Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: HDFSUtils.java    From dk-fitting with Apache License 2.0 6 votes vote down vote up
public static FileSystem getFs(String hdfs_xml, String core_xml, String krb5_conf, String principal, String keytab) throws Exception {
	Configuration conf = new Configuration();
	FileSystem fs = null;
	conf.addResource(new Path(hdfs_xml));
	conf.addResource(new Path(core_xml));
	conf.set("dfs.client.block.write.replace-datanode-on-failure.policy", "NEVER");
	conf.set("dfs.client.block.write.replace-datanode-on-failure.enable", "true");
	conf.setBoolean("fs.hdfs.impl.disable.cache", true);
	if (principal != null && !"".equals(principal) && keytab != null && !"".equals(keytab) && krb5_conf != null && !"".equals(krb5_conf)) {
		System.setProperty("java.security.krb5.conf", krb5_conf);
		UserGroupInformation.setConfiguration(conf);
		UserGroupInformation.loginUserFromKeytab(principal, keytab);
		UserGroupInformation.getLoginUser();
	}
	fs = FileSystem.get(conf);
	return fs;
}
 
Example 2
Source File: HdfsConfiguration.java    From spring-boot-tutorial with Creative Commons Attribution Share Alike 4.0 International 6 votes vote down vote up
@Bean
public HdfsFactory hdfsFactory() {
    org.apache.hadoop.conf.Configuration configuration = new org.apache.hadoop.conf.Configuration();
    configuration.addResource(new Path(properties.getCoreSiteXmlPath()));
    configuration.addResource(new Path(properties.getHdfsSiteXmlPath()));

    if (properties.getAuth().isEnabled()) {
        System.setProperty("java.security.krb5.conf", properties.getAuth().getKrb5Conf());
        System.setProperty("java.security.auth.login.config", properties.getAuth().getAuthLoginConfig());
        UserGroupInformation.setConfiguration(configuration);
        try {
            UserGroupInformation.loginUserFromKeytab(properties.getAuth().getPrincipal(),
                properties.getAuth().getAuthKeyTabPath());
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    return new HdfsFactory(configuration);
}
 
Example 3
Source File: HDFSFileManagerImpl.java    From entrada with GNU General Public License v3.0 6 votes vote down vote up
private FileSystem createSecureFS() {
  Configuration conf = conf();
  conf.set("hadoop.security.authentication", "kerberos");

  UserGroupInformation.setConfiguration(conf);

  try {
    if (StringUtils.isNotBlank(krbKeyTab)) {
      UserGroupInformation.loginUserFromKeytab(hdfsUsername, krbKeyTab);
    }

    return FileSystem.get(new URI(hdfsNameservice), conf);
  } catch (Exception e) {
    throw new ApplicationException("Cannot create secure HDFS filesystem", e);
  }
}
 
Example 4
Source File: HfsFileStorageKerberosTest.java    From registry with Apache License 2.0 5 votes vote down vote up
private void verifySimpleExecution() throws Exception {
    verifyStatic(UserGroupInformation.class, never());
    UserGroupInformation.loginUserFromKeytab(anyString(), anyString());

    verify(userGroupInformation, never()).doAs(any(PrivilegedAction.class));
    verify(userGroupInformation, never()).doAs(any(PrivilegedExceptionAction.class));
}
 
Example 5
Source File: DACDaemon.java    From dremio-oss with Apache License 2.0 5 votes vote down vote up
/**
 * Set up the current user in {@link UserGroupInformation} using the kerberos principal and keytab file path if
 * present in config. If not present, this method call is a no-op. When communicating with the kerberos enabled
 * Hadoop based filesystem credentials in {@link UserGroupInformation} will be used..
 * @param config
 * @throws IOException
 */
private void setupHadoopUserUsingKerberosKeytab(final DremioConfig config) throws IOException {
  final String kerberosPrincipal = config.getString(DremioConfig.KERBEROS_PRINCIPAL);
  final String kerberosKeytab = config.getString(DremioConfig.KERBEROS_KEYTAB_PATH);

  if (Strings.isNullOrEmpty(kerberosPrincipal) || Strings.isNullOrEmpty(kerberosKeytab)) {
    return;
  }

  UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab);

  logger.info("Setup Hadoop user info using kerberos principal {} and keytab file {} successful.",
      kerberosPrincipal, kerberosKeytab);
}
 
