transport = SecurityUtils.getSSLSocket(host, port, clientSocketTimeout, trustStorePath, trustStorePassword); LOG.info("Opened an SSL connection to metastore, current connections"); String tokenStrForm = SecurityUtils.getTokenStrForm(tokenSig); UserGroupInformation ugi = SecurityUtils.getUGI(); client.set_ugi(ugi.getUserName(), Arrays.asList(ugi.getGroupNames())); } catch (LoginException e) {
/**
 * Requests a delegation token whose owner is the current user.
 *
 * <p>Convenience overload: the owner comes from {@code SecurityUtils.getUser()} and the request
 * is forwarded to the two-argument {@code getDelegationToken}.
 *
 * @param renewerKerberosPrincipalName principal forwarded as the renewer of the token
 * @return the value returned by the two-argument overload for (current user, renewer)
 * @throws MetaException declared by this method; not raised directly in this body
 * @throws TException declared by this method; not raised directly in this body
 * @throws IOException declared by this method; not raised directly in this body
 */
public String getDelegationToken(String renewerKerberosPrincipalName)
    throws MetaException, TException, IOException {
  // The owner is resolved locally instead of being supplied by the caller of this overload.
  // NOTE(review): whether the receiving side checks that the authenticated caller may obtain
  // a token for this owner is not visible here. Confirm where the request is served.
  return getDelegationToken(SecurityUtils.getUser(), renewerKerberosPrincipalName);
}
/**
 * Builds a delegation token from its string form and attaches it to the supplied UGI.
 *
 * @param ugi user/group context that receives the token through {@code addToken}
 * @param tokenStr string form of the token, handed to {@code createToken}
 * @param tokenService service value handed to {@code createToken}
 * @throws IOException declared by this method; presumably raised by {@code createToken} when
 *     the string cannot be turned into a token (confirm against that helper)
 */
public static void setTokenStr(UserGroupInformation ugi, String tokenStr, String tokenService)
    throws IOException {
  // A delegation token string is credential material: keep it out of log lines and
  // exception messages on every path that reaches this method.
  Token<DelegationTokenIdentifier> parsedToken = createToken(tokenStr, tokenService);
  ugi.addToken(parsedToken);
}
/**
 * Returns the user name of the UGI obtained from {@code getUGI()}.
 *
 * <p>The value is {@code getUserName()}, not {@code getShortUserName()}; callers that compare
 * it with names produced elsewhere should check that both sides use the same form.
 *
 * @return the user name set in hadoop.job.ugi param or the current user from System
 * @throws IOException if underlying Hadoop call throws LoginException (the original exception
 *     is kept as the cause)
 */
public static String getUser() throws IOException {
  final UserGroupInformation currentUgi;
  try {
    currentUgi = getUGI();
  } catch (LoginException loginFailure) {
    // Callers of this method only deal with IOException, so the login failure is wrapped.
    throw new IOException(loginFailure);
  }
  return currentUgi.getUserName();
}
serverSocket = SecurityUtils.getServerSocket(msHost, port); } else { String keyStorePath = MetastoreConf.getVar(conf, ConfVars.SSL_KEYSTORE_PATH).trim(); serverSocket = SecurityUtils.getServerSSLSocket(msHost, port, keyStorePath, keyStorePassword, sslVersionBlacklist);
/**
 * Opens a client-side SSL transport to {@code host:port} using the given trust store.
 *
 * @param host host handed to {@code TSSLTransportFactory.getClientSocket}
 * @param port port handed to {@code TSSLTransportFactory.getClientSocket}
 * @param loginTimeout timeout value handed to {@code TSSLTransportFactory.getClientSocket}
 * @param trustStorePath location of the trust store set on the transport parameters
 * @param trustStorePassWord password of that trust store
 * @return the transport produced by {@code getSSLSocketWithHttps} for the new socket
 * @throws TTransportException declared by this method; presumably raised when the socket
 *     cannot be created (confirm against the factory)
 */
public static TTransport getSSLSocket(String host, int port, int loginTimeout,
    String trustStorePath, String trustStorePassWord) throws TTransportException {
  TSSLTransportFactory.TSSLTransportParameters sslParams =
      new TSSLTransportFactory.TSSLTransportParameters();
  sslParams.setTrustStore(trustStorePath, trustStorePassWord);
  // NOTE(review): this is the client side and no key store is configured on these
  // parameters, so it is unclear what requiring client authentication achieves here.
  // Confirm whether the flag is honoured for client sockets.
  sslParams.requireClientAuth(true);
  // The socket is bound to host:port with the given SO_TIMEOUT; its SSLContext is built
  // from the parameters above.
