Java Code Examples for org.apache.hadoop.security.UserGroupInformation.createProxyUser()

The following are Java code examples showing how to use createProxyUser() of the org.apache.hadoop.security.UserGroupInformation class.
Example 1
Project: hadoop-oss   File: AbstractDelegationTokenIdentifier.java
/**
 * Builds the caller identity recorded in this token identifier.
 *
 * <p>With a non-empty {@code realUser} that differs from {@code owner}, the
 * result is a proxy UGI for {@code owner} layered on a remote-user UGI for
 * {@code realUser}. Otherwise it is a plain remote-user UGI for
 * {@code owner}. In both cases the TOKEN authentication method is set on the
 * real (underlying) UGI, not on the proxy wrapper.
 *
 * <p>NOTE(review): the names are read straight from this identifier's fields
 * and this method performs no verification of its own; callers should only
 * rely on the result for an identifier whose token has been validated.
 *
 * @return the UGI for the token owner, or {@code null} when no owner is set
 */
@Override
public UserGroupInformation getUser() {
  if (owner == null || owner.toString().isEmpty()) {
    return null;
  }
  final String ownerName = owner.toString();
  final boolean hasDistinctRealUser = realUser != null
      && !realUser.toString().isEmpty()
      && !realUser.equals(owner);
  if (!hasDistinctRealUser) {
    // No impersonation recorded: the owner is also the real user.
    final UserGroupInformation plain =
        UserGroupInformation.createRemoteUser(ownerName);
    plain.setAuthenticationMethod(AuthenticationMethod.TOKEN);
    return plain;
  }
  // Impersonation recorded: owner is the effective user, realUser the one
  // that actually authenticated.
  final UserGroupInformation real =
      UserGroupInformation.createRemoteUser(realUser.toString());
  final UserGroupInformation proxy =
      UserGroupInformation.createProxyUser(ownerName, real);
  real.setAuthenticationMethod(AuthenticationMethod.TOKEN);
  return proxy;
}
 
Example 2
Project: hadoop-oss   File: ProtoUtil.java
/**
 * Converts the user fields of a {@code UserInformationProto} into a UGI.
 *
 * <p>An effective user plus a real user yields a proxy UGI (effective user on
 * top of the real user). An effective user alone yields a plain remote-user
 * UGI.
 *
 * <p>NOTE(review): both names are copied from the message as sent; nothing
 * here authenticates them or checks that the real user may impersonate the
 * effective user. That decision has to be made by the caller.
 *
 * @param userInfo the protobuf message carrying the claimed user names
 * @return the resulting UGI, or {@code null} when no effective user is present
 */
public static UserGroupInformation getUgi(UserInformationProto userInfo) {
  final String effective =
      userInfo.hasEffectiveUser() ? userInfo.getEffectiveUser() : null;
  if (effective == null) {
    return null;
  }
  final String real = userInfo.hasRealUser() ? userInfo.getRealUser() : null;
  if (real == null) {
    return org.apache.hadoop.security.UserGroupInformation
        .createRemoteUser(effective);
  }
  final UserGroupInformation realUgi =
      UserGroupInformation.createRemoteUser(real);
  return UserGroupInformation.createProxyUser(effective, realUgi);
}
 
