Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab()
The following examples show how to use
org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab() .
These examples are extracted from open source projects.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source Project: dk-fitting File: HDFSUtils.java License: Apache License 2.0 | 6 votes |
|
public static FileSystem getFs(String hdfs_xml, String core_xml, String krb5_conf, String principal, String keytab) throws Exception {
Configuration conf = new Configuration();
FileSystem fs = null;
conf.addResource(new Path(hdfs_xml));
conf.addResource(new Path(core_xml));
conf.set("dfs.client.block.write.replace-datanode-on-failure.policy", "NEVER");
conf.set("dfs.client.block.write.replace-datanode-on-failure.enable", "true");
conf.setBoolean("fs.hdfs.impl.disable.cache", true);
if (principal != null && !"".equals(principal) && keytab != null && !"".equals(keytab) && krb5_conf != null && !"".equals(krb5_conf)) {
System.setProperty("java.security.krb5.conf", krb5_conf);
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal, keytab);
UserGroupInformation.getLoginUser();
}
fs = FileSystem.get(conf);
return fs;
}
Example 2
| Source Project: spring-boot-tutorial File: HdfsConfiguration.java License: Creative Commons Attribution Share Alike 4.0 International | 6 votes |
|
@Bean
public HdfsFactory hdfsFactory() {
org.apache.hadoop.conf.Configuration configuration = new org.apache.hadoop.conf.Configuration();
configuration.addResource(new Path(properties.getCoreSiteXmlPath()));
configuration.addResource(new Path(properties.getHdfsSiteXmlPath()));
if (properties.getAuth().isEnabled()) {
System.setProperty("java.security.krb5.conf", properties.getAuth().getKrb5Conf());
System.setProperty("java.security.auth.login.config", properties.getAuth().getAuthLoginConfig());
UserGroupInformation.setConfiguration(configuration);
try {
UserGroupInformation.loginUserFromKeytab(properties.getAuth().getPrincipal(),
properties.getAuth().getAuthKeyTabPath());
} catch (IOException e) {
e.printStackTrace();
}
}
return new HdfsFactory(configuration);
}
Example 3
| Source Project: entrada File: HDFSFileManagerImpl.java License: GNU General Public License v3.0 | 6 votes |
|
private FileSystem createSecureFS() {
Configuration conf = conf();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
try {
if (StringUtils.isNotBlank(krbKeyTab)) {
UserGroupInformation.loginUserFromKeytab(hdfsUsername, krbKeyTab);
}
return FileSystem.get(new URI(hdfsNameservice), conf);
} catch (Exception e) {
throw new ApplicationException("Cannot create secure HDFS filesystem", e);
}
}
Example 4
| Source Project: Transwarp-Sample-Code File: Connector.java License: MIT License | 5 votes |
|
public Connector() {
Configuration HBASE_CONFIG = new Configuration();
Constant constant = new Constant();
HBASE_CONFIG.addResource("hbase-site.xml");
HBASE_CONFIG.addResource("core-site.xml");
HBASE_CONFIG.addResource("hdfs-site.xml");
configuration = HBaseConfiguration.create(HBASE_CONFIG);
try {
if (constant.MODE.equals("kerberos")) {
UserGroupInformation.setConfiguration(configuration);
// UserGroupInformation.loginUserFromPassword(constant.KERBEROS_USER,constant.KERBEROS_PASSWD);
UserGroupInformation.loginUserFromKeytab(constant.KERBEROS_WITH_KEYTAB_USER,constant.KERBEROS_KEYTAB);
}
hBaseAdmin = new HBaseAdmin(configuration);
hyperbaseAdmin = new HyperbaseAdmin(configuration);
Configuration hdfsConf = getHDFSConf();
String rootPath = "hdfs://nameservice1";
Path p = new Path(rootPath + constant.HDFS_LARGE_FILE_DIR);
FileSystem fs = p.getFileSystem(hdfsConf);
boolean b = fs.mkdirs(p);
System.out.println(b);
fs.close();
} catch (Exception e) {
e.printStackTrace();
}
}
Example 5
| Source Project: incubator-sentry File: SentryHdfsServiceIntegrationBase.java License: Apache License 2.0 | 5 votes |
|
@Before
public void before() throws Exception {
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL,
clientKeytab.getPath());
connectToHdfsSyncService();
}
Example 6
| Source Project: Transwarp-Sample-Code File: CreateFile.java License: MIT License | 5 votes |
|
public static void main(String[] args) throws IOException {
// 通过Java API创建文件
String rootPath = "hdfs://nameservice1";
Path p = new Path(rootPath + "/tmp/file.txt");
Configuration conf = new Configuration();
conf.addResource("core-site.xml");
conf.addResource("hdfs-site.xml");
conf.addResource("yarn-site.xml");
// 没开kerberos,注释下面两行
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab("[email protected]","E:\\星环\\hdfs.keytab");
FileSystem fs = p.getFileSystem(conf);
fs.create(p);
fs.close();
}
Example 7
| Source Project: incubator-sentry File: SolrAuthzBinding.java License: Apache License 2.0 | 5 votes |
|
/**
* Initialize kerberos via UserGroupInformation. Will only attempt to login
* during the first request, subsequent calls will have no effect.
