Java Code Examples for org.apache.hadoop.security.SecurityUtil#getAuthenticationMethod()

Example 1
Source File: ReconServer.java    From hadoop-ozone with Apache License 2.0
/**
 * Logs the Recon service user in from its keytab.
 *
 * <p>Only the KERBEROS authentication method is accepted. Any other
 * configured method is rejected with an exception rather than letting the
 * service continue without a keytab login.
 *
 * @param conf Ozone configuration that supplies the authentication method,
 *             the Recon address and the keytab/principal settings
 * @throws IOException if one of the calls made during login reports an I/O
 *                     failure
 * @throws AuthenticationException if the configured authentication method
 *                                 is not KERBEROS
 */
private static void loginReconUser(OzoneConfiguration conf)
    throws IOException, AuthenticationException {

  final boolean kerberosConfigured = SecurityUtil.getAuthenticationMethod(conf)
      .equals(UserGroupInformation.AuthenticationMethod.KERBEROS);
  if (!kerberosConfigured) {
    // Fail closed: a non-Kerberos setting aborts the login instead of
    // downgrading to a weaker method.
    throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
        conf) + " authentication method not supported. "
        + "Recon service login failed.");
  }

  ReconConfig reconConfig = conf.getObject(ReconConfig.class);
  // Only the principal name and the keytab location are logged here; the
  // keytab contents never pass through this method.
  LOG.info("Ozone security is enabled. Attempting login for Recon service. "
          + "Principal: {}, keytab: {}",
      reconConfig.getKerberosPrincipal(),
      reconConfig.getKerberosKeytab());

  UserGroupInformation.setConfiguration(conf);

  // The host name of the Recon address is handed to the login call together
  // with the principal key. NOTE(review): if the principal uses a host
  // placeholder, the resulting identity depends on how this address
  // resolves - confirm name resolution is trustworthy on this host.
  InetSocketAddress reconAddress = HddsUtils.getReconAddresses(conf);
  SecurityUtil.login(conf,
      OZONE_RECON_KERBEROS_KEYTAB_FILE_KEY,
      OZONE_RECON_KERBEROS_PRINCIPAL_KEY,
      reconAddress.getHostName());

  LOG.info("Recon login successful.");
}
 
Example 2
Source File: OzoneManager.java    From hadoop-ozone with Apache License 2.0
/**
 * Logs the Ozone Manager service user in from its keytab.
 *
 * <p>The login is attempted only when the configured authentication method
 * is KERBEROS; every other method is rejected with an exception.
 *
 * @param conf Ozone configuration that supplies the authentication method,
 *             the OM address and the keytab/principal settings
 * @throws IOException if one of the calls made during login reports an I/O
 *                     failure
 * @throws AuthenticationException if the configured authentication method
 *                                 is not KERBEROS
 */
private static void loginOMUser(OzoneConfiguration conf)
    throws IOException, AuthenticationException {

  final boolean kerberosConfigured = SecurityUtil.getAuthenticationMethod(conf)
      .equals(AuthenticationMethod.KERBEROS);
  if (!kerberosConfigured) {
    // Fail closed: no fallback to a weaker method when Kerberos is not set.
    throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
        conf) + " authentication method not supported. OM user login "
        + "failed.");
  }

  if (LOG.isDebugEnabled()) {
    // Principal name and keytab path only; both are read straight from the
    // configuration keys that the login call below uses.
    LOG.debug("Ozone security is enabled. Attempting login for OM user. "
            + "Principal: {}, keytab: {}", conf.get(
        OZONE_OM_KERBEROS_PRINCIPAL_KEY),
        conf.get(OZONE_OM_KERBEROS_KEYTAB_FILE_KEY));
  }

  UserGroupInformation.setConfiguration(conf);

  // NOTE(review): the OM host name is passed to the login call alongside the
  // principal key; if the principal contains a host placeholder, the final
  // identity depends on how this address resolves - confirm.
  InetSocketAddress omAddress = OmUtils.getOmAddress(conf);
  SecurityUtil.login(conf, OZONE_OM_KERBEROS_KEYTAB_FILE_KEY,
      OZONE_OM_KERBEROS_PRINCIPAL_KEY, omAddress.getHostName());

  LOG.info("Ozone Manager login successful.");
}
 
Example 3
Source File: LoginProcessor.java    From atlas with Apache License 2.0
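/**
 * Performs the service login that matches the authentication method found
 * in the Hadoop configuration.
 *
 * <p>SIMPLE logs in from a {@code null} subject, with no keytab involved.
 * KERBEROS logs in from the configured keytab using the principal built from
 * the configured principal and the bind address. Any other method performs
 * no explicit login here; that case is now reported at WARN level instead of
 * passing silently.
 *
 * @param hadoopConfig  Hadoop configuration carrying the authentication method
 * @param configuration application configuration holding the principal and
 *                      keytab settings
 * @throws IllegalStateException if the login raises an {@link IOException}
 */
protected void doServiceLogin(Configuration hadoopConfig,
        org.apache.commons.configuration.Configuration configuration) {
    UserGroupInformation.setConfiguration(hadoopConfig);

    UserGroupInformation.AuthenticationMethod authenticationMethod =
            SecurityUtil.getAuthenticationMethod(hadoopConfig);
    try {
        if (authenticationMethod == UserGroupInformation.AuthenticationMethod.SIMPLE) {
            // No credential is presented on this path: the login is built
            // from a null subject, so the identity is not Kerberos-verified.
            UserGroupInformation.loginUserFromSubject(null);
        } else if (authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS) {
            String bindAddress = getHostname(configuration);
            UserGroupInformation.loginUserFromKeytab(
                    getServerPrincipal(configuration.getString(AUTHENTICATION_PRINCIPAL), bindAddress),
                    configuration.getString(AUTHENTICATION_KEYTAB));
        } else {
            // Previously this case fell through without a trace; surface it
            // so an unexpected authentication setting is visible in the log.
            LOG.warn("No explicit login performed for authentication method {}", authenticationMethod);
        }
        LOG.info("Logged in user {}", UserGroupInformation.getLoginUser());
    } catch (IOException e) {
        throw new IllegalStateException(String.format("Unable to perform %s login.", authenticationMethod), e);
    }
}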
 
Example 4
Source File: Server.java    From hadoop with Apache License 2.0
/**
 * Builds the list of authentication methods this server accepts, most
 * preferred first.
 *
 * <p>The configured method is always part of the result. When a secret
 * manager is present and the configured method is not TOKEN, TOKEN is placed
 * ahead of it. Note that in that case the configured method stays in the
 * list, so offering tokens does not by itself remove the configured method
 * from what the server accepts.
 *
 * @param secretManager secret manager backing token authentication, or
 *                      {@code null} if there is none
 * @param conf          configuration carrying the authentication method
 * @return accepted authentication methods in preference order
 * @throws IllegalArgumentException if TOKEN is the configured method but no
 *                                  secret manager was supplied
 */
private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
                                           Configuration conf) {
  final AuthenticationMethod configured =
      SecurityUtil.getAuthenticationMethod(conf);
  final boolean tokenConfigured = configured == AuthenticationMethod.TOKEN;
  final boolean haveSecretManager = secretManager != null;

  // TOKEN as the configured method cannot work without a secret manager.
  if (tokenConfigured && !haveSecretManager) {
    throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
        " authentication requires a secret manager");
  }

  final List<AuthMethod> accepted = new ArrayList<AuthMethod>();
  if (!tokenConfigured && haveSecretManager) {
    LOG.debug(AuthenticationMethod.TOKEN +
        " authentication enabled for secret manager");
    // Token authentication is listed first so it is the preferred choice.
    accepted.add(AuthenticationMethod.TOKEN.getAuthMethod());
  }
  accepted.add(configured.getAuthMethod());

  LOG.debug("Server accepts auth methods:" + accepted);
  return accepted;
}
 
Example 5
Source File: Server.java    From big-c with Apache License 2.0
/**
 * Returns the authentication methods the server will accept, ordered by
 * preference.
 *
 * <p>TOKEN is put at the front when a secret manager exists and the
 * configured method is something else; the configured method always follows.
 * The configured method therefore remains accepted even when tokens are
 * offered.
 *
 * @param secretManager secret manager used for token authentication; may be
 *                      {@code null}
 * @param conf          configuration from which the authentication method is
 *                      read
 * @return the accepted methods, preferred method first
 * @throws IllegalArgumentException if the configured method is TOKEN and
 *                                  {@code secretManager} is {@code null}
 */
private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
                                           Configuration conf) {
  final AuthenticationMethod fromConf =
      SecurityUtil.getAuthenticationMethod(conf);

  if (fromConf == AuthenticationMethod.TOKEN && secretManager == null) {
    // Token-only configuration with nothing to validate tokens against.
    throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
        " authentication requires a secret manager");
  }

  final List<AuthMethod> methods = new ArrayList<AuthMethod>();
  final boolean offerTokenFirst =
      fromConf != AuthenticationMethod.TOKEN && secretManager != null;
  if (offerTokenFirst) {
    LOG.debug(AuthenticationMethod.TOKEN +
        " authentication enabled for secret manager");
    // Preferred method goes to the head of the list.
    methods.add(AuthenticationMethod.TOKEN.getAuthMethod());
  }
  methods.add(fromConf.getAuthMethod());

  LOG.debug("Server accepts auth methods:" + methods);
  return methods;
}
 
Example 6
Source File: LoginProcessor.java    From incubator-atlas with Apache License 2.0
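/**
 * Logs the service in according to the authentication method set in the
 * Hadoop configuration.
 *
 * <p>SIMPLE logs in from a {@code null} subject and uses no keytab.
 * KERBEROS logs in from the configured keytab with a principal derived from
 * the configured principal and the bind address. Other methods trigger no
 * explicit login in this method and are reported at WARN level.
 *
 * @param hadoopConfig  Hadoop configuration carrying the authentication method
 * @param configuration application configuration holding the principal and
 *                      keytab settings
 * @throws IllegalStateException if the login raises an {@link IOException}
 */
protected void doServiceLogin(Configuration hadoopConfig,
        org.apache.commons.configuration.Configuration configuration) {
    UserGroupInformation.setConfiguration(hadoopConfig);

    UserGroupInformation.AuthenticationMethod authenticationMethod =
            SecurityUtil.getAuthenticationMethod(hadoopConfig);
    try {
        if (authenticationMethod == UserGroupInformation.AuthenticationMethod.SIMPLE) {
            // Login from a null subject: no Kerberos credential backs the
            // resulting identity on this path.
            UserGroupInformation.loginUserFromSubject(null);
        } else if (authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS) {
            String bindAddress = getHostname(configuration);
            UserGroupInformation.loginUserFromKeytab(
                    getServerPrincipal(configuration.getString(AUTHENTICATION_PRINCIPAL), bindAddress),
                    configuration.getString(AUTHENTICATION_KEYTAB));
        } else {
            // This branch used to be a silent fall-through; log it so a
            // misconfigured authentication method does not go unnoticed.
            LOG.warn("No explicit login performed for authentication method {}", authenticationMethod);
        }
        LOG.info("Logged in user {}", UserGroupInformation.getLoginUser());
    } catch (IOException e) {
        throw new IllegalStateException(String.format("Unable to perform %s login.", authenticationMethod), e);
    }
}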
 
Example 7
Source File: StorageContainerManager.java    From hadoop-ozone with Apache License 2.0
/**
 * Logs in as the configured SCM user from its keytab.
 *
 * <p>The login is attempted only when the Hadoop view of the configuration
 * selects KERBEROS; any other method is rejected with an exception.
 *
 * @param conf configuration source supplying the authentication method, the
 *             SCM bind address and the keytab/principal keys
 * @throws IOException if one of the calls made during login reports an I/O
 *                     failure
 * @throws AuthenticationException if the configured authentication method
 *                                 is not KERBEROS
 */
private void loginAsSCMUser(ConfigurationSource conf)
    throws IOException, AuthenticationException {
  if (LOG.isDebugEnabled()) {
    // NOTE(review): this reads `configuration`, not the `conf` parameter
    // used for the login below - confirm both refer to the same settings,
    // otherwise the logged principal/keytab may not be the ones used.
    // The message is also emitted before the authentication method has
    // been checked.
    ScmConfig scmConfig = configuration.getObject(ScmConfig.class);
    LOG.debug("Ozone security is enabled. Attempting login for SCM user. "
            + "Principal: {}, keytab: {}",
        scmConfig.getKerberosPrincipal(),
        scmConfig.getKerberosKeytab());
  }

  Configuration hadoopConf =
      LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
  final boolean kerberosConfigured = SecurityUtil
      .getAuthenticationMethod(hadoopConf)
      .equals(AuthenticationMethod.KERBEROS);
  if (!kerberosConfigured) {
    // Fail closed: no fallback to a weaker method.
    throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
        hadoopConf) + " authentication method not support. "
        + "SCM user login failed.");
  }

  UserGroupInformation.setConfiguration(hadoopConf);
  // The bind address host name is passed to the login call together with
  // the principal key.
  InetSocketAddress bindAddress = HddsServerUtil
      .getScmBlockClientBindAddress(conf);
  SecurityUtil.login(hadoopConf,
        ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
        ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
        bindAddress.getHostName());

  LOG.info("SCM login successful.");
}
 
Example 8
Source File: HdfsRepository.java    From crate with Apache License 2.0
/**
 * Validates the Hadoop authentication settings against the repository
 * settings and returns the user to act as.
 *
 * <p>Only SIMPLE and KERBEROS are accepted. A Kerberos principal combined
 * with SIMPLE switches the passed configuration to KERBEROS (with a warning);
 * KERBEROS without a principal is rejected. When security is enabled the
 * user is logged in from a keytab, otherwise the current user is returned.
 *
 * @param hadoopConfiguration Hadoop configuration; its authentication method
 *                            may be changed by this call
 * @param repositorySettings  repository settings that may name a Kerberos
 *                            principal
 * @return the keytab-backed user when security is enabled, else the current
 *         user
 * @throws RuntimeException if the authentication method is unsupported, or
 *                          is KERBEROS without a principal
 * @throws UncheckedIOException if obtaining the user raises an
 *                              {@link IOException}
 */
private UserGroupInformation login(Configuration hadoopConfiguration, Settings repositorySettings) {
    // Reject anything other than the two supported methods up front.
    final AuthenticationMethod configuredMethod = SecurityUtil.getAuthenticationMethod(hadoopConfiguration);
    final boolean simpleConfigured = configuredMethod.equals(AuthenticationMethod.SIMPLE);
    final boolean kerberosConfigured = configuredMethod.equals(AuthenticationMethod.KERBEROS);
    if (!simpleConfigured && !kerberosConfigured) {
        throw new RuntimeException("Unsupported authorization mode [" + configuredMethod + "]");
    }

    // The principal comes from the repository settings, not from Hadoop's own configuration.
    final String kerberosPrincipal = repositorySettings.get(CONF_SECURITY_PRINCIPAL);
    final boolean principalGiven = kerberosPrincipal != null;

    if (principalGiven && simpleConfigured) {
        // A principal alongside SIMPLE is resolved toward the stronger method;
        // note this mutates the caller's configuration object.
        LOGGER.warn("Hadoop authentication method is set to [SIMPLE], but a Kerberos principal is " +
            "specified. Continuing with [KERBEROS] authentication.");
        SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, hadoopConfiguration);
    } else if (!principalGiven && kerberosConfigured) {
        throw new RuntimeException("HDFS Repository does not support [KERBEROS] authentication without " +
            "a valid Kerberos principal and keytab. Please specify a principal in the repository settings with [" +
            CONF_SECURITY_PRINCIPAL + "].");
    }

    // Hand the (possibly adjusted) configuration to UGI through its static setter.
    UserGroupInformation.setConfiguration(hadoopConfiguration);

    LOGGER.debug("Hadoop security enabled: [{}]", UserGroupInformation.isSecurityEnabled());
    LOGGER.debug("Using Hadoop authentication method: [{}]", SecurityUtil.getAuthenticationMethod(hadoopConfiguration));

    try {
        if (!UserGroupInformation.isSecurityEnabled()) {
            // No keytab login on this path: the identity is whatever the current user is.
            return UserGroupInformation.getCurrentUser();
        }
        final String principal = preparePrincipal(kerberosPrincipal);
        // The keytab path is derived from the environment rather than taken from the repository settings.
        final String keytab = HdfsSecurityContext.locateKeytabFile(environment).toString();
        LOGGER.debug("Using kerberos principal [{}] and keytab located at [{}]", principal, keytab);
        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    } catch (IOException e) {
        throw new UncheckedIOException("Could not retrieve the current user information", e);
    }
}
 
Example 9
Source File: Utilities.java    From pxf with Apache License 2.0
/**
 * Reports whether the configuration selects anything other than simple
 * authentication.
 *
 * <p>The check is "not SIMPLE", not "is KERBEROS": every non-SIMPLE
 * authentication method makes this return {@code true}. Callers that need
 * Kerberos specifically should compare against that method themselves.
 *
 * @param configuration the configuration for a given server
 * @return {@code true} if the configured authentication method is not SIMPLE
 */
public static boolean isSecurityEnabled(Configuration configuration) {
    final UserGroupInformation.AuthenticationMethod configuredMethod =
            SecurityUtil.getAuthenticationMethod(configuration);
    return configuredMethod != UserGroupInformation.AuthenticationMethod.SIMPLE;
}