Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getRealUser()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#getRealUser() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: lucene-solr   File: HadoopAuthFilter.java    License: Apache License 2.0 6 votes vote down vote up
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain filterChain) throws IOException, ServletException {
  // include Impersonator User Name in case someone (e.g. logger) wants it
  FilterChain filterChainWrapper = new FilterChain() {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse)
        throws IOException, ServletException {
      Locale.setDefault(defaultLocale);
      HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

      UserGroupInformation ugi = HttpUserGroupInformation.get();
      if (ugi != null && ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY) {
        UserGroupInformation realUserUgi = ugi.getRealUser();
        if (realUserUgi != null) {
          httpRequest.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME, realUserUgi.getShortUserName());
        }
      }
      filterChain.doFilter(servletRequest, servletResponse);
    }
  };

  // A hack until HADOOP-15681 get committed
  Locale.setDefault(Locale.US);
  super.doFilter(request, response, filterChainWrapper);
}
 
Example 2
Source Project: incubator-gobblin   File: ProxyUtils.java    License: Apache License 2.0 6 votes vote down vote up
public static void cancelTokens(State state)
    throws IOException, InterruptedException, TException {
  Preconditions.checkArgument(state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION),
      "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION);
  Preconditions.checkArgument(state.contains(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER),
      "Missing required property " + ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER);
  Preconditions.checkArgument(state.contains(ConfigurationKeys.KERBEROS_REALM),
      "Missing required property " + ConfigurationKeys.KERBEROS_REALM);

  String superUser = state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER);
  String keytabLocation = state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION);
  String realm = state.getProp(ConfigurationKeys.KERBEROS_REALM);

  UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation);
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  Credentials credentials = realUser.getCredentials();
  for (Token<?> token : credentials.getAllTokens()) {
    if (token.getKind().equals(DelegationTokenIdentifier.HIVE_DELEGATION_KIND)) {
      log.info("Cancelling hive token");
      HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(new HiveConf());
      hiveClient.cancelDelegationToken(token.encodeToUrlString());
    }
  }
}
 
Example 3
@Override
public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain filterChain) throws IOException, ServletException {
  // include Impersonator User Name in case someone (e.g. logger) wants it
  FilterChain filterChainWrapper = new FilterChain() {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse)
        throws IOException, ServletException {
      Locale.setDefault(defaultLocale);
      HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

      UserGroupInformation ugi = HttpUserGroupInformation.get();
      if (ugi != null && ugi.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY) {
        UserGroupInformation realUserUgi = ugi.getRealUser();
        if (realUserUgi != null) {
          httpRequest.setAttribute(KerberosPlugin.IMPERSONATOR_USER_NAME, realUserUgi.getShortUserName());
        }
      }
      filterChain.doFilter(servletRequest, servletResponse);
    }
  };

  // A hack until HADOOP-15681 get committed
  Locale.setDefault(Locale.US);
  super.doFilter(request, response, filterChainWrapper);
}
 
Example 4
@Override
public void authorize(UserGroupInformation user, 
    String remoteAddress) throws AuthorizationException {
  
  UserGroupInformation realUser = user.getRealUser();
  if (realUser == null) {
    return;
  }
  
  AccessControlList acl = proxyUserAcl.get(configPrefix +
      realUser.getShortUserName());
  if (acl == null || !acl.isUserAllowed(user)) {
    throw new AuthorizationException("User: " + realUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  MachineList MachineList = proxyHosts.get(
      getProxySuperuserIpConfKey(realUser.getShortUserName()));

  if(MachineList == null || !MachineList.includes(remoteAddress)) {
    throw new AuthorizationException("Unauthorized connection for super-user: "
        + realUser.getUserName() + " from IP " + remoteAddress);
  }
}
 
Example 5
Source Project: big-c   File: HttpFSFileSystem.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Called after a new FileSystem instance is constructed.
 *
 * @param name a uri whose authority section names the host, port, etc. for this FileSystem
 * @param conf the configuration
 */
@Override
public void initialize(URI name, Configuration conf) throws IOException {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();