*/
public void initKerberos(String keytabFile, String principal) {
if (keytabFile == null || keytabFile.length() == 0) {
throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
}
if (principal == null || principal.length() == 0) {
throw new IllegalArgumentException("principal required because kerberos is enabled");
}
synchronized (SolrAuthzBinding.class) {
if (kerberosInit == null) {
kerberosInit = Boolean.TRUE;
final String authVal = authzConf.get(HADOOP_SECURITY_AUTHENTICATION);
final String kerberos = "kerberos";
if (authVal != null && !authVal.equals(kerberos)) {
throw new IllegalArgumentException(HADOOP_SECURITY_AUTHENTICATION
+ " set to: " + authVal + ", not kerberos, but attempting to "
+ " connect to HDFS via kerberos");
}
// let's avoid modifying the supplied configuration, just to be conservative
final Configuration ugiConf = new Configuration(authzConf);
ugiConf.set(HADOOP_SECURITY_AUTHENTICATION, kerberos);
UserGroupInformation.setConfiguration(ugiConf);
LOG.info(
"Attempting to acquire kerberos ticket with keytab: {}, principal: {} ",
keytabFile, principal);
try {
UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
} catch (IOException ioe) {
throw new RuntimeException(ioe);
}
LOG.info("Got Kerberos ticket");
}
}
}
Example 8
| Source Project: nifi File: Kerberos.java License: Apache License 2.0 | 5 votes |
|
@Override
public AtlasClientV2 createClient(String[] baseUrls) {
final Configuration hadoopConf = new Configuration();
hadoopConf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(hadoopConf);
final UserGroupInformation ugi;
try {
UserGroupInformation.loginUserFromKeytab(principal, keytab);
ugi = UserGroupInformation.getCurrentUser();
} catch (IOException e) {
throw new RuntimeException("Failed to login with Kerberos due to: " + e, e);
}
return new AtlasClientV2(ugi, null, baseUrls);
}
Example 9
| Source Project: registry File: HfsFileStorageKerberosTest.java License: Apache License 2.0 | 5 votes |
|
private void verifySimpleExecution() throws Exception {
verifyStatic(UserGroupInformation.class, never());
UserGroupInformation.loginUserFromKeytab(anyString(), anyString());
verify(userGroupInformation, never()).doAs(any(PrivilegedAction.class));
verify(userGroupInformation, never()).doAs(any(PrivilegedExceptionAction.class));
}
Example 10
| Source Project: hbase File: TestSecureIPC.java License: Apache License 2.0 | 5 votes |
|
private UserGroupInformation loginKerberosPrincipal(String krbKeytab, String krbPrincipal)
throws Exception {
Configuration cnf = new Configuration();
cnf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(cnf);
UserGroupInformation.loginUserFromKeytab(krbPrincipal, krbKeytab);
return UserGroupInformation.getLoginUser();
}
Example 11
| Source Project: sqoop-on-spark File: KerberosAuthenticationHandler.java License: Apache License 2.0 | 5 votes |
|
public void secureLogin() {
MapContext mapContext = SqoopConfiguration.getInstance().getContext();
String keytab = mapContext.getString(
SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim();
if (keytab.length() == 0) {
throw new SqoopException(SecurityError.AUTH_0001,
SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB);
}
keytabFile = keytab;
String principal = mapContext.getString(
SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim();
if (principal.length() == 0) {
throw new SqoopException(SecurityError.AUTH_0002,
SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL);
}
keytabPrincipal = principal;
Configuration conf = new Configuration();
conf.set(get_hadoop_security_authentication(),
SecurityConstants.TYPE.KERBEROS.name());
UserGroupInformation.setConfiguration(conf);
try {
String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab);
} catch (IOException ex) {
throw new SqoopException(SecurityError.AUTH_0003, ex);
}
LOG.info("Using Kerberos authentication, principal ["
+ principal + "] keytab [" + keytab + "]");
}
Example 12
| Source Project: hbase-tools File: HBaseClient.java License: Apache License 2.0 | 5 votes |
|
private static synchronized void login(Args args, Configuration conf) throws Exception {
if (args.has(Args.OPTION_DEBUG)) {
