Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: dk-fitting   File: HDFSUtils.java    License: Apache License 2.0 6 votes vote down vote up
public static FileSystem getFs(String hdfs_xml, String core_xml, String krb5_conf, String principal, String keytab) throws Exception {
	Configuration conf = new Configuration();
	FileSystem fs = null;
	conf.addResource(new Path(hdfs_xml));
	conf.addResource(new Path(core_xml));
	conf.set("dfs.client.block.write.replace-datanode-on-failure.policy", "NEVER");
	conf.set("dfs.client.block.write.replace-datanode-on-failure.enable", "true");
	conf.setBoolean("fs.hdfs.impl.disable.cache", true);
	if (principal != null && !"".equals(principal) && keytab != null && !"".equals(keytab) && krb5_conf != null && !"".equals(krb5_conf)) {
		System.setProperty("java.security.krb5.conf", krb5_conf);
		UserGroupInformation.setConfiguration(conf);
		UserGroupInformation.loginUserFromKeytab(principal, keytab);
		UserGroupInformation.getLoginUser();
	}
	fs = FileSystem.get(conf);
	return fs;
}
 
Example 2
@Bean
public HdfsFactory hdfsFactory() {
    org.apache.hadoop.conf.Configuration configuration = new org.apache.hadoop.conf.Configuration();
    configuration.addResource(new Path(properties.getCoreSiteXmlPath()));
    configuration.addResource(new Path(properties.getHdfsSiteXmlPath()));

    if (properties.getAuth().isEnabled()) {
        System.setProperty("java.security.krb5.conf", properties.getAuth().getKrb5Conf());
        System.setProperty("java.security.auth.login.config", properties.getAuth().getAuthLoginConfig());
        UserGroupInformation.setConfiguration(configuration);
        try {
            UserGroupInformation.loginUserFromKeytab(properties.getAuth().getPrincipal(),
                properties.getAuth().getAuthKeyTabPath());
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    return new HdfsFactory(configuration);
}
 
Example 3
private FileSystem createSecureFS() {
  Configuration conf = conf();
  conf.set("hadoop.security.authentication", "kerberos");

  UserGroupInformation.setConfiguration(conf);

  try {
    if (StringUtils.isNotBlank(krbKeyTab)) {
      UserGroupInformation.loginUserFromKeytab(hdfsUsername, krbKeyTab);
    }

    return FileSystem.get(new URI(hdfsNameservice), conf);
  } catch (Exception e) {
    throw new ApplicationException("Cannot create secure HDFS filesystem", e);
  }
}
 
Example 4
Source Project: Transwarp-Sample-Code   File: Connector.java    License: MIT License 5 votes vote down vote up
public Connector() {
        Configuration HBASE_CONFIG = new Configuration();
        Constant constant = new Constant();
        HBASE_CONFIG.addResource("hbase-site.xml");
        HBASE_CONFIG.addResource("core-site.xml");
        HBASE_CONFIG.addResource("hdfs-site.xml");
        configuration = HBaseConfiguration.create(HBASE_CONFIG);

        try {
            if (constant.MODE.equals("kerberos")) {
                UserGroupInformation.setConfiguration(configuration);
//                UserGroupInformation.loginUserFromPassword(constant.KERBEROS_USER,constant.KERBEROS_PASSWD);
                UserGroupInformation.loginUserFromKeytab(constant.KERBEROS_WITH_KEYTAB_USER,constant.KERBEROS_KEYTAB);
            }
            hBaseAdmin = new HBaseAdmin(configuration);
            hyperbaseAdmin = new HyperbaseAdmin(configuration);

            Configuration hdfsConf = getHDFSConf();
            String rootPath = "hdfs://nameservice1";
            Path p = new Path(rootPath + constant.HDFS_LARGE_FILE_DIR);
            FileSystem fs = p.getFileSystem(hdfsConf);
            boolean b = fs.mkdirs(p);
            System.out.println(b);
            fs.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
 
Example 5
@Before
public void before() throws Exception {
  conf.set("hadoop.security.authentication", "kerberos");
  UserGroupInformation.setConfiguration(conf);
  UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL,
      clientKeytab.getPath());

  connectToHdfsSyncService();
}
 
Example 6
Source Project: Transwarp-Sample-Code   File: CreateFile.java    License: MIT License 5 votes vote down vote up
public static void main(String[] args) throws IOException {
    // 通过Java API创建文件
    String rootPath = "hdfs://nameservice1";
    Path p = new Path(rootPath + "/tmp/file.txt");
    Configuration conf = new Configuration();
    conf.addResource("core-site.xml");
    conf.addResource("hdfs-site.xml");
    conf.addResource("yarn-site.xml");
    // 没开kerberos,注释下面两行
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab("[email protected]","E:\\星环\\hdfs.keytab");
    FileSystem fs = p.getFileSystem(conf);
    fs.create(p);
    fs.close();
}
 
