/**
 * Entry point of the history server process.
 *
 * <p>Reads the required {@code configDir} argument, loads the Flink configuration from that
 * directory, installs the security configuration built from it and then runs a
 * {@link HistoryServer} inside the installed security context. The process exits with 0 once
 * the server returns and with 1 when running it fails.
 *
 * @param args command line arguments; {@code configDir} is mandatory
 * @throws Exception if parsing the arguments, loading the configuration or installing the
 *     security configuration fails (those calls sit outside the try block)
 */
public static void main(String[] args) throws Exception {
    final ParameterTool parameters = ParameterTool.fromArgs(args);
    final String configDir = parameters.getRequired("configDir");

    LOG.info("Loading configuration from {}", configDir);
    final Configuration flinkConfig = GlobalConfiguration.loadConfiguration(configDir);

    // Security is installed before the server object is even created, so everything the
    // server does happens after the security modules have been applied.
    SecurityUtils.install(new SecurityUtils.SecurityConfiguration(flinkConfig));

    // The server itself is started through runSecured() rather than directly.
    final Callable<Integer> serverTask = new Callable<Integer>() {
        @Override
        public Integer call() throws Exception {
            HistoryServer server = new HistoryServer(flinkConfig);
            server.run();
            return 0;
        }
    };

    try {
        SecurityUtils.getInstalledContext().runSecured(serverTask);
        System.exit(0);
    } catch (Exception e) {
        // An UndeclaredThrowableException only wraps the real failure; report the wrapped
        // throwable so the log shows the actual cause.
        final Throwable failure = (e instanceof UndeclaredThrowableException)
            ? ((UndeclaredThrowableException) e).getUndeclaredThrowable()
            : e;
        LOG.error("Failed to run HistoryServer.", failure);
        // The stack trace also goes to stderr, in addition to the log.
        failure.printStackTrace();
        System.exit(1);
    }
}
/**
 * Installs a process-wide security configuration.
 *
 * <p>Applies the configuration using the available security modules (i.e. Hadoop, JAAS): each
 * module class listed by the configuration is instantiated and installed in order. Afterwards
 * a security context for the Hadoop login user becomes the installed context.
 *
 * @param config the security configuration to apply
 * @throws Exception wrapping any failure raised while instantiating or installing a module;
 *     a failure while resolving the login user propagates unwrapped, because that call sits
 *     outside the try block
 */
public static void install(SecurityConfiguration config) throws Exception {
    final List<SecurityModule> installed = new ArrayList<>();
    try {
        for (Class<? extends SecurityModule> moduleType : config.getSecurityModules()) {
            final SecurityModule instance = moduleType.newInstance();
            instance.install(config);
            installed.add(instance);
        }
    } catch (Exception cause) {
        // NOTE(review): modules installed before the failing one are held only in the local
        // list, which is dropped here, so whatever state they applied stays in place without
        // being recorded in installedModules. Confirm callers treat this failure as fatal.
        throw new Exception("unable to establish the security context", cause);
    }
    // Published only after every module installed successfully.
    installedModules = installed;

    // Anything other than the no-op context means a context was already installed; replacing
    // it is allowed but logged, because the change affects the whole process.
    final boolean replacesExisting = !(installedContext instanceof NoOpSecurityContext);
    if (replacesExisting) {
        LOG.warn("overriding previous security context");
    }

    // The Hadoop login user is the subject of the installed security context.
    installedContext = new HadoopSecurityContext(UserGroupInformation.getLoginUser());
}
/**
 * Applies the ZooKeeper client SASL settings from the given configuration as system
 * properties.
 *
 * <p>The value each property had beforehand is captured in the matching {@code prior*} field
 * before the property is touched. System properties are JVM-wide, so the settings are not
 * limited to a single client instance.
 *
 * @param configuration the security configuration providing the ZooKeeper settings
 * @throws SecurityInstallException declared by the overridden method; nothing in this body
 *     throws it explicitly
 */
@Override
public void install(SecurityUtils.SecurityConfiguration configuration) throws SecurityInstallException {
    // SASL on/off is always written: the property is the negation of the "disable" switch.
    priorSaslEnable = System.getProperty(ZK_ENABLE_CLIENT_SASL);
    final boolean saslEnabled = !configuration.isZkSaslDisable();
    System.setProperty(ZK_ENABLE_CLIENT_SASL, String.valueOf(saslEnabled));

    // The service name is written only when it differs from "zookeeper".
    // NOTE(review): when the configured name is "zookeeper", a different value already present
    // in the property is left in effect - confirm that is intended.
    priorServiceName = System.getProperty(ZK_SASL_CLIENT_USERNAME);
    final String serviceName = configuration.getZooKeeperServiceName();
    if (!"zookeeper".equals(serviceName)) {
        System.setProperty(ZK_SASL_CLIENT_USERNAME, serviceName);
    }

