Java Code Examples for org.apache.hadoop.security.UserGroupInformation.getRealUser()

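The following are Java code examples showing how to use getRealUser() of the org.apache.hadoop.security.UserGroupInformation class. In these examples getRealUser() returns null when the UserGroupInformation is not a proxy (impersonating) user, which is why most callers null-check the result. You can vote up the examples you like. Your votes will be used in our system to get more good examples.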
Example 1
Project: hadoop   File: HttpFSFileSystem.java   View Source Code Vote up 6 votes
/**
 * Called after a new FileSystem instance is constructed. Records the identity
 * used for authentication, reduces the filesystem URI to its scheme and
 * authority, and creates the delegation-token-aware URL helper.
 *
 * @param name a uri whose authority section names the host, port, etc. for this FileSystem
 * @param conf the configuration
 * @throws IOException if the scheme/authority pair is not a valid URI; also
 *     propagated from the user lookups and from the superclass initializer
 */
@Override
public void initialize(URI name, Configuration conf) throws IOException {
  // The real user is the one that has the Kerberos credentials needed for
  // SPNEGO to work. When the current user has no real user, the login user
  // is used instead.
  realUser = UserGroupInformation.getCurrentUser().getRealUser();
  if (null == realUser) {
    realUser = UserGroupInformation.getLoginUser();
  }

  super.initialize(name, conf);

  final String schemeAndAuthority = name.getScheme() + "://" + name.getAuthority();
  try {
    uri = new URI(schemeAndAuthority);
  } catch (URISyntaxException ex) {
    throw new IOException(ex);
  }

  // The authenticator implementation is named in configuration and created
  // reflectively, so the configuration source decides how requests are
  // authenticated; Kerberos is the default when the key is unset.
  final Class<? extends DelegationTokenAuthenticator> authenticatorClass =
      getConf().getClass("httpfs.authenticator.class",
          KerberosDelegationTokenAuthenticator.class,
          DelegationTokenAuthenticator.class);
  authURL = new DelegationTokenAuthenticatedURL(
      ReflectionUtils.newInstance(authenticatorClass, getConf()));
}
 
Example 2
Project: hadoop   File: WebHdfsFileSystem.java   View Source Code Vote up 6 votes
/**
 * Builds the authentication query parameters for one HTTP operation: either a
 * delegation token, or the user name (plus a doas name for a proxy user).
 *
 * @param op the operation the parameters are built for
 * @return the parameters to attach to the request
 * @throws IOException if the delegation token cannot be obtained or encoded
 */
Param<?,?>[] getAuthParameters(final HttpOpParam.Op op) throws IOException {
  final List<Param<?,?>> params = Lists.newArrayList();
  // Skip adding delegation token for token operations because these
  // operations require authentication.
  final Token<?> delegationToken = op.getRequireAuth() ? null : getDelegationToken();

  if (delegationToken == null) {
    final UserGroupInformation effective = ugi;
    final UserGroupInformation proxying = effective.getRealUser();
    if (proxying == null) {
      params.add(new UserParam(effective.getShortUserName()));
    } else {
      // Proxy user: doas names the impersonated user, user names the real one.
      // NOTE(review): both values are plain names in the request; presumably
      // the server authenticates the real user by other means - confirm.
      params.add(new DoAsParam(effective.getShortUserName()));
      params.add(new UserParam(proxying.getShortUserName()));
    }
  } else {
    params.add(new DelegationParam(delegationToken.encodeToUrlString()));
  }
  return params.toArray(new Param<?,?>[0]);
}
 
Example 3
Project: hadoop   File: DefaultImpersonationProvider.java   View Source Code Vote up 6 votes
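/**
 * Checks whether the real user behind {@code user} may impersonate it from
 * {@code remoteAddress}. A user without a real user is not impersonating
 * anyone and passes without further checks.
 *
 * <p>Both checks fail closed: a missing ACL entry or a missing host list for
 * the real user is treated as a denial.
 *
 * @param user the effective user; its real user is the one being authorized
 * @param remoteAddress address the request came from
 * @throws IllegalArgumentException if {@code user} is null
 * @throws AuthorizationException if the real user may not impersonate
 *     {@code user}, or may not do so from {@code remoteAddress}
 */
@Override
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException {

  // Reject a null user explicitly instead of failing with a bare
  // NullPointerException on the first dereference.
  if (user == null) {
    throw new IllegalArgumentException("user is null.");
  }

  UserGroupInformation realUser = user.getRealUser();
  if (realUser == null) {
    return;
  }

  AccessControlList acl = proxyUserAcl.get(configPrefix +
      realUser.getShortUserName());
  if (acl == null || !acl.isUserAllowed(user)) {
    throw new AuthorizationException("User: " + realUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  // Named in lowerCamelCase so the local no longer shadows the MachineList type.
  MachineList machineList = proxyHosts.get(
      getProxySuperuserIpConfKey(realUser.getShortUserName()));

  if (machineList == null || !machineList.includes(remoteAddress)) {
    throw new AuthorizationException("Unauthorized connection for super-user: "
        + realUser.getUserName() + " from IP " + remoteAddress);
  }
}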
 
Example 4
Project: ditb   File: RpcClientImpl.java   View Source Code Vote up 6 votes
/**
 * Builds the user information sent to the server for the connection's
 * authentication method.
 *
 * @param ugi the user the connection is made for; may be null
 * @return the user information, or null when {@code ugi} is null or the
 *     connection uses DIGEST (token) authentication
 */
private synchronized UserInformation getUserInfo(UserGroupInformation ugi) {
  // Don't send user for token auth
  if (ugi == null || authMethod == AuthMethod.DIGEST) {
    return null;
  }

  final boolean kerberos = authMethod == AuthMethod.KERBEROS;
  final boolean simple = authMethod == AuthMethod.SIMPLE;
  final UserInformation.Builder builder = UserInformation.newBuilder();

  // Kerberos sends the effective user only; simple auth sends the effective
  // user and, for a proxy user, the real user as well.
  if (kerberos || simple) {
    builder.setEffectiveUser(ugi.getUserName());
  }
  if (simple) {
    // NOTE(review): under simple auth both names are supplied by this client;
    // presumably the server treats them as unverified claims - confirm.
    final UserGroupInformation proxying = ugi.getRealUser();
    if (proxying != null) {
      builder.setRealUser(proxying.getUserName());
    }
  }
  return builder.build();
}
 
Example 5
Project: ditb   File: AsyncRpcChannel.java   View Source Code Vote up 6 votes
/**
 * Build the user information for a connection.
 *
 * @param ugi        User Group Information; may be null
 * @param authMethod Authentication method used by the connection
 * @return UserInformation protobuf, or null when {@code ugi} is null or the
 *     method is DIGEST (token) authentication
 */
private RPCProtos.UserInformation buildUserInfo(UserGroupInformation ugi, AuthMethod authMethod) {
  final boolean tokenAuth = authMethod == AuthMethod.DIGEST;
  if (ugi == null || tokenAuth) {
    // Don't send user for token auth
    return null;
  }

  final RPCProtos.UserInformation.Builder info = RPCProtos.UserInformation.newBuilder();
  if (authMethod == AuthMethod.KERBEROS) {
    // Send effective user for Kerberos auth
    info.setEffectiveUser(ugi.getUserName());
    return info.build();
  }
  if (authMethod != AuthMethod.SIMPLE) {
    // Any other method: nothing is filled in.
    return info.build();
  }

  // Send both effective user and real user for simple auth
  info.setEffectiveUser(ugi.getUserName());
  final UserGroupInformation realUgi = ugi.getRealUser();
  if (realUgi != null) {
    info.setRealUser(realUgi.getUserName());
  }
  return info.build();
}
 
Example 6
Project: hadoop-oss   File: DefaultImpersonationProvider.java   View Source Code Vote up 5 votes
/**
 * Checks whether the real user behind {@code user} may impersonate it from
 * {@code remoteAddress}. A user without a real user passes without further
 * checks; a missing ACL entry or host list for the real user is a denial.
 *
 * @param user the effective user; its real user is the one being authorized
 * @param remoteAddress address the request came from
 * @throws IllegalArgumentException if {@code user} is null
 * @throws AuthorizationException if the real user may not impersonate
 *     {@code user}, or may not do so from {@code remoteAddress}
 */
@Override
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException {
  if (null == user) {
    throw new IllegalArgumentException("user is null.");
  }

  final UserGroupInformation superUser = user.getRealUser();
  if (superUser == null) {
    // Not a proxy user, so there is no impersonation to authorize.
    return;
  }

  // First gate: the ACL configured for this superuser must allow the target user.
  final AccessControlList impersonationAcl =
      proxyUserAcl.get(configPrefix + superUser.getShortUserName());
  final boolean mayImpersonate =
      impersonationAcl != null && impersonationAcl.isUserAllowed(user);
  if (!mayImpersonate) {
    throw new AuthorizationException("User: " + superUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  // Second gate: the request must come from a host listed for this superuser.
  final MachineList allowedHosts =
      proxyHosts.get(getProxySuperuserIpConfKey(superUser.getShortUserName()));
  final boolean hostAllowed = allowedHosts != null && allowedHosts.includes(remoteAddress);
  if (!hostAllowed) {
    throw new AuthorizationException("Unauthorized connection for super-user: "
        + superUser.getUserName() + " from IP " + remoteAddress);
  }
}
 
Example 7
Project: hadoop-oss   File: ProtoUtil.java   View Source Code Vote up 5 votes
/**
 * Creates the connection context using exactly the same logic as the old
 * writable-based connection context: which of the effective and real users
 * are sent depends on the auth method.
 *
 * @param protocol protocol name to record; skipped when null
 * @param ugi user the connection is made for; may be null
 * @param authMethod authentication method used during connection setup
 * @return the connection context; its user info is empty when {@code ugi} is
 *     null or the method is TOKEN
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  final IpcConnectionContextProto.Builder context = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    context.setProtocol(protocol);
  }

  final UserInformationProto.Builder userInfo = UserInformationProto.newBuilder();
  // In the connection context we send only additional user info that is not
  // derived from the authentication done during connection setup.
  // With token, the connection itself establishes both real and effective
  // user, hence none is sent in the header.
  final boolean viaToken = authMethod == AuthMethod.TOKEN;
  if (ugi != null && !viaToken) {
    userInfo.setEffectiveUser(ugi.getUserName());
    // Kerberos: the real user was established as part of the connection, so
    // only the effective user is sent. Simple authentication establishes no
    // user info, so the real user is sent too when there is one.
    if (authMethod != AuthMethod.KERBEROS) {
      final UserGroupInformation proxying = ugi.getRealUser();
      if (proxying != null) {
        userInfo.setRealUser(proxying.getUserName());
      }
    }
  }
  context.setUserInfo(userInfo);
  return context.build();
}
 
Example 8
Project: hadoop-oss   File: Client.java   View Source Code Vote up 5 votes
/**
 * Tells whether authentication should go over Kerberos: the connection must
 * use Kerberos, the login user must hold Kerberos credentials, and the login
 * user must be the current user or the current user's real user.
 *
 * @return true only when all of the conditions above hold
 * @throws IOException propagated from the login/current user lookups
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  final UserGroupInformation login = UserGroupInformation.getLoginUser();
  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final UserGroupInformation proxying = current.getRealUser();
  return authMethod == AuthMethod.KERBEROS
      && login != null
      // Make sure user logged in using Kerberos either keytab or TGT
      && login.hasKerberosCredentials()
      // relogin only in case it is the login user (e.g. JT)
      // or superuser (like oozie).
      && (login.equals(current) || login.equals(proxying));
}
 
Example 9
Project: hadoop-oss   File: TestProxyUsers.java   View Source Code Vote up 5 votes
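/**
 * Authorize a user (superuser) to impersonate another user (user1) if the
 * superuser belongs to the group "sudo_user1".
 *
 * @param user the impersonated user; its real user is the superuser being checked
 * @param remoteAddress address of the caller; not consulted by this provider
 * @throws AuthorizationException if the superuser is not a member of the
 *     "sudo_" + short-user-name group of {@code user}
 */
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException {
  UserGroupInformation superUser = user.getRealUser();
  if (superUser == null) {
    // Not a proxy user: no impersonation is taking place, so there is nothing
    // to authorize. Without this guard the group lookup below dereferences
    // null. DefaultImpersonationProvider.authorize returns in the same case.
    return;
  }

  String sudoGroupName = "sudo_" + user.getShortUserName();
  if (!Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName)) {
    throw new AuthorizationException("User: " + superUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }
}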
 
Example 10
Project: hadoop   File: RegistrySecurity.java   View Source Code Vote up 5 votes
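/**
 * Log details about the current Hadoop user, and its real user, at INFO.
 * Robust against IOEs when trying to get the current user: a failed lookup
 * is logged at WARN and not rethrown.
 */
public void logCurrentHadoopUser() {
  try {
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    LOG.info("Current user = {}", currentUser);
    UserGroupInformation realUser = currentUser.getRealUser();
    LOG.info("Real User = {}", realUser);
  } catch (IOException e) {
    // The exception is the only argument, so it is logged as the throwable and
    // fills no placeholder; the former "{}, {}" was printed literally.
    LOG.warn("Failed to get current user", e);
  }
}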
 
Example 11
Project: hadoop   File: TestJspHelper.java   View Source Code Vote up 5 votes
/**
 * Asserts the authentication methods expected for a UGI built from request
 * authentication: KERBEROS_SSL on the authenticated identity, and PROXY on
 * the UGI itself when it wraps a real user.
 *
 * @param ugi the UGI under test
 */
private void checkUgiFromAuth(UserGroupInformation ugi) {
  final UserGroupInformation proxying = ugi.getRealUser();
  if (proxying == null) {
    // Plain user: the UGI itself carries the authentication method.
    Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
                        ugi.getAuthenticationMethod());
    return;
  }
  // Proxy user: the outer UGI is PROXY, the real user is the authenticated one.
  Assert.assertEquals(AuthenticationMethod.PROXY,
                      ugi.getAuthenticationMethod());
  Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
                      proxying.getAuthenticationMethod());
}
 
Example 12
Project: hadoop   File: TestJspHelper.java   View Source Code Vote up 5 votes
/**
 * Asserts the authentication methods expected for a UGI built from a token:
 * TOKEN on the authenticated identity, and PROXY on the UGI itself when it
 * wraps a real user.
 *
 * @param ugi the UGI under test
 */
private void checkUgiFromToken(UserGroupInformation ugi) {
  final UserGroupInformation real = ugi.getRealUser();
  final boolean isProxy = real != null;
  if (isProxy) {
    Assert.assertEquals(AuthenticationMethod.PROXY,
                        ugi.getAuthenticationMethod());
  }
  // The identity that authenticated is the real user for a proxy UGI,
  // otherwise the UGI itself.
  final UserGroupInformation authenticated = isProxy ? real : ugi;
  Assert.assertEquals(AuthenticationMethod.TOKEN,
                      authenticated.getAuthenticationMethod());
}
 
Example 13
Project: hadoop   File: ProtoUtil.java   View Source Code Vote up 5 votes
/**
 * Creates the connection context with the same logic the old writable-based
 * connection context used: the effective and real users are set according to
 * the auth method.
 *
 * @param protocol protocol name to record; left unset when null
 * @param ugi user the connection is made for; may be null
 * @param authMethod authentication method used during connection setup
 * @return the built connection context
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  // Only user info that is NOT derived from the authentication done during
  // connection setup goes into the connection context.
  final UserInformationProto.Builder userInfoPB = UserInformationProto.newBuilder();
  if (ugi != null) {
    if (authMethod == AuthMethod.TOKEN) {
      // With token, the connection itself establishes
      // both real and effective user. Hence send none in header.
    } else if (authMethod == AuthMethod.KERBEROS) {
      // Real user was established as part of the connection.
      // Send effective user only.
      userInfoPB.setEffectiveUser(ugi.getUserName());
    } else {
      // Simple authentication: no user info is established as part of the
      // connection, so both effective and real user are sent.
      userInfoPB.setEffectiveUser(ugi.getUserName());
      final UserGroupInformation realUgi = ugi.getRealUser();
      if (realUgi != null) {
        userInfoPB.setRealUser(realUgi.getUserName());
      }
    }
  }

  final IpcConnectionContextProto.Builder contextPB = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    contextPB.setProtocol(protocol);
  }
  contextPB.setUserInfo(userInfoPB);
  return contextPB.build();
}
 
Example 14
Project: hadoop   File: Client.java   View Source Code Vote up 5 votes
/**
 * Tells whether authentication should go over Kerberos.
 *
 * @return true when the connection uses Kerberos, the login user has Kerberos
 *     credentials, and the login user equals the current user or its real user
 * @throws IOException propagated from the login/current user lookups
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  final UserGroupInformation processLogin = UserGroupInformation.getLoginUser();
  final UserGroupInformation caller = UserGroupInformation.getCurrentUser();
  final UserGroupInformation callerRealUser = caller.getRealUser();

  if (authMethod != AuthMethod.KERBEROS || processLogin == null) {
    return false;
  }
  // Make sure user logged in using Kerberos either keytab or TGT
  if (!processLogin.hasKerberosCredentials()) {
    return false;
  }
  // relogin only in case it is the login user (e.g. JT)
  // or superuser (like oozie).
  return processLogin.equals(caller) || processLogin.equals(callerRealUser);
}
 
Example 15
Project: hadoop   File: TestProxyUsers.java   View Source Code Vote up 5 votes
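/**
 * Authorize a user (superuser) to impersonate another user (user1) if the
 * superuser belongs to the group "sudo_user1".
 *
 * @param user the impersonated user; the superuser is taken from its real user
 * @param remoteAddress caller address; this provider does not look at it
 * @throws AuthorizationException if the superuser's groups do not include
 *     "sudo_" followed by the short name of {@code user}
 */
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException {
  final UserGroupInformation superUser = user.getRealUser();
  // A user with no real user is not being impersonated, so there is no
  // superuser to check; returning here also avoids dereferencing null below.
  // DefaultImpersonationProvider.authorize handles this case the same way.
  if (superUser == null) {
    return;
  }

  final String sudoGroupName = "sudo_" + user.getShortUserName();
  final boolean inSudoGroup =
      Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName);
  if (!inSudoGroup) {
    throw new AuthorizationException("User: " + superUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }
}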
 
Example 16
Project: ditb   File: MasterProcedureUtil.java   View Source Code Vote up 5 votes
/**
 * Converts a UGI to its protobuf form: the effective user name always, and
 * the real user name when the UGI has a real user.
 *
 * @param ugi the user to convert; must not be null
 * @return the protobuf user information
 */
public static UserInformation toProtoUserInfo(UserGroupInformation ugi) {
  final UserInformation.Builder builder = UserInformation.newBuilder();
  builder.setEffectiveUser(ugi.getUserName());

  final UserGroupInformation proxying = ugi.getRealUser();
  if (proxying != null) {
    builder.setRealUser(proxying.getUserName());
  }
  return builder.build();
}
 
Example 17
Project: ditb   File: RpcClientImpl.java   View Source Code Vote up 5 votes
/**
 * Tells whether authentication should go over Kerberos.
 *
 * @return true when the connection uses Kerberos, the login user has Kerberos
 *     credentials, and the login user equals the current user or its real user
 * @throws IOException propagated from the login/current user lookups
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  final UserGroupInformation login = UserGroupInformation.getLoginUser();
  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final UserGroupInformation real = current.getRealUser();

  // Make sure user logged in using Kerberos either keytab or TGT
  if (authMethod == AuthMethod.KERBEROS
      && login != null
      && login.hasKerberosCredentials()) {
    // relogin only in case it is the login user (e.g. JT)
    // or superuser (like oozie).
    return login.equals(current) || login.equals(real);
  }
  return false;
}
 
Example 18
Project: ditb   File: AsyncRpcChannel.java   View Source Code Vote up 5 votes
/**
 * Check if user should authenticate over Kerberos.
 *
 * @return true if the connection uses Kerberos, the login user has Kerberos
 *     credentials, and the login user is the current user or its real user
 * @throws java.io.IOException on failure of check
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
  final UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
  final UserGroupInformation realUgi = currentUgi.getRealUser();

  boolean overKerberos = false;
  if (authMethod == AuthMethod.KERBEROS && loginUgi != null) {
    // Make sure user logged in using Kerberos either keytab or TGT
    if (loginUgi.hasKerberosCredentials()) {
      // relogin only in case it is the login user (e.g. JT)
      // or superuser (like oozie).
      overKerberos = loginUgi.equals(currentUgi) || loginUgi.equals(realUgi);
    }
  }
  return overKerberos;
}