Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getUGIFromSubject()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#getUGIFromSubject() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop   File: TestKMS.java    License: Apache License 2.0 6 votes vote down vote up
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
    throws Exception {
  Set<Principal> principals = new HashSet<Principal>();
  principals.add(new KerberosPrincipal(user));

  //client login
  Subject subject = new Subject(false, principals,
      new HashSet<Object>(), new HashSet<Object>());
  LoginContext loginContext = new LoginContext("", subject, null,
      KerberosConfiguration.createClientConfig(user, keytab));
  try {
    loginContext.login();
    subject = loginContext.getSubject();
    UserGroupInformation ugi =
        UserGroupInformation.getUGIFromSubject(subject);
    return ugi.doAs(action);
  } finally {
    loginContext.logout();
  }
}
 
Example 2
Source Project: big-c   File: TestKMS.java    License: Apache License 2.0 6 votes vote down vote up
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action)
    throws Exception {
  Set<Principal> principals = new HashSet<Principal>();
  principals.add(new KerberosPrincipal(user));

  //client login
  Subject subject = new Subject(false, principals,
      new HashSet<Object>(), new HashSet<Object>());
  LoginContext loginContext = new LoginContext("", subject, null,
      KerberosConfiguration.createClientConfig(user, keytab));
  try {
    loginContext.login();
    subject = loginContext.getSubject();
    UserGroupInformation ugi =
        UserGroupInformation.getUGIFromSubject(subject);
    return ugi.doAs(action);
  } finally {
    loginContext.logout();
  }
}
 
Example 3
Source Project: streamline   File: HBaseMetadataService.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Creates secure {@link HBaseMetadataService} which delegates to {@link Admin}
 * instantiated with with the {@link Configuration} provided using the first parameter
 */
public static HBaseMetadataService newInstance(Configuration hbaseConfig,
        SecurityContext securityContext, Subject subject, Component hbaseMaster,
                                               Collection<ComponentProcess> hbaseMasterProcesses)
            throws IOException, EntityNotFoundException {

    if (SecurityUtil.isKerberosAuthenticated(securityContext)) {
        UserGroupInformation.setConfiguration(hbaseConfig);                                             // Sets Kerberos rules
        final UserGroupInformation ugiFromSubject = UserGroupInformation.getUGIFromSubject(subject);    // Adds User principal to the subject
        final UserGroupInformation proxyUserForImpersonation = UserGroupInformation
                .createProxyUser(securityContext.getUserPrincipal().getName(), ugiFromSubject);
        final User user = User.create(proxyUserForImpersonation);

        return new HBaseMetadataService(ConnectionFactory.createConnection(hbaseConfig, user)
                .getAdmin(), securityContext, subject, user, hbaseMaster, hbaseMasterProcesses);
    } else {
        return new HBaseMetadataService(ConnectionFactory.createConnection(hbaseConfig).getAdmin(),
                securityContext, subject, null, hbaseMaster, hbaseMasterProcesses);
    }
}
 
Example 4
Source Project: streamline   File: HiveMetadataService.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Creates secure {@link HiveMetadataService}, which delegates to {@link HiveMetaStoreClient}
 * instantiated with the {@link HiveConf} provided using the first parameter
 */
public static HiveMetadataService newInstance(HiveConf hiveConf, SecurityContext securityContext,
                                              Subject subject, Component hiveMetastore,
                                              Collection<ComponentProcess> hiveMetastoreProcesses)
            throws MetaException, IOException, EntityNotFoundException, PrivilegedActionException {

    if (SecurityUtil.isKerberosAuthenticated(securityContext)) {
        UserGroupInformation.setConfiguration(hiveConf);    // Sets Kerberos rules
        UserGroupInformation.getUGIFromSubject(subject);    // Adds User principal to this subject

        return new HiveMetadataService(
                SecurityUtil.execute(() -> new HiveMetaStoreClient(hiveConf), securityContext, subject),
                    hiveConf, securityContext, subject, hiveMetastore, hiveMetastoreProcesses);
    } else {
        return new HiveMetadataService(new HiveMetaStoreClient(hiveConf), hiveConf, securityContext, subject,
                hiveMetastore, hiveMetastoreProcesses);
    }
}
 
Example 5
@Override
public UserGroupInformation getLoginUgi(Configuration hdfsConfiguration) throws IOException {
  AccessControlContext accessContext = AccessController.getContext();
  Subject subject = Subject.getSubject(accessContext);
  UserGroupInformation loginUgi;
  //HADOOP-13805
  HadoopConfigurationUtils.configureHadoopTreatSubjectExternal(hdfsConfiguration);
  UserGroupInformation.setConfiguration(hdfsConfiguration);
  if (UserGroupInformation.isSecurityEnabled()) {
    loginUgi = UserGroupInformation.getUGIFromSubject(subject);
  } else {
    UserGroupInformation.loginUserFromSubject(subject);
    loginUgi = UserGroupInformation.getLoginUser();
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug(
        "Subject = {}, Principals = {}, Login UGI = {}",
        subject,
        subject == null ? "null" : subject.getPrincipals(),
        loginUgi
    );
  }
  return loginUgi;
}
 
