration.getConfiguration();
    currentConfig = new DynamicConfiguration(priorConfig);

    // Every configured login context name receives the same krb5 entries.
    final AppConfigurationEntry[] kerberosEntries = getAppConfigurationEntries(securityConfig);
    if (kerberosEntries != null) {
        for (String loginContextName : securityConfig.getLoginContextNames()) {
            currentConfig.addAppConfigurationEntry(loginContextName, kerberosEntries);
        }
    }

    // setConfiguration replaces the JAAS configuration for the whole JVM.
    javax.security.auth.login.Configuration.setConfiguration(currentConfig);
}
// Wrap the Flink configuration (flinkConfig is defined outside this excerpt) in a SecurityConfiguration.
SecurityConfiguration sc = new SecurityConfiguration(flinkConfig);
/**
 * Builds the Kerberos JAAS entries selected by the security configuration.
 *
 * @param securityConfig source of the ticket-cache flag, keytab path and principal
 * @return the keytab entry followed by the ticket-cache entry when both are available,
 *     a single-element array when only one is, or {@code null} when neither is
 */
private static AppConfigurationEntry[] getAppConfigurationEntries(SecurityConfiguration securityConfig) {
    final AppConfigurationEntry ticketCacheAce =
            securityConfig.useTicketCache() ? KerberosUtils.ticketCacheEntry() : null;

    // NOTE(review): only null is ruled out here. A blank keytab path or a null
    // principal would still reach KerberosUtils.keytabEntry -- confirm that
    // SecurityConfiguration validates both before this point.
    final AppConfigurationEntry keytabAce =
            securityConfig.getKeytab() != null
                    ? KerberosUtils.keytabEntry(
                            securityConfig.getKeytab(), securityConfig.getPrincipal())
                    : null;

    if (keytabAce == null && ticketCacheAce == null) {
        return null;
    }
    if (ticketCacheAce == null) {
        return new AppConfigurationEntry[] {keytabAce};
    }
    if (keytabAce == null) {
        return new AppConfigurationEntry[] {ticketCacheAce};
    }
    // The keytab entry is listed first; JAAS consults login modules in array order.
    return new AppConfigurationEntry[] {keytabAce, ticketCacheAce};
}
for (SecurityModuleFactory moduleFactory : config.getSecurityModuleFactories()) { SecurityModule module = moduleFactory.createModule(config);
/**
 * Applies the ZooKeeper client SASL settings as JVM system properties, remembering the
 * value each property had before.
 *
 * @throws SecurityInstallException declared by the signature; nothing in this body
 *     throws it directly
 */
@Override
public void install() throws SecurityInstallException {
    // System properties are JVM-wide, so every ZooKeeper client in this process sees them.
    priorSaslEnable = System.getProperty(ZK_ENABLE_CLIENT_SASL);
    System.setProperty(ZK_ENABLE_CLIENT_SASL, Boolean.toString(!securityConfig.isZkSaslDisable()));

    // The service name is written only when it differs from "zookeeper"; when it
    // matches, a value already present in the JVM is left as it is.
    priorServiceName = System.getProperty(ZK_SASL_CLIENT_USERNAME);
    final String serviceName = securityConfig.getZooKeeperServiceName();
    // NOTE(review): a null service name passes this test and System.setProperty
    // rejects null values -- confirm the configuration always supplies one.
    if (!"zookeeper".equals(serviceName)) {
        System.setProperty(ZK_SASL_CLIENT_USERNAME, serviceName);
    }

    // Same rule for the login context name, compared against "Client".
    priorLoginContextName = System.getProperty(ZK_LOGIN_CONTEXT_NAME);
    final String loginContextName = securityConfig.getZooKeeperLoginContextName();
    if (!"Client".equals(loginContextName)) {
        System.setProperty(ZK_LOGIN_CONTEXT_NAME, loginContextName);
    }
}
/**
 * Creates the Hadoop security module when Hadoop is available to this class loader.
 *
 * @param securityConfig configuration passed to the module and used to derive the
 *     Hadoop configuration
 * @return a new {@code HadoopModule}, or {@code null} when Hadoop is not on the
 *     classpath or loading it fails with a {@link LinkageError}
 */
@Override
public SecurityModule createModule(SecurityConfiguration securityConfig) {
    // Probe for a Hadoop class without initializing it (second argument is false).
    try {
        Class.forName(
                "org.apache.hadoop.conf.Configuration",
                false,
                HadoopModule.class.getClassLoader());
    } catch (ClassNotFoundException hadoopMissing) {
        LOG.info("Cannot create Hadoop Security Module because Hadoop cannot be found in the Classpath.");
        return null;
    }

