Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getAuthenticationMethod()

Example 1
Source File: BitConnectionConfig.java    From Bats with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the SASL client properties for a connection to {@code remoteEndpoint}.
 *
 * <p>Only when the process login user was authenticated with Kerberos does this method set
 * {@code DrillProperties.SERVICE_PRINCIPAL}: either to the login principal itself (when
 * {@code useLoginPrincipal} is set) or to a principal assembled from the login principal's
 * short name, the remote endpoint's address and the login principal's realm. For every other
 * authentication method no service principal is derived here.
 *
 * <p>{@code overrides} are merged after the derived value. NOTE(review): presumably an
 * override for {@code SERVICE_PRINCIPAL} replaces the derived principal, which would change
 * the identity the peer is expected to prove, so the override map should originate from
 * trusted configuration only; confirm against {@code DrillProperties.merge}.
 *
 * @param remoteEndpoint endpoint whose address becomes the instance part of the derived principal
 * @param overrides      properties merged on top of the derived ones
 * @return the resulting properties as a string-keyed map
 * @throws IOException declared by the method; presumably raised while resolving the login user
 */
public Map<String, ?> getSaslClientProperties(final DrillbitEndpoint remoteEndpoint,
                                              final Map<String, String> overrides) throws IOException {
  final DrillProperties saslProps = DrillProperties.createEmpty();
  final UserGroupInformation currentLogin = UserGroupInformation.getLoginUser();

  final boolean kerberosLogin =
      currentLogin.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS;
  if (kerberosLogin) {
    final HadoopKerberosName principal = new HadoopKerberosName(currentLogin.getUserName());
    if (useLoginPrincipal) {
      // Expect the peer to run under exactly the same principal as this process.
      saslProps.setProperty(DrillProperties.SERVICE_PRINCIPAL, principal.toString());
    } else {
      // Same primary and realm as the login principal, but bound to the remote host.
      saslProps.setProperty(DrillProperties.SERVICE_PRINCIPAL,
          KerberosUtil.getPrincipalFromParts(principal.getShortName(),
              remoteEndpoint.getAddress(),
              principal.getRealm()));
    }
  }

  // Caller-supplied values are applied last.
  saslProps.merge(overrides);
  return saslProps.stringPropertiesAsMap();
}
 
Example 2
Source File: TestWebDelegationToken.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Test handler that echoes the identity resolved for the current request.
 *
 * <p>The response body has the form {@code remoteuser=<remote user>:ugi=<short name>}. When the
 * UGI's authentication method is {@code PROXY}, the body is prefixed with
 * {@code realugi=<real user's short name>:} so that both the impersonating and the effective
 * identity are visible. If no UGI is attached to the request, the handler answers with status
 * 500 and writes no body.
 *
 * <p>NOTE(review): {@code getRealUser()} is dereferenced without a null check; that is only
 * safe if a PROXY UGI always carries a real user.
 */
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
    throws ServletException, IOException {
  final UserGroupInformation caller = HttpUserGroupInformation.get();
  if (caller == null) {
    resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    return;
  }

  String body = "remoteuser=" + req.getRemoteUser() + ":ugi=" + caller.getShortUserName();
  final boolean viaProxy =
      caller.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY;
  if (viaProxy) {
    // Prepend the real (impersonating) user in front of the effective identity.
    body = "realugi=" + caller.getRealUser().getShortUserName() + ":" + body;
  }
  resp.setStatus(HttpServletResponse.SC_OK);
  resp.getWriter().write(body);
}
 
Example 3
Source File: TestWebDelegationToken.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Writes the request's resolved identity into the response (test servlet).
 *
 * <p>Output: {@code remoteuser=<remote user>:ugi=<short name>}, preceded by
 * {@code realugi=<real user's short name>:} when the UGI was created through impersonation
 * (authentication method {@code PROXY}). Without a UGI the status is set to 500 and nothing is
 * written.
 *
 * <p>NOTE(review): the PROXY branch assumes {@code getRealUser()} is non-null.
 */
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
    throws ServletException, IOException {
  final UserGroupInformation ugi = HttpUserGroupInformation.get();
  if (ugi == null) {
    resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
  } else {
    final String identity =
        "remoteuser=" + req.getRemoteUser() + ":ugi=" + ugi.getShortUserName();
    // For an impersonated request, report the real user first, then the effective identity.
    final String payload =
        ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY
            ? "realugi=" + ugi.getRealUser().getShortUserName() + ":" + identity
            : identity;
    resp.setStatus(HttpServletResponse.SC_OK);
    resp.getWriter().write(payload);
  }
}
 
Example 4
Source File: DelegationTokenKerberosFilter.java    From lucene-solr with Apache License 2.0 6 votes vote down vote up
/**
 * Delegates to the parent filter, wrapping the chain so that the impersonating user's name is
 * attached to the request before downstream processing.
 *
 * <p>When the UGI resolved for the request has authentication method {@code PROXY} and a real
 * user is present, the real user's short name is stored under
 * {@code KerberosPlugin.IMPERSONATOR_USER_NAME}. The value comes from the resolved UGI, not
 * from request parameters or headers read in this method.
 *
 * <p>Locale handling: the JVM default locale is switched to {@link Locale#US} before the parent
 * filter runs and switched back to {@code defaultLocale} at the start of the wrapped chain.
 * {@code Locale.setDefault} is process-wide, so concurrent requests observe the change.
 * NOTE(review): the restore happens only inside the wrapper; if the parent filter returns
 * without invoking the chain, or throws, the default stays {@code Locale.US}. Confirm this is
 * acceptable.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain filterChain) throws IOException, ServletException {
  // Expose the impersonator's user name in case someone (e.g. a logger) wants it.
  final FilterChain impersonationAwareChain = new FilterChain() {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse)
        throws IOException, ServletException {
      // Undo the temporary locale switch made by the enclosing method.
      Locale.setDefault(defaultLocale);
      final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

      final UserGroupInformation caller = HttpUserGroupInformation.get();
      final boolean viaProxy = caller != null
          && caller.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY;
      if (viaProxy) {
        final UserGroupInformation impersonator = caller.getRealUser();
        if (impersonator != null) {
          httpRequest.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME,
              impersonator.getShortUserName());
        }
      }
      filterChain.doFilter(servletRequest, servletResponse);
    }
  };

  // A hack until HADOOP-15681 gets committed.
  Locale.setDefault(Locale.US);
  super.doFilter(request, response, impersonationAwareChain);
}
 
Example 5
Source File: HadoopAuthFilter.java    From lucene-solr with Apache License 2.0 6 votes vote down vote up
/**
 * Runs the parent authentication filter with a chain wrapper that records who is impersonating.
 *
 * <p>For a request whose UGI has authentication method {@code PROXY}, the real user's short
 * name (when a real user is present) is set as the request attribute
 * {@code KerberosPlugin.IMPERSONATOR_USER_NAME} before the original chain continues.
 *
 * <p>The default locale is forced to {@link Locale#US} for the duration of the parent filter
 * and reset to {@code defaultLocale} as the first step of the wrapper. This is a JVM-wide
 * setting shared by all threads. NOTE(review): nothing resets it when the parent filter does
 * not reach the wrapper (request rejected or exception); verify whether that matters here.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain filterChain) throws IOException, ServletException {
  // Make the impersonator's user name available downstream (e.g. to a logger).
  FilterChain wrappedChain = new FilterChain() {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse)
        throws IOException, ServletException {
      // Restore the locale that was replaced before the parent filter ran.
      Locale.setDefault(defaultLocale);
      HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

      UserGroupInformation ugi = HttpUserGroupInformation.get();
      // Only an impersonated (PROXY) identity has a real user worth recording.
      UserGroupInformation realUserUgi =
          (ugi != null
              && ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY)
              ? ugi.getRealUser()
              : null;
      if (realUserUgi != null) {
        httpRequest.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME,
            realUserUgi.getShortUserName());
      }
      filterChain.doFilter(servletRequest, servletResponse);
    }
  };

  // A hack until HADOOP-15681 gets committed.
  Locale.setDefault(Locale.US);
  super.doFilter(request, response, wrappedChain);
}
 
Example 6
Source File: KMSAuditLogger.java    From ranger with Apache License 2.0 6 votes vote down vote up
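/**
 * Captures the fields of one audit record.
 *
 * <p>When {@code ugi} describes an impersonated identity (authentication method
 * {@code PROXY}), both sides are recorded: {@code user} holds the effective user's short name
 * and {@code impersonator} holds the real user's name as returned by {@code getUserName()}.
 * In every other case {@code impersonator} is {@code null}. A {@code PROXY} context without a
 * real user also yields a {@code null} impersonator instead of failing, so that building the
 * audit record cannot abort with a {@link NullPointerException}.
 *
 * @param op
 *          The operation being audited (either {@link KMS.KMSOp} or
 *          {@link Type}). N.B. this is passed as an {@link Object} to allow
 *          either enum to be passed in.
 * @param ugi
 *          The user's security context; may be {@code null}, in which case
 *          neither user nor impersonator is recorded
 * @param keyName
 *          The String name of the key if applicable
 * @param remoteHost
 *          The hostname of the requesting service
 * @param msg
 *          Any extra details for auditing
 */
AuditEvent(Object op, UserGroupInformation ugi, String keyName,
    String remoteHost, String msg) {
  // Resolve both identities into locals first so each field is assigned exactly once.
  String effectiveUser = null;
  String realUserName = null;
  if (ugi != null) {
    effectiveUser = ugi.getShortUserName();
    if (ugi.getAuthenticationMethod()
        == UserGroupInformation.AuthenticationMethod.PROXY) {
      // A PROXY context is expected to carry a real user; tolerate a missing one rather
      // than losing the audit event to an exception.
      final UserGroupInformation realUser = ugi.getRealUser();
      if (realUser != null) {
        realUserName = realUser.getUserName();
      }
    }
  }

  this.keyName = keyName;
  this.user = effectiveUser;
  this.impersonator = realUserName;
  this.remoteHost = remoteHost;
  this.op = op;
  this.extraMsg = msg;
}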
 
Example 7
Source File: OzoneManager.java    From hadoop-ozone with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the authentication method used to establish the connection.
 *
 * <p>If the remote user is an impersonated identity (method {@code PROXY}), the method of the
 * real user behind it is returned instead, so callers see how the connection was actually
 * authenticated rather than the fact that impersonation is in use.
 *
 * <p>NOTE(review): {@code getRealUser()} is dereferenced without a null check; this relies on
 * every PROXY UGI carrying a real user.
 *
 * @return the remote user's authentication method, or the real user's for a proxy identity
 * @throws IOException declared by the method; presumably raised while resolving the remote user
 */
private AuthenticationMethod getConnectionAuthenticationMethod()
    throws IOException {
  final UserGroupInformation caller = getRemoteUser();
  final AuthenticationMethod declared = caller.getAuthenticationMethod();
  return declared == AuthenticationMethod.PROXY
      ? caller.getRealUser().getAuthenticationMethod()
      : declared;
}
 
Example 8
Source File: TokenProvider.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Decides whether the caller may perform a delegation token operation.
 *
 * <p>The decision is based on how the caller authenticated. For an impersonated identity
 * (method {@code PROXY}) the real user's method is evaluated instead. Only {@code KERBEROS},
 * {@code KERBEROS_SSL} and {@code CERTIFICATE} are accepted; every other method, for example
 * {@code SIMPLE} or {@code TOKEN}, is refused.
 *
 * <p>NOTE(review): the PROXY branch dereferences {@code getRealUser()} without a null check.
 *
 * @param ugi A user group information.
 * @return true if delegation token operation is allowed
 */
private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException {
  AuthenticationMethod effective = ugi.getAuthenticationMethod();
  if (effective == AuthenticationMethod.PROXY) {
    // Judge an impersonated request by the credentials of the user who is impersonating.
    effective = ugi.getRealUser().getAuthenticationMethod();
  }
  return effective == AuthenticationMethod.KERBEROS
      || effective == AuthenticationMethod.KERBEROS_SSL
      || effective == AuthenticationMethod.CERTIFICATE;
}
 
Example 9
Source File: ClusterHdfsSource.java    From datacollector with Apache License 2.0 4 votes vote down vote up
/**
 * Validates the HDFS connection settings and records every problem found in {@code issues}.
 *
 * <p>Steps, in order: resolve the file system URI (explicit setting first, then the Hadoop
 * default), validate it, resolve the login and proxy users, check the configured
 * authentication mode against the login user, and finally open and close a file system
 * handle as a connectivity probe. Problems are reported as config issues; the method does not
 * throw for them.
 *
 * @param issues list that receives the configuration issues detected here
 */
@VisibleForTesting
void validateHadoopFS(List<ConfigIssue> issues) {
  boolean validHadoopFsUri;
  String hdfsUriInConf;
  if (!Strings.isNullOrEmpty(conf.hdfsUri)) {
    // An explicitly configured URI takes precedence and is written into the Hadoop configuration.
    hadoopConf.set(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY, conf.hdfsUri);
  } else {
    // Fall back to the default file system from the loaded Hadoop configuration.
    hdfsUriInConf = hadoopConf.get(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY);
    if (hdfsUriInConf == null) {
      // No URI from either source: report it and stop, nothing else can be validated.
      issues.add(
          getContext().createConfigIssue(
              Groups.HADOOP_FS.name(),
              CLUSTER_HDFS_CONFIG_BEAN_PREFIX + HDFS_URI,
              Errors.HADOOPFS_19
          )
      );
      return;
    } else {
      conf.hdfsUri = hdfsUriInConf;
    }
  }
  validHadoopFsUri = validateHadoopFsURI(issues);
  StringBuilder logMessage = new StringBuilder();
  try {
    UserGroupInformation loginUgi = HadoopSecurityUtil.getLoginUser(hadoopConf);
    userUgi = HadoopSecurityUtil.getProxyUser(
        conf.hdfsUser,
        getContext(),
        loginUgi,
        issues,
        Groups.HADOOP_FS.name(),
        CLUSTER_HDFS_CONFIG_BEAN_PREFIX + "hdfsUser"
    );
    // Identity comparison: any UGI object other than the login UGI is treated as impersonation.
    if (userUgi != loginUgi) {
      proxyUser = userUgi.getUserName();
      LOG.debug("Proxy user submitting cluster batch job is {}", proxyUser);
    }
    if (conf.hdfsKerberos) {
      logMessage.append("Using Kerberos");
      // Kerberos was requested, so the login user must actually hold Kerberos credentials.
      // A mismatch is reported as an issue; validation continues with the connectivity probe.
      if (loginUgi.getAuthenticationMethod() != UserGroupInformation.AuthenticationMethod.KERBEROS) {
        issues.add(
            getContext().createConfigIssue(
                Groups.HADOOP_FS.name(),
                CLUSTER_HDFS_CONFIG_BEAN_PREFIX + "hdfsKerberos",
                Errors.HADOOPFS_00,
                loginUgi.getAuthenticationMethod(),
                UserGroupInformation.AuthenticationMethod.KERBEROS
            )
        );
      }
    } else {
      logMessage.append("Using Simple");
      // Kerberos not requested: the authentication setting in hadoopConf is overwritten with
      // SIMPLE, regardless of what the loaded configuration specified.
      // NOTE(review): confirm this override is intended when the cluster configuration
      // itself asks for Kerberos.
      hadoopConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
          UserGroupInformation.AuthenticationMethod.SIMPLE.name());
    }
    if (validHadoopFsUri) {
      // Connectivity probe: open the file system as the UGI returned by getUGI() and close it
      // again immediately.
      getUGI().doAs((PrivilegedExceptionAction<Void>) () -> {
        try (FileSystem fs = getFileSystemForInitDestroy(null)) { // NOSONAR
          // to trigger fs close
        }
        return null;
      });
    }
  } catch (Exception ex) {
    // Any failure above (login, proxy user resolution, probe) ends up here: it is logged with
    // its stack trace and converted into a single config issue that carries the URI and the
    // exception text.
    LOG.info("Error connecting to FileSystem: " + ex, ex);
    issues.add(
        getContext().createConfigIssue(
            Groups.HADOOP_FS.name(),
            null,
            Errors.HADOOPFS_11,
            conf.hdfsUri,
            String.valueOf(ex),
            ex
        )
    );
  }
  // Logged on every path that reaches this point; the message is empty if the try block
  // failed before the authentication mode was determined.
  LOG.info("Authentication Config: {}", logMessage);
}
 
Example 10
Source File: HadoopUtils.java    From flink with Apache License 2.0 4 votes vote down vote up
/**
 * Tells whether Hadoop security is enabled and the given user was authenticated with Kerberos.
 *
 * <p>The match on the authentication method is exact: a UGI whose method is anything other
 * than {@code KERBEROS} (for example {@code PROXY} or {@code TOKEN}) yields {@code false} even
 * when security is enabled. {@code ugi} is only inspected when security is enabled.
 *
 * @param ugi the user whose authentication method is checked
 * @return {@code true} only if security is enabled and {@code ugi} uses Kerberos
 */
public static boolean isKerberosSecurityEnabled(UserGroupInformation ugi) {
	if (!UserGroupInformation.isSecurityEnabled()) {
		return false;
	}
	return UserGroupInformation.AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod();
}