/** * Get the username encoded in the token identifier * * @return the username or owner */ @Override public UserGroupInformation getUser() { if ( (owner == null) || (owner.toString().isEmpty())) { return null; } final UserGroupInformation realUgi; final UserGroupInformation ugi; if ((realUser == null) || (realUser.toString().isEmpty()) || realUser.equals(owner)) { ugi = realUgi = UserGroupInformation.createRemoteUser(owner.toString()); } else { realUgi = UserGroupInformation.createRemoteUser(realUser.toString()); ugi = UserGroupInformation.createProxyUser(owner.toString(), realUgi); } realUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN); return ugi; }
/** * Create a user from a login name. It is intended to be used for remote * users in RPC, since it won't have any credentials. * @param user the full user principal name, must not be empty or null * @return the UserGroupInformation for the remote user. */ @InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createRemoteUser(String user, AuthMethod authMethod) { if (user == null || user.isEmpty()) { throw new IllegalArgumentException("Null user"); } Subject subject = new Subject(); subject.getPrincipals().add(new User(user)); UserGroupInformation result = new UserGroupInformation(subject); result.setAuthenticationMethod(authMethod); return result; }
/** * Create UserGroupInformation for specified user and credentials. * * @param user User. * @param credentialsBytes Credentials byte array. */ public static UserGroupInformation createUGI(String user, byte[] credentialsBytes) throws IOException { Credentials credentials = new Credentials(); HadoopUtils.deserialize(credentials, credentialsBytes); UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user); ugi.addCredentials(credentials); if (credentials.numberOfTokens() > 0) ugi.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.TOKEN); return ugi; } }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws IOException { UserGroupInformation authorizedUgi; if (authMethod == AuthMethod.DIGEST) { TokenIdentifier tokenId = HBaseSaslRpcServer.getIdentifier(authorizedId, this.rpcServer.secretManager); authorizedUgi = tokenId.getUser(); if (authorizedUgi == null) { throw new AccessDeniedException( "Can't retrieve username from tokenIdentifier."); } authorizedUgi.addTokenIdentifier(tokenId); } else { authorizedUgi = UserGroupInformation.createRemoteUser(authorizedId); } authorizedUgi.setAuthenticationMethod(authMethod.authenticationMethod.getAuthMethod()); return authorizedUgi; }
@Test public void mrTaskSumbitViaChildWithImpersonation() throws IOException, LoginException { Utils.getUGI().setAuthenticationMethod(PROXY); Context ctx = Mockito.mock(Context.class); when(ctx.getLocalTmpPath()).thenReturn(new Path(System.getProperty("java.io.tmpdir"))); DriverContext dctx = new DriverContext(ctx); QueryState queryState = new QueryState.Builder().build(); HiveConf conf= queryState.getConf(); conf.setBoolVar(HiveConf.ConfVars.SUBMITVIACHILD, true); MapredWork mrWork = new MapredWork(); mrWork.setMapWork(Mockito.mock(MapWork.class)); MapRedTask mrTask = Mockito.spy(new MapRedTask()); mrTask.setWork(mrWork); mrTask.initialize(queryState, null, dctx, null); mrTask.jobExecHelper = Mockito.mock(HadoopJobExecHelper.class); when(mrTask.jobExecHelper.progressLocal(Mockito.any(Process.class), Mockito.anyString())).thenReturn(0); mrTask.execute(dctx); ArgumentCaptor<String[]> captor = ArgumentCaptor.forClass(String[].class); verify(mrTask).spawn(Mockito.anyString(), Mockito.anyString(), captor.capture()); String expected = "HADOOP_PROXY_USER=" + Utils.getUGI().getUserName(); Assert.assertTrue(Arrays.asList(captor.getValue()).contains(expected)); }
} else { user.setAuthenticationMethod(authMethod);
ugi = protocolUser; if (ugi != null) { ugi.setAuthenticationMethod(AuthMethod.SIMPLE.authenticationMethod); ugi.setAuthenticationMethod(authMethod.authenticationMethod); .getUserName(), realUser); ugi.setAuthenticationMethod(AuthenticationMethod.PROXY);
ugi.setAuthenticationMethod(secureAuthMethod);
@Test public void testUGIAuthMethod() throws Exception { final UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); final AuthenticationMethod am = AuthenticationMethod.KERBEROS; ugi.setAuthenticationMethod(am); Assert.assertEquals(am, ugi.getAuthenticationMethod()); ugi.doAs(new PrivilegedExceptionAction<Object>() { public Object run() throws IOException { Assert.assertEquals(am, UserGroupInformation.getCurrentUser() .getAuthenticationMethod()); return null; } }); }
public static UserGroupInformation createUserGroupInformationForSubject(Subject subject) { requireNonNull(subject, "subject is null"); Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); if (kerberosPrincipals.isEmpty()) { throw new IllegalArgumentException("subject must contain a KerberosPrincipal"); } if (kerberosPrincipals.size() != 1) { throw new IllegalArgumentException("subject must contain only a single KerberosPrincipal"); } KerberosPrincipal principal = kerberosPrincipals.iterator().next(); User user = new User(principal.getName(), KERBEROS, null); subject.getPrincipals().add(user); UserGroupInformation userGroupInformation = new UserGroupInformation(subject); userGroupInformation.setAuthenticationMethod(KERBEROS); return userGroupInformation; } }
