/**
 * Verifies that the caller may act as {@code userName} for application {@code appId}.
 *
 * The caller's identity is taken from the current UGI: its Kerberos short name when
 * it holds Kerberos credentials, plus whatever LLAP tokens it carries for
 * {@code clusterId}. When Hadoop security is disabled nothing is checked at all.
 *
 * @param clusterId cluster whose LLAP tokens are considered
 * @param userName  user the caller claims to be; must not be null when security is on
 * @param appId     application identifier forwarded to the internal check
 * @param hint      opaque hint forwarded to the internal check
 * @throws IOException if the current UGI cannot be obtained
 */
public static void checkPermissions(
    String clusterId, String userName, String appId, Object hint) throws IOException {
  // Security off cluster-wide: the check is skipped entirely (fail open by design).
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  Preconditions.checkNotNull(userName);
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  String principalShortName = null;
  if (ugi.hasKerberosCredentials()) {
    principalShortName = ugi.getShortUserName();
  }
  List<LlapTokenIdentifier> llapTokens = getLlapTokens(ugi, clusterId);
  checkPermissionsInternal(principalShortName, llapTokens, userName, appId, hint);
}
/**
 * Logs this process in to a secured Hadoop cluster from a keytab, if one is configured.
 *
 * Nothing happens unless both {@code PRINCIPAL} and {@code KEYTAB} are present in
 * {@code configs} and {@code hadoopConf} enables Hadoop security. A login is attempted
 * only when the current UGI has no Kerberos credentials or is logged in as a different
 * principal; an existing login as {@code principal} is reused.
 *
 * Note: {@link UserGroupInformation#loginUserFromKeytab} replaces the JVM-wide login
 * user, so this affects every Hadoop client in the process, not just this instance.
 *
 * @param hadoopConf Hadoop configuration installed into the UGI before the login
 * @param configs    source of the principal name and keytab path
 * @throws RuntimeException if the keytab login fails; the cause is the underlying
 *                          {@link IOException}
 */
private void authenticate(Configuration hadoopConf,
                          org.apache.commons.configuration.Configuration configs) {
  String principal = configs.getString(PRINCIPAL);
  String keytabPath = configs.getString(KEYTAB);
  if (Strings.isNullOrEmpty(principal) || Strings.isNullOrEmpty(keytabPath)) {
    return; // no kerberos settings supplied
  }
  UserGroupInformation.setConfiguration(hadoopConf);
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  try {
    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    // getUserName() is the full principal name; the configured value must match it exactly
    // or a fresh keytab login is performed on every call.
    boolean loggedInAsPrincipal =
        current.hasKerberosCredentials() && current.getUserName().equals(principal);
    if (!loggedInAsPrincipal) {
      // Only the keytab *path* is logged, never its contents.
      // NOTE(review): the placeholders are "%s"; confirm LOGGER formats them that way
      // (an SLF4J logger expects "{}" and would print "%s" literally).
      LOGGER.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytabPath);
      UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
    }
  } catch (IOException e) {
    throw new RuntimeException(
        String.format("Failed to authenticate user principal [%s] with keytab [%s]",
            principal, keytabPath), e);
  }
}
/**
 * Logs this process in to a secured Hadoop cluster from a keytab, if one is configured.
 *
 * Nothing happens unless both {@code PRINCIPAL} and {@code KEYTAB} are present in
 * {@code configs} and {@code hadoopConf} enables Hadoop security. A login is attempted
 * only when the current UGI has no Kerberos credentials or is logged in as a different
 * principal; an existing login as {@code principal} is reused.
 *
 * Note: {@link UserGroupInformation#loginUserFromKeytab} replaces the JVM-wide login
 * user, so this affects every Hadoop client in the process, not just this instance.
 *
 * @param hadoopConf Hadoop configuration installed into the UGI before the login
 * @param configs    source of the principal name and keytab path
 * @throws RuntimeException if the keytab login fails; the cause is the underlying
 *                          {@link IOException}
 */
private void authenticate(org.apache.hadoop.conf.Configuration hadoopConf,
                          org.apache.commons.configuration.Configuration configs) {
  String principal = configs.getString(PRINCIPAL);
  String keytabPath = configs.getString(KEYTAB);
  if (Strings.isNullOrEmpty(principal) || Strings.isNullOrEmpty(keytabPath)) {
    return; // no kerberos settings supplied
  }
  UserGroupInformation.setConfiguration(hadoopConf);
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  try {
    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    // getUserName() is the full principal name; the configured value must match it exactly
    // or a fresh keytab login is performed on every call.
    boolean loggedInAsPrincipal =
        current.hasKerberosCredentials() && current.getUserName().equals(principal);
    if (!loggedInAsPrincipal) {
      // Only the keytab *path* is logged, never its contents.
      // NOTE(review): the placeholders are "%s"; confirm LOGGER formats them that way
      // (an SLF4J logger expects "{}" and would print "%s" literally).
      LOGGER.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytabPath);
      UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
    }
  } catch (IOException e) {
    throw new RuntimeException(
        String.format("Failed to authenticate user principal [%s] with keytab [%s]",
            principal, keytabPath), e);
  }
}
/**
 * Resolves the LLAP identity of the current caller for {@code clusterId}.
 *
 * @param clusterId cluster whose LLAP tokens are looked up in the current UGI
 * @return {@code NO_SECURITY} when Hadoop security is disabled, otherwise the token
 *         info derived from the Kerberos short name and/or the LLAP tokens
 * @throws IOException       if the current UGI cannot be obtained
 * @throws SecurityException if the caller has neither Kerberos credentials nor an LLAP
 *                           token for the cluster, i.e. no identity can be established
 */
public static LlapTokenInfo getTokenInfo(String clusterId) throws IOException {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return NO_SECURITY;
  }
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  String principalShortName = ugi.hasKerberosCredentials() ? ugi.getShortUserName() : null;
  List<LlapTokenIdentifier> llapTokens = getLlapTokens(ugi, clusterId);
  boolean hasToken = llapTokens != null && !llapTokens.isEmpty();
  if (!hasToken && principalShortName == null) {
    // Refuse rather than fall back to an anonymous identity.
    throw new SecurityException("No tokens or kerberos for " + ugi);
  }
  warnMultipleTokens(llapTokens);
  return getTokenInfoInternal(principalShortName, llapTokens);
}
/**
 * Best-effort TGT refresh for a keytab-based login, throttled to one attempt per
 * {@code MIN_TIME_BEFORE_RELOGIN} milliseconds.
 *
 * Nothing is done for a UGI without Kerberos credentials. The refresh itself is
 * delegated to {@link UserGroupInformation#checkTGTAndReloginFromKeytab()}.
 * NOTE(review): {@code lastReloginAttempt} is read and written without synchronization,
 * so with concurrent callers the throttle is only approximate.
 *
 * @param ugi user whose ticket should be checked
 * @throws SecurityException if the relogin fails (wraps the {@link IOException})
 */
private void reloginUGI(UserGroupInformation ugi) {
  if (!ugi.hasKerberosCredentials()) {
    return;
  }
  long now = System.currentTimeMillis();
  boolean throttled = now - lastReloginAttempt < MIN_TIME_BEFORE_RELOGIN;
  if (throttled) {
    return;
  }
  lastReloginAttempt = now;
  try {
    ugi.checkTGTAndReloginFromKeytab();
  } catch (IOException e) {
    throw new SecurityException(
        "Error trying to relogin from keytab for user " + ugi.getUserName(), e);
  }
}
/**
 * Whether this user's Kerberos credentials come from a ticket cache: a UGI-managed
 * login with no keytab recorded.
 *
 * @return true for a UGI-managed Kerberos login without a keytab
 */
private boolean isFromTicket() {
  if (!hasKerberosCredentials() || !isHadoopLogin()) {
    return false;
  }
  return getKeytab() == null;
}
/**
 * Whether this user's Kerberos credentials come from a keytab file managed by the UGI.
 *
 * The private credentials are deliberately not inspected for the keytab: a failed
 * relogin removes it from them, so the recorded login parameters are consulted instead.
 *
 * @return true for a UGI-managed Kerberos login that recorded a keytab
 */
public boolean isFromKeytab() {
  if (!hasKerberosCredentials() || !isHadoopLogin()) {
    return false;
  }
  return getKeytab() != null;
}
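/**
 * Validates the HBase output table configured on the job and, when the current user is
 * Kerberos-authenticated, obtains HBase delegation tokens for the job.
 *
 * Tokens are requested only if the current UGI holds Kerberos credentials; a caller
 * that is not a Kerberos login (e.g. one already holding tokens) skips the request.
 *
 * @param fs unused; required by the interface
 * @param jc job configuration; must carry {@code HBaseSerDe.HBASE_TABLE_NAME}
 * @throws IOException if the HBase table name is missing from the job configuration,
 *                     if token acquisition fails, or if the output specs are rejected
 *                     (an {@link InterruptedException} from that check is wrapped)
 */
@Override
public void checkOutputSpecs(FileSystem fs, JobConf jc) throws IOException {
  // Obtain delegation tokens for the job; only meaningful for a Kerberos login.
  if (UserGroupInformation.getCurrentUser().hasKerberosCredentials()) {
    TableMapReduceUtil.initCredentials(jc);
  }
  String hbaseTableName = jc.get(HBaseSerDe.HBASE_TABLE_NAME);
  if (hbaseTableName == null) {
    // Configuration.set() rejects a null value with an IllegalArgumentException that does
    // not say which property is missing; fail with a clear, declared exception instead.
    throw new IOException(
        "Missing HBase table name in job configuration: " + HBaseSerDe.HBASE_TABLE_NAME);
  }
  jc.set(TableOutputFormat.OUTPUT_TABLE, hbaseTableName);
  Job job = new Job(jc);
  JobContext jobContext = ShimLoader.getHadoopShims().newJobContext(job);
  try {
    checkOutputSpecs(jobContext);
  } catch (InterruptedException e) {
    Thread.currentThread().interrupt(); // preserve the interrupt status before wrapping
    throw new IOException(e);
  }
}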
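/**
 * Does authenticate against a secured Hadoop cluster using the principal and keytab
 * from {@code config.HADOOP_KERBEROS_CONFIG}, if both are set.
 * In case of any bug fix make sure to fix the code at HdfsStorageAuthentication#authenticate as well.
 *
 * Whether security is enabled is decided by a fresh {@code Configuration} installed
 * into the UGI. A login is performed only when the current UGI lacks Kerberos
 * credentials or belongs to a different principal. The keytab login replaces the
 * JVM-wide login user, so it affects every Hadoop client in the process.
 *
 * @param config containing the principal name and keytab path.
 * @throws ISE if the keytab login fails (wraps the {@link IOException})
 */
public static void authenticate(HadoopDruidIndexerConfig config) {
  String principal = config.HADOOP_KERBEROS_CONFIG.getPrincipal();
  String keytab = config.HADOOP_KERBEROS_CONFIG.getKeytab();
  if (Strings.isNullOrEmpty(principal) || Strings.isNullOrEmpty(keytab)) {
    return; // kerberos is not configured for this job
  }
  Configuration conf = new Configuration();
  UserGroupInformation.setConfiguration(conf);
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  try {
    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    // getUserName() is the full principal; only an exact match skips the re-login.
    boolean alreadyLoggedIn =
        current.hasKerberosCredentials() && current.getUserName().equals(principal);
    if (!alreadyLoggedIn) {
      // Only the keytab path is logged, never its contents.
      log.info("trying to authenticate user [%s] with keytab [%s]", principal, keytab);
      UserGroupInformation.loginUserFromKeytab(principal, keytab);
    }
  } catch (IOException e) {
    throw new ISE(e, "Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab);
  }
}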
/**
 * Decides whether this client should (re)authenticate to the server over Kerberos.
 *
 * True only when the configured auth method is KERBEROS, the JVM login user exists and
 * holds Kerberos credentials (keytab or TGT), and the caller is either that login user
 * (e.g. the JT) or a proxy user whose real user is the login user (a superuser such as
 * oozie). Any other UGI cannot relogin from the process' credentials and must not try.
 *
 * @return true if Kerberos authentication/relogin applies to the current caller
 * @throws IOException if the login or current user cannot be obtained
 */
protected boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod != AuthMethod.KERBEROS || loginUser == null) {
    return false;
  }
  // The login user must itself be a Kerberos login, from keytab or TGT.
  if (!loginUser.hasKerberosCredentials()) {
    return false;
  }
  boolean isLoginUser = loginUser.equals(currentUser);
  boolean proxiedByLoginUser = loginUser.equals(realUser);
  return isLoginUser || proxiedByLoginUser;
}
/**
 * Builds the client.
 *
 * The identity presented to the metastore is the authenticated UGI's short name when
 * one was supplied; otherwise it is the JVM's {@code user.name} system property, which
 * is caller-controlled and therefore only meaningful against an unsecured metastore.
 * Secure (SASL) mode is requested only when the supplied UGI holds Kerberos credentials.
 *
 * @return a new MutatorClient bound to the metastore and the registered tables
 * @throws ClientException if the metastore client cannot be created (wraps the IOException)
 * @throws MetaException   propagated from the metastore client creation
 */
public MutatorClient build() throws ClientException, MetaException {
  String user;
  boolean secureMode;
  if (authenticatedUser == null) {
    user = System.getProperty("user.name");
    secureMode = false;
  } else {
    user = authenticatedUser.getShortUserName();
    secureMode = authenticatedUser.hasKerberosCredentials();
  }
  configuration = HiveConfFactory.newInstance(configuration, this.getClass(), metaStoreUri);
  IMetaStoreClient metaStoreClient;
  try {
    UgiMetaStoreClientFactory factory = new UgiMetaStoreClientFactory(
        metaStoreUri, configuration, authenticatedUser, user, secureMode);
    metaStoreClient = factory.newInstance(HCatUtil.getHiveMetastoreClient(configuration));
  } catch (IOException e) {
    throw new ClientException("Could not create meta store client.", e);
  }
  return new MutatorClient(metaStoreClient, configuration, lockFailureListener, user, tables.values());
}
/**
 * Creates a chore that keeps {@code user}'s Kerberos ticket fresh, or returns null when
 * the user holds no Kerberos credentials (there is nothing to renew).
 *
 * The chore ticks every 30 seconds and delegates to
 * {@code checkTGTAndReloginFromKeytab()}; a failure is logged and the next tick retries,
 * nothing is propagated. Keep the interval well below the TGT lifetime times the refresh
 * window (default 0.8): a 5 min TGT refreshes at 4 min, so the tick must be well under 1 min.
 * NOTE(review): a relogin "from keytab" presumably does nothing for a ticket-cache login;
 * confirm the UGI handed in here is keytab based.
 *
 * @param user UGI whose ticket is to be renewed
 * @return a ScheduledChore for renewals, or null if the user has no Kerberos credentials
 */
@InterfaceAudience.Private
public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user) {
  if (!user.hasKerberosCredentials()) {
    return null;
  }
  // 30 s. Raising this while debugging avoids getTGT() log spam; stay within the limit above.
  final int CHECK_TGT_INTERVAL = 30 * 1000;
  Stoppable stoppable = createDummyStoppable();
  return new ScheduledChore("RefreshCredentials", stoppable, CHECK_TGT_INTERVAL) {
    @Override
    protected void chore() {
      try {
        user.checkTGTAndReloginFromKeytab();
      } catch (IOException e) {
        // Best effort: log and let the next tick retry.
        LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e);
      }
    }
  };
}
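/**
 * Does authenticate against a secured Hadoop cluster using the principal and keytab
 * from {@code hdfsKerberosConfig}, if both are set. Runs at lifecycle start.
 * In case of any bug fix make sure to fix the code in JobHelper#authenticate as well.
 *
 * Whether security is enabled is decided by {@code hadoopConf} once it is installed
 * into the UGI. A login is performed only when the current UGI lacks Kerberos
 * credentials or belongs to a different principal. The keytab login replaces the
 * JVM-wide login user, so it affects every Hadoop client in the process.
 *
 * @throws ISE if the keytab login fails (wraps the {@link IOException})
 */
@LifecycleStart
public void authenticate() {
  String principal = hdfsKerberosConfig.getPrincipal();
  String keytab = hdfsKerberosConfig.getKeytab();
  if (Strings.isNullOrEmpty(principal) || Strings.isNullOrEmpty(keytab)) {
    return; // kerberos is not configured
  }
  UserGroupInformation.setConfiguration(hadoopConf);
  if (!UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  try {
    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    // getUserName() is the full principal; only an exact match skips the re-login.
    boolean alreadyLoggedIn =
        current.hasKerberosCredentials() && current.getUserName().equals(principal);
    if (!alreadyLoggedIn) {
      // Only the keytab path is logged, never its contents.
      log.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytab);
      UserGroupInformation.loginUserFromKeytab(principal, keytab);
    }
  } catch (IOException e) {
    throw new ISE(e, "Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab);
  }
}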
/**
 * Creates a metastore client for the PreUpgradeTool.
 *
 * Thrift SASL is enabled only when the JVM login user holds Kerberos credentials.
 * NOTE(review): if the login user cannot be determined, this logs a warning (message
 * only, no stack trace) and proceeds with a plain, non-SASL connection. Against a
 * kerberized metastore that connection is expected to be refused, but the downgrade is
 * silent apart from the log line.
 *
 * @param conf Hive configuration; mutated to turn on SASL in secure mode
 * @return a retrying metastore client proxy
 * @throws RuntimeException if the client cannot be created (wraps the MetaException and
 *                          names the metastore URI)
 */
private static IMetaStoreClient getHMS(HiveConf conf) {
  UserGroupInformation loginUser;
  try {
    loginUser = UserGroupInformation.getLoginUser();
  } catch (IOException e) {
    LOG.warn("Unable to get logged in user via UGI. err: {}", e.getMessage());
    loginUser = null;
  }
  boolean kerberized = loginUser != null && loginUser.hasKerberosCredentials();
  if (kerberized) {
    MetastoreConf.setBoolVar(conf, MetastoreConf.ConfVars.USE_THRIFT_SASL, true);
  }
  try {
    LOG.info("Creating metastore client for {}", "PreUpgradeTool");
    return RetryingMetaStoreClient.getProxy(conf, true);
  } catch (MetaException e) {
    String uris = conf.getVar(HiveConf.ConfVars.METASTOREURIS);
    throw new RuntimeException(
        "Error connecting to Hive Metastore URI: " + uris + ". " + e.getMessage(), e);
  }
}
/**
/**
 * Whether a relogin makes sense for this user: it holds Kerberos credentials and the
 * login is one managed by Hadoop.
 *
 * @return true if this UGI is a Hadoop-managed Kerberos login
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
public boolean shouldRelogin() {
  if (!hasKerberosCredentials()) {
    return false;
  }
  return isHadoopLogin();
}
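/**
 * Decides whether this client should (re)authenticate to the server over Kerberos.
 *
 * True only when the configured auth method is KERBEROS, the JVM login user exists and
 * holds Kerberos credentials (keytab or TGT), and the caller is either that login user
 * (e.g. the JT) or a proxy user whose real user is the login user (a superuser such as
 * oozie). Any other UGI cannot relogin from the process' credentials and must not try.
 * Kept {@code synchronized} as in the original, presumably because {@code authMethod}
 * may be updated concurrently on this instance.
 *
 * @return true if Kerberos authentication/relogin applies to the current caller
 * @throws IOException if the login or current user cannot be obtained
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod != AuthMethod.KERBEROS || loginUser == null) {
    return false;
  }
  // The login user must itself be a Kerberos login, from keytab or TGT.
  if (!loginUser.hasKerberosCredentials()) {
    return false;
  }
  // Relogin only for the login user itself or for a user proxied by it.
  return loginUser.equals(currentUser) || loginUser.equals(realUser);
}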
/**
 * Creates a metastore client for the PreUpgradeTool.
 *
 * Thrift SASL is enabled only when the JVM login user holds Kerberos credentials.
 * NOTE(review): if the login user cannot be determined, this logs a warning (message
 * only, no stack trace) and proceeds with a plain, non-SASL connection. Against a
 * kerberized metastore that connection is expected to be refused, but the downgrade is
 * silent apart from the log line.
 *
 * @param conf Hive configuration; mutated to turn on SASL in secure mode
 * @return a retrying metastore client proxy
 * @throws RuntimeException if the client cannot be created (wraps the MetaException and
 *                          names the metastore URI)
 */
private static IMetaStoreClient getHMS(HiveConf conf) {
  UserGroupInformation loginUser;
  try {
    loginUser = UserGroupInformation.getLoginUser();
  } catch (IOException e) {
    LOG.warn("Unable to get logged in user via UGI. err: {}", e.getMessage());
    loginUser = null;
  }
  boolean kerberized = loginUser != null && loginUser.hasKerberosCredentials();
  if (kerberized) {
    conf.setBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL, true);
  }
  try {
    LOG.info("Creating metastore client for {}", "PreUpgradeTool");
    // RetryingMetaStoreClient.getProxy(conf, true) would be simpler, but it relies on
    // HiveMetaStoreClient(HiveConf, Boolean), which exists in (at least) 2.1.0.2.6.5.0-292
    // and later yet not in 2.1.0.2.6.0.3-8 (the HDP 2.6 release), i.e. it is broken on
    // 2.6.0*. The constructor is therefore selected explicitly.
    Class<?>[] ctorArgTypes = new Class[]{HiveConf.class, HiveMetaHookLoader.class, Boolean.class};
    Object[] ctorArgs = new Object[]{conf, getHookLoader(), Boolean.TRUE};
    return RetryingMetaStoreClient.getProxy(
        conf, ctorArgTypes, ctorArgs, null, HiveMetaStoreClient.class.getName());
  } catch (MetaException e) {
    String uris = conf.getVar(HiveConf.ConfVars.METASTOREURIS);
    throw new RuntimeException(
        "Error connecting to Hive Metastore URI: " + uris + ". " + e.getMessage(), e);
  }
}
try { if (UserGroupInformation.getCurrentUser().hasKerberosCredentials() == false || !UserGroupInformation.getCurrentUser().getUserName().equals(internalClientPrincipal)) { log.info("trying to authenticate user [%s] with keytab [%s]", internalClientPrincipal, internalClientKeytab);
/**
 * Creates a partition helper backed by a metastore client for this worker's table.
 *
 * The identity presented to the metastore is the authenticated UGI's short name when
 * one was supplied; otherwise it is the JVM's {@code user.name} system property, which
 * is caller-controlled and therefore only meaningful against an unsecured metastore.
 * Secure (SASL) mode is requested only when the supplied UGI holds Kerberos credentials.
 *
 * @return a MetaStorePartitionHelper for the table's database, name and storage path
 * @throws WorkerException if the metastore client cannot be created (wraps the IOException)
 * @throws MetaException   propagated from the metastore client creation
 */
private PartitionHelper newMetaStorePartitionHelper() throws MetaException, WorkerException {
  String user;
  boolean secureMode;
  if (authenticatedUser == null) {
    user = System.getProperty("user.name");
    secureMode = false;
  } else {
    user = authenticatedUser.getShortUserName();
    secureMode = authenticatedUser.hasKerberosCredentials();
  }
  try {
    UgiMetaStoreClientFactory factory = new UgiMetaStoreClientFactory(
        metaStoreUri, configuration, authenticatedUser, user, secureMode);
    IMetaStoreClient metaStoreClient =
        factory.newInstance(HCatUtil.getHiveMetastoreClient(configuration));
    Path tablePath = new Path(table.getTable().getSd().getLocation());
    return new MetaStorePartitionHelper(
        metaStoreClient, table.getDatabaseName(), table.getTableName(), tablePath);
  } catch (IOException e) {
    throw new WorkerException("Could not create meta store client.", e);
  }
}
/**
 * Validate the UGI: verify it is kerberized.
 *
 * All checks go through {@code verify}, so a failing condition is reported under the
 * {@code CAT_LOGIN} category. The credential and null checks run only once the
 * authentication method is known to be KERBEROS.
 *
 * @param messagePrefix message in exceptions
 * @param user user to validate
 */
private void validateUGI(String messagePrefix, UserGroupInformation user) {
  boolean kerberized = verify(
      user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS,
      CAT_LOGIN, "User %s is not authenticated by Kerberos", user);
  if (!kerberized) {
    return;
  }
  verify(user.hasKerberosCredentials(),
      CAT_LOGIN, "%s: No kerberos credentials for %s", messagePrefix, user);
  // NOTE(review): this cannot fail once the KERBEROS comparison above succeeded, unless
  // the method changes between the two calls; kept for parity with the original check.
  verify(user.getAuthenticationMethod() != null,
      CAT_LOGIN, "%s: Null AuthenticationMethod for %s", messagePrefix, user);
}