Example 6
Source File: HBaseAutoConfiguration.java    From dew with Apache License 2.0 5 votes vote down vote up
/**
 * Init HBase connection.
 *
 * @param hbaseProperties hbase settings properties
 * @return HBase connection
 * @throws IOException IOException
 */
@Bean
public Connection connection(HBaseProperties hbaseProperties, org.apache.hadoop.conf.Configuration conf) throws IOException {
    if ("kerberos".equalsIgnoreCase(hbaseProperties.getAuth().getType())) {
        System.setProperty("java.security.krb5.conf", hbaseProperties.getAuth().getKrb5());
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(hbaseProperties.getAuth().getPrincipal(), hbaseProperties.getAuth().getKeytab());
    }
    ThreadPoolExecutor poolExecutor = new ThreadPoolExecutor(200, Integer.MAX_VALUE, 60L, TimeUnit.SECONDS, new SynchronousQueue<>());
    poolExecutor.prestartCoreThread();
    return ConnectionFactory.createConnection(conf, poolExecutor);
}
 
Example 7
Source File: User.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Login through configured keytab and pricipal.
 * @param keytabLocation location of keytab
 * @param principalName principal in keytab
 * @throws IOException exception from UserGroupInformation.loginUserFromKeytab
 */
public static void login(String keytabLocation, String principalName)
    throws IOException {
  if (isSecurityEnabled()) {
    UserGroupInformation.loginUserFromKeytab(principalName, keytabLocation);
  }
}
 
Example 8
Source File: HBaseGraphUtils.java    From hgraphdb with Apache License 2.0 5 votes vote down vote up
public static Connection getConnection(HBaseGraphConfiguration config) {
    Connection conn = connections.get(config.getGraphNamespace());
    if (conn != null && !conn.isClosed()) return conn;
    Configuration hbaseConfig = config.toHBaseConfiguration();
    switch (config.getInstanceType()) {
        case MOCK:
            conn = MockConnectionFactory.createConnection(hbaseConfig);
            break;
        case BIGTABLE:
        case DISTRIBUTED:
            try {
                UserGroupInformation ugi = null;
                if ("kerberos".equals(hbaseConfig.get(HBASE_SECURITY_AUTHENTICATION))) {
                    String principal = hbaseConfig.get(HBASE_CLIENT_KERBEROS_PRINCIPAL);
                    String keytab = hbaseConfig.get(HBASE_CLIENT_KEYTAB_FILE);
                    if (principal != null && keytab != null) {
                        UserGroupInformation.setConfiguration(hbaseConfig);
                        UserGroupInformation.loginUserFromKeytab(principal, keytab);
                        ugi = UserGroupInformation.getLoginUser();
                    }
                }
                if (ugi != null) {
                    conn = ugi.doAs(new PrivilegedExceptionAction<Connection>() {
                        @Override
                        public Connection run() throws Exception {
                            return ConnectionFactory.createConnection(hbaseConfig);
                        }
                    });
                } else {
                    conn = ConnectionFactory.createConnection(hbaseConfig);
                }
                break;
            } catch (Exception e) {
                throw new HBaseGraphException(e);
            }
    }
    connections.put(config.getGraphNamespace(), conn);
    return conn;
}
 
Example 9
Source File: HBaseClient.java    From hbase-tools with Apache License 2.0 5 votes vote down vote up
private static synchronized void login(Args args, Configuration conf) throws Exception {
    if (args.has(Args.OPTION_DEBUG)) {
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("sun.security.spnego.debug", "true");
    }

    System.setProperty("java.security.auth.login.config", createJaasConfigFile(args));
    System.setProperty("java.security.krb5.conf", kerberosConfigFile(args));

    Config krbConfig = Config.getInstance();
    final String realm;
    if (args.has(Args.OPTION_REALM)) {
        realm = (String) args.valueOf(Args.OPTION_REALM);
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", krbConfig.getKDCList(realm));
        Config.refresh();
    } else {
        realm = krbConfig.getDefaultRealm();
    }

    updateConf(conf, realm);

    if (args.has(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT)) {
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(principal(args), (String) args.valueOf(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT));
    } else {
        loginWithPassword(args, conf);
    }

    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    System.out.println(currentUser + "\n");
}
 
Example 10
Source File: KerberosAuthenticationHandler.java    From sqoop-on-spark with Apache License 2.0 5 votes vote down vote up
public void secureLogin() {
  MapContext mapContext = SqoopConfiguration.getInstance().getContext();
  String keytab = mapContext.getString(
          SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim();
  if (keytab.length() == 0) {
    throw new SqoopException(SecurityError.AUTH_0001,
            SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB);
  }
  keytabFile = keytab;

  String principal = mapContext.getString(
          SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim();
  if (principal.length() == 0) {
    throw new SqoopException(SecurityError.AUTH_0002,
            SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL);
  }
  keytabPrincipal = principal;