Example 3
Project: ditb   File: ConnectionCache.java
/**
 * Get the cached connection for the current user.
 * If none or timed out, create a new one.
 *
 * <p>The effective user name (from {@code getEffectiveUser()}) is the cache
 * key. When it differs from {@code realUserName}, the new connection is
 * created under a proxy UGI for that name on top of {@code realUser}.
 *
 * <p>NOTE(review): nothing in this method checks that {@code realUser} is
 * allowed to impersonate the effective user; presumably the server enforces
 * that when the proxied connection is used. Confirm against the deployment's
 * proxy-user configuration.
 *
 * @return the connection info cached for (or newly created for) the effective user
 * @throws IOException if creating the connection fails
 */
ConnectionInfo getCurrentConnection() throws IOException {
  String userName = getEffectiveUser();
  ConnectionInfo connInfo = connections.get(userName);
  // Fast path: a cached entry whose access time could be refreshed is returned
  // without taking the per-user lock.
  if (connInfo == null || !connInfo.updateAccessTime()) {
    Lock lock = locker.acquireLock(userName);
    try {
      // Re-read under the lock so two threads do not both create a connection.
      // NOTE(review): if the entry exists but updateAccessTime() returned false,
      // the same entry is returned unchanged unless something else removed it
      // from `connections` in the meantime; confirm eviction happens elsewhere.
      connInfo = connections.get(userName);
      if (connInfo == null) {
        UserGroupInformation ugi = realUser;
        // Impersonate only when the effective user is not the real user itself.
        if (!userName.equals(realUserName)) {
          ugi = UserGroupInformation.createProxyUser(userName, realUser);
        }
        User user = userProvider.create(ugi);
        Connection conn = ConnectionFactory.createConnection(conf, user);
        connInfo = new ConnectionInfo(conn, userName);
        connections.put(userName, connInfo);
      }
    } finally {
      lock.unlock();
    }
  }
  return connInfo;
}
 
Example 4
Project: QDrill   File: ImpersonationUtil.java
/**
 * Creates and returns a proxy {@link org.apache.hadoop.security.UserGroupInformation}
 * for the given user name, using the process login user as the real user.
 *
 * <p>When the requested name equals the process user name, the process UGI is
 * returned instead of a proxy.
 *
 * <p>TODO: we may want to cache the {@link org.apache.hadoop.security.UserGroupInformation}
 * instances, since a new instance is created for the same user on every call,
 * which is unnecessary overhead.
 *
 * <p>NOTE(review): only null/empty names are rejected here. Whether the
 * requester is allowed to act as {@code proxyUserName} is not checked in this
 * method and must be established by the caller.
 *
 * @param proxyUserName proxy user name (must be non-null and non-empty)
 * @return the process UGI when {@code proxyUserName} is the process user,
 *         otherwise a proxy UGI for {@code proxyUserName}
 * @throws DrillRuntimeException if the name is null or empty, or if an
 *         {@link IOException} is raised while building the UGI
 */
public static UserGroupInformation createProxyUgi(String proxyUserName) {
  try {
    final boolean nameMissing = Strings.isNullOrEmpty(proxyUserName);
    if (nameMissing) {
      throw new DrillRuntimeException("Invalid value for proxy user name");
    }

    // Asking to proxy as the process user itself needs no proxy wrapper.
    final boolean isProcessUser = proxyUserName.equals(getProcessUserName());
    return isProcessUser
        ? getProcessUserUGI()
        : UserGroupInformation.createProxyUser(
            proxyUserName, UserGroupInformation.getLoginUser());
  } catch (IOException ioe) {
    final String message =
        "Failed to create proxy user UserGroupInformation object: " + ioe.getMessage();
    logger.error(message, ioe);
    throw new DrillRuntimeException(message, ioe);
  }
}
 
Example 5
Project: hadoop   File: DelegationTokenRenewer.java
/**
 * Obtains file-system delegation tokens on behalf of {@code user}.
 *
 * <p>The call runs inside {@code doAs} of a proxy UGI for {@code user} whose
 * real user is the process login user. The login user's name is passed to
 * {@code addDelegationTokens} as its first argument.
 *
 * <p>NOTE(review): {@code user} is used as given; this method does not check
 * that the login user may impersonate it.
 *
 * @param user name of the user to impersonate while requesting tokens
 * @param credentials credentials object handed to {@code addDelegationTokens}
 * @return the tokens returned by {@code addDelegationTokens}
 * @throws IOException if the token request fails
 * @throws InterruptedException if {@code doAs} is interrupted
 */
@VisibleForTesting
protected Token<?>[] obtainSystemTokensForUser(String user,
    final Credentials credentials) throws IOException, InterruptedException {
  // Get new hdfs tokens on behalf of this user
  final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUser(user, loginUgi);
  final PrivilegedExceptionAction<Token<?>[]> fetchTokens =
      new PrivilegedExceptionAction<Token<?>[]>() {
        @Override
        public Token<?>[] run() throws Exception {
          final FileSystem proxiedFs = FileSystem.get(getConfig());
          try {
            final String renewer =
                UserGroupInformation.getLoginUser().getUserName();
            return proxiedFs.addDelegationTokens(renewer, credentials);
          } finally {
            // Close the FileSystem created by the new proxy user,
            // so that we don't leave an entry in the FileSystem cache
            proxiedFs.close();
          }
        }
      };
  return impersonated.doAs(fetchTokens);
}
 