    // Same rule for the login context name, with "Client" as the value that is not written.
    priorLoginContextName = System.getProperty(ZK_LOGIN_CONTEXT_NAME);
    final String loginContextName = configuration.getZooKeeperLoginContextName();
    if (!"Client".equals(loginContextName)) {
        System.setProperty(ZK_LOGIN_CONTEXT_NAME, loginContextName);
    }
}
// NOTE(review): this listing is an excerpt of the method. Several lines are missing between the
// fragments below, so they do not form a complete body; the comments describe only what is visible.
@Override
public void install(SecurityUtils.SecurityConfiguration securityConfig) throws SecurityInstallException {
    // Hand the Hadoop configuration carried by the security configuration to UserGroupInformation
    // before any of the login calls below.
    UserGroupInformation.setConfiguration(securityConfig.getHadoopConfiguration());
    // Excerpt gap: the opening of this condition is not shown. The visible part requires both a
    // non-blank keytab and a non-blank principal before the keytab login is attempted.
    !StringUtils.isBlank(securityConfig.getKeytab()) && !StringUtils.isBlank(securityConfig.getPrincipal())) {
        // The keytab path is made absolute before it is passed to the keytab login.
        String keytabPath = (new File(securityConfig.getKeytab())).getAbsolutePath();
        UserGroupInformation.loginUserFromKeytab(securityConfig.getPrincipal(), keytabPath);
        // Excerpt gap: the next line is the tail of a call whose start is not shown; presumably the
        // reflective lookup that produces readTokenStorageFileMethod - confirm against the full file.
        File.class, org.apache.hadoop.conf.Configuration.class);
        // Reads credentials from the file at fileLocation through a reflective call with a null
        // receiver. NOTE(review): where fileLocation comes from is not visible here; verify that
        // the file it names is readable only by the account running this process.
        Credentials cred = (Credentials) readTokenStorageFileMethod.invoke(null, new File(fileLocation), securityConfig.getHadoopConfiguration());
        // Excerpt gap: loginUser is assigned in a part that is not shown. The condition holds when
        // the ticket cache is enabled but the login user has no Kerberos credentials; the body of
        // this branch is cut off.
        if (securityConfig.useTicketCache() && !loginUser.hasKerberosCredentials()) {
// Set the Kerberos login principal and the login contexts ("Client" and "KafkaClient",
// given as one comma-separated value) on the Flink configuration.
flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, testPrincipal);
flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS, "Client,KafkaClient");
// Build the security configuration from flinkConfig and install it through the testing
// context, together with the per-client map from getClientSecurityConfigurationMap().
// NOTE(review): the code that later undoes this installation is not visible in this
// excerpt - confirm the surrounding test restores the previous state.
SecurityUtils.SecurityConfiguration ctx = new SecurityUtils.SecurityConfiguration(flinkConfig);
TestingSecurityContext.install(ctx, getClientSecurityConfigurationMap());
/**
 * Submits the job based on the arguments.
 *
 * <p>Logs the environment information, creates the {@link CliFrontend}, installs the security
 * configuration built from its configuration and parses the arguments inside the installed
 * security context. The process exits with the code returned by the parser, or with 31 when
 * any throwable escapes.
 *
 * @param args the command line arguments
 */
public static void main(final String[] args) {
    EnvironmentInformation.logEnvironmentInfo(LOG, "Command Line Client", args);

    try {
        final CliFrontend cli = new CliFrontend();

        // Security is installed before any argument is parsed.
        SecurityUtils.install(new SecurityUtils.SecurityConfiguration(cli.config));

        // Argument parsing goes through runSecured() rather than being called directly.
        final Callable<Integer> command = new Callable<Integer>() {
            @Override
            public Integer call() {
                return cli.parseParameters(args);
            }
        };
        final int exitCode = SecurityUtils.getInstalledContext().runSecured(command);
        System.exit(exitCode);
    } catch (Throwable fatal) {
        // Covers failures of the security installation as well as of the command itself.
        LOG.error("Fatal error while running command line interface.", fatal);
        fatal.printStackTrace();
        System.exit(31);
    }
}
/**
 * Installs a dynamic JAAS configuration layered over the one currently in effect.
 *
 * <p>The previous login-config system property and the previous JAAS configuration are kept
 * in {@code priorConfigFile} and {@code priorConfig}. The Kerberos entries derived from the
 * security configuration, if there are any, are registered under every configured login
 * context name, and the resulting configuration is then set as the JAAS configuration.
 *
 * @param securityConfig the security configuration providing the login contexts and the
 *     Kerberos settings
 * @throws SecurityInstallException declared by the overridden method; nothing in this body
 *     throws it explicitly
 */
@Override
public void install(SecurityUtils.SecurityConfiguration securityConfig) throws SecurityInstallException {
    // ZK and Kafka check both the system property and the existence of the file it names, so
    // a generated default file is registered when no config file has been defined.
    // NOTE(review): where generateDefaultConfigFile() writes and with which permissions is not
    // visible here - verify that other local users cannot replace that file.
    priorConfigFile = System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);
    if (priorConfigFile == null) {
        final String defaultConfigPath = generateDefaultConfigFile().getAbsolutePath();
        System.setProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG, defaultConfigPath);
    }