public static UserGroupInformation createUserGroupInformationForSubject(Subject subject) { requireNonNull(subject, "subject is null"); Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); if (kerberosPrincipals.isEmpty()) { throw new IllegalArgumentException("subject must contain a KerberosPrincipal"); } if (kerberosPrincipals.size() != 1) { throw new IllegalArgumentException("subject must contain only a single KerberosPrincipal"); } KerberosPrincipal principal = kerberosPrincipals.iterator().next(); User user = new User(principal.getName(), KERBEROS, null); subject.getPrincipals().add(user); UserGroupInformation userGroupInformation = new UserGroupInformation(subject); userGroupInformation.setAuthenticationMethod(KERBEROS); return userGroupInformation; } }
/** * Create a user from a login name. It is intended to be used for remote * users in RPC, since it won't have any credentials. * @param user the full user principal name, must not be empty or null * @return the UserGroupInformation for the remote user. */ @InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createRemoteUser(String user, AuthMethod authMethod) { if (user == null || user.isEmpty()) { throw new IllegalArgumentException("Null user"); } Subject subject = new Subject(); subject.getPrincipals().add(new User(user)); UserGroupInformation result = new UserGroupInformation(subject); result.setAuthenticationMethod(authMethod); return result; }
@POST @Path(RMWSConsts.DELEGATION_TOKEN) @Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 }) @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) @Override public Response postDelegationToken(DelegationToken tokenData, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception { UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); initForWritableEndpoints(callerUGI, false); try { createKerberosUserGroupInformation(hsr, callerUGI); callerUGI.setAuthenticationMethod(AuthenticationMethod.KERBEROS); } catch (YarnException ye) { return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build(); } return createDelegationToken(tokenData, hsr, callerUGI); }
@Test (timeout = 30000) public void testUGIAuthMethod() throws Exception { final UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); final AuthenticationMethod am = AuthenticationMethod.KERBEROS; ugi.setAuthenticationMethod(am); Assert.assertEquals(am, ugi.getAuthenticationMethod()); ugi.doAs(new PrivilegedExceptionAction<Object>() { @Override public Object run() throws IOException { Assert.assertEquals(am, UserGroupInformation.getCurrentUser() .getAuthenticationMethod()); return null; } }); }
@Test (timeout = 30000) public void testUGIAuthMethod() throws Exception { final UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); final AuthenticationMethod am = AuthenticationMethod.KERBEROS; ugi.setAuthenticationMethod(am); Assert.assertEquals(am, ugi.getAuthenticationMethod()); ugi.doAs(new PrivilegedExceptionAction<Object>() { @Override public Object run() throws IOException { Assert.assertEquals(am, UserGroupInformation.getCurrentUser() .getAuthenticationMethod()); return null; } }); }
@BeforeClass public static void setupSecretManager() throws IOException { ResourceManager rm = mock(ResourceManager.class); RMContext rmContext = mock(RMContext.class); when(rmContext.getStateStore()).thenReturn(new NullRMStateStore()); when(rm.getRMContext()).thenReturn(rmContext); when(rmContext.getResourceManager()).thenReturn(rm); dtsm = new RMDelegationTokenSecretManager(60000, 60000, 60000, 60000, rmContext); dtsm.startThreads(); Configuration conf = new Configuration(); conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.auth_to_local", kerberosRule); UserGroupInformation.setConfiguration(conf); UserGroupInformation.getLoginUser() .setAuthenticationMethod(AuthenticationMethod.KERBEROS); }
@Test (timeout = 30000) public void testTestAuthMethod() throws Exception { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); // verify the reverse mappings works for (AuthenticationMethod am : AuthenticationMethod.values()) { if (am.getAuthMethod() != null) { ugi.setAuthenticationMethod(am.getAuthMethod()); assertEquals(am, ugi.getAuthenticationMethod()); } } }
@Test (timeout = 30000) public void testTestAuthMethod() throws Exception { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); // verify the reverse mappings works for (AuthenticationMethod am : AuthenticationMethod.values()) { if (am.getAuthMethod() != null) { ugi.setAuthenticationMethod(am.getAuthMethod()); assertEquals(am, ugi.getAuthenticationMethod()); } } }
@Test (timeout = 30000) public void testGetRealAuthenticationMethod() { UserGroupInformation ugi = UserGroupInformation.createRemoteUser("user1"); ugi.setAuthenticationMethod(AuthenticationMethod.SIMPLE); assertEquals(AuthenticationMethod.SIMPLE, ugi.getAuthenticationMethod()); assertEquals(AuthenticationMethod.SIMPLE, ugi.getRealAuthenticationMethod()); ugi = UserGroupInformation.createProxyUser("user2", ugi); assertEquals(AuthenticationMethod.PROXY, ugi.getAuthenticationMethod()); assertEquals(AuthenticationMethod.SIMPLE, ugi.getRealAuthenticationMethod()); }
@Test (timeout = 30000) public void testGetRealAuthenticationMethod() { UserGroupInformation ugi = UserGroupInformation.createRemoteUser("user1"); ugi.setAuthenticationMethod(AuthenticationMethod.SIMPLE); assertEquals(AuthenticationMethod.SIMPLE, ugi.getAuthenticationMethod()); assertEquals(AuthenticationMethod.SIMPLE, ugi.getRealAuthenticationMethod()); ugi = UserGroupInformation.createProxyUser("user2", ugi); assertEquals(AuthenticationMethod.PROXY, ugi.getAuthenticationMethod()); assertEquals(AuthenticationMethod.SIMPLE, ugi.getRealAuthenticationMethod()); }