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.spnego.debug", "true");
}
System.setProperty("java.security.auth.login.config", createJaasConfigFile(args));
System.setProperty("java.security.krb5.conf", kerberosConfigFile(args));
Config krbConfig = Config.getInstance();
final String realm;
if (args.has(Args.OPTION_REALM)) {
realm = (String) args.valueOf(Args.OPTION_REALM);
System.setProperty("java.security.krb5.realm", realm);
System.setProperty("java.security.krb5.kdc", krbConfig.getKDCList(realm));
Config.refresh();
} else {
realm = krbConfig.getDefaultRealm();
}
updateConf(conf, realm);
if (args.has(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT)) {
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal(args), (String) args.valueOf(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT));
} else {
loginWithPassword(args, conf);
}
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
System.out.println(currentUser + "\n");
}
Example 13
| Source Project: hgraphdb File: HBaseGraphUtils.java License: Apache License 2.0 | 5 votes |
|
public static Connection getConnection(HBaseGraphConfiguration config) {
Connection conn = connections.get(config.getGraphNamespace());
if (conn != null && !conn.isClosed()) return conn;
Configuration hbaseConfig = config.toHBaseConfiguration();
switch (config.getInstanceType()) {
case MOCK:
conn = MockConnectionFactory.createConnection(hbaseConfig);
break;
case BIGTABLE:
case DISTRIBUTED:
try {
UserGroupInformation ugi = null;
if ("kerberos".equals(hbaseConfig.get(HBASE_SECURITY_AUTHENTICATION))) {
String principal = hbaseConfig.get(HBASE_CLIENT_KERBEROS_PRINCIPAL);
String keytab = hbaseConfig.get(HBASE_CLIENT_KEYTAB_FILE);
if (principal != null && keytab != null) {
UserGroupInformation.setConfiguration(hbaseConfig);
UserGroupInformation.loginUserFromKeytab(principal, keytab);
ugi = UserGroupInformation.getLoginUser();
}
}
if (ugi != null) {
conn = ugi.doAs(new PrivilegedExceptionAction<Connection>() {
@Override
public Connection run() throws Exception {
return ConnectionFactory.createConnection(hbaseConfig);
}
});
} else {
conn = ConnectionFactory.createConnection(hbaseConfig);
}
break;
} catch (Exception e) {
throw new HBaseGraphException(e);
}
}
connections.put(config.getGraphNamespace(), conn);
return conn;
}
Example 14
| Source Project: hbase File: User.java License: Apache License 2.0 | 5 votes |
|
/**
* Login through configured keytab and pricipal.
* @param keytabLocation location of keytab
* @param principalName principal in keytab
* @throws IOException exception from UserGroupInformation.loginUserFromKeytab
*/
public static void login(String keytabLocation, String principalName)
throws IOException {
if (isSecurityEnabled()) {
UserGroupInformation.loginUserFromKeytab(principalName, keytabLocation);
}
}
Example 15
| Source Project: dew File: HBaseAutoConfiguration.java License: Apache License 2.0 | 5 votes |
|
/**
* Init HBase connection.
*
* @param hbaseProperties hbase settings properties
* @return HBase connection
* @throws IOException IOException
*/
@Bean
public Connection connection(HBaseProperties hbaseProperties, org.apache.hadoop.conf.Configuration conf) throws IOException {
if ("kerberos".equalsIgnoreCase(hbaseProperties.getAuth().getType())) {
System.setProperty("java.security.krb5.conf", hbaseProperties.getAuth().getKrb5());
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(hbaseProperties.getAuth().getPrincipal(), hbaseProperties.getAuth().getKeytab());
}
ThreadPoolExecutor poolExecutor = new ThreadPoolExecutor(200, Integer.MAX_VALUE, 60L, TimeUnit.SECONDS, new SynchronousQueue<>());
poolExecutor.prestartCoreThread();
return ConnectionFactory.createConnection(conf, poolExecutor);
}
Example 16
| Source Project: dremio-oss File: DACDaemon.java License: Apache License 2.0 | 5 votes |
|
/**
* Set up the current user in {@link UserGroupInformation} using the kerberos principal and keytab file path if
* present in config. If not present, this method call is a no-op. When communicating with the kerberos enabled
* Hadoop based filesystem credentials in {@link UserGroupInformation} will be used..