Example 7
/**
 * Initialize kerberos via UserGroupInformation.  Will only attempt to login
 * during the first request, subsequent calls will have no effect.
 */
public void initKerberos(String keytabFile, String principal) {
  if (keytabFile == null || keytabFile.length() == 0) {
    throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
  }
  if (principal == null || principal.length() == 0) {
    throw new IllegalArgumentException("principal required because kerberos is enabled");
  }
  synchronized (SolrAuthzBinding.class) {
    if (kerberosInit == null) {
      kerberosInit = Boolean.TRUE;
      final String authVal = authzConf.get(HADOOP_SECURITY_AUTHENTICATION);
      final String kerberos = "kerberos";
      if (authVal != null && !authVal.equals(kerberos)) {
        throw new IllegalArgumentException(HADOOP_SECURITY_AUTHENTICATION
            + " set to: " + authVal + ", not kerberos, but attempting to "
            + " connect to HDFS via kerberos");
      }
      // let's avoid modifying the supplied configuration, just to be conservative
      final Configuration ugiConf = new Configuration(authzConf);
      ugiConf.set(HADOOP_SECURITY_AUTHENTICATION, kerberos);
      UserGroupInformation.setConfiguration(ugiConf);
      LOG.info(
          "Attempting to acquire kerberos ticket with keytab: {}, principal: {} ",
          keytabFile, principal);
      try {
        UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
      } catch (IOException ioe) {
        throw new RuntimeException(ioe);
      }
      LOG.info("Got Kerberos ticket");
    }
  }
}
 
Example 8
Source Project: nifi   File: Kerberos.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public AtlasClientV2 createClient(String[] baseUrls) {
    final Configuration hadoopConf = new Configuration();
    hadoopConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(hadoopConf);
    final UserGroupInformation ugi;
    try {
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
        ugi = UserGroupInformation.getCurrentUser();
    } catch (IOException e) {
        throw new RuntimeException("Failed to login with Kerberos due to: " + e, e);
    }
    return new AtlasClientV2(ugi, null, baseUrls);
}
 
Example 9
private void verifySimpleExecution() throws Exception {
    verifyStatic(UserGroupInformation.class, never());
    UserGroupInformation.loginUserFromKeytab(anyString(), anyString());

    verify(userGroupInformation, never()).doAs(any(PrivilegedAction.class));
    verify(userGroupInformation, never()).doAs(any(PrivilegedExceptionAction.class));
}
 
Example 10
Source Project: hbase   File: TestSecureIPC.java    License: Apache License 2.0 5 votes vote down vote up
private UserGroupInformation loginKerberosPrincipal(String krbKeytab, String krbPrincipal)
    throws Exception {
  Configuration cnf = new Configuration();
  cnf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
  UserGroupInformation.setConfiguration(cnf);
  UserGroupInformation.loginUserFromKeytab(krbPrincipal, krbKeytab);
  return UserGroupInformation.getLoginUser();
}
 
Example 11
public void secureLogin() {
  MapContext mapContext = SqoopConfiguration.getInstance().getContext();
  String keytab = mapContext.getString(
          SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim();
  if (keytab.length() == 0) {
    throw new SqoopException(SecurityError.AUTH_0001,
            SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB);
  }
  keytabFile = keytab;

  String principal = mapContext.getString(
          SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim();
  if (principal.length() == 0) {
    throw new SqoopException(SecurityError.AUTH_0002,
            SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL);
  }
  keytabPrincipal = principal;

  Configuration conf = new Configuration();
  conf.set(get_hadoop_security_authentication(),
          SecurityConstants.TYPE.KERBEROS.name());
  UserGroupInformation.setConfiguration(conf);
  try {
    String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
    UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab);
  } catch (IOException ex) {
    throw new SqoopException(SecurityError.AUTH_0003, ex);
  }
  LOG.info("Using Kerberos authentication, principal ["
          + principal + "] keytab [" + keytab + "]");
}
 
Example 12
Source Project: hbase-tools   File: HBaseClient.java    License: Apache License 2.0 5 votes vote down vote up
private static synchronized void login(Args args, Configuration conf) throws Exception {
    if (args.has(Args.OPTION_DEBUG)) {
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("sun.security.spnego.debug", "true");
    }

