private static boolean getRestrictParserDefault(Object resource) { if (resource instanceof String) { return false; } UserGroupInformation user; try { user = UserGroupInformation.getCurrentUser(); } catch (IOException e) { throw new RuntimeException("Unable to determine current user", e); } return user.getRealUser() != null; } }
protected UserGroupInformation getUGI() { UserGroupInformation ticket = remoteId.getTicket().getUGI(); if (authMethod == AuthMethod.KERBEROS) { if (ticket != null && ticket.getRealUser() != null) { ticket = ticket.getRealUser(); } } return ticket; }
/** * Return the username. */ @Override public String toString() { StringBuilder sb = new StringBuilder(getUserName()); sb.append(" (auth:"+getAuthenticationMethod()+")"); if (getRealUser() != null) { sb.append(" via ").append(getRealUser().toString()); } return sb.toString(); }
/** * Get the authentication method from the real user's subject. If there * is no real user, return the given user's authentication method. * * @return AuthenticationMethod in the subject, null if not present. */ public synchronized AuthenticationMethod getRealAuthenticationMethod() { UserGroupInformation ugi = getRealUser(); if (ugi == null) { ugi = this; } return ugi.getAuthenticationMethod(); }
private static boolean getRestrictParserDefault(Object resource) { if (resource instanceof String || !UserGroupInformation.isInitialized()) { return false; } UserGroupInformation user; try { user = UserGroupInformation.getCurrentUser(); } catch (IOException e) { throw new RuntimeException("Unable to determine current user", e); } return user.getRealUser() != null; } }
public Token<LlapTokenIdentifier> createLlapToken( String appId, String user, boolean isSignatureRequired) throws IOException { Text realUser = null, renewer = null; if (user == null) { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); user = ugi.getUserName(); if (ugi.getRealUser() != null) { realUser = new Text(ugi.getRealUser().getUserName()); } renewer = new Text(ugi.getShortUserName()); } else { renewer = new Text(user); } LlapTokenIdentifier llapId = new LlapTokenIdentifier( new Text(user), renewer, realUser, clusterId, appId, isSignatureRequired); // TODO: note that the token is not renewable right now and will last for 2 weeks by default. Token<LlapTokenIdentifier> token = new Token<LlapTokenIdentifier>(llapId, this); if (LOG.isInfoEnabled()) { LOG.info("Created LLAP token {}", token); } return token; }
private String buildHcatDelegationToken(String user) throws IOException, InterruptedException, TException { final HiveConf c = new HiveConf(); LOG.debug("Creating hive metastore delegation token for user " + user); final UserGroupInformation ugi = UgiFactory.getUgi(user); UserGroupInformation real = ugi.getRealUser(); return real.doAs(new PrivilegedExceptionAction<String>() { @Override public String run() throws IOException, TException, InterruptedException { final IMetaStoreClient client = HCatUtil.getHiveMetastoreClient(c); return ugi.doAs(new PrivilegedExceptionAction<String>() { @Override public String run() throws IOException, TException, InterruptedException { String u = ugi.getUserName(); return client.getDelegationToken(c.getUser(),u); } }); } }); } }
private UserInformation getUserInfo(UserGroupInformation ugi) { if (ugi == null || authMethod == AuthMethod.DIGEST) { // Don't send user for token auth return null; } UserInformation.Builder userInfoPB = UserInformation.newBuilder(); if (authMethod == AuthMethod.KERBEROS) { // Send effective user for Kerberos auth userInfoPB.setEffectiveUser(ugi.getUserName()); } else if (authMethod == AuthMethod.SIMPLE) { // Send both effective user and real user for simple auth userInfoPB.setEffectiveUser(ugi.getUserName()); if (ugi.getRealUser() != null) { userInfoPB.setRealUser(ugi.getRealUser().getUserName()); } } return userInfoPB.build(); }
/** * @param ugi A user group information. * @return true if delegation token operation is allowed */ private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException { AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); if (authMethod == AuthenticationMethod.PROXY) { authMethod = ugi.getRealUser().getAuthenticationMethod(); } if (authMethod != AuthenticationMethod.KERBEROS && authMethod != AuthenticationMethod.KERBEROS_SSL && authMethod != AuthenticationMethod.CERTIFICATE) { return false; } return true; }
/** * Returns the authentication method of a ugi. If the authentication method is * PROXY, returns the authentication method of the real user. * * @param ugi * @return AuthenticationMethod */ public static AuthenticationMethod getRealAuthenticationMethod( UserGroupInformation ugi) { AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); if (authMethod == AuthenticationMethod.PROXY) { authMethod = ugi.getRealUser().getAuthenticationMethod(); } return authMethod; }
@SuppressWarnings("unchecked") public Token<? extends AbstractDelegationTokenIdentifier> createToken( UserGroupInformation ugi, String renewer, String service) { LOG.debug("Creating token with ugi:{}, renewer:{}, service:{}.", ugi, renewer, service !=null ? service : ""); renewer = (renewer == null) ? ugi.getShortUserName() : renewer; String user = ugi.getUserName(); Text owner = new Text(user); Text realUser = null; if (ugi.getRealUser() != null) { realUser = new Text(ugi.getRealUser().getUserName()); } AbstractDelegationTokenIdentifier tokenIdentifier = (AbstractDelegationTokenIdentifier) secretManager.createIdentifier(); tokenIdentifier.setOwner(owner); tokenIdentifier.setRenewer(new Text(renewer)); tokenIdentifier.setRealUser(realUser); Token token = new Token(tokenIdentifier, secretManager); if (service != null) { token.setService(new Text(service)); } return token; }