    // NOTE(review): a LinkageError is logged and converted to null, so the process
    // carries on without this module -- confirm callers treat a null module as
    // acceptable when Kerberos is required.
    try {
        return new HadoopModule(
                securityConfig,
                HadoopUtils.getHadoopConfiguration(securityConfig.getFlinkConfig()));
    } catch (LinkageError linkageFailure) {
        LOG.error("Cannot create Hadoop Security Module.", linkageFailure);
        return null;
    }
}
// closes the enclosing type, whose header is not part of this excerpt
}
/**
 * Installs a dynamic JAAS configuration that layers the Kerberos entries over the
 * configuration that was active before.
 *
 * @throws SecurityInstallException declared by the signature; may originate from
 *     {@code generateDefaultConfigFile()}, which is not shown here
 */
@Override
public void install() throws SecurityInstallException {
    // ZK and Kafka look for this system property and for the file it names, so a
    // default file is generated when the property is not set.
    priorConfigFile = System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);
    if (priorConfigFile == null) {
        // NOTE(review): where the default file is written, and with which
        // permissions, is decided in generateDefaultConfigFile() -- confirm it is
        // created with restrictive permissions in a location other users cannot write to.
        System.setProperty(
                JAVA_SECURITY_AUTH_LOGIN_CONFIG,
                generateDefaultConfigFile().getAbsolutePath());
    }

    // Keep the previously active configuration and wrap it in a dynamic one.
    priorConfig = javax.security.auth.login.Configuration.getConfiguration();
    currentConfig = new DynamicConfiguration(priorConfig);

    // Every configured login context name receives the same krb5 entries.
    final AppConfigurationEntry[] kerberosEntries = getAppConfigurationEntries(securityConfig);
    if (kerberosEntries != null) {
        for (String loginContextName : securityConfig.getLoginContextNames()) {
            currentConfig.addAppConfigurationEntry(loginContextName, kerberosEntries);
        }
    }

    // setConfiguration replaces the JAAS configuration for the whole JVM.
    javax.security.auth.login.Configuration.setConfiguration(currentConfig);
}
/**
 * Entry point: loads the Flink configuration from the required {@code configDir}
 * argument, initializes the file system, installs security and runs the history
 * server inside the installed security context.
 *
 * <p>Exits with status 0 after the server returns and with status 1 when running it
 * fails.
 *
 * @param args command-line arguments; {@code configDir} is required
 * @throws Exception when file system initialization fails, or propagated from the
 *     configuration and security calls made before the server starts
 */
public static void main(String[] args) throws Exception {
    final String configDir = ParameterTool.fromArgs(args).getRequired("configDir");
    LOG.info("Loading configuration from {}", configDir);
    final Configuration flinkConfig = GlobalConfiguration.loadConfiguration(configDir);

    try {
        FileSystem.initialize(flinkConfig);
    } catch (IOException initFailure) {
        throw new Exception(
                "Error while setting the default filesystem scheme from configuration.",
                initFailure);
    }

    // Security is installed before the server is created, and the server itself is
    // started through runSecured so it executes under the installed context.
    SecurityUtils.install(new SecurityConfiguration(flinkConfig));
    try {
        final Callable<Integer> serverTask = new Callable<Integer>() {
            @Override
            public Integer call() throws Exception {
                new HistoryServer(flinkConfig).run();
                return 0;
            }
        };
        SecurityUtils.getInstalledContext().runSecured(serverTask);
        System.exit(0);
    } catch (Throwable failure) {
        // Strip UndeclaredThrowableException wrappers so the logged error is the underlying one.
        final Throwable rootFailure =
                ExceptionUtils.stripException(failure, UndeclaredThrowableException.class);
        LOG.error("Failed to run HistoryServer.", rootFailure);
        rootFailure.printStackTrace();
        System.exit(1);
    }
}
!StringUtils.isBlank(securityConfig.getKeytab()) && !StringUtils.isBlank(securityConfig.getPrincipal())) { String keytabPath = (new File(securityConfig.getKeytab())).getAbsolutePath(); UserGroupInformation.loginUserFromKeytab(securityConfig.getPrincipal(), keytabPath); if (securityConfig.useTicketCache() && !loginUser.hasKerberosCredentials()) {
for (SecurityModuleFactory moduleFactory : config.getSecurityModuleFactories()) { SecurityModule module = moduleFactory.createModule(config);