Example 6
Project: hadoop   File: TestRMProxyUsersConf.java
/**
 * Starts a MockRM with the test configuration and checks that the default
 * impersonation provider authorizes FOO_USER to act as BAR_USER from
 * {@code ipAddress}. An {@code AuthorizationException} fails the test.
 */
@Test
public void testProxyUserConfiguration() throws Exception {
  MockRM resourceManager = null;
  try {
    resourceManager = new MockRM(conf);
    resourceManager.start();
    // wait for web server starting
    Thread.sleep(10000);
    final String effectiveName = BAR_USER.getShortUserName();
    final UserGroupInformation impersonating =
        UserGroupInformation.createProxyUser(effectiveName, FOO_USER);
    try {
      // createProxyUser only builds the identity; this authorize call is the
      // actual permission check under test.
      ProxyUsers.getDefaultImpersonationProvider()
          .authorize(impersonating, ipAddress);
    } catch (AuthorizationException unexpected) {
      // Exception is not expected
      Assert.fail();
    }
  } finally {
    if (resourceManager != null) {
      resourceManager.stop();
      resourceManager.close();
    }
  }
}
 
Example 7
Project: hadoop   File: BaseTestHttpFSWith.java
/**
 * Runs the configured operation inside {@code doAs} of a proxy UGI: the
 * first configured Hadoop test user, impersonated by the current user.
 */
@Test
@TestDir
@TestJetty
@TestHdfs
public void testOperationDoAs() throws Exception {
  createHttpFSServer();
  final String proxiedName = HadoopUsersConfTestHelper.getHadoopUsers()[0];
  final UserGroupInformation caller = UserGroupInformation.getCurrentUser();
  final UserGroupInformation proxied =
      UserGroupInformation.createProxyUser(proxiedName, caller);
  final PrivilegedExceptionAction<Void> runOperation =
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          operation(operation);
          return null;
        }
      };
  proxied.doAs(runOperation);
}
 
Example 8
Project: hadoop   File: DFSClientCache.java
/**
 * Creates a proxy UGI for {@code effectiveUser} on top of {@code realUser},
 * after calling {@code checkTGTAndReloginFromKeytab()} on the real user.
 *
 * <p>NOTE(review): this only constructs the identity. Whether
 * {@code realUser} is permitted to impersonate {@code effectiveUser} is not
 * decided here.
 *
 * @param effectiveUser The user who is being proxied by the real user
 * @param realUser The actual user who does the command
 * @return Proxy UserGroupInformation
 * @throws IOException If proxying fails
 */
UserGroupInformation getUserGroupInformation(
        String effectiveUser,
        UserGroupInformation realUser)
        throws IOException {
  Preconditions.checkNotNull(effectiveUser);
  Preconditions.checkNotNull(realUser);
  // Called on the real user before it is wrapped in the proxy UGI.
  realUser.checkTGTAndReloginFromKeytab();

  final UserGroupInformation proxyUgi =
          UserGroupInformation.createProxyUser(effectiveUser, realUser);
  if (LOG.isDebugEnabled()) {
    final String debugLine =
            String.format("Created ugi: %s for username: %s", proxyUgi, effectiveUser);
    LOG.debug(debugLine);
  }
  return proxyUgi;
}
 