  //the real use is the one that has the Kerberos credentials needed for
  //SPNEGO to work
  realUser = ugi.getRealUser();
  if (realUser == null) {
    realUser = UserGroupInformation.getLoginUser();
  }
  super.initialize(name, conf);
  try {
    uri = new URI(name.getScheme() + "://" + name.getAuthority());
  } catch (URISyntaxException ex) {
    throw new IOException(ex);
  }

  Class<? extends DelegationTokenAuthenticator> klass =
      getConf().getClass("httpfs.authenticator.class",
          KerberosDelegationTokenAuthenticator.class,
          DelegationTokenAuthenticator.class);
  DelegationTokenAuthenticator authenticator =
      ReflectionUtils.newInstance(klass, getConf());
  authURL = new DelegationTokenAuthenticatedURL(authenticator);
}
 
Example 6
Source Project: big-c   File: WebHdfsFileSystem.java    License: Apache License 2.0 6 votes vote down vote up
Param<?,?>[] getAuthParameters(final HttpOpParam.Op op) throws IOException {
  List<Param<?,?>> authParams = Lists.newArrayList();    
  // Skip adding delegation token for token operations because these
  // operations require authentication.
  Token<?> token = null;
  if (!op.getRequireAuth()) {
    token = getDelegationToken();
  }
  if (token != null) {
    authParams.add(new DelegationParam(token.encodeToUrlString()));
  } else {
    UserGroupInformation userUgi = ugi;
    UserGroupInformation realUgi = userUgi.getRealUser();
    if (realUgi != null) { // proxy user
      authParams.add(new DoAsParam(userUgi.getShortUserName()));
      userUgi = realUgi;
    }
    authParams.add(new UserParam(userUgi.getShortUserName()));
  }
  return authParams.toArray(new Param<?,?>[0]);
}
 
Example 7
@Override
public void authorize(UserGroupInformation user, 
    String remoteAddress) throws AuthorizationException {
  
  UserGroupInformation realUser = user.getRealUser();
  if (realUser == null) {
    return;
  }
  
  AccessControlList acl = proxyUserAcl.get(configPrefix +
      realUser.getShortUserName());
  if (acl == null || !acl.isUserAllowed(user)) {
    throw new AuthorizationException("User: " + realUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }

  MachineList MachineList = proxyHosts.get(
      getProxySuperuserIpConfKey(realUser.getShortUserName()));

  if(MachineList == null || !MachineList.includes(remoteAddress)) {
    throw new AuthorizationException("Unauthorized connection for super-user: "
        + realUser.getUserName() + " from IP " + remoteAddress);
  }
}
 
Example 8
Source Project: flink   File: Configuration.java    License: Apache License 2.0 5 votes vote down vote up
private static boolean getRestrictParserDefault(Object resource) {
	if (resource instanceof String) {
		return false;
	}
	UserGroupInformation user;
	try {
		user = UserGroupInformation.getCurrentUser();
	} catch (IOException e) {
		throw new RuntimeException("Unable to determine current user", e);
	}
	return user.getRealUser() != null;
}
 
Example 9
Source Project: atlas   File: HBaseAtlasHook.java    License: Apache License 2.0 5 votes vote down vote up
private void sendNotification(HBaseOperationContext hbaseOperationContext) {
    UserGroupInformation ugi = hbaseOperationContext.getUgi();

    if (ugi != null && ugi.getRealUser() != null) {
        ugi = ugi.getRealUser();
    }

    notifyEntities(hbaseOperationContext.getMessages(), ugi);
}
 
Example 10
@Override
public UserInformation getUserInfo(User user) {
  final UserGroupInformation ugi = user.getUGI();
  UserInformation.Builder userInfoPB = UserInformation.newBuilder();
  // Send both effective user and real user for simple auth
  userInfoPB.setEffectiveUser(ugi.getUserName());
  if (ugi.getRealUser() != null) {
    userInfoPB.setRealUser(ugi.getRealUser().getUserName());
  }
  return userInfoPB.build();
}
 