    // Fetch the current JAAS configuration only after the property is in place, then wrap it.
    priorConfig = javax.security.auth.login.Configuration.getConfiguration();
    currentConfig = new DynamicConfiguration(priorConfig);

    // Each configured login context gets the same set of Kerberos entries; with no entries
    // available the dynamic configuration is installed without additions.
    final AppConfigurationEntry[] kerberosEntries = getAppConfigurationEntries(securityConfig);
    if (kerberosEntries != null) {
        for (String contextName : securityConfig.getLoginContextNames()) {
            currentConfig.addAppConfigurationEntry(contextName, kerberosEntries);
        }
    }

    // Replaces the JAAS configuration for the whole JVM, not only for this module.
    javax.security.auth.login.Configuration.setConfiguration(currentConfig);
}
/**
 * Builds the Kerberos JAAS entries implied by the security configuration.
 *
 * <p>A keytab entry is created when a keytab is set and a ticket cache entry when the ticket
 * cache is enabled. When both exist the keytab entry comes first in the array.
 *
 * @param securityConfig the security configuration to read the Kerberos settings from
 * @return the entries in the order keytab, ticket cache; {@code null} when neither applies
 */
private static AppConfigurationEntry[] getAppConfigurationEntries(SecurityUtils.SecurityConfiguration securityConfig) {
    final AppConfigurationEntry ticketCacheEntry =
        securityConfig.useTicketCache() ? KerberosUtils.ticketCacheEntry() : null;

    // NOTE(review): only null counts as "no keytab" here, so an empty or blank keytab string
    // still yields a keytab entry, and the principal is passed on unchecked. Confirm the
    // configuration normalises blank values before this point.
    final AppConfigurationEntry keytabEntry = (securityConfig.getKeytab() != null)
        ? KerberosUtils.keytabEntry(securityConfig.getKeytab(), securityConfig.getPrincipal())
        : null;

    if (keytabEntry == null) {
        // Ticket cache only, or nothing at all.
        return (ticketCacheEntry == null)
            ? null
            : new AppConfigurationEntry[]{ticketCacheEntry};
    }
    if (ticketCacheEntry == null) {
        return new AppConfigurationEntry[]{keytabEntry};
    }
    // Both are present: the keytab entry is listed ahead of the ticket cache entry.
    return new AppConfigurationEntry[]{keytabEntry, ticketCacheEntry};
}
/**
 * Installs the given security configuration and then adds one keytab-based JAAS entry per
 * client to the active JAAS configuration.
 *
 * @param config the security configuration to install; its module list must contain
 *     {@link JaasModule}
 * @param clientSecurityConfigurationMap JAAS application name mapped to the keytab and
 *     principal to register under that name
 * @throws Exception if the installation fails; the argument check and the cast below can
 *     also fail with unchecked exceptions
 */
public static void install(SecurityUtils.SecurityConfiguration config,
        Map<String, ClientSecurityConfiguration> clientSecurityConfigurationMap) throws Exception {

    SecurityUtils.install(config);

    // The cast below expects the active JAAS configuration to be a DynamicConfiguration, which
    // is why the JAAS module has to be part of the configuration.
    // NOTE(review): this check runs after SecurityUtils.install(), so a configuration without
    // the JAAS module is already installed by the time the check rejects it.
    checkArgument(config.getSecurityModules().contains(JaasModule.class));
    final DynamicConfiguration dynamicJaasConfig =
        (DynamicConfiguration) javax.security.auth.login.Configuration.getConfiguration();

    // Register a keytab entry for every client under its application name.
    for (Map.Entry<String, ClientSecurityConfiguration> client : clientSecurityConfigurationMap.entrySet()) {
        final ClientSecurityConfiguration credentials = client.getValue();
        final AppConfigurationEntry keytabEntry =
            KerberosUtils.keytabEntry(credentials.getKeytab(), credentials.getPrincipal());
        dynamicJaasConfig.addAppConfigurationEntry(client.getKey(), keytabEntry);
    }
}