Example 6
Source Project: Bats   File: KerberosFactory.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public UserGroupInformation createAndLoginUser(final Map<String, ?> properties) throws IOException {
  final Configuration conf = new SecurityConfiguration();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
      UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
  UserGroupInformation.setConfiguration(conf);

  final String keytab = (String) properties.get(DrillProperties.KEYTAB);
  final boolean assumeSubject = properties.containsKey(DrillProperties.KERBEROS_FROM_SUBJECT) &&
      Boolean.parseBoolean((String) properties.get(DrillProperties.KERBEROS_FROM_SUBJECT));
  try {
    final UserGroupInformation ugi;
    if (assumeSubject) {
      ugi = UserGroupInformation.getUGIFromSubject(Subject.getSubject(AccessController.getContext()));
      logger.debug("Assuming subject for {}.", ugi.getShortUserName());
    } else {
      if (keytab != null) {
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            (String) properties.get(DrillProperties.USER), keytab);
        logger.debug("Logged in {} using keytab.", ugi.getShortUserName());
      } else {
        // includes Kerberos ticket login
        ugi = UserGroupInformation.getCurrentUser();
        logger.debug("Logged in {} using ticket.", ugi.getShortUserName());
      }
    }
    return ugi;
  } catch (final IOException e) {
    logger.debug("Login failed.", e);
    final Throwable cause = e.getCause();
    if (cause instanceof LoginException) {
      throw new SaslException("Failed to login.", cause);
    }
    throw new SaslException("Unexpected failure trying to login.", cause);
  }
}
 
Example 7
@Override
public UserGroupInformation getLoginUgi(Configuration hdfsConfiguration) throws IOException {
  // check system property to see if MapR U/P security is enabled
  String maprLoginEnabled = System.getProperty(
      MAPR_USERNAME_PASSWORD_SECURITY_ENABLED_KEY,
      MAPR_USERNAME_PASSWORD_SECURITY_ENABLED_DEFAULT
  );
  boolean isMapRLogin = Boolean.parseBoolean(maprLoginEnabled);
  AccessControlContext accessControlContext = AccessController.getContext();
  Subject subject = Subject.getSubject(accessControlContext);
  //HADOOP-13805
  HadoopConfigurationUtils.configureHadoopTreatSubjectExternal(hdfsConfiguration);
  // SDC-4015 As privateclassloader is false for MapR, UGI is shared and it also needs to be under jvm lock
  UserGroupInformation.setConfiguration(hdfsConfiguration);
  UserGroupInformation loginUgi;

  if (UserGroupInformation.isSecurityEnabled() && !isMapRLogin) {
    // The code in this block must only be executed in case Kerberos is enabled.
    // MapR implementation of UserGroupInformation.isSecurityEnabled() returns true even if Kerberos is not enabled.
    // System property helps to avoid this code path in such a case
    loginUgi = UserGroupInformation.getUGIFromSubject(subject);
  } else {
    UserGroupInformation.loginUserFromSubject(subject);
    loginUgi = UserGroupInformation.getLoginUser();
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug(
        "Subject = {}, Principals = {}, Login UGI = {}",
        subject,
        subject == null ? "null" : subject.getPrincipals(),
        loginUgi
    );
  }
  return loginUgi;

}
 
Example 8
Source Project: ranger   File: MiscUtil.java    License: Apache License 2.0 5 votes vote down vote up
public static UserGroupInformation createUGIFromSubject(Subject subject)
		throws IOException {
	logger.info("SUBJECT " + (subject == null ? "not found" : "found"));
	UserGroupInformation ugi = null;
	if (subject != null) {
		logger.info("SUBJECT.PRINCIPALS.size()="
				+ subject.getPrincipals().size());
		Set<Principal> principals = subject.getPrincipals();
		for (Principal principal : principals) {
			logger.info("SUBJECT.PRINCIPAL.NAME=" + principal.getName());
		}
		try {
			// Do not remove the below statement. The default
			// getLoginUser does some initialization which is needed
			// for getUGIFromSubject() to work.
			UserGroupInformation.getLoginUser();
			logger.info("Default UGI before using new Subject:"
					+ UserGroupInformation.getLoginUser());
		} catch (Throwable t) {
			logger.error(t);
		}
		ugi = UserGroupInformation.getUGIFromSubject(subject);
		logger.info("SUBJECT.UGI.NAME=" + ugi.getUserName() + ", ugi="
				+ ugi);
	} else {
		logger.info("Server username is not available");
	}
	return ugi;
}
 
Example 9
Source Project: atlas   File: ImpalaLineageHook.java    License: Apache License 2.0 4 votes vote down vote up
private UserGroupInformation getUgiFromUserName(String userName)  throws IOException {
    String userPrincipal = userName.contains(REALM_SEPARATOR)? userName : userName + "@" + getRealm();
    Subject userSubject = new Subject(false, Sets.newHashSet(
        new KerberosPrincipal(userPrincipal)), new HashSet<Object>(),new HashSet<Object>());
    return UserGroupInformation.getUGIFromSubject(userSubject);
}
 
Example 10
@Override
public User getUserFromSubject(Subject subject) throws IOException {
    return new UGIUser(UserGroupInformation.getUGIFromSubject(subject));
}