Example 11
Source Project: big-c   File: TestProxyUsers.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Authorize a user (superuser) to impersonate another user (user1) if the 
 * superuser belongs to the group "sudo_user1" .
 */

public void authorize(UserGroupInformation user, 
    String remoteAddress) throws AuthorizationException{
  UserGroupInformation superUser = user.getRealUser();

  String sudoGroupName = "sudo_" + user.getShortUserName();
  if (!Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName)){
    throw new AuthorizationException("User: " + superUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }
}
 
Example 12
Source Project: hadoop   File: TestJspHelper.java    License: Apache License 2.0 5 votes vote down vote up
private void checkUgiFromAuth(UserGroupInformation ugi) {
  if (ugi.getRealUser() != null) {
    Assert.assertEquals(AuthenticationMethod.PROXY,
                        ugi.getAuthenticationMethod());
    Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
                        ugi.getRealUser().getAuthenticationMethod());
  } else {
    Assert.assertEquals(AuthenticationMethod.KERBEROS_SSL,
                        ugi.getAuthenticationMethod()); 
  }
}
 
Example 13
Source Project: hadoop   File: TestJspHelper.java    License: Apache License 2.0 5 votes vote down vote up
private void checkUgiFromToken(UserGroupInformation ugi) {
  if (ugi.getRealUser() != null) {
    Assert.assertEquals(AuthenticationMethod.PROXY,
                        ugi.getAuthenticationMethod());
    Assert.assertEquals(AuthenticationMethod.TOKEN,
                        ugi.getRealUser().getAuthenticationMethod());
  } else {
    Assert.assertEquals(AuthenticationMethod.TOKEN,
                        ugi.getAuthenticationMethod());
  }
}
 
Example 14
Source Project: hadoop   File: ProtoUtil.java    License: Apache License 2.0 5 votes vote down vote up
/** 
 * This method creates the connection context  using exactly the same logic
 * as the old connection context as was done for writable where
 * the effective and real users are set based on the auth method.
 *
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder result = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    result.setProtocol(protocol);
  }
  UserInformationProto.Builder ugiProto =  UserInformationProto.newBuilder();
  if (ugi != null) {
    /*
     * In the connection context we send only additional user info that
     * is not derived from the authentication done during connection setup.
     */
    if (authMethod == AuthMethod.KERBEROS) {
      // Real user was established as part of the connection.
      // Send effective user only.
      ugiProto.setEffectiveUser(ugi.getUserName());
    } else if (authMethod == AuthMethod.TOKEN) {
      // With token, the connection itself establishes 
      // both real and effective user. Hence send none in header.
    } else {  // Simple authentication
      // No user info is established as part of the connection.
      // Send both effective user and real user
      ugiProto.setEffectiveUser(ugi.getUserName());
      if (ugi.getRealUser() != null) {
        ugiProto.setRealUser(ugi.getRealUser().getUserName());
      }
    }
  }   
  result.setUserInfo(ugiProto);
  return result.build();
}
 
Example 15
Source Project: hadoop   File: Client.java    License: Apache License 2.0 5 votes vote down vote up
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod == AuthMethod.KERBEROS && loginUser != null &&
  // Make sure user logged in using Kerberos either keytab or TGT
      loginUser.hasKerberosCredentials() &&
      // relogin only in case it is the login user (e.g. JT)
      // or superuser (like oozie).
      (loginUser.equals(currentUser) || loginUser.equals(realUser))) {
    return true;
  }
  return false;
}
 
Example 16
Source Project: hadoop   File: TestProxyUsers.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Authorize a user (superuser) to impersonate another user (user1) if the 
 * superuser belongs to the group "sudo_user1" .
 */

public void authorize(UserGroupInformation user, 
    String remoteAddress) throws AuthorizationException{
  UserGroupInformation superUser = user.getRealUser();

  String sudoGroupName = "sudo_" + user.getShortUserName();
  if (!Arrays.asList(superUser.getGroupNames()).contains(sudoGroupName)){
    throw new AuthorizationException("User: " + superUser.getUserName()
        + " is not allowed to impersonate " + user.getUserName());
  }
}
 