Example 9
Project: ditb   File: RpcServer.java
/**
 * Builds a UGI from the user information in a connection header.
 *
 * <p>An effective user plus a real user yields a proxy UGI; an effective user
 * alone yields a plain remote-user UGI.
 *
 * <p>NOTE(review): both names are read from the header as the client sent
 * them. This method neither authenticates them nor authorizes the
 * impersonation, so the result is a claim to be checked by the caller.
 *
 * @param head the connection header received from the client
 * @return the claimed UGI, or {@code null} when the header carries no user
 *         info or no effective user
 */
private UserGroupInformation createUser(ConnectionHeader head) {
  if (!head.hasUserInfo()) {
    return null;
  }
  final UserInformation claimed = head.getUserInfo();
  final String effectiveName =
      claimed.hasEffectiveUser() ? claimed.getEffectiveUser() : null;
  final String realName =
      claimed.hasRealUser() ? claimed.getRealUser() : null;
  if (effectiveName == null) {
    return null;
  }
  if (realName == null) {
    return UserGroupInformation.createRemoteUser(effectiveName);
  }
  final UserGroupInformation realUgi =
      UserGroupInformation.createRemoteUser(realName);
  return UserGroupInformation.createProxyUser(effectiveName, realUgi);
}
 
Example 10
Project: hadoop   File: AbstractDelegationTokenIdentifier.java
/**
 * Returns the identity encoded in this token identifier as a UGI.
 *
 * <p>If {@code realUser} is unset, empty, or equal to {@code owner}, the
 * owner is returned as a plain remote user. Otherwise the owner is returned
 * as a proxy user whose real user is {@code realUser}. The TOKEN
 * authentication method is always applied to the real UGI.
 *
 * <p>NOTE(review): no validation happens in this method; the names are
 * whatever the identifier's fields hold.
 *
 * @return the owner's UGI, or {@code null} if {@code owner} is null or empty
 */
@Override
public UserGroupInformation getUser() {
  final boolean ownerMissing = owner == null || owner.toString().isEmpty();
  if (ownerMissing) {
    return null;
  }
  final boolean impersonated = !(realUser == null
      || realUser.toString().isEmpty()
      || realUser.equals(owner));
  final UserGroupInformation underlying;
  final UserGroupInformation result;
  if (impersonated) {
    underlying = UserGroupInformation.createRemoteUser(realUser.toString());
    result = UserGroupInformation.createProxyUser(owner.toString(), underlying);
  } else {
    underlying = UserGroupInformation.createRemoteUser(owner.toString());
    result = underlying;
  }
  // The method is set on the underlying (real) UGI in both cases.
  underlying.setAuthenticationMethod(AuthenticationMethod.TOKEN);
  return result;
}
 
Example 11
Project: hadoop-oss   File: TestRpcBase.java
/**
 * Returns the UGI for this test token identifier: a plain remote user named
 * after {@code tokenid} when {@code realUser} is empty, otherwise a proxy
 * user named after {@code tokenid} on top of {@code realUser}.
 */
@Override
public UserGroupInformation getUser() {
  final String realName = realUser.toString();
  if (!realName.isEmpty()) {
    final UserGroupInformation realUgi =
        UserGroupInformation.createRemoteUser(realName);
    return UserGroupInformation.createProxyUser(tokenid.toString(), realUgi);
  }
  return UserGroupInformation.createRemoteUser(tokenid.toString());
}
 
Example 12
Project: flume-release-1.7.0   File: KerberosAuthenticator.java
/**
 * Returns an executor for the given proxy user, creating and caching one on
 * first use. A null or empty name returns this authenticator itself.
 *
 * <p>NOTE(review): entries are only ever added to {@code proxyCache} in this
 * method. If {@code proxyUserName} can be influenced by event data, confirm
 * the cache is bounded elsewhere. Authorization of the impersonation is not
 * performed here.
 *
 * @param proxyUserName the user to impersonate, or null/empty for none
 * @return the cached or newly created executor, or {@code this}
 */
@Override
public synchronized PrivilegedExecutor proxyAs(String proxyUserName) {
  final boolean noProxyRequested =
      proxyUserName == null || proxyUserName.isEmpty();
  if (noProxyRequested) {
    return this;
  }
  if (proxyCache.get(proxyUserName) != null) {
    return proxyCache.get(proxyUserName);
  }
  // First request for this name: build the proxy UGI on top of our own UGI.
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUser(proxyUserName, ugi);
  printUGI(impersonated);
  proxyCache.put(proxyUserName, new UGIExecutor(impersonated));
  return proxyCache.get(proxyUserName);
}
 