  TSocket rawSslSocket =
      TSSLTransportFactory.getClientSocket(host, port, loginTimeout, sslParams);
  // NOTE(review): presumably getSSLSocketWithHttps enables HTTPS endpoint identification so
  // the server certificate is matched against the host name. Confirm, because trust-store
  // validation alone does not tie the certificate to `host`.
  return getSSLSocketWithHttps(rawSslSocket);
}
// Service name the token is registered under; the same value is written to TOKEN_SIGNATURE
// at the end of this run.
String delegationTokenPropString = "DelegationTokenForHiveMetaStoreServer";
// proxyUser is passed for both arguments.
// NOTE(review): presumably the arguments are (owner, renewer), which would make the proxied
// user the renewer of its own token. Confirm that this is intended.
String delegationTokenStr = getDelegationToken(proxyUser, proxyUser);
// The token is attached to the UGI returned by getCurrentUser(), i.e. to the identity this
// code is running as. delegationTokenStr is credential material and should not be logged.
SecurityUtils.setTokenStr(UserGroupInformation.getCurrentUser(), delegationTokenStr,
    delegationTokenPropString);
// NOTE(review): presumably later connections use this signature to pick the token added
// above; verify against the code that reads TOKEN_SIGNATURE.
MetastoreConf.setVar(this.conf, ConfVars.TOKEN_SIGNATURE, delegationTokenPropString);
/**
 * Checks whether the UGI returned by {@code SecurityUtils.getUGI()} may perform an action on
 * a file.
 *
 * <p>Delegates to the four-argument {@code checkFileAccess}. The file is described by the
 * {@code stat} object supplied by the caller, so the outcome reflects whatever permissions
 * that object carried when it was obtained.
 *
 * @param fs Filesystem the file is contained in
 * @param stat Stat info for the file
 * @param action action to be performed
 * @throws IOException If thrown by Hadoop
 * @throws AccessControlException if the file cannot be accessed
 * @throws LoginException declared by this method; presumably raised when the UGI cannot be
 *     obtained (confirm against {@code SecurityUtils.getUGI()})
 */
public static void checkFileAccess(FileSystem fs, FileStatus stat, FsAction action)
    throws IOException, LoginException {
  // No caller-supplied identity on this overload: the check always uses the UGI that
  // SecurityUtils resolves.
  checkFileAccess(fs, stat, action, SecurityUtils.getUGI());
}
serverSocket = SecurityUtils.getServerSocket(null, port); } else { String keyStorePath = MetastoreConf.getVar(conf, ConfVars.SSL_KEYSTORE_PATH).trim(); serverSocket = SecurityUtils.getServerSSLSocket(null, port, keyStorePath, keyStorePassword, sslVersionBlacklist);
/**
 * Opens a client-side SSL transport to {@code host:port} using the given trust store.
 *
 * @param host host handed to {@code TSSLTransportFactory.getClientSocket}
 * @param port port handed to {@code TSSLTransportFactory.getClientSocket}
 * @param loginTimeout timeout value handed to {@code TSSLTransportFactory.getClientSocket}
 * @param trustStorePath location of the trust store set on the transport parameters
 * @param trustStorePassWord password of that trust store
 * @return the transport produced by {@code getSSLSocketWithHttps} for the new socket
 * @throws TTransportException declared by this method; presumably raised when the socket
 *     cannot be created (confirm against the factory)
 */
public static TTransport getSSLSocket(String host, int port, int loginTimeout,
    String trustStorePath, String trustStorePassWord) throws TTransportException {
  TSSLTransportFactory.TSSLTransportParameters sslParams =
      new TSSLTransportFactory.TSSLTransportParameters();
  sslParams.setTrustStore(trustStorePath, trustStorePassWord);
  // NOTE(review): this is the client side and no key store is configured on these
  // parameters, so it is unclear what requiring client authentication achieves here.
  // Confirm whether the flag is honoured for client sockets.
  sslParams.requireClientAuth(true);
  // The socket is bound to host:port with the given SO_TIMEOUT; its SSLContext is built
  // from the parameters above.
  TSocket rawSslSocket =
      TSSLTransportFactory.getClientSocket(host, port, loginTimeout, sslParams);
  // NOTE(review): presumably getSSLSocketWithHttps enables HTTPS endpoint identification so
  // the server certificate is matched against the host name. Confirm, because trust-store
  // validation alone does not tie the certificate to `host`.
  return getSSLSocketWithHttps(rawSslSocket);
}
// Service name the token is registered under; the same value is written to TOKEN_SIGNATURE
// at the end of this run.
String delegationTokenPropString = "DelegationTokenForHiveMetaStoreServer";
// proxyUser is passed for both arguments.
