Java Code Examples for org.apache.hadoop.security.UserGroupInformation#hasKerberosCredentials()

Example 1
Source File: HadoopUtils.java (from flink, Apache License 2.0)
/**
 * Verifies that an already Kerberos-enabled login can keep talking to a secure
 * Hadoop cluster.
 *
 * <p>Only the ticket-cache case is inspected: {@code UGI#hasKerberosCredentials}
 * reports false for keytab-based logins before Hadoop 2.6.1 (HADOOP-10786), so a
 * login that does not use the ticket cache is accepted without further checks.
 *
 * @param ugi the login user to inspect
 * @param useTicketCache whether the login is expected to come from a ticket cache
 * @return {@code true} if the login holds Kerberos credentials or can fall back to
 *     an HDFS delegation token; {@code false} if it has neither
 * @throws IllegalStateException if Kerberos security is not enabled for {@code ugi}
 */
public static boolean areKerberosCredentialsValid(UserGroupInformation ugi, boolean useTicketCache) {
	Preconditions.checkState(isKerberosSecurityEnabled(ugi));

	// Nothing to verify unless a ticket cache is in use and the TGT is missing.
	if (!useTicketCache || ugi.hasKerberosCredentials()) {
		return true;
	}

	// No TGT: a delegation token keeps the application alive only until the
	// token expires, so surface that as a warning rather than an error.
	final boolean tokenAvailable = hasHDFSDelegationToken(ugi);
	if (tokenAvailable) {
		LOG.warn("Hadoop security is enabled but current login user does not have Kerberos credentials, " +
			"use delegation token instead. Flink application will terminate after token expires.");
	} else {
		LOG.error("Hadoop security is enabled, but current login user has neither Kerberos credentials " +
			"nor delegation tokens!");
	}
	return tokenAvailable;
}
 
Example 2
Source File: AuthUtil.java (from hbase, Apache License 2.0)
/**
 * Builds a chore that periodically re-logs in from the keytab so the user's
 * Kerberos TGT does not lapse. Returns {@code null} when the user holds no
 * Kerberos credentials, i.e. there is nothing to renew.
 *
 * @param user the login user whose TGT should be kept fresh
 * @return a ScheduledChore for renewals, or {@code null} if the user is not a Kerberos user
 */
@InterfaceAudience.Private
public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user) {
  if (!user.hasKerberosCredentials()) {
    return null;
  }

  // Poll every 30s. The default refresh window is 0.8 of the ticket lifetime
  // (e.g. a 5min TGT is refreshed at 4min), so the interval must stay well
  // under a minute; raise it only when debugging to reduce getTGT() noise.
  final int tgtCheckIntervalMillis = 30 * 1000;
  final Stoppable dummyStoppable = createDummyStoppable();
  return new ScheduledChore("RefreshCredentials", dummyStoppable, tgtCheckIntervalMillis) {
    @Override
    protected void chore() {
      try {
        user.checkTGTAndReloginFromKeytab();
      } catch (IOException e) {
        // Log and keep the chore alive; the next tick retries the relogin.
        LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e);
      }
    }
  };
}
 
Example 3
Source File: AuthenticationUtil.java (from atlas, Apache License 2.0)
/**
 * Reports whether Kerberos authentication is enabled for Atlas. The configured
 * setting is consulted first; if the configuration cannot be loaded, the answer
 * falls back to whether {@code ugi} itself holds Kerberos credentials.
 *
 * @param ugi the current login user; may be {@code null}
 * @return {@code true} if Kerberos authentication should be used
 */
public static boolean isKerberosAuthenticationEnabled(UserGroupInformation ugi) {
    final boolean fallback = (ugi == null) ? false : ugi.hasKerberosCredentials();

    try {
        return isKerberosAuthenticationEnabled(ApplicationProperties.get(), fallback);
    } catch (AtlasException e) {
        // Configuration unavailable: log it and answer from the UGI alone.
        LOG.error("Error while isKerberosAuthenticationEnabled ", e);
        return fallback;
    }
}
 
Example 4
Source File: RegistrySecurity.java (from hadoop, Apache License 2.0)
/**
 * Create a SASL ACL for the current user.
 * @param perms permissions
 * @return an ACL for the current user or null if they aren't a kerberos user
 * @throws IOException if the current user cannot be determined
 */
public ACL createSaslACLFromCurrentUser(int perms) throws IOException {
  final UserGroupInformation me = UserGroupInformation.getCurrentUser();
  // Only a Kerberos-authenticated identity can be named in a SASL ACL.
  return me.hasKerberosCredentials() ? createSaslACL(me, perms) : null;
}
 
Example 5
Source File: Client.java (from hadoop, Apache License 2.0)
/**
 * Decides whether this connection should (re)authenticate over Kerberos.
 * True only when the configured auth method is KERBEROS, the login user holds
 * Kerberos credentials (keytab or TGT), and the caller is either that login
 * user or a proxy user whose real user is the login user.
 *
 * @return {@code true} if a Kerberos (re)login is appropriate for this connection
 * @throws IOException if the login or current user cannot be determined
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  final UserGroupInformation realUser = currentUser.getRealUser();

  if (authMethod != AuthMethod.KERBEROS || loginUser == null) {
    return false;
  }
  // The login must be a Kerberos one (keytab or TGT) for relogin to make sense.
  if (!loginUser.hasKerberosCredentials()) {
    return false;
  }
  // Relogin only as the login user itself (e.g. JT) or as the real user
  // behind a proxy user (e.g. oozie).
  return loginUser.equals(currentUser) || loginUser.equals(realUser);
}
 
Example 6
Source File: RegistrySecurity.java (from big-c, Apache License 2.0)
/**
 * Create a SASL ACL for the current user.
 * @param perms permissions
 * @return an ACL for the current user or null if they aren't a kerberos user
 * @throws IOException if the current user cannot be determined
 */
public ACL createSaslACLFromCurrentUser(int perms) throws IOException {
  final UserGroupInformation me = UserGroupInformation.getCurrentUser();
  // Only a Kerberos-authenticated identity can be named in a SASL ACL.
  return me.hasKerberosCredentials() ? createSaslACL(me, perms) : null;
}
 
Example 7
Source File: Client.java (from big-c, Apache License 2.0)
/**
 * Decides whether this connection should (re)authenticate over Kerberos.
 * True only when the configured auth method is KERBEROS, the login user holds
 * Kerberos credentials (keytab or TGT), and the caller is either that login
 * user or a proxy user whose real user is the login user.
 *
 * @return {@code true} if a Kerberos (re)login is appropriate for this connection
 * @throws IOException if the login or current user cannot be determined
 */
private synchronized boolean shouldAuthenticateOverKrb() throws IOException {
  final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
  final UserGroupInformation realUser = currentUser.getRealUser();

  if (authMethod != AuthMethod.KERBEROS || loginUser == null) {
    return false;
  }
  // The login must be a Kerberos one (keytab or TGT) for relogin to make sense.
  if (!loginUser.hasKerberosCredentials()) {
    return false;
  }
  // Relogin only as the login user itself (e.g. JT) or as the real user
  // behind a proxy user (e.g. oozie).
  return loginUser.equals(currentUser) || loginUser.equals(realUser);
}
 
Example 8
Source File: BuiltInProviderSelector.java (from hbase, Apache License 2.0)
/**
 * Picks the SASL client provider (plus token, for digest auth) to use against
 * the given cluster. Preference order: SIMPLE when HBase security is off, then a
 * delegation token scoped to {@code clusterId}, then Kerberos via the user's own
 * UGI or the real user behind a proxied one. Returns {@code null} when no
 * provider fits.
 *
 * @param clusterId id of the cluster being connected to
 * @param user the client user, supplying its tokens and UGI
 * @return provider and token (token is {@code null} except for digest auth), or
 *     {@code null} if no provider supports the user's credentials
 * @throws NullPointerException if {@code clusterId} or {@code user} is null
 */
@Override
public Pair<SaslClientAuthenticationProvider, Token<? extends TokenIdentifier>> selectProvider(
    String clusterId, User user) {
  requireNonNull(clusterId, "Null clusterId was given");
  requireNonNull(user, "Null user was given");

  // SIMPLE is not negotiated over SASL; answer it directly.
  if (!User.isHBaseSecurityEnabled(conf)) {
    return new Pair<>(simpleAuth, null);
  }

  // A delegation token wins over Kerberos when both are present
  // (TestGenerateDelegationToken depends on that ordering).
  final Text wantedService = new Text(clusterId);
  for (Token<? extends TokenIdentifier> candidate : user.getTokens()) {
    // The token must (1) be issued for this cluster and (2) be of a kind
    // for which we have a supporting client implementation.
    final boolean forThisCluster = wantedService.equals(candidate.getService());
    if (forThisCluster && digestAuthTokenKind.equals(candidate.getKind())) {
      return new Pair<>(digestAuth, candidate);
    }
  }

  // Kerberos: accept the user's own credentials, or those of the real user
  // when the incoming authentication method is PROXY (realUser may be null).
  final UserGroupInformation ugi = user.getUGI();
  final UserGroupInformation proxiedBy = ugi.getRealUser();
  if (ugi.hasKerberosCredentials()
      || (proxiedBy != null && proxiedBy.hasKerberosCredentials())) {
    return new Pair<>(krbAuth, null);
  }

  // The client asked for a mechanism no provider handles; could be a bug or
  // a misconfiguration on either side.
  LOG.warn("No matching SASL authentication provider and supporting token found from providers"
      + " for user: {}", user);
  return null;
}
 
Example 9
Source File: Client.java (from hadoop, Apache License 2.0)
/**
 * Creates and connects the socket to the remote server, retrying on connect
 * timeouts and other I/O failures. The loop ends only by returning on success
 * or by one of the failure handlers throwing; both failure counters are reset
 * whenever the server address is found to have changed.
 *
 * <p>When the ticket carries Kerberos credentials and the protocol declares a
 * client principal, the socket is first bound to the local address named by the
 * principal's host part so the server can match the connection's source
 * address against that principal.
 *
 * @throws IOException when a failure handler gives up retrying
 */
private synchronized void setupConnection() throws IOException {
  short ioFailureCount = 0;
  short timeoutCount = 0;
  for (;;) {
    try {
      this.socket = socketFactory.createSocket();
      this.socket.setTcpNoDelay(tcpNoDelay);
      this.socket.setKeepAlive(true);

      final UserGroupInformation ticket = remoteId.getTicket();
      final boolean kerberosTicket = ticket != null && ticket.hasKerberosCredentials();
      if (kerberosTicket) {
        final KerberosInfo krbInfo =
            remoteId.getProtocol().getAnnotation(KerberosInfo.class);
        final boolean hasClientPrincipal =
            krbInfo != null && krbInfo.clientPrincipal() != null;
        if (hasClientPrincipal) {
          final String principalHost =
              SecurityUtil.getHostFromPrincipal(remoteId.getTicket().getUserName());
          // Bind only if the principal's host resolves to a local address.
          final InetAddress localAddr = NetUtils.getLocalInetAddress(principalHost);
          if (localAddr != null) {
            this.socket.bind(new InetSocketAddress(localAddr, 0));
          }
        }
      }

      NetUtils.connect(this.socket, server, connectionTimeout);
      // An explicit rpcTimeout overrides the ping interval used as the read timeout.
      if (rpcTimeout > 0) {
        pingInterval = rpcTimeout;
      }
      this.socket.setSoTimeout(pingInterval);
      return;
    } catch (ConnectTimeoutException toe) {
      // Address change resets both counters before the retry policy is consulted.
      if (updateAddress()) {
        timeoutCount = ioFailureCount = 0;
      }
      handleConnectionTimeout(timeoutCount++, maxRetriesOnSocketTimeouts, toe);
    } catch (IOException ie) {
      if (updateAddress()) {
        timeoutCount = ioFailureCount = 0;
      }
      handleConnectionFailure(ioFailureCount++, ie);
    }
  }
}
 
Example 10
Source File: Client.java (from big-c, Apache License 2.0)
/**
 * Creates and connects the socket to the remote server, retrying on connect
 * timeouts and other I/O failures. The loop ends only by returning on success
 * or by one of the failure handlers throwing; both failure counters are reset
 * whenever the server address is found to have changed.
 *
 * <p>When the ticket carries Kerberos credentials and the protocol declares a
 * client principal, the socket is first bound to the local address named by the
 * principal's host part so the server can match the connection's source
 * address against that principal.
 *
 * @throws IOException when a failure handler gives up retrying
 */
private synchronized void setupConnection() throws IOException {
  short ioFailureCount = 0;
  short timeoutCount = 0;
  for (;;) {
    try {
      this.socket = socketFactory.createSocket();
      this.socket.setTcpNoDelay(tcpNoDelay);
      this.socket.setKeepAlive(true);

      final UserGroupInformation ticket = remoteId.getTicket();
      final boolean kerberosTicket = ticket != null && ticket.hasKerberosCredentials();
      if (kerberosTicket) {
        final KerberosInfo krbInfo =
            remoteId.getProtocol().getAnnotation(KerberosInfo.class);
        final boolean hasClientPrincipal =
            krbInfo != null && krbInfo.clientPrincipal() != null;
        if (hasClientPrincipal) {
          final String principalHost =
              SecurityUtil.getHostFromPrincipal(remoteId.getTicket().getUserName());
          // Bind only if the principal's host resolves to a local address.
          final InetAddress localAddr = NetUtils.getLocalInetAddress(principalHost);
          if (localAddr != null) {
            this.socket.bind(new InetSocketAddress(localAddr, 0));
          }
        }
      }

      NetUtils.connect(this.socket, server, connectionTimeout);
      // An explicit rpcTimeout overrides the ping interval used as the read timeout.
      if (rpcTimeout > 0) {
        pingInterval = rpcTimeout;
      }
      this.socket.setSoTimeout(pingInterval);
      return;
    } catch (ConnectTimeoutException toe) {
      // Address change resets both counters before the retry policy is consulted.
      if (updateAddress()) {
        timeoutCount = ioFailureCount = 0;
      }
      handleConnectionTimeout(timeoutCount++, maxRetriesOnSocketTimeouts, toe);
    } catch (IOException ie) {
      if (updateAddress()) {
        timeoutCount = ioFailureCount = 0;
      }
      handleConnectionFailure(ioFailureCount++, ie);
    }
  }
}