Example 13
Project: hadoop   File: TestMiniMRProxyUser.java
/**
 * Runs {@code mrRun()} as proxy user "u1" impersonated by the login user.
 * Any exception from the run propagates and fails the test.
 */
public void testValidProxyUser() throws Exception {
  final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  final UserGroupInformation proxied =
      UserGroupInformation.createProxyUser("u1", loginUser);
  final PrivilegedExceptionAction<Void> runJob =
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          mrRun();
          return null;
        }
      };
  proxied.doAs(runJob);
}
 
Example 14
Project: hadoop   File: TestSaslRPC.java
/**
 * Returns the UGI for this test token identifier. With an empty
 * {@code realUser} the result is a remote user named after {@code tokenid};
 * otherwise it is a proxy user for {@code tokenid} whose real user is
 * {@code realUser}.
 */
@Override
public UserGroupInformation getUser() {
  final boolean noRealUser = realUser.toString().isEmpty();
  if (noRealUser) {
    return UserGroupInformation.createRemoteUser(tokenid.toString());
  }
  final UserGroupInformation realUgi =
      UserGroupInformation.createRemoteUser(realUser.toString());
  final String effectiveName = tokenid.toString();
  return UserGroupInformation.createProxyUser(effectiveName, realUgi);
}
 
Example 15
Project: hadoop-oss   File: Server.java
/**
 * Reads the connection context following the connection header and settles
 * the connection's user.
 *
 * <p>Without SASL ({@code saslServer == null}) the user is taken as claimed in
 * the connection context. With SASL, {@code user} is already set by
 * authentication; a differing claimed user is treated as an impersonation
 * request, which is rejected for TOKEN authentication and otherwise turned
 * into a proxy UGI. {@code authorizeConnection()} then runs on every path.
 *
 * @param dis - DataInputStream from which to read the header
 * @throws WrappedRpcServerException - if the header cannot be
 *         deserialized, or the user is not authorized
 */
private void processConnectionContext(DataInputStream dis)
    throws WrappedRpcServerException {
  // allow only one connection context during a session
  if (connectionContextRead) {
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER,
        "Connection context already processed");
  }
  connectionContext = decodeProtobufFromStream(
      IpcConnectionContextProto.newBuilder(), dis);
  protocolName = connectionContext.hasProtocol() ? connectionContext
      .getProtocol() : null;

  // protocolUser is only what the client claims in the context message.
  UserGroupInformation protocolUser = ProtoUtil.getUgi(connectionContext);
  if (saslServer == null) {
    // No SASL on this connection: the claimed identity is adopted as-is
    // (it may be null if the context carried no effective user).
    user = protocolUser;
  } else {
    // user is authenticated
    user.setAuthenticationMethod(authMethod);
    // Now we check if this is a proxy user case. If the protocol user is
    // different from the 'user', it is a proxy user scenario. However,
    // this is not allowed for token authentication. The code below tests
    // AuthMethod.TOKEN; the original comment said "DIGEST", presumably
    // meaning the SASL mechanism used for tokens (confirm).
    if ((protocolUser != null)
        && (!protocolUser.getUserName().equals(user.getUserName()))) {
      if (authMethod == AuthMethod.TOKEN) {
        // Not allowed to doAs if token authentication is used
        throw new WrappedRpcServerException(
            RpcErrorCodeProto.FATAL_UNAUTHORIZED,
            new AccessControlException("Authenticated user (" + user
                + ") doesn't match what the client claims to be ("
                + protocolUser + ")"));
      } else {
        // Effective user can be different from authenticated user
        // for simple auth or kerberos auth
        // The user is the real user. Now we create a proxy user.
        // createProxyUser only records the relationship; it grants nothing.
        UserGroupInformation realUser = user;
        user = UserGroupInformation.createProxyUser(protocolUser
            .getUserName(), realUser);
      }
    }
  }
  // NOTE(review): presumably this is where the real user's right to
  // impersonate the effective user is enforced; its body is not visible here.
  authorizeConnection();
  // don't set until after authz because connection isn't established
  connectionContextRead = true;
}
 