  Configuration conf = new Configuration();
  conf.set(get_hadoop_security_authentication(),
          SecurityConstants.TYPE.KERBEROS.name());
  UserGroupInformation.setConfiguration(conf);
  try {
    String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
    UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab);
  } catch (IOException ex) {
    throw new SqoopException(SecurityError.AUTH_0003, ex);
  }
  LOG.info("Using Kerberos authentication, principal ["
          + principal + "] keytab [" + keytab + "]");
}
 
Example 11
Source File: TestSecureIPC.java    From hbase with Apache License 2.0 5 votes vote down vote up
private UserGroupInformation loginKerberosPrincipal(String krbKeytab, String krbPrincipal)
    throws Exception {
  Configuration cnf = new Configuration();
  cnf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
  UserGroupInformation.setConfiguration(cnf);
  UserGroupInformation.loginUserFromKeytab(krbPrincipal, krbKeytab);
  return UserGroupInformation.getLoginUser();
}
 
Example 12
Source File: Kerberos.java    From nifi with Apache License 2.0 5 votes vote down vote up
@Override
public AtlasClientV2 createClient(String[] baseUrls) {
    final Configuration hadoopConf = new Configuration();
    hadoopConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(hadoopConf);
    final UserGroupInformation ugi;
    try {
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
        ugi = UserGroupInformation.getCurrentUser();
    } catch (IOException e) {
        throw new RuntimeException("Failed to login with Kerberos due to: " + e, e);
    }
    return new AtlasClientV2(ugi, null, baseUrls);
}
 
Example 13
Source File: SolrAuthzBinding.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Initialize kerberos via UserGroupInformation.  Will only attempt to login
 * during the first request, subsequent calls will have no effect.
 */
public void initKerberos(String keytabFile, String principal) {
  if (keytabFile == null || keytabFile.length() == 0) {
    throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
  }
  if (principal == null || principal.length() == 0) {
    throw new IllegalArgumentException("principal required because kerberos is enabled");
  }
  synchronized (SolrAuthzBinding.class) {
    if (kerberosInit == null) {
      kerberosInit = Boolean.TRUE;
      final String authVal = authzConf.get(HADOOP_SECURITY_AUTHENTICATION);
      final String kerberos = "kerberos";
      if (authVal != null && !authVal.equals(kerberos)) {
        throw new IllegalArgumentException(HADOOP_SECURITY_AUTHENTICATION
            + " set to: " + authVal + ", not kerberos, but attempting to "
            + " connect to HDFS via kerberos");
      }
      // let's avoid modifying the supplied configuration, just to be conservative
      final Configuration ugiConf = new Configuration(authzConf);
      ugiConf.set(HADOOP_SECURITY_AUTHENTICATION, kerberos);
      UserGroupInformation.setConfiguration(ugiConf);
      LOG.info(
          "Attempting to acquire kerberos ticket with keytab: {}, principal: {} ",
          keytabFile, principal);
      try {
        UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
      } catch (IOException ioe) {
        throw new RuntimeException(ioe);
      }
      LOG.info("Got Kerberos ticket");
    }
  }
}
 
Example 14
Source File: CreateFile.java    From Transwarp-Sample-Code with MIT License 5 votes vote down vote up
public static void main(String[] args) throws IOException {
    // 通过Java API创建文件
    String rootPath = "hdfs://nameservice1";
    Path p = new Path(rootPath + "/tmp/file.txt");
    Configuration conf = new Configuration();
    conf.addResource("core-site.xml");
    conf.addResource("hdfs-site.xml");
    conf.addResource("yarn-site.xml");
    // 没开kerberos,注释下面两行
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab("hdfs@TDH","E:\\星环\\hdfs.keytab");
    FileSystem fs = p.getFileSystem(conf);
    fs.create(p);
    fs.close();
}
 
Example 15
Source File: SentryHdfsServiceIntegrationBase.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
@Before
public void before() throws Exception {
  conf.set("hadoop.security.authentication", "kerberos");
  UserGroupInformation.setConfiguration(conf);
  UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL,
      clientKeytab.getPath());

  connectToHdfsSyncService();
}
 
Example 16
Source File: Connector.java    From Transwarp-Sample-Code with MIT License 5 votes vote down vote up
public Connector() {
        Configuration HBASE_CONFIG = new Configuration();
        Constant constant = new Constant();
        HBASE_CONFIG.addResource("hbase-site.xml");
        HBASE_CONFIG.addResource("core-site.xml");
        HBASE_CONFIG.addResource("hdfs-site.xml");
        configuration = HBaseConfiguration.create(HBASE_CONFIG);

        try {
            if (constant.MODE.equals("kerberos")) {
                UserGroupInformation.setConfiguration(configuration);
//                UserGroupInformation.loginUserFromPassword(constant.KERBEROS_USER,constant.KERBEROS_PASSWD);
                UserGroupInformation.loginUserFromKeytab(constant.KERBEROS_WITH_KEYTAB_USER,constant.KERBEROS_KEYTAB);
            }
            hBaseAdmin = new HBaseAdmin(configuration);
            hyperbaseAdmin = new HyperbaseAdmin(configuration);

