Java Code Examples for org.apache.hadoop.hbase.security.UserProvider#login()

The following examples show how to use org.apache.hadoop.hbase.security.UserProvider#login().
Example 1
Source File: HBaseSecurityUtil.java    From storm-hbase with Apache License 2.0
/**
 * Builds a {@link UserProvider} from {@code hbaseConfig} and, when Hadoop security is enabled,
 * performs a login through it.
 *
 * <p>The entries stored in {@code conf} under {@code STORM_KEYTAB_FILE_KEY} and
 * {@code STORM_USER_NAME_KEY} are copied into {@code hbaseConfig} under the same keys; an
 * absent entry is skipped. {@code login} is then given the two key names (not the values)
 * together with this machine's canonical host name.
 *
 * <p>NOTE(review): the host name is whatever local name resolution returns for
 * {@code InetAddress.getLocalHost()}. Presumably it is substituted into the principal, so an
 * unexpected resolver answer would change which principal is requested. Confirm against
 * UserProvider.
 *
 * <p>NOTE(review): the keytab path is taken from {@code conf} as is. Nothing here checks that
 * the file exists or that it is readable only by the service account.
 *
 * @param conf map consulted for the keytab and user-name entries; values are cast to String
 * @param hbaseConfig configuration the provider is created from and the entries are copied into
 * @return the provider, logged in only when security is enabled
 * @throws IOException if the local host name cannot be determined or the login fails
 */
public static UserProvider login(Map conf, Configuration hbaseConfig) throws IOException {
    final UserProvider userProvider = UserProvider.instantiate(hbaseConfig);
    if (!UserGroupInformation.isSecurityEnabled()) {
        // Insecure cluster: hand back the provider without touching either configuration.
        return userProvider;
    }

    // Keytab first, then user name, each copied only when the caller supplied it.
    for (String key : new String[] {STORM_KEYTAB_FILE_KEY, STORM_USER_NAME_KEY}) {
        final String configured = (String) conf.get(key);
        if (configured != null) {
            hbaseConfig.set(key, configured);
        }
    }

    final String localHost = InetAddress.getLocalHost().getCanonicalHostName();
    userProvider.login(STORM_KEYTAB_FILE_KEY, STORM_USER_NAME_KEY, localHost);
    return userProvider;
}
 
Example 2
Source File: HMaster.java    From hbase with Apache License 2.0
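/**
 * Logs in with the region server credentials first and, for compatibility, retries with the
 * master keytab and principal when that attempt fails with an {@link IOException}.
 *
 * <p>If the fallback fails as well, the first failure is attached to the thrown exception as
 * a suppressed exception, so both causes are visible to whoever diagnoses the failed login.
 *
 * <p>NOTE(review): a fallback that succeeds still hides the first failure. No logger is
 * visible in this excerpt; if one is in scope, recording the first failure at WARN would make
 * a silent switch of credentials visible to operators.
 *
 * @param user provider used for the fallback login
 * @param host host name passed unchanged to both login attempts
 * @throws IOException if the fallback login fails; the initial failure is attached as a
 *     suppressed exception
 */
@Override
protected void login(UserProvider user, String host) throws IOException {
  try {
    super.login(user, host);
  } catch (IOException primaryFailure) {
    try {
      user.login(SecurityConstants.MASTER_KRB_KEYTAB_FILE,
              SecurityConstants.MASTER_KRB_PRINCIPAL, host);
    } catch (IOException fallbackFailure) {
      // Keep the first failure reachable; addSuppressed rejects self-suppression, hence the guard.
      if (fallbackFailure != primaryFailure) {
        fallbackFailure.addSuppressed(primaryFailure);
      }
      throw fallbackFailure;
    }
  }
}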
 
Example 3
Source File: RESTServer.java    From hbase with Apache License 2.0
/**
 * Logs in the REST server principal when both Hadoop and HBase security are enabled, and
 * selects the servlet container (plus an optional authentication filter) to use.
 *
 * <p>With security enabled, the keytab and principal settings must be present and non-empty,
 * otherwise {@code Preconditions.checkArgument} rejects the configuration. The login is given
 * the configuration key names and the host name resolved from the configured DNS interface
 * and name server.
 *
 * <p>NOTE(review): {@code SKIP_LOGIN_KEY} bypasses the login entirely. The original comment
 * describes it as a hook for unit tests, so a deployment should verify it is never set.
 *
 * <p>NOTE(review): when {@code REST_AUTHENTICATION_TYPE} is unset, the returned filter is
 * {@code null} even though security is enabled. Whether the caller installs another filter
 * is not visible here.
 *
 * @param userProvider provider queried for the security flags and used for the login
 * @param conf configuration holding the DNS, keytab, principal and authentication settings
 * @return the authentication filter (or {@code null}) paired with the container class
 * @throws Exception if host resolution or the login fails
 */
private static Pair<FilterHolder, Class<? extends ServletContainer>> loginServerPrincipal(
  UserProvider userProvider, Configuration conf) throws Exception {
  final Class<? extends ServletContainer> plainContainer = ServletContainer.class;
  final boolean secure =
    userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled();
  if (!secure) {
    return new Pair<>(null, plainContainer);
  }

  final String dnsInterface = conf.get(REST_DