Java Code Examples for org.apache.hadoop.classification.InterfaceStability#Evolving

/**
 * Create a proxy user using username of the effective user and the ugi of the
 * real user.
 * @param user
 * @param realUser
 * @return proxyUser ugi
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation createProxyUser(String user,
    UserGroupInformation realUser) {
  if (user == null || user.isEmpty()) {
    throw new IllegalArgumentException("Null user");
  }
  if (realUser == null) {
    throw new IllegalArgumentException("Null real user");
  }
  Subject subject = new Subject();
  Set<Principal> principals = subject.getPrincipals();
  principals.add(new User(user));
  principals.add(new RealUser(realUser));
  UserGroupInformation result =new UserGroupInformation(subject);
  result.setAuthenticationMethod(AuthenticationMethod.PROXY);
  return result;
}
 

/**
 * Create a proxy user using username of the effective user and the ugi of the
 * real user.
 * @param user
 * @param realUser
 * @return proxyUser ugi
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation createProxyUser(String user,
    UserGroupInformation realUser) {
  if (user == null || user.isEmpty()) {
    throw new IllegalArgumentException("Null user");
  }
  if (realUser == null) {
    throw new IllegalArgumentException("Null real user");
  }
  Subject subject = new Subject();
  Set<Principal> principals = subject.getPrincipals();
  principals.add(new User(user));
  principals.add(new RealUser(realUser));
  UserGroupInformation result =new UserGroupInformation(subject);
  result.setAuthenticationMethod(AuthenticationMethod.PROXY);
  return result;
}
 

/**
 * Create a UGI for testing HDFS and MapReduce
 * @param user the full user principal name
 * @param userGroups the names of the groups that the user belongs to
 * @return a fake user for running unit tests
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation createUserForTesting(String user, 
                                                        String[] userGroups) {
  ensureInitialized();
  UserGroupInformation ugi = createRemoteUser(user);
  // make sure that the testing object is setup
  if (!(groups instanceof TestingGroups)) {
    groups = new TestingGroups(groups);
  }
  // add the user groups
  ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
  return ugi;
}
 

/**
 * Run the given action as the user.
 * @param <T> the return type of the run method
 * @param action the method to execute
 * @return the value from the run method
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public <T> T doAs(PrivilegedAction<T> action) {
  logPrivilegedAction(subject, action);
  return Subject.doAs(subject, action);
}
 

/**
 * Return the current user, including any doAs in the current stack.
 * @return the current user
 * @throws IOException if login fails
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized
static UserGroupInformation getCurrentUser() throws IOException {
  AccessControlContext context = AccessController.getContext();
  Subject subject = Subject.getSubject(context);
  if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
    return getLoginUser();
  } else {
    return new UserGroupInformation(subject);
  }
}
 

/**
 * Return the current user, including any doAs in the current stack.
 * @return the current user
 * @throws IOException if login fails
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized
static UserGroupInformation getCurrentUser() throws IOException {
  AccessControlContext context = AccessController.getContext();
  Subject subject = Subject.getSubject(context);
  if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
    return getLoginUser();
  } else {
    return new UserGroupInformation(subject);
  }
}
 

/**
 * get RealUser (vs. EffectiveUser)
 * @return realUser running over proxy user
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public UserGroupInformation getRealUser() {
  for (RealUser p: subject.getPrincipals(RealUser.class)) {
    return p.getRealUser();
  }
  return null;
}
 

/**
 * Create a user from a login name. It is intended to be used for remote
 * users in RPC, since it won't have any credentials.
 * @param user the full user principal name, must not be empty or null
 * @return the UserGroupInformation for the remote user.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation createRemoteUser(String user, AuthMethod authMethod) {
  if (user == null || user.isEmpty()) {
    throw new IllegalArgumentException("Null user");
  }
  Subject subject = new Subject();
  subject.getPrincipals().add(new User(user));
  UserGroupInformation result = new UserGroupInformation(subject);
  result.setAuthenticationMethod(authMethod);
  return result;
}
 