Example 17
Source Project: big-c   File: RegistrySecurity.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Log details about the current Hadoop user at INFO.
 * Robust against IOEs when trying to get the current user
 */
public void logCurrentHadoopUser() {
  try {
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    LOG.info("Current user = {}",currentUser);
    UserGroupInformation realUser = currentUser.getRealUser();
    LOG.info("Real User = {}" , realUser);
  } catch (IOException e) {
    LOG.warn("Failed to get current user {}, {}", e);
  }
}
 
Example 18
Source Project: big-c   File: ProtoUtil.java    License: Apache License 2.0 5 votes vote down vote up
/** 
 * This method creates the connection context  using exactly the same logic
 * as the old connection context as was done for writable where
 * the effective and real users are set based on the auth method.
 *
 */
public static IpcConnectionContextProto makeIpcConnectionContext(
    final String protocol,
    final UserGroupInformation ugi, final AuthMethod authMethod) {
  IpcConnectionContextProto.Builder result = IpcConnectionContextProto.newBuilder();
  if (protocol != null) {
    result.setProtocol(protocol);
  }
  UserInformationProto.Builder ugiProto =  UserInformationProto.newBuilder();
  if (ugi != null) {
    /*
     * In the connection context we send only additional user info that
     * is not derived from the authentication done during connection setup.
     */
    if (authMethod == AuthMethod.KERBEROS) {
      // Real user was established as part of the connection.
      // Send effective user only.
      ugiProto.setEffectiveUser(ugi.getUserName());
    } else if (authMethod == AuthMethod.TOKEN) {
      // With token, the connection itself establishes 
      // both real and effective user. Hence send none in header.
    } else {  // Simple authentication
      // No user info is established as part of the connection.
      // Send both effective user and real user
      ugiProto.setEffectiveUser(ugi.getUserName());
      if (ugi.getRealUser() != null) {
        ugiProto.setRealUser(ugi.getRealUser().getUserName());
      }
    }
  }   
  result.setUserInfo(ugiProto);
  return result.build();
}
 
Example 19
Source Project: big-c   File: Client.java    License: Apache License 2.0 5 votes vote down vote up
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUser = currentUser.getRealUser();
  if (authMethod == AuthMethod.KERBEROS && loginUser != null &&
  // Make sure user logged in using Kerberos either keytab or TGT
      loginUser.hasKerberosCredentials() &&
      // relogin only in case it is the login user (e.g. JT)
      // or superuser (like oozie).
      (loginUser.equals(currentUser) || loginUser.equals(realUser))) {
    return true;
  }
  return false;
}
 
Example 20
Source Project: big-c   File: TimelineClientImpl.java    License: Apache License 2.0 4 votes vote down vote up
protected void serviceInit(Configuration conf) throws Exception {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  UserGroupInformation realUgi = ugi.getRealUser();
  if (realUgi != null) {
    authUgi = realUgi;
    doAsUser = ugi.getShortUserName();
  } else {
    authUgi = ugi;
    doAsUser = null;
  }
  ClientConfig cc = new DefaultClientConfig();
  cc.getClasses().add(YarnJacksonJaxbJsonProvider.class);
  connConfigurator = newConnConfigurator(conf);
  if (UserGroupInformation.isSecurityEnabled()) {
    authenticator = new KerberosDelegationTokenAuthenticator();
  } else {
    authenticator = new PseudoDelegationTokenAuthenticator();
  }
  authenticator.setConnectionConfigurator(connConfigurator);
  token = new DelegationTokenAuthenticatedURL.Token();

  connectionRetry = new TimelineClientConnectionRetry(conf);
  client = new Client(new URLConnectionClientHandler(
      new TimelineURLConnectionFactory()), cc);
  TimelineJerseyRetryFilter retryFilter = new TimelineJerseyRetryFilter();
  client.addFilter(retryFilter);

  if (YarnConfiguration.useHttps(conf)) {
    resURI = URI
        .create(JOINER.join("https://", conf.get(
            YarnConfiguration.TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS,
            YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS),
            RESOURCE_URI_STR));
  } else {
    resURI = URI.create(JOINER.join("http://", conf.get(
        YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS),
        RESOURCE_URI_STR));
  }
  LOG.info("Timeline service address: " + resURI);
  super.serviceInit(conf);
}