// NOTE(review): presumably the arguments are (owner, renewer), which would make the proxied
// user the renewer of its own token. Confirm that this is intended.
String delegationTokenStr = getDelegationToken(proxyUser, proxyUser);
// The token is attached to the UGI returned by getCurrentUser(), i.e. to the identity this
// code is running as. delegationTokenStr is credential material and should not be logged.
SecurityUtils.setTokenStr(UserGroupInformation.getCurrentUser(), delegationTokenStr,
    delegationTokenPropString);
// NOTE(review): presumably later connections use this signature to pick the token added
// above; verify against the code that reads TOKEN_SIGNATURE.
MetastoreConf.setVar(this.conf, ConfVars.TOKEN_SIGNATURE, delegationTokenPropString);
/**
 * Refuses to continue unless the parent directory of {@code dir} is writable.
 *
 * <p>The method fails closed: a negative answer from {@code wh.isWritable} and any
 * {@link IOException} raised while checking both end in a {@code MetaException}.
 *
 * @param dir path whose parent directory is checked
 * @throws MetaException if the parent is not writable, or if the check itself failed
 */
private void verifyIsWritablePath(Path dir) throws MetaException {
  final Path parentDir = dir.getParent();
  // NOTE(review): if dir has no parent, parentDir may be null; how wh.isWritable treats that
  // is not visible here.
  try {
    if (wh.isWritable(parentDir)) {
      return;
    }
    // SecurityUtils.getUser() runs inside the try block, so a failure to resolve the user is
    // reported through the "access cannot be checked" branch below.
    throw new MetaException("Table partition not deleted since " + parentDir
        + " is not writable by " + SecurityUtils.getUser());
  } catch (IOException ex) {
    LOG.warn("Error from isWritable", ex);
    // NOTE(review): the message carries the path and the underlying exception text. Confirm
    // that both are acceptable to show to whoever receives this MetaException.
    throw new MetaException("Table partition not deleted since " + parentDir
        + " access cannot be checked: " + ex.getMessage());
  }
  // NOTE(review): this is a check made ahead of the delete performed elsewhere; permissions
  // can change in between, so the delete path still has to handle a refusal.
}
transport = SecurityUtils.getSSLSocket(store.getHost(), store.getPort(), clientSocketTimeout, trustStorePath, trustStorePassword ); LOG.debug("Opened an SSL connection to metastore, current connections: " + connCount.incrementAndGet()); tokenStrForm = SecurityUtils.getTokenStrForm(tokenSig); UserGroupInformation ugi = SecurityUtils.getUGI(); client.set_ugi(ugi.getUserName(), Arrays.asList(ugi.getGroupNames())); } catch (LoginException e) {
/**
 * Writes one audit record holding the current user name, the caller address and the command.
 *
 * <p>Nothing is written when {@code cmd} is {@code null}. If the UGI cannot be resolved the
 * failure is rethrown as a {@link RuntimeException}, so no record is emitted without a user
 * name.
 *
 * @param cmd command text to record; {@code null} suppresses the record
 */
private static void logAuditEvent(String cmd) {
  if (cmd == null) {
    return;
  }

  final UserGroupInformation callerUgi;
  try {
    callerUgi = SecurityUtils.getUGI();
  } catch (Exception ex) {
    throw new RuntimeException(ex);
  }

  final String reportedAddress = getIPAddress();
  // NOTE(review): cmd is written as given. If it can carry line breaks, one event may be
  // rendered as several lines; confirm that the audit log layout encodes them.
  auditLog.info("ugi={} ip={} cmd={} ", callerUgi.getUserName(),
      reportedAddress == null ? "unknown-ip-addr" : reportedAddress, cmd);
}
/**
 * Builds a delegation token from its string form and attaches it to the supplied UGI.
 *
 * @param ugi user/group context that receives the token through {@code addToken}
 * @param tokenStr string form of the token, handed to {@code createToken}
 * @param tokenService service value handed to {@code createToken}
 * @throws IOException declared by this method; presumably raised by {@code createToken} when
 *     the string cannot be turned into a token (confirm against that helper)
 */
public static void setTokenStr(UserGroupInformation ugi, String tokenStr, String tokenService)
    throws IOException {
  // A delegation token string is credential material: keep it out of log lines and
  // exception messages on every path that reaches this method.
  Token<DelegationTokenIdentifier> parsedToken = createToken(tokenStr, tokenService);
  ugi.addToken(parsedToken);
}
/**
 * Requests a delegation token whose owner is the current user.
 *
 * <p>Convenience overload: the owner comes from {@code SecurityUtils.getUser()} and the request
 * is forwarded to the two-argument {@code getDelegationToken}.