* @param config
* @throws IOException
*/
private void setupHadoopUserUsingKerberosKeytab(final DremioConfig config) throws IOException {
final String kerberosPrincipal = config.getString(DremioConfig.KERBEROS_PRINCIPAL);
final String kerberosKeytab = config.getString(DremioConfig.KERBEROS_KEYTAB_PATH);
if (Strings.isNullOrEmpty(kerberosPrincipal) || Strings.isNullOrEmpty(kerberosKeytab)) {
return;
}
UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab);
logger.info("Setup Hadoop user info using kerberos principal {} and keytab file {} successful.",
kerberosPrincipal, kerberosKeytab);
}
Example 17
| Source Project: Bats File: BootStrapContext.java License: Apache License 2.0 | 4 votes |
|
private void login(final DrillConfig config) throws DrillbitStartupException {
try {
if (config.hasPath(ExecConstants.SERVICE_PRINCIPAL)) {
// providing a service principal => Kerberos mechanism
final Configuration loginConf = new Configuration();
loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
// set optional user name mapping
if (config.hasPath(ExecConstants.KERBEROS_NAME_MAPPING)) {
loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL,
config.getString(ExecConstants.KERBEROS_NAME_MAPPING));
}
UserGroupInformation.setConfiguration(loginConf);
// service principal canonicalization
final String principal = config.getString(ExecConstants.SERVICE_PRINCIPAL);
final String parts[] = KerberosUtil.splitPrincipalIntoParts(principal);
if (parts.length != 3) {
throw new DrillbitStartupException(
String.format("Invalid %s, Drill service principal must be of format: primary/[email protected]",
ExecConstants.SERVICE_PRINCIPAL));
}
parts[1] = KerberosUtil.canonicalizeInstanceName(parts[1], hostName);
final String canonicalizedPrincipal = KerberosUtil.getPrincipalFromParts(parts[0], parts[1], parts[2]);
final String keytab = config.getString(ExecConstants.SERVICE_KEYTAB_LOCATION);
// login to KDC (AS)
// Note that this call must happen before any call to UserGroupInformation#getLoginUser,
// but there is no way to enforce the order (this static init. call and parameters from
// DrillConfig are both required).
UserGroupInformation.loginUserFromKeytab(canonicalizedPrincipal, keytab);
logger.info("Process user name: '{}' and logged in successfully as '{}'", processUserName,
canonicalizedPrincipal);
} else {
UserGroupInformation.getLoginUser(); // init
}
// ugi does not support logout
} catch (final IOException e) {
throw new DrillbitStartupException("Failed to login.", e);
}
}
Example 18
| Source Project: localization_nifi File: RangerNiFiAuthorizer.java License: Apache License 2.0 | 4 votes |
|
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
try {
if (nifiPlugin == null) {
logger.info("RangerNiFiAuthorizer(): initializing base plugin");
final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);
final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);
final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;
if (rangerKerberosEnabled) {
// configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
final Configuration securityConf = new Configuration();
securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
UserGroupInformation.setConfiguration(securityConf);
// login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
// will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();
if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
}
UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
}
final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
nifiPlugin = createRangerBasePlugin(serviceType, appId);
nifiPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
} else {
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
}
} catch (Throwable t) {
throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
}
}
Example 19
| Source Project: pulsar File: SecurityUtil.java License: Apache License 2.0 | 3 votes |
|
/**
* Initializes UserGroupInformation with the given Configuration and performs the login for the
* given principal and keytab. All logins should happen through this class to ensure other threads
* are not concurrently modifying UserGroupInformation.
* <p/>
* @param config the configuration instance
* @param principal the principal to authenticate as
* @param keyTab the keytab to authenticate with
*
* @return the UGI for the given principal
*
* @throws IOException if login failed
*/
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
final String principal, final String keyTab) throws IOException {
Validate.notNull(config);
Validate.notNull(principal);
Validate.notNull(keyTab);
UserGroupInformation.setConfiguration(config);
UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
return UserGroupInformation.getCurrentUser();
}
Example 20
| Source Project: pulsar File: SecurityUtil.java License: Apache License 2.0 | 3 votes |
|
/**
* Initializes UserGroupInformation with the given Configuration and performs the login for the
* given principal and keytab. All logins should happen through this class to ensure other threads
* are not concurrently modifying UserGroupInformation.
* <p/>
* @param config the configuration instance
* @param principal the principal to authenticate as
* @param keyTab the keytab to authenticate with
*
* @return the UGI for the given principal
*
* @throws IOException if login failed
*/
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
final String principal, final String keyTab) throws IOException {
Validate.notNull(config);
Validate.notNull(principal);
Validate.notNull(keyTab);
UserGroupInformation.setConfiguration(config);
UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
return UserGroupInformation.getCurrentUser();
}
