public static UserGroupInformation loginAndReturnUGI(Configuration conf, String username) throws IOException { String hostname = InetAddress.getLocalHost().getHostName(); String keyTabFileConfKey = "hbase." + username + ".keytab.file"; String keyTabFileLocation = conf.get(keyTabFileConfKey); String principalConfKey = "hbase." + username + ".kerberos.principal"; String principal = org.apache.hadoop.security.SecurityUtil .getServerPrincipal(conf.get(principalConfKey), hostname); if (keyTabFileLocation == null || principal == null) { LOG.warn("Principal or key tab file null for : " + principalConfKey + ", " + keyTabFileConfKey); } UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keyTabFileLocation); return ugi; } }
private void login(PropertyKey keytabFileKey, String keytabFile, PropertyKey principalKey, String principal, String hostname) throws IOException { org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration(); conf.set(keytabFileKey.toString(), keytabFile); conf.set(principalKey.toString(), principal); SecurityUtil.login(conf, keytabFileKey.toString(), principalKey.toString(), hostname); }
/** * Select a delegation token from all tokens in credentials, based on url. */ @InterfaceAudience.Private public org.apache.hadoop.security.token.Token<? extends TokenIdentifier> selectDelegationToken(URL url, Credentials creds) { final InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(), url.getPort()); final Text service = SecurityUtil.buildTokenService(serviceAddr); org.apache.hadoop.security.token.Token<? extends TokenIdentifier> dToken = creds.getToken(service); LOG.debug("Using delegation token {} from service:{}", dToken, service); return dToken; }
/** * Login as a principal specified in config. Substitute $host in * user's Kerberos principal name with a dynamically looked-up fully-qualified * domain name of the current host. * * @param conf * conf to use * @param keytabFileKey * the key to look for keytab file in conf * @param userNameKey * the key to look for user's Kerberos principal name in conf * @throws IOException if login fails */ @InterfaceAudience.Public @InterfaceStability.Evolving public static void login(final Configuration conf, final String keytabFileKey, final String userNameKey) throws IOException { login(conf, keytabFileKey, userNameKey, getLocalHostName(conf)); }
/** * Try to locate the required token for the server. * * @param authType of the SASL client * @return Token for server, or null if no token available * @throws IOException - token selector cannot be instantiated */ private Token<?> getServerToken(SaslAuth authType) throws IOException { TokenInfo tokenInfo = SecurityUtil.getTokenInfo(protocol, conf); LOG.debug("Get token info proto:" + protocol + " info:" + tokenInfo); if (tokenInfo == null) { // protocol has no support for tokens return null; } TokenSelector<?> tokenSelector = null; try { tokenSelector = tokenInfo.value().newInstance(); } catch (InstantiationException | IllegalAccessException e) { throw new IOException(e.toString(), e); } return tokenSelector.selectToken( SecurityUtil.buildTokenService(serverAddr), ugi.getTokens()); }
KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf); LOG.debug("Get kerberos info proto:" + protocol + " info:" + krbInfo); if (krbInfo == null) { // protocol has no support for kerberos String serverKeyPattern = conf.get(serverKey + ".pattern"); if (serverKeyPattern != null && !serverKeyPattern.isEmpty()) { Pattern pattern = GlobPattern.compile(serverKeyPattern); String confPrincipal = SecurityUtil.getServerPrincipal( conf.get(serverKey), serverAddr.getAddress()); if (LOG.isDebugEnabled()) { LOG.debug("getting serverKey: " + serverKey + " conf value: " + conf.get(serverKey) + " principal: " + confPrincipal);