Example 16
Project: QDrill   File: DrillUser.java
/**
 * Creates a DrillUser backed by a proxy UGI for {@code userName}, with the
 * current user as the real user.
 *
 * <p>NOTE(review): {@code userName} is passed through unchecked, and this
 * constructor does not authorize the impersonation.
 *
 * @param userName name of the user to act as
 * @throws IOException if the current user cannot be determined
 */
public DrillUser(String userName) throws IOException {
  final UserGroupInformation caller = UserGroupInformation.getCurrentUser();
  this.hadoopUser = UserGroupInformation.createProxyUser(userName, caller);
}
 
Example 17
Project: hadoop   File: FileSystemAccessService.java
/**
 * Returns a proxy UGI for {@code user} whose real user is the process login
 * user.
 *
 * <p>NOTE(review): the name is not validated here, and whether the login user
 * may impersonate it is not checked in this method.
 *
 * @param user name of the user to act as
 * @return the proxy UGI
 * @throws IOException if the login user cannot be obtained
 */
protected UserGroupInformation getUGI(String user) throws IOException {
  final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
  return UserGroupInformation.createProxyUser(user, loginUgi);
}
 
Example 18
Project: dremio-oss   File: ImpersonationUtil.java
/**
 * Builds the proxy UGI for a key: {@code key.proxyUserName} impersonated by
 * {@code key.loginUser}. Presumably the loader of a UGI cache, so that one
 * proxy UGI is reused per (user, login user) pair; the enclosing class is not
 * visible here.
 *
 * @param key holder of the proxy user name and the login (real) user
 * @return a new proxy UGI for the key
 */
@Override
public UserGroupInformation load(Key key) throws Exception {
  final String effectiveName = key.proxyUserName;
  final UserGroupInformation realUgi = key.loginUser;
  return UserGroupInformation.createProxyUser(effectiveName, realUgi);
}
 
Example 19
Project: ditb   File: RpcServer.java
/**
 * Parses the connection header, resolves the requested service, and settles
 * the connection's user ({@code ugi}).
 *
 * <p>Without SASL the user is whatever the header claims and is marked with
 * the SIMPLE authentication method. With SASL, {@code ugi} is already the
 * authenticated user; a differing claimed user is rejected for DIGEST
 * authentication and otherwise becomes a proxy UGI marked PROXY.
 *
 * <p>NOTE(review): no check that the authenticated user may impersonate the
 * claimed user is visible in this method; confirm that it is enforced before
 * any request on the connection is served.
 *
 * @param buf the serialized connection header
 * @throws IOException if the header cannot be parsed, the service name is
 *         missing or unknown, or a DIGEST-authenticated client claims a
 *         different user
 */
private void processConnectionHeader(byte[] buf) throws IOException {
  this.connectionHeader = ConnectionHeader.parseFrom(buf);
  String serviceName = connectionHeader.getServiceName();
  if (serviceName == null) throw new EmptyServiceNameException();
  this.service = getService(services, serviceName);
  if (this.service == null) throw new UnknownServiceException(serviceName);
  setupCellBlockCodecs(this.connectionHeader);
  // protocolUser is only the identity claimed in the header.
  UserGroupInformation protocolUser = createUser(connectionHeader);
  if (!useSasl) {
    // No SASL: the claimed identity is adopted without verification and may
    // be null when the header carries no user info.
    ugi = protocolUser;
    if (ugi != null) {
      ugi.setAuthenticationMethod(AuthMethod.SIMPLE.authenticationMethod);
    }
    // audit logging for SASL authenticated users happens in saslReadAndProcess()
    if (authenticatedWithFallback) {
      LOG.warn("Allowed fallback to SIMPLE auth for " + ugi
          + " connecting from " + getHostAddress());
    }
    // Logged on this branch even when ugi is null.
    AUDITLOG.info(AUTH_SUCCESSFUL_FOR + ugi);
  } else {
    // user is authenticated
    ugi.setAuthenticationMethod(authMethod.authenticationMethod);
    // Now we check if this is a proxy user case. If the protocol user is
    // different from the 'user', it is a proxy user scenario. However,
    // this is not allowed if user authenticated with DIGEST.
    if ((protocolUser != null)
        && (!protocolUser.getUserName().equals(ugi.getUserName()))) {
      if (authMethod == AuthMethod.DIGEST) {
        // Not allowed to doAs if token authentication is used
        throw new AccessDeniedException("Authenticated user (" + ugi
            + ") doesn't match what the client claims to be ("
            + protocolUser + ")");
      } else {
        // Effective user can be different from authenticated user
        // for simple auth or kerberos auth
        // The user is the real user. Now we create a proxy user.
        // createProxyUser only records the relationship; it grants nothing.
        UserGroupInformation realUser = ugi;
        ugi = UserGroupInformation.createProxyUser(protocolUser
            .getUserName(), realUser);
        // Now the user is a proxy user, set Authentication method Proxy.
        ugi.setAuthenticationMethod(AuthenticationMethod.PROXY);
      }
    }
  }
  if (connectionHeader.hasVersionInfo()) {
    // see if this connection will support RetryImmediatelyException
    retryImmediatelySupported = VersionInfoUtil.hasMinimumVersion(getVersionInfo(), 1, 2);