public static UserInformation toProtoUserInfo(User user) { UserInformation.Builder userInfoPB = UserInformation.newBuilder(); userInfoPB.setEffectiveUser(user.getName()); if (user.getUGI().getRealUser() != null) { userInfoPB.setRealUser(user.getUGI().getRealUser().getUserName()); } return userInfoPB.build(); }
protected boolean shouldAuthenticateOverKrb() throws IOException { UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); return authMethod == AuthMethod.KERBEROS && loginUser != null && // Make sure user logged in using Kerberos either keytab or TGT loginUser.hasKerberosCredentials() && // relogin only in case it is the login user (e.g. JT) // or superuser (like oozie). (loginUser.equals(currentUser) || loginUser.equals(realUser)); }
@Override public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException { if (user == null) { throw new IllegalArgumentException("user is null."); } UserGroupInformation realUser = user.getRealUser(); if (realUser == null) { return; } AccessControlList acl = proxyUserAcl.get(configPrefix + realUser.getShortUserName()); if (acl == null || !acl.isUserAllowed(user)) { throw new AuthorizationException("User: " + realUser.getUserName() + " is not allowed to impersonate " + user.getUserName()); } MachineList MachineList = proxyHosts.get( getProxySuperuserIpConfKey(realUser.getShortUserName())); if(MachineList == null || !MachineList.includes(remoteAddress)) { throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + remoteAddress); } }
@VisibleForTesting UserGroupInformation getActualUgi() throws IOException { final UserGroupInformation currentUgi = UserGroupInformation .getCurrentUser(); UserGroupInformation.logAllUserInfo(LOG, currentUgi); // Use current user by default UserGroupInformation actualUgi = currentUgi; if (currentUgi.getRealUser() != null) { // Use real user for proxy user actualUgi = currentUgi.getRealUser(); } if (UserGroupInformation.isSecurityEnabled() && !containsKmsDt(actualUgi) && !actualUgi.shouldRelogin()) { // Use login user is only necessary when Kerberos is enabled // but the actual user does not have either // Kerberos credential or KMS delegation token for KMS operations LOG.debug("Using loginUser when Kerberos is enabled but the actual user" + " does not have either KMS Delegation Token or Kerberos Credentials"); actualUgi = UserGroupInformation.getLoginUser(); } return actualUgi; }
/** * Log all (current, real, login) UGI and token info into specified log. * @param ugi - UGI * @throws IOException */ @InterfaceAudience.LimitedPrivate({"HDFS", "KMS"}) @InterfaceStability.Unstable public static void logAllUserInfo(Logger log, UserGroupInformation ugi) throws IOException { if (log.isDebugEnabled()) { logUserInfo(log, "Current", ugi.getCurrentUser()); if (ugi.getRealUser() != null) { logUserInfo(log, "Real", ugi.getRealUser()); } logUserInfo(log, "Login", ugi.getLoginUser()); } }
private synchronized boolean shouldAuthenticateOverKrb() throws IOException { UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); if (authMethod == AuthMethod.KERBEROS && loginUser != null && // Make sure user logged in using Kerberos either keytab or TGT loginUser.hasKerberosCredentials() && // relogin only in case it is the login user (e.g. JT) // or superuser (like oozie). (loginUser.equals(currentUser) || loginUser.equals(realUser))) { return true; } return false; }
private void ensureValidAuth() { reloginUGI(ugi); if (ugi.getAuthenticationMethod().equals(AuthenticationMethod.PROXY)) { reloginUGI(ugi.getRealUser()); } }
public static void cancelTokens(State state) throws IOException, InterruptedException, TException { Preconditions.checkArgument(state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION), "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); Preconditions.checkArgument(state.contains(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER), "Missing required property " + ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); Preconditions.checkArgument(state.contains(ConfigurationKeys.KERBEROS_REALM), "Missing required property " + ConfigurationKeys.KERBEROS_REALM); String superUser = state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String keytabLocation = state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); String realm = state.getProp(ConfigurationKeys.KERBEROS_REALM); UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); Credentials credentials = realUser.getCredentials(); for (Token<?> token : credentials.getAllTokens()) { if (token.getKind().equals(DelegationTokenIdentifier.HIVE_DELEGATION_KIND)) { log.info("Cancelling hive token"); HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(new HiveConf()); hiveClient.cancelDelegationToken(token.encodeToUrlString()); } } }
private boolean authorizeConnection() throws IOException { try { // If auth method is DIGEST, the token was obtained by the // real user for the effective user, therefore not required to // authorize real user. doAs is allowed only for simple or kerberos // authentication if (ugi != null && ugi.getRealUser() != null && (authMethod != AuthMethod.DIGEST)) { ProxyUsers.authorize(ugi, this.getHostAddress(), this.rpcServer.conf); } this.rpcServer.authorize(ugi, connectionHeader, getHostInetAddress()); this.rpcServer.metrics.authorizationSuccess(); } catch (AuthorizationException ae) { if (RpcServer.LOG.isDebugEnabled()) { RpcServer.LOG.debug("Connection authorization failed: " + ae.getMessage(), ae); } this.rpcServer.metrics.authorizationFailure(); doRespond(getErrorResponse(ae.getMessage(), new AccessDeniedException(ae))); return false; } return true; }