/**
 * Re-Login a user in from the ticket cache.  This
 * method assumes that login had happened already.
 * The Subject field of this UserGroupInformation object is updated to have
 * the new credentials.
 * @throws IOException on a failure
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized void reloginFromTicketCache()
throws IOException {
  if (!isSecurityEnabled() || 
      user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
      !isKrbTkt)
    return;
  LoginContext login = getLogin();
  if (login == null) {
    throw new IOException("login must be done first");
  }
  long now = Time.now();
  if (!hasSufficientTimeElapsed(now)) {
    return;
  }
  // register most recent relogin attempt
  user.setLastLogin(now);
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Initiating logout for " + getUserName());
    }
    //clear up the kerberos state. But the tokens are not cleared! As per 
    //the Java kerberos login module code, only the kerberos credentials
    //are cleared
    login.logout();
    //login and also update the subject field of this instance to 
    //have the new credentials (pass it to the LoginContext constructor)
    login = 
      newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, 
          getSubject(), new HadoopConfiguration());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Initiating re-login for " + getUserName());
    }
    login.login();
    setLogin(login);
  } catch (LoginException le) {
    throw new IOException("Login failure for " + getUserName(), le);
  } 
}
 

@InterfaceAudience.Private
@InterfaceStability.Evolving
private static boolean isAuthenticationMethodEnabled(AuthenticationMethod method) {
  ensureInitialized();
  return (authenticationMethod == method);
}
 

/**
 * Get the user's full principal name.
 * @return the user's full principal name.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public String getUserName() {
  return user.getName();
}
 

/**
 * Did the login happen via keytab
 * @return true or false
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized static boolean isLoginKeytabBased() throws IOException {
  return getLoginUser().isKeytab;
}
 

/**
 * Did the login happen via keytab
 * @return true or false
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized static boolean isLoginKeytabBased() throws IOException {
  return getLoginUser().isKeytab;
}
 

/**
 * Re-Login a user in from a keytab file. Loads a user identity from a keytab
 * file and logs them in. They become the currently logged-in user. This
 * method assumes that {@link #loginUserFromKeytab(String, String)} had 
 * happened already.
 * The Subject field of this UserGroupInformation object is updated to have
 * the new credentials.
 * @throws IOException on a failure
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public synchronized void reloginFromKeytab()
throws IOException {
  if (!isSecurityEnabled() ||
       user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
       !isKeytab)
    return;
  
  long now = Time.now();
  if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) {
    return;
  }

  KerberosTicket tgt = getTGT();
  //Return if TGT is valid and is not going to expire soon.
  if (tgt != null && !shouldRenewImmediatelyForTests &&
      now < getRefreshTime(tgt)) {
    return;
  }
  
  LoginContext login = getLogin();
  if (login == null || keytabFile == null) {
    throw new IOException("loginUserFromKeyTab must be done first");
  }
  
  long start = 0;
  // register most recent relogin attempt
  user.setLastLogin(now);
  try {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Initiating logout for " + getUserName());
    }
    synchronized (UserGroupInformation.class) {
      // clear up the kerberos state. But the tokens are not cleared! As per
      // the Java kerberos login module code, only the kerberos credentials
      // are cleared
      login.logout();
      // login and also update the subject field of this instance to
      // have the new credentials (pass it to the LoginContext constructor)
      login = newLoginContext(
          HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject(),
          new HadoopConfiguration());
      if (LOG.isDebugEnabled()) {
        LOG.debug("Initiating re-login for " + keytabPrincipal);
      }
      start = Time.now();
      login.login();
      metrics.loginSuccess.add(Time.now() - start);
      setLogin(login);
    }
  } catch (LoginException le) {
    if (start > 0) {
      metrics.loginFailure.add(Time.now() - start);
    }
    throw new IOException("Login failure for " + keytabPrincipal + 
        " from keytab " + keytabFile, le);
  } 
}
 