    AUDITLOG.info("Connection from " + this.hostAddress + " port: " + this.remotePort
        + " with version info: "
        + TextFormat.shortDebugString(connectionHeader.getVersionInfo()));
  } else {
    AUDITLOG.info("Connection from " + this.hostAddress + " port: " + this.remotePort
        + " with unknown version info");
  }


}
 
Example 20
Project: hadoop   File: Server.java
/**
 * Reads the connection context that follows the connection header and
 * decides which user the connection runs as.
 *
 * <p>When {@code saslServer} is null the user is the one claimed in the
 * context. Otherwise {@code user} is the authenticated user, and a claimed
 * user with a different name is an impersonation request: rejected for TOKEN
 * authentication, otherwise wrapped as a proxy UGI over the authenticated
 * user. {@code authorizeConnection()} is called on every path before the
 * context is marked as read.
 *
 * @param dis - DataInputStream from which to read the header
 * @throws WrappedRpcServerException - if the header cannot be
 *         deserialized, or the user is not authorized
 */
private void processConnectionContext(DataInputStream dis)
    throws WrappedRpcServerException {
  // allow only one connection context during a session
  if (connectionContextRead) {
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER,
        "Connection context already processed");
  }
  connectionContext = decodeProtobufFromStream(
      IpcConnectionContextProto.newBuilder(), dis);
  protocolName = connectionContext.hasProtocol() ? connectionContext
      .getProtocol() : null;

  // The UGI built here reflects client-supplied names only.
  UserGroupInformation protocolUser = ProtoUtil.getUgi(connectionContext);
  if (saslServer == null) {
    // No SASL: the client's claim becomes the connection user unverified.
    user = protocolUser;
  } else {
    // user is authenticated
    user.setAuthenticationMethod(authMethod);
    // Now we check if this is a proxy user case. If the protocol user is
    // different from the 'user', it is a proxy user scenario. However,
    // this is not allowed for token authentication (the check below is on
    // AuthMethod.TOKEN; the earlier wording "DIGEST" presumably referred to
    // the token SASL mechanism; confirm).
    if ((protocolUser != null)
        && (!protocolUser.getUserName().equals(user.getUserName()))) {
      if (authMethod == AuthMethod.TOKEN) {
        // Not allowed to doAs if token authentication is used
        throw new WrappedRpcServerException(
            RpcErrorCodeProto.FATAL_UNAUTHORIZED,
            new AccessControlException("Authenticated user (" + user
                + ") doesn't match what the client claims to be ("
                + protocolUser + ")"));
      } else {
        // Effective user can be different from authenticated user
        // for simple auth or kerberos auth
        // The user is the real user. Now we create a proxy user.
        // Building the proxy UGI is not itself an authorization decision.
        UserGroupInformation realUser = user;
        user = UserGroupInformation.createProxyUser(protocolUser
            .getUserName(), realUser);
      }
    }
  }
  // NOTE(review): the impersonation is presumably authorized inside this
  // call; its implementation is outside this excerpt.
  authorizeConnection();
  // don't set until after authz because connection isn't established
  connectionContextRead = true;
}