Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getRealUser()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#getRealUser() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: DefaultImpersonationProvider.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Checks whether the real (proxying) user behind {@code user} may impersonate
 * it from {@code remoteAddress}.
 *
 * A UGI with no real user is not a proxy request, so there is nothing to
 * authorize and the call returns. Otherwise the real user must be listed in
 * the proxy-user ACL for this config prefix and {@code remoteAddress} must be
 * covered by the real user's allowed host list; either check failing is
 * reported as an {@link AuthorizationException}.
 *
 * @param user the effective (impersonated) user, possibly carrying a real user
 * @param remoteAddress address the connection came from
 * @throws AuthorizationException if the real user is not permitted to proxy
 *         {@code user}, or not from {@code remoteAddress}
 */
@Override
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException {
  UserGroupInformation proxyingUser = user.getRealUser();
  // Not an impersonation request: nothing to check.
  if (proxyingUser == null) {
    return;
  }

  String proxyingShortName = proxyingUser.getShortUserName();
  AccessControlList userAcl = proxyUserAcl.get(configPrefix + proxyingShortName);
  boolean userAllowed = userAcl != null && userAcl.isUserAllowed(user);
  if (!userAllowed) {
    throw new AuthorizationException("User: " + proxyingUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  // Allowed hosts are keyed by the real user's short name as well.
  MachineList allowedHosts = proxyHosts.get(getProxySuperuserIpConfKey(proxyingShortName));
  boolean hostAllowed = allowedHosts != null && allowedHosts.includes(remoteAddress);
  if (!hostAllowed) {
    throw new AuthorizationException("Unauthorized connection for super-user: "
        + proxyingUser.getUserName() + " from IP " + remoteAddress);
  }
}
 
Example 2
Source File: ProxyUtils.java    From incubator-gobblin with Apache License 2.0 6 votes vote down vote up
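/**
 * Logs in as the configured super user from its keytab and cancels every Hive
 * delegation token held by that login's real user.
 *
 * Requires {@code SUPER_USER_KEY_TAB_LOCATION}, {@code GOBBLIN_COMPLIANCE_SUPER_USER}
 * and {@code KERBEROS_REALM} to be present in {@code state}.
 *
 * @param state job state carrying the super-user principal, keytab path and realm
 * @throws IOException if the keytab login or the current-user lookup fails
 * @throws InterruptedException propagated from the Hadoop security calls
 * @throws TException if the metastore client cannot be created or refuses to cancel a token
 * @throws IllegalArgumentException if a required property is missing
 * @throws IllegalStateException if the logged-in user has no real user to read credentials from
 */
public static void cancelTokens(State state)
    throws IOException, InterruptedException, TException {
  Preconditions.checkArgument(state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION),
      "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION);
  Preconditions.checkArgument(state.contains(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER),
      "Missing required property " + ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER);
  Preconditions.checkArgument(state.contains(ConfigurationKeys.KERBEROS_REALM),
      "Missing required property " + ConfigurationKeys.KERBEROS_REALM);

  String superUser = state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER);
  String keytabLocation = state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION);
  String realm = state.getProp(ConfigurationKeys.KERBEROS_REALM);

  UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation);
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  // getRealUser() is null when the current user is not a proxy user; fail with
  // a clear message instead of a NullPointerException on the next line.
  Preconditions.checkState(realUser != null,
      "Current user %s has no real user; cannot read its credentials", currentUser.getUserName());
  Credentials credentials = realUser.getCredentials();

  // One metastore client for all tokens, created only if a Hive token exists,
  // and always closed so the metastore connection is not leaked.
  HiveMetaStoreClient hiveClient = null;
  try {
    for (Token<?> token : credentials.getAllTokens()) {
      if (token.getKind().equals(DelegationTokenIdentifier.HIVE_DELEGATION_KIND)) {
        log.info("Cancelling hive token");
        if (hiveClient == null) {
          hiveClient = new HiveMetaStoreClient(new HiveConf());
        }
        hiveClient.cancelDelegationToken(token.encodeToUrlString());
      }
    }
  } finally {
    if (hiveClient != null) {
      hiveClient.close();
    }
  }
}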
 
Example 3
Source File: DelegationTokenKerberosFilter.java    From lucene-solr with Apache License 2.0 6 votes vote down vote up
/**
 * Runs the parent auth filter with a wrapped chain that, for
 * PROXY-authenticated requests, records the real (impersonating) user's short
 * name on the request under {@code KerberosPlugin.IMPERSONATOR_USER_NAME} so
 * downstream code such as a logger can read it.
 *
 * @param request incoming request
 * @param response outgoing response
 * @param filterChain the chain to continue with after authentication
 * @throws IOException propagated from the chain or the parent filter
 * @throws ServletException propagated from the chain or the parent filter
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain filterChain) throws IOException, ServletException {
  // include Impersonator User Name in case someone (e.g. logger) wants it
  FilterChain impersonatorAwareChain = (servletRequest, servletResponse) -> {
    // Put the locale back once the parent filter has run.
    Locale.setDefault(defaultLocale);
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

    UserGroupInformation ugi = HttpUserGroupInformation.get();
    boolean proxied = ugi != null
        && ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY;
    if (proxied) {
      UserGroupInformation impersonator = ugi.getRealUser();
      if (impersonator != null) {
        httpRequest.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME, impersonator.getShortUserName());
      }
    }
    filterChain.doFilter(servletRequest, servletResponse);
  };

  // A hack until HADOOP-15681 get committed
  Locale.setDefault(Locale.US);
  super.doFilter(request, response, impersonatorAwareChain);
}
 
Example 4
Source File: WebHdfsFileSystem.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the authentication query parameters for {@code op}.
 *
 * Operations that require authentication ({@code op.getRequireAuth()}) never
 * carry a delegation token. Otherwise a present delegation token is sent on
 * its own; with no token the request names the authenticating user in a
 * {@code UserParam} and, when {@code ugi} is a proxy user, adds a
 * {@code DoAsParam} for the effective user while the real user becomes the
 * {@code UserParam}.
 *
 * @param op the WebHDFS operation being issued
 * @return the parameters to append, possibly empty
 * @throws IOException if the delegation token cannot be obtained
 */
Param<?,?>[] getAuthParameters(final HttpOpParam.Op op) throws IOException {
  List<Param<?,?>> params = Lists.newArrayList();
  // Skip adding delegation token for token operations because these
  // operations require authentication.
  Token<?> delegationToken = op.getRequireAuth() ? null : getDelegationToken();
  if (delegationToken != null) {
    params.add(new DelegationParam(delegationToken.encodeToUrlString()));
    return params.toArray(new Param<?,?>[0]);
  }

  UserGroupInformation realUgi = ugi.getRealUser();
  // proxy user: the real user authenticates, the effective user is doAs
  UserGroupInformation authenticatingUgi = realUgi != null ? realUgi : ugi;
  if (realUgi != null) {
    params.add(new DoAsParam(ugi.getShortUserName()));
  }
  params.add(new UserParam(authenticatingUgi.getShortUserName()));
  return params.toArray(new Param<?,?>[0]);
}
 
Example 5
Source File: HttpFSFileSystem.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Called after a new FileSystem instance is constructed.
 *
 * Resolves the user holding the Kerberos credentials needed for SPNEGO (the
 * real user behind a proxy user, else the login user), derives the base URI
 * from the scheme and authority of {@code name}, and builds the
 * delegation-token authenticated URL from the configured
 * {@code httpfs.authenticator.class}.
 *
 * @param name a uri whose authority section names the host, port, etc. for this FileSystem
 * @param conf the configuration
 * @throws IOException if the current user cannot be determined, the parent
 *         initialization fails, or {@code name} does not yield a valid URI
 */
@Override
public void initialize(URI name, Configuration conf) throws IOException {
  // the real user is the one that has the Kerberos credentials needed for
  // SPNEGO to work
  UserGroupInformation proxyingUser = UserGroupInformation.getCurrentUser().getRealUser();
  realUser = (proxyingUser != null) ? proxyingUser : UserGroupInformation.getLoginUser();
  super.initialize(name, conf);
  String baseUri = name.getScheme() + "://" + name.getAuthority();
  try {
    uri = new URI(baseUri);
  } catch (URISyntaxException ex) {
    throw new IOException(ex);
  }

  Configuration fsConf = getConf();
  Class<? extends DelegationTokenAuthenticator> authenticatorClass =
      fsConf.getClass("httpfs.authenticator.class",
          KerberosDelegationTokenAuthenticator.class,
          DelegationTokenAuthenticator.class);
  authURL = new DelegationTokenAuthenticatedURL(
      ReflectionUtils.newInstance(authenticatorClass, fsConf));
}
 
Example 6
Source File: DefaultImpersonationProvider.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Checks whether the real (proxying) user behind {@code user} may impersonate
 * it from {@code remoteAddress}.
 *
 * A UGI with no real user is not a proxy request, so there is nothing to
 * authorize and the call returns. Otherwise the real user must be listed in
 * the proxy-user ACL for this config prefix and {@code remoteAddress} must be
 * covered by the real user's allowed host list; either check failing is
 * reported as an {@link AuthorizationException}.
 *
 * @param user the effective (impersonated) user, possibly carrying a real user
 * @param remoteAddress address the connection came from
 * @throws AuthorizationException if the real user is not permitted to proxy
 *         {@code user}, or not from {@code remoteAddress}
 */
@Override
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException {
  UserGroupInformation proxyingUser = user.getRealUser();
  // Not an impersonation request: nothing to check.
  if (proxyingUser == null) {
    return;
  }

  String proxyingShortName = proxyingUser.getShortUserName();
  AccessControlList userAcl = proxyUserAcl.get(configPrefix + proxyingShortName);
  boolean userAllowed = userAcl != null && userAcl.isUserAllowed(user);
  if (!userAllowed) {
    throw new AuthorizationException("User: " + proxyingUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  // Allowed hosts are keyed by the real user's short name as well.
  MachineList allowedHosts = proxyHosts.get(getProxySuperuserIpConfKey(proxyingShortName));
  boolean hostAllowed = allowedHosts != null && allowedHosts.includes(remoteAddress);
  if (!hostAllowed) {
    throw new AuthorizationException("Unauthorized connection for super-user: "
        + proxyingUser.getUserName() + " from IP " + remoteAddress);
  }
}
 
Example 7
Source File: HadoopAuthFilter.java    From lucene-solr with Apache License 2.0 6 votes vote down vote up
/**
 * Runs the parent auth filter with a wrapped chain that, for
 * PROXY-authenticated requests, records the real (impersonating) user's short
 * name on the request under {@code KerberosPlugin.IMPERSONATOR_USER_NAME} so
 * downstream code such as a logger can read it.
 *
 * @param request incoming request
 * @param response outgoing response
 * @param filterChain the chain to continue with after authentication
 * @throws IOException propagated from the chain or the parent filter
 * @throws ServletException propagated from the chain or the parent filter
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain filterChain) throws IOException, ServletException {
  // include Impersonator User Name in case someone (e.g. logger) wants it
  FilterChain impersonatorAwareChain = (servletRequest, servletResponse) -> {
    // Put the locale back once the parent filter has run.
    Locale.setDefault(defaultLocale);
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

    UserGroupInformation ugi = HttpUserGroupInformation.get();
    boolean proxied = ugi != null
        && ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY;
    if (proxied) {
      UserGroupInformation impersonator = ugi.getRealUser();
      if (impersonator != null) {
        httpRequest.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME, impersonator.getShortUserName());
      }
    }
    filterChain.doFilter(servletRequest, servletResponse);
  };

  // A hack until HADOOP-15681 get committed
  Locale.setDefault(Locale.US);
  super.doFilter(request, response, impersonatorAwareChain);
}
 
Example 8
Source File: ProtoUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the IPC connection context using exactly the same logic as the old
 * writable-based connection context: which of the effective and real user
 * names are sent depends on the auth method.
 *
 * KERBEROS: the real user was established by the connection, so only the
 * effective user is sent. TOKEN: the connection establishes both, so no user
 * info is sent. Anything else (simple auth): the effective user is sent and
 * the real user too when present.
 *
 * @param protocol protocol name, omitted from the context when null
 * @param ugi user to describe; when null the user info is left empty
 * @param authMethod how the connection was authenticated
 * @return the built connection context
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder context = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    context.setProtocol(protocol);
  }
  UserInformationProto.Builder userInfo = UserInformationProto.newBuilder();
  /*
   * In the connection context we send only additional user info that
   * is not derived from the authentication done during connection setup.
   */
  if (ugi != null && authMethod != AuthMethod.TOKEN) {
    // Effective user is sent for both Kerberos and simple auth.
    userInfo.setEffectiveUser(ugi.getUserName());
    if (authMethod != AuthMethod.KERBEROS) {
      // Simple authentication: nothing is established by the connection,
      // so the real user goes into the header too.
      UserGroupInformation realUser = ugi.getRealUser();
      if (realUser != null) {
        userInfo.setRealUser(realUser.getUserName());
      }
    }
  }
  context.setUserInfo(userInfo);
  return context.build();
}
 
Example 9
Source File: Client.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Decides whether this client should authenticate over Kerberos.
 *
 * True only when the connection's auth method is KERBEROS, a login user
 * exists and holds Kerberos credentials (keytab or TGT), and that login user
 * is either the current user (e.g. the JT) or the real user behind the
 * current proxy user (e.g. oozie).
 *
 * @return whether Kerberos authentication applies to this client
 * @throws IOException if the login or current user cannot be determined
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod != AuthMethod.KERBEROS || loginUser == null) {
    return false;
  }
  // Make sure user logged in using Kerberos either keytab or TGT
  if (!loginUser.hasKerberosCredentials()) {
    return false;
  }
  // relogin only in case it is the login user (e.g. JT)
  // or superuser (like oozie).
  return loginUser.equals(currentUser) || loginUser.equals(realUser);
}
 
Example 10
Source File: ProtoUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the IPC connection context using exactly the same logic as the old
 * writable-based connection context: which of the effective and real user
 * names are sent depends on the auth method.
 *
 * KERBEROS: the real user was established by the connection, so only the
 * effective user is sent. TOKEN: the connection establishes both, so no user
 * info is sent. Anything else (simple auth): the effective user is sent and
 * the real user too when present.
 *
 * @param protocol protocol name, omitted from the context when null
 * @param ugi user to describe; when null the user info is left empty
 * @param authMethod how the connection was authenticated
 * @return the built connection context
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder context = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    context.setProtocol(protocol);
  }
  UserInformationProto.Builder userInfo = UserInformationProto.newBuilder();
  /*
   * In the connection context we send only additional user info that
   * is not derived from the authentication done during connection setup.
   */
  if (ugi != null && authMethod != AuthMethod.TOKEN) {
    // Effective user is sent for both Kerberos and simple auth.
    userInfo.setEffectiveUser(ugi.getUserName());
    if (authMethod != AuthMethod.KERBEROS) {
      // Simple authentication: nothing is established by the connection,
      // so the real user goes into the header too.
      UserGroupInformation realUser = ugi.getRealUser();
      if (realUser != null) {
        userInfo.setRealUser(realUser.getUserName());
      }
    }
  }
  context.setUserInfo(userInfo);
  return context.build();
}
 
Example 11
Source File: RegistrySecurity.java    From big-c with Apache License 2.0 5 votes vote down vote up
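/**
 * Log details about the current Hadoop user at INFO.
 * Robust against IOEs when trying to get the current user: the failure is
 * logged at WARN, with its stack trace, instead of being propagated.
 */
public void logCurrentHadoopUser() {
  try {
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    LOG.info("Current user = {}", currentUser);
    // null when the current user is not a proxy user; logged as-is.
    UserGroupInformation realUser = currentUser.getRealUser();
    LOG.info("Real User = {}", realUser);
  } catch (IOException e) {
    // A trailing Throwable argument makes the logger print the stack trace.
    // The previous "{}, {}" pattern had no matching arguments, so the
    // placeholders were emitted literally and the exception detail was lost.
    LOG.warn("Failed to get current user", e);
  }
}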
 
Example 12
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 5 votes vote down vote up
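/**
 * Authorize a user (superuser) to impersonate another user (user1) if the
 * superuser belongs to the group "sudo_user1".
 *
 * A {@code user} with no real user is not being impersonated, so there is
 * nothing to authorize and the call returns, matching what the default
 * impersonation provider does for non-proxy users.
 *
 * @param user the effective user, whose real user is the would-be superuser
 * @param remoteAddress not consulted by this provider
 * @throws AuthorizationException if the superuser is not in the
 *         "sudo_" + short-user-name group of {@code user}
 */
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException{
  UserGroupInformation superUser = user.getRealUser();
  // No real user means no impersonation; without this guard the group
  // lookup below dereferences null.
  if (superUser == null) {
    return;
  }

  String sudoGroupName = "sudo_" + user.getShortUserName();
  if (!Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName)){
    throw new AuthorizationException("User: " + superUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }
}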
 
Example 13
Source File: Client.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Decides whether this client should authenticate over Kerberos.
 *
 * True only when the connection's auth method is KERBEROS, a login user
 * exists and holds Kerberos credentials (keytab or TGT), and that login user
 * is either the current user (e.g. the JT) or the real user behind the
 * current proxy user (e.g. oozie).
 *
 * @return whether Kerberos authentication applies to this client
 * @throws IOException if the login or current user cannot be determined
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod != AuthMethod.KERBEROS || loginUser == null) {
    return false;
  }
  // Make sure user logged in using Kerberos either keytab or TGT
  if (!loginUser.hasKerberosCredentials()) {
    return false;
  }
  // relogin only in case it is the login user (e.g. JT)
  // or superuser (like oozie).
  return loginUser.equals(currentUser) || loginUser.equals(realUser);
}
 
Example 14
Source File: TestJspHelper.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Asserts the auth methods of a UGI built from a delegation token: a proxy
 * UGI is PROXY-authenticated with a TOKEN-authenticated real user, a plain
 * one is TOKEN-authenticated itself.
 *
 * @param ugi the UGI under test
 */
private void checkUgiFromToken(UserGroupInformation ugi) {
  UserGroupInformation realUser = ugi.getRealUser();
  if (realUser == null) {
    Assert.assertEquals(AuthenticationMethod.TOKEN,
                        ugi.getAuthenticationMethod());
    return;
  }
  Assert.assertEquals(AuthenticationMethod.PROXY,
                      ugi.getAuthenticationMethod());
  Assert.assertEquals(AuthenticationMethod.TOKEN,
                      realUser.getAuthenticationMethod());
}
 
Example 15
Source File: TestJspHelper.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Asserts the auth methods of a UGI built from the SSL/Kerberos auth path: a
 * proxy UGI is PROXY-authenticated with a KERBEROS_SSL-authenticated real
 * user, a plain one is KERBEROS_SSL-authenticated itself.
 *
 * @param ugi the UGI under test
 */
private void checkUgiFromAuth(UserGroupInformation ugi) {
  UserGroupInformation realUser = ugi.getRealUser();
  if (realUser == null) {
    Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
                        ugi.getAuthenticationMethod());
    return;
  }
  Assert.assertEquals(AuthenticationMethod.PROXY,
                      ugi.getAuthenticationMethod());
  Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
                      realUser.getAuthenticationMethod());
}
 
Example 16
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
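/**
 * Authorize a user (superuser) to impersonate another user (user1) if the
 * superuser belongs to the group "sudo_user1".
 *
 * A {@code user} with no real user is not being impersonated, so there is
 * nothing to authorize and the call returns, matching what the default
 * impersonation provider does for non-proxy users.
 *
 * @param user the effective user, whose real user is the would-be superuser
 * @param remoteAddress not consulted by this provider
 * @throws AuthorizationException if the superuser is not in the
 *         "sudo_" + short-user-name group of {@code user}
 */
public void authorize(UserGroupInformation user,
    String remoteAddress) throws AuthorizationException{
  UserGroupInformation superUser = user.getRealUser();
  // No real user means no impersonation; without this guard the group
  // lookup below dereferences null.
  if (superUser == null) {
    return;
  }

  String sudoGroupName = "sudo_" + user.getShortUserName();
  if (!Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName)){
    throw new AuthorizationException("User: " + superUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }
}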
 
Example 17
Source File: SimpleSaslClientAuthenticationProvider.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the user info sent for simple SASL auth: the effective user name
 * and, when {@code user}'s UGI is a proxy user, the real user's name too.
 *
 * @param user the HBase user whose UGI is described
 * @return the populated user info message
 */
@Override
public UserInformation getUserInfo(User user) {
  final UserGroupInformation ugi = user.getUGI();
  final UserGroupInformation realUser = ugi.getRealUser();
  // Send both effective user and real user for simple auth
  UserInformation.Builder userInfo = UserInformation.newBuilder()
      .setEffectiveUser(ugi.getUserName());
  if (realUser != null) {
    userInfo.setRealUser(realUser.getUserName());
  }
  return userInfo.build();
}
 
Example 18
Source File: HBaseAtlasHook.java    From atlas with Apache License 2.0 5 votes vote down vote up
/**
 * Sends the context's messages to Atlas. When the context's UGI is a proxy
 * user the notification is attributed to its real user (presumably so the
 * impersonator is recorded); otherwise the UGI is passed through as-is,
 * including null.
 *
 * @param hbaseOperationContext the operation whose messages are notified
 */
private void sendNotification(HBaseOperationContext hbaseOperationContext) {
    UserGroupInformation notifyingUgi = hbaseOperationContext.getUgi();

    if (notifyingUgi != null) {
        UserGroupInformation realUser = notifyingUgi.getRealUser();
        if (realUser != null) {
            notifyingUgi = realUser;
        }
    }

    notifyEntities(hbaseOperationContext.getMessages(), notifyingUgi);
}
 
Example 19
Source File: Configuration.java    From flink with Apache License 2.0 5 votes vote down vote up
/**
 * Default for the restrict-parser flag: never for {@code String} resources,
 * otherwise only when the current Hadoop user is a proxy user (has a real
 * user).
 *
 * @param resource the configuration resource being loaded
 * @return whether parsing should be restricted by default
 * @throws RuntimeException wrapping the IOException if the current user cannot be determined
 */
private static boolean getRestrictParserDefault(Object resource) {
	// String resources are never restricted; no user lookup needed.
	if (resource instanceof String) {
		return false;
	}
	final UserGroupInformation currentUser;
	try {
		currentUser = UserGroupInformation.getCurrentUser();
	} catch (IOException e) {
		throw new RuntimeException("Unable to determine current user", e);
	}
	// Proxy users (those with a real user) get the restricted parser.
	return currentUser.getRealUser() != null;
}
 
Example 20
Source File: TimelineClientImpl.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Initializes the timeline client: resolves which UGI authenticates (the real
 * user when running as a proxy user, with the effective user sent as doAs),
 * picks a Kerberos or pseudo delegation-token authenticator depending on
 * whether security is enabled, builds the Jersey client with its retry
 * filter, and derives the timeline REST URI from the configured http(s)
 * web-app address.
 *
 * @param conf the service configuration
 * @throws Exception propagated from the parent's serviceInit or the setup steps
 */
protected void serviceInit(Configuration conf) throws Exception {
  UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
  UserGroupInformation proxyingUgi = currentUgi.getRealUser();
  // A proxy user authenticates as its real user and names itself via doAs.
  boolean isProxyUser = proxyingUgi != null;
  authUgi = isProxyUser ? proxyingUgi : currentUgi;
  doAsUser = isProxyUser ? currentUgi.getShortUserName() : null;

  ClientConfig clientConfig = new DefaultClientConfig();
  clientConfig.getClasses().add(YarnJacksonJaxbJsonProvider.class);
  connConfigurator = newConnConfigurator(conf);
  if (UserGroupInformation.isSecurityEnabled()) {
    authenticator = new KerberosDelegationTokenAuthenticator();
  } else {
    authenticator = new PseudoDelegationTokenAuthenticator();
  }
  authenticator.setConnectionConfigurator(connConfigurator);
  token = new DelegationTokenAuthenticatedURL.Token();

  connectionRetry = new TimelineClientConnectionRetry(conf);
  client = new Client(new URLConnectionClientHandler(
      new TimelineURLConnectionFactory()), clientConfig);
  client.addFilter(new TimelineJerseyRetryFilter());

  // Scheme and address key follow the https setting together.
  final String scheme;
  final String webappAddress;
  if (YarnConfiguration.useHttps(conf)) {
    scheme = "https://";
    webappAddress = conf.get(
        YarnConfiguration.TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS,
        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS);
  } else {
    scheme = "http://";
    webappAddress = conf.get(
        YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS);
  }
  resURI = URI.create(JOINER.join(scheme, webappAddress, RESOURCE_URI_STR));
  LOG.info("Timeline service address: " + resURI);
  super.serviceInit(conf);
}