private static KerberosPrincipal createKerberosPrincipal(String principal) { try { return new KerberosPrincipal(getServerPrincipal(principal, InetAddress.getLocalHost().getCanonicalHostName())); } catch (IOException e) { throw new UncheckedIOException(e); } }
@Override public int run(String[] args) throws Exception { logProcessInfo(getConf()); final boolean loadBalancerEnabled = getConf().getBoolean(QueryServices.PHOENIX_QUERY_SERVER_LOADBALANCER_ENABLED, QueryServicesOptions.DEFAULT_PHOENIX_QUERY_SERVER_LOADBALANCER_ENABLED); try { final boolean isKerberos = "kerberos".equalsIgnoreCase(getConf().get( QueryServices.QUERY_SERVER_HBASE_SECURITY_CONF_ATTRIB)); final boolean disableSpnego = getConf().getBoolean(QueryServices.QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB, QueryServicesOptions.DEFAULT_QUERY_SERVER_SPNEGO_AUTH_DISABLED); String hostname; QueryServices.QUERY_SERVER_KERBEROS_PRINCIPAL_ATTRIB) + "."); SecurityUtil.login(getConf(), QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB, QueryServices.QUERY_SERVER_KERBEROS_PRINCIPAL_ATTRIB, hostname); LOG.info("Login successful."); } else { hostname = InetAddress.getLocalHost().getHostName(); LOG.info(" Kerberos is off and hostname is : "+hostname);
protected RpcConnection(Configuration conf, HashedWheelTimer timeoutTimer, ConnectionId remoteId, String clusterId, boolean isSecurityEnabled, Codec codec, CompressionCodec compressor) throws IOException { if (remoteId.getAddress().isUnresolved()) { throw new UnknownHostException("unknown host: " + remoteId.getAddress().getHostName()); .get(tokenKind); if (tokenSelector != null) { token = tokenSelector.selectToken(new Text(clusterId), ticket.getTokens()); } else if (LOG.isDebugEnabled()) { LOG.debug("No token selector found for type " + tokenKind); throw new IOException("Can't obtain server Kerberos config key from SecurityInfo"); serverPrincipal = SecurityUtil.getServerPrincipal(conf.get(serverKey), remoteId.address.getAddress().getCanonicalHostName().toLowerCase()); if (LOG.isDebugEnabled()) { LOG.debug("RPC Server Kerberos principal name for service=" + remoteId.getServiceName() + ", sasl=" + useSasl); reloginMaxBackoff = conf.getInt("hbase.security.relogin.maxbackoff", 5000); this.remoteId = remoteId;
public static void refreshLensTGT(HiveConf conf) throws IOException, IllegalArgumentException { String principalString = conf.get(LensConfConstants.LENS_PRINCIPAL); Validate.notEmpty(principalString, "Missing required configuration property: " + LensConfConstants.LENS_PRINCIPAL); String principal = SecurityUtil.getServerPrincipal( principalString, InetAddress.getLocalHost().getCanonicalHostName()); String keytabFilePath = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB); Validate.notEmpty(keytabFilePath, "Missing required configuration property: " + HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB.toString()); checkIsReadable(keytabFilePath); Configuration hadoopConf = new Configuration(); hadoopConf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(hadoopConf); UserGroupInformation.loginUserFromKeytab(principal, keytabFilePath); log.info("RetryingThriftCLIServiceClientSasl : Got Kerberos ticket, keytab: {}, Lens principal: {}", keytabFilePath, principal); } }
KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf); String clientPrincipal = null; if (krbInfo != null) { if (clientKey != null && !clientKey.isEmpty()) { try { clientPrincipal = SecurityUtil.getServerPrincipal( conf.get(clientKey), addr); } catch (IOException e) { throw (AuthorizationException) new AuthorizationException( if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { String cause = clientPrincipal != null ? String hostAddress = addr.getHostAddress(); if (hosts.length != 2 || !hosts[0].includes(hostAddress) || hosts[1].includes(hostAddress)) {
private static void secureLogin(Configuration conf) throws IOException { UserGroupInformation.setConfiguration(conf); String addr = conf.get(DFSConfigKeys.DFS_SPS_ADDRESS_KEY, DFSConfigKeys.DFS_SPS_ADDRESS_DEFAULT); InetSocketAddress socAddr = NetUtils.createSocketAddr(addr, 0, DFSConfigKeys.DFS_SPS_ADDRESS_KEY); SecurityUtil.login(conf, DFSConfigKeys.DFS_SPS_KEYTAB_FILE_KEY, DFSConfigKeys.DFS_SPS_KERBEROS_PRINCIPAL_KEY, socAddr.getHostName()); }
/** * Requests a delegation token using the configured <code>Authenticator</code> * for authentication. * * @param url the URL to get the delegation token from. Only HTTP/S URLs are * supported. * @param token the authentication token being used for the user where the * Delegation token will be stored. * @param renewer the renewer user. * @param doAsUser the user to do as, which will be the token owner. * @throws IOException if an IO error occurred. * @throws AuthenticationException if an authentication exception occurred. */ public Token<AbstractDelegationTokenIdentifier> getDelegationToken(URL url, AuthenticatedURL.Token token, String renewer, String doAsUser) throws IOException, AuthenticationException { Map json = doDelegationTokenOperation(url, token, DelegationTokenOperation.GETDELEGATIONTOKEN, renewer, null, true, doAsUser); json = (Map) json.get(DELEGATION_TOKEN_JSON); String tokenStr = (String) json.get(DELEGATION_TOKEN_URL_STRING_JSON); Token<AbstractDelegationTokenIdentifier> dToken = new Token<AbstractDelegationTokenIdentifier>(); dToken.decodeFromUrlString(tokenStr); InetSocketAddress service = new InetSocketAddress(url.getHost(), url.getPort()); SecurityUtil.setTokenService(dToken, service); return dToken; }
resolvedPrincipal = SecurityUtil.getServerPrincipal(principal, ""); } catch (IOException e) { throw new IllegalArgumentException("Host lookup error resolving kerberos principal (" if (!UserGroupInformation.isSecurityEnabled()) { Configuration conf = new Configuration(false); conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos"); UserGroupInformation.setConfiguration(conf); curUser = UserGroupInformation.getLoginUser(); if (curUser != null && !curUser.hasKerberosCredentials()) { curUser = null;
.setConf(conf).setACL(new AccessControlList(conf.get(DFS_ADMIN, " "))) .setSecurityEnabled(UserGroupInformation.isSecurityEnabled()) .setUsernameConfKey(spnegoUserNameKey) .setKeytabConfKey(getSpnegoKeytabKey(conf, spnegoKeytabFileKey)); if (UserGroupInformation.isSecurityEnabled()) { LOG.info("Starting web server as: " + SecurityUtil.getServerPrincipal(conf.get(spnegoUserNameKey), httpAddr.getHostName())); if (httpAddr.getPort() == 0) { builder.setFindPort(true); URI uri = URI.create("http://" + NetUtils.getHostPortString(httpAddr)); builder.addEndpoint(uri); LOG.info("Starting Web-server for " + name + " at: " + uri); loadSslConfToHttpServerBuilder(builder, sslConf); if (httpsAddr.getPort() == 0) { builder.setFindPort(true); URI uri = URI.create("https://" + NetUtils.getHostPortString(httpsAddr)); builder.addEndpoint(uri); LOG.info("Starting Web-server for " + name + " at: " + uri);