    System.setProperty("java.security.auth.login.config", createJaasConfigFile(args));
    System.setProperty("java.security.krb5.conf", kerberosConfigFile(args));

    Config krbConfig = Config.getInstance();
    final String realm;
    if (args.has(Args.OPTION_REALM)) {
        realm = (String) args.valueOf(Args.OPTION_REALM);
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", krbConfig.getKDCList(realm));
        Config.refresh();
    } else {
        realm = krbConfig.getDefaultRealm();
    }

    updateConf(conf, realm);

    if (args.has(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT)) {
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(principal(args), (String) args.valueOf(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT));
    } else {
        loginWithPassword(args, conf);
    }

    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    System.out.println(currentUser + "\n");
}
 
Example 13
Source Project: hgraphdb   File: HBaseGraphUtils.java    License: Apache License 2.0 5 votes vote down vote up
public static Connection getConnection(HBaseGraphConfiguration config) {
    Connection conn = connections.get(config.getGraphNamespace());
    if (conn != null && !conn.isClosed()) return conn;
    Configuration hbaseConfig = config.toHBaseConfiguration();
    switch (config.getInstanceType()) {
        case MOCK:
            conn = MockConnectionFactory.createConnection(hbaseConfig);
            break;
        case BIGTABLE:
        case DISTRIBUTED:
            try {
                UserGroupInformation ugi = null;
                if ("kerberos".equals(hbaseConfig.get(HBASE_SECURITY_AUTHENTICATION))) {
                    String principal = hbaseConfig.get(HBASE_CLIENT_KERBEROS_PRINCIPAL);
                    String keytab = hbaseConfig.get(HBASE_CLIENT_KEYTAB_FILE);
                    if (principal != null && keytab != null) {
                        UserGroupInformation.setConfiguration(hbaseConfig);
                        UserGroupInformation.loginUserFromKeytab(principal, keytab);
                        ugi = UserGroupInformation.getLoginUser();
                    }
                }
                if (ugi != null) {
                    conn = ugi.doAs(new PrivilegedExceptionAction<Connection>() {
                        @Override
                        public Connection run() throws Exception {
                            return ConnectionFactory.createConnection(hbaseConfig);
                        }
                    });
                } else {
                    conn = ConnectionFactory.createConnection(hbaseConfig);
                }
                break;
            } catch (Exception e) {
                throw new HBaseGraphException(e);
            }
    }
    connections.put(config.getGraphNamespace(), conn);
    return conn;
}
 
Example 14
Source Project: hbase   File: User.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Login through configured keytab and pricipal.
 * @param keytabLocation location of keytab
 * @param principalName principal in keytab
 * @throws IOException exception from UserGroupInformation.loginUserFromKeytab
 */
public static void login(String keytabLocation, String principalName)
    throws IOException {
  if (isSecurityEnabled()) {
    UserGroupInformation.loginUserFromKeytab(principalName, keytabLocation);
  }
}
 
Example 15
Source Project: dew   File: HBaseAutoConfiguration.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Init HBase connection.
 *
 * @param hbaseProperties hbase settings properties
 * @return HBase connection
 * @throws IOException IOException
 */
@Bean
public Connection connection(HBaseProperties hbaseProperties, org.apache.hadoop.conf.Configuration conf) throws IOException {
    if ("kerberos".equalsIgnoreCase(hbaseProperties.getAuth().getType())) {
        System.setProperty("java.security.krb5.conf", hbaseProperties.getAuth().getKrb5());
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(hbaseProperties.getAuth().getPrincipal(), hbaseProperties.getAuth().getKeytab());
    }
    ThreadPoolExecutor poolExecutor = new ThreadPoolExecutor(200, Integer.MAX_VALUE, 60L, TimeUnit.SECONDS, new SynchronousQueue<>());
    poolExecutor.prestartCoreThread();
    return ConnectionFactory.createConnection(conf, poolExecutor);
}
 
Example 16
Source Project: dremio-oss   File: DACDaemon.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Set up the current user in {@link UserGroupInformation} using the kerberos principal and keytab file path if
 * present in config. If not present, this method call is a no-op. When communicating with the kerberos enabled
 * Hadoop based filesystem credentials in {@link UserGroupInformation} will be used..
 * @param config
 * @throws IOException
 */
private void setupHadoopUserUsingKerberosKeytab(final DremioConfig config) throws IOException {
  final String kerberosPrincipal = config.getString(DremioConfig.KERBEROS_PRINCIPAL);
  final String kerberosKeytab = config.getString(DremioConfig.KERBEROS_KEYTAB_PATH);

  if (Strings.isNullOrEmpty(kerberosPrincipal) || Strings.isNullOrEmpty(kerberosKeytab)) {
    return;
  }

  UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab);

  logger.info("Setup Hadoop user info using kerberos principal {} and keytab file {} successful.",
      kerberosPrincipal, kerberosKeytab);
}
 
Example 17
Source Project: Bats   File: BootStrapContext.java    License: Apache License 2.0 4 votes vote down vote up
private void login(final DrillConfig config) throws DrillbitStartupException {
  try {
    if (config.hasPath(ExecConstants.SERVICE_PRINCIPAL)) {
      // providing a service principal => Kerberos mechanism
      final Configuration loginConf = new Configuration();
      loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
          UserGroupInformation.AuthenticationMethod.KERBEROS.toString());

      // set optional user name mapping
      if (config.hasPath(ExecConstants.KERBEROS_NAME_MAPPING)) {
        loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL,
            config.getString(ExecConstants.KERBEROS_NAME_MAPPING));
      }

      UserGroupInformation.setConfiguration(loginConf);

      // service principal canonicalization
      final String principal = config.getString(ExecConstants.SERVICE_PRINCIPAL);
      final String parts[] = KerberosUtil.splitPrincipalIntoParts(principal);
      if (parts.length != 3) {
        throw new DrillbitStartupException(
            String.format("Invalid %s, Drill service principal must be of format: primary/[email protected]",
              ExecConstants.SERVICE_PRINCIPAL));
      }
      parts[1] = KerberosUtil.canonicalizeInstanceName(parts[1], hostName);

      final String canonicalizedPrincipal = KerberosUtil.getPrincipalFromParts(parts[0], parts[1], parts[2]);
      final String keytab = config.getString(ExecConstants.SERVICE_KEYTAB_LOCATION);

      // login to KDC (AS)
      // Note that this call must happen before any call to UserGroupInformation#getLoginUser,
      // but there is no way to enforce the order (this static init. call and parameters from
      // DrillConfig are both required).
      UserGroupInformation.loginUserFromKeytab(canonicalizedPrincipal, keytab);

      logger.info("Process user name: '{}' and logged in successfully as '{}'", processUserName,
          canonicalizedPrincipal);
    } else {
      UserGroupInformation.getLoginUser(); // init
    }

    // ugi does not support logout
  } catch (final IOException e) {
    throw new DrillbitStartupException("Failed to login.", e);
  }

}
 
Example 18
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
    try {
        if (nifiPlugin == null) {
            logger.info("RangerNiFiAuthorizer(): initializing base plugin");

            final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
            addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);

            final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
            addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);

            final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
            rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;

            if (rangerKerberosEnabled) {
                // configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
                final Configuration securityConf = new Configuration();
                securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
                UserGroupInformation.setConfiguration(securityConf);

                // login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
                // will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
                final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
                final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();

                if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
                    throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
                }

                UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
            }

            final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
            final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);

            nifiPlugin = createRangerBasePlugin(serviceType, appId);
            nifiPlugin.init();

            defaultAuditHandler = new RangerDefaultAuditHandler();
            rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);

        } else {
            logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
        }
    } catch (Throwable t) {
        throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
    }
}
 
Example 19
Source Project: pulsar   File: SecurityUtil.java    License: Apache License 2.0 3 votes vote down vote up
/**
 *  Initializes UserGroupInformation with the given Configuration and performs the login for the
 *  given principal and keytab. All logins should happen through this class to ensure other threads
 *  are not concurrently modifying UserGroupInformation.
 * <p/>
 * @param config the configuration instance
 * @param principal the principal to authenticate as
 * @param keyTab the keytab to authenticate with
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
        final String principal, final String keyTab) throws IOException {
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
    return UserGroupInformation.getCurrentUser();
}
 
Example 20
Source Project: pulsar   File: SecurityUtil.java    License: Apache License 2.0 3 votes vote down vote up
/**
 *  Initializes UserGroupInformation with the given Configuration and performs the login for the
 *  given principal and keytab. All logins should happen through this class to ensure other threads
 *  are not concurrently modifying UserGroupInformation.
 * <p/>
 * @param config the configuration instance
 * @param principal the principal to authenticate as
 * @param keyTab the keytab to authenticate with
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
        final String principal, final String keyTab) throws IOException {
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
    return UserGroupInformation.getCurrentUser();
}