@InterfaceAudience.Private
@InterfaceStability.Evolving
private static boolean isAuthenticationMethodEnabled(AuthenticationMethod method) {
  ensureInitialized();
  return (authenticationMethod == method);
}
 

/**
 * Convert Kerberos principal name pattern to valid Kerberos principal
 * names. It replaces hostname pattern with hostname, which should be
 * fully-qualified domain name. If hostname is null or "0.0.0.0", it uses
 * dynamically looked-up fqdn of the current host instead.
 * 
 * @param principalConfig
 *          the Kerberos principal name conf value to convert
 * @param hostname
 *          the fully-qualified domain name used for substitution
 * @return converted Kerberos principal name
 * @throws IOException if the client address cannot be determined
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static String getServerPrincipal(String principalConfig,
    String hostname) throws IOException {
  String[] components = getComponents(principalConfig);
  if (components == null || components.length != 3
      || !components[1].equals(HOSTNAME_PATTERN)) {
    return principalConfig;
  } else {
    return replacePattern(components, hostname);
  }
}
 

/**
 * Login as a principal specified in config. Substitute $host in
 * user's Kerberos principal name with a dynamically looked-up fully-qualified
 * domain name of the current host.
 * 
 * @param conf
 *          conf to use
 * @param keytabFileKey
 *          the key to look for keytab file in conf
 * @param userNameKey
 *          the key to look for user's Kerberos principal name in conf
 * @throws IOException if login fails
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static void login(final Configuration conf,
    final String keytabFileKey, final String userNameKey) throws IOException {
  login(conf, keytabFileKey, userNameKey, getLocalHostName());
}
 

/**
 * Return blockLocation of the given file for the given offset and len.
 *  For a nonexistent file or regions, null will be returned.
 *
 * This call is most helpful with DFS, where it returns 
 * hostnames of machines that contain the given file.
 * 
 * @param f - get blocklocations of this file
 * @param start position (byte offset)
 * @param len (in bytes)
 *
 * @return block locations for given file at specified offset of len
 *
 * @throws AccessControlException If access is denied
 * @throws FileNotFoundException If <code>f</code> does not exist
 * @throws UnsupportedFileSystemException If file system for <code>f</code> is
 *           not supported
 * @throws IOException If an I/O error occurred
 * 
 * Exceptions applicable to file systems accessed over RPC:
 * @throws RpcClientException If an exception occurred in the RPC client
 * @throws RpcServerException If an exception occurred in the RPC server
 * @throws UnexpectedServerException If server implementation throws 
 *           undeclared exception to RPC server
 * 
 * RuntimeExceptions:
 * @throws InvalidPathException If path <code>f</code> is invalid
 */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
public BlockLocation[] getFileBlockLocations(final Path f, final long start,
    final long len) throws AccessControlException, FileNotFoundException,
    UnsupportedFileSystemException, IOException {
  final Path absF = fixRelativePart(f);
  return new FSLinkResolver<BlockLocation[]>() {
    @Override
    public BlockLocation[] next(final AbstractFileSystem fs, final Path p) 
      throws IOException, UnresolvedLinkException {
      return fs.getFileBlockLocations(p, start, len);
    }
  }.resolve(this, absF);
}
 

/**
 * Create a user from a login name. It is intended to be used for remote
 * users in RPC, since it won't have any credentials.
 * @param user the full user principal name, must not be empty or null
 * @return the UserGroupInformation for the remote user.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation createRemoteUser(String user) {
  return createRemoteUser(user, AuthMethod.SIMPLE);
}
 

/**
 * Create a user from a login name. It is intended to be used for remote
 * users in RPC, since it won't have any credentials.
 * @param user the full user principal name, must not be empty or null
 * @return the UserGroupInformation for the remote user.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static UserGroupInformation createRemoteUser(String user) {
  return createRemoteUser(user, AuthMethod.SIMPLE);
}