/** * @return a collection of all configured NN Kerberos principals. */ public static Set<String> getAllNnPrincipals(Configuration conf) throws IOException { Set<String> principals = new HashSet<String>(); for (String nsId : DFSUtilClient.getNameServiceIds(conf)) { if (HAUtil.isHAEnabled(conf, nsId)) { for (String nnId : DFSUtilClient.getNameNodeIds(conf, nsId)) { Configuration confForNn = new Configuration(conf); NameNode.initializeGenericKeys(confForNn, nsId, nnId); String principal = SecurityUtil.getServerPrincipal(confForNn .get(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY), DFSUtilClient.getNNAddress(confForNn).getHostName()); principals.add(principal); } } else { Configuration confForNn = new Configuration(conf); NameNode.initializeGenericKeys(confForNn, nsId, null); String principal = SecurityUtil.getServerPrincipal(confForNn .get(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY), DFSUtilClient.getNNAddress(confForNn).getHostName()); principals.add(principal); } } return principals; }
final Configuration zkConf = new Configuration(conf); long tokenLifetime = HiveConf.getTimeVar( conf, ConfVars.LLAP_DELEGATION_TOKEN_LIFETIME, TimeUnit.SECONDS); zkConf.setLong(DelegationTokenManager.MAX_LIFETIME, tokenLifetime); zkConf.setLong(DelegationTokenManager.RENEW_INTERVAL, tokenLifetime); try { zkConf.set(ZK_DTSM_ZK_KERBEROS_PRINCIPAL, SecurityUtil.getServerPrincipal(llapPrincipal, "0.0.0.0")); } catch (IOException e) { throw new RuntimeException(e);
private void login(Configuration configuration) throws IOException { if (configuration.get(HIVE_KEYTAB_FILE_KEY) == null) { configuration.set(HIVE_KEYTAB_FILE_KEY, hiveKeytab); } if (configuration.get(HIVE_PRINCIPAL_KEY) == null) { configuration.set(HIVE_PRINCIPAL_KEY, hivePrincipal); } SecurityUtil.login(configuration, HIVE_KEYTAB_FILE_KEY, HIVE_PRINCIPAL_KEY); LOG.info("Logged into hive with principal {}", configuration.get(HIVE_PRINCIPAL_KEY)); }
CommandLineOpts commandLineOpts) throws IOException { final InetSocketAddress infoSocAddr = getHttpAddress(conf); final String infoBindAddress = infoSocAddr.getHostName(); UserGroupInformation.setConfiguration(conf); if (UserGroupInformation.isSecurityEnabled()) { SecurityUtil.login(conf, DFSConfigKeys.DFS_SECONDARY_NAMENODE_KEYTAB_FILE_KEY, DFSConfigKeys.DFS_SECONDARY_NAMENODE_KERBEROS_PRINCIPAL_KEY, infoBindAddress); conf.get(DFSConfigKeys.DFS_METRICS_SESSION_ID_KEY), DefaultMetricsSystem.instance()); NamenodeProtocol.class, UserGroupInformation.getCurrentUser(), true).getProxy(); "SecondaryNameNodeInfo", this); legacyOivImageDir = conf.get( DFSConfigKeys.DFS_NAMENODE_LEGACY_OIV_IMAGE_DIR_KEY);
LOG.debug("Validating request made by " + remotePrincipal + " / " + remoteShortName + ". This user is: " + UserGroupInformation.getLoginUser()); try { validRequestors.add( SecurityUtil.getServerPrincipal(conf .get(DFSConfigKeys.DFS_SECONDARY_NAMENODE_KERBEROS_PRINCIPAL_KEY), SecondaryNameNode.getHttpAddress(conf).getHostName())); } catch (Exception e) { "SecondaryNameNode principal not considered, %s = %s, %s = %s", DFSConfigKeys.DFS_SECONDARY_NAMENODE_KERBEROS_PRINCIPAL_KEY, conf.get(DFSConfigKeys.DFS_SECONDARY_NAMENODE_KERBEROS_PRINCIPAL_KEY), DFSConfigKeys.DFS_NAMENODE_SECONDARY_HTTP_ADDRESS_KEY, conf.get(DFSConfigKeys.DFS_NAMENODE_SECONDARY_HTTP_ADDRESS_KEY, DFSConfigKeys.DFS_NAMENODE_SECONDARY_HTTP_ADDRESS_DEFAULT)); LOG.warn(msg); UserGroupInformation.getLoginUser().getShortUserName())) { if (LOG.isDebugEnabled()) LOG.debug("isValidRequestor is allowing other JN principal: " +