            Configuration hdfsConf = getHDFSConf();
            String rootPath = "hdfs://nameservice1";
            Path p = new Path(rootPath + constant.HDFS_LARGE_FILE_DIR);
            FileSystem fs = p.getFileSystem(hdfsConf);
            boolean b = fs.mkdirs(p);
            System.out.println(b);
            fs.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
 
Example 17
Source File: RangerNiFiAuthorizer.java    From localization_nifi with Apache License 2.0 4 votes vote down vote up
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
    try {
        if (nifiPlugin == null) {
            logger.info("RangerNiFiAuthorizer(): initializing base plugin");

            final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
            addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);

            final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
            addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);

            final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
            rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;

            if (rangerKerberosEnabled) {
                // configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
                final Configuration securityConf = new Configuration();
                securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
                UserGroupInformation.setConfiguration(securityConf);

                // login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
                // will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
                final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
                final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();

                if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
                    throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
                }

                UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
            }

            final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
            final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);

            nifiPlugin = createRangerBasePlugin(serviceType, appId);
            nifiPlugin.init();

            defaultAuditHandler = new RangerDefaultAuditHandler();
            rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);

        } else {
            logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
        }
    } catch (Throwable t) {
        throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
    }
}
 
Example 18
Source File: BootStrapContext.java    From Bats with Apache License 2.0 4 votes vote down vote up
private void login(final DrillConfig config) throws DrillbitStartupException {
  try {
    if (config.hasPath(ExecConstants.SERVICE_PRINCIPAL)) {
      // providing a service principal => Kerberos mechanism
      final Configuration loginConf = new Configuration();
      loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
          UserGroupInformation.AuthenticationMethod.KERBEROS.toString());

      // set optional user name mapping
      if (config.hasPath(ExecConstants.KERBEROS_NAME_MAPPING)) {
        loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL,
            config.getString(ExecConstants.KERBEROS_NAME_MAPPING));
      }

      UserGroupInformation.setConfiguration(loginConf);

      // service principal canonicalization
      final String principal = config.getString(ExecConstants.SERVICE_PRINCIPAL);
      final String parts[] = KerberosUtil.splitPrincipalIntoParts(principal);
      if (parts.length != 3) {
        throw new DrillbitStartupException(
            String.format("Invalid %s, Drill service principal must be of format: primary/instance@REALM",
              ExecConstants.SERVICE_PRINCIPAL));
      }
      parts[1] = KerberosUtil.canonicalizeInstanceName(parts[1], hostName);

      final String canonicalizedPrincipal = KerberosUtil.getPrincipalFromParts(parts[0], parts[1], parts[2]);
      final String keytab = config.getString(ExecConstants.SERVICE_KEYTAB_LOCATION);

      // login to KDC (AS)
      // Note that this call must happen before any call to UserGroupInformation#getLoginUser,
      // but there is no way to enforce the order (this static init. call and parameters from
      // DrillConfig are both required).
      UserGroupInformation.loginUserFromKeytab(canonicalizedPrincipal, keytab);

      logger.info("Process user name: '{}' and logged in successfully as '{}'", processUserName,
          canonicalizedPrincipal);
    } else {
      UserGroupInformation.getLoginUser(); // init
    }

    // ugi does not support logout
  } catch (final IOException e) {
    throw new DrillbitStartupException("Failed to login.", e);
  }

}
 
Example 19
Source File: SecurityUtil.java    From pulsar with Apache License 2.0 3 votes vote down vote up
/**
 *  Initializes UserGroupInformation with the given Configuration and performs the login for the
 *  given principal and keytab. All logins should happen through this class to ensure other threads
 *  are not concurrently modifying UserGroupInformation.
 * <p/>
 * @param config the configuration instance
 * @param principal the principal to authenticate as
 * @param keyTab the keytab to authenticate with
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
        final String principal, final String keyTab) throws IOException {
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
    return UserGroupInformation.getCurrentUser();
}
 
Example 20
Source File: SecurityUtil.java    From pulsar with Apache License 2.0 3 votes vote down vote up
/**
 *  Initializes UserGroupInformation with the given Configuration and performs the login for the
 *  given principal and keytab. All logins should happen through this class to ensure other threads
 *  are not concurrently modifying UserGroupInformation.
 * <p/>
 * @param config the configuration instance
 * @param principal the principal to authenticate as
 * @param keyTab the keytab to authenticate with
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
        final String principal, final String keyTab) throws IOException {
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
    return UserGroupInformation.getCurrentUser();
}