 *
 * @param renewerKerberosPrincipalName principal forwarded as the renewer of the token
 * @return the value returned by the two-argument overload for (current user, renewer)
 * @throws MetaException declared by this method; not raised directly in this body
 * @throws TException declared by this method; not raised directly in this body
 * @throws IOException declared by this method; not raised directly in this body
 */
public String getDelegationToken(String renewerKerberosPrincipalName)
    throws MetaException, TException, IOException {
  // The owner is resolved locally instead of being supplied by the caller of this overload.
  // NOTE(review): whether the receiving side checks that the authenticated caller may obtain
  // a token for this owner is not visible here. Confirm where the request is served.
  return getDelegationToken(SecurityUtils.getUser(), renewerKerberosPrincipalName);
}
transport = SecurityUtils.getSSLSocket(store.getHost(), store.getPort(), clientSocketTimeout, trustStorePath, trustStorePassword ); LOG.info("Opened an SSL connection to metastore, current connections: " + connCount.incrementAndGet()); tokenStrForm = SecurityUtils.getTokenStrForm(tokenSig); UserGroupInformation ugi = SecurityUtils.getUGI(); client.set_ugi(ugi.getUserName(), Arrays.asList(ugi.getGroupNames())); } catch (LoginException e) {
/**
 * Rejects the call unless the current user holds host proxy privileges for the caller address.
 *
 * <p>No check is made when the metastore is not remote (embedded mode) or when
 * {@code ConfVars.EVENT_DB_NOTIFICATION_API_AUTH} is false. When the check is active it fails
 * closed: a failure to resolve the user name is logged and rethrown.
 *
 * @throws MetaException if the user does not hold the required proxy privileges
 * @throws Exception whatever was raised while resolving the current user
 */
private void authorizeProxyPrivilege() throws Exception {
  // Short-circuit order matters: the config flag is only read for a remote metastore.
  final boolean authEnforced = isMetaStoreRemote()
      && MetastoreConf.getBoolVar(conf, ConfVars.EVENT_DB_NOTIFICATION_API_AUTH);
  if (!authEnforced) {
    return;
  }

  final String shortName;
  try {
    shortName = SecurityUtils.getUGI().getShortUserName();
  } catch (Exception ex) {
    LOG.error("Cannot obtain username", ex);
    throw ex;
  }

  // The decision is keyed on the short user name and the address from getIPAddress().
  // NOTE(review): the address is passed on unchecked; confirm how
  // checkUserHasHostProxyPrivileges treats a missing address.
  final boolean allowed =
      MetaStoreServerUtils.checkUserHasHostProxyPrivileges(shortName, conf, getIPAddress());
  if (!allowed) {
    throw new MetaException("User " + shortName + " is not allowed to perform this API call");
  }
}
/**
 * Creates the {@code PrivilegeGrantInfo} described by this builder.
 *
 * <p>When no grantor has been set, the grantor defaults to the name returned by
 * {@code SecurityUtils.getUser()} and the grantor type to {@code PrincipalType.USER}.
 *
 * @return a new {@code PrivilegeGrantInfo} built from the builder's fields
 * @throws MetaException if no privilege was provided, or if the current user cannot be
 *     resolved for the default grantor
 */
public PrivilegeGrantInfo build() throws MetaException {
  if (privilege == null) {
    throw new MetaException("Privilege must be provided.");
  }
  if (grantor == null) {
    final String currentUser;
    try {
      currentUser = SecurityUtils.getUser();
    } catch (IOException e) {
      throw MetaStoreUtils.newMetaException(e);
    }
    // Both fields are only touched once the lookup has succeeded.
    grantor = currentUser;
    grantorType = PrincipalType.USER;
  }
  return new PrivilegeGrantInfo(privilege, createTime, grantor, grantorType, grantOption);
}
}
/**
 * Creates a mocked UGI with the short user name "nosuchuser" and the group names of the UGI
 * returned by {@code SecurityUtils.getUGI()}.
 *
 * @return the mocked {@code UserGroupInformation}
 * @throws LoginException declared by this method; presumably from {@code SecurityUtils.getUGI()}
 * @throws IOException declared by this method
 */
private UserGroupInformation ugiInvalidUserValidGroups() throws LoginException, IOException {
  // Read the real groups first so that no other call runs while a stubbing is in progress.
  String[] realGroups = SecurityUtils.getUGI().getGroupNames();
  UserGroupInformation fakeUgi = Mockito.mock(UserGroupInformation.class);
  Mockito.when(fakeUgi.getGroupNames()).thenReturn(realGroups);
  Mockito.when(fakeUgi.getShortUserName()).thenReturn("nosuchuser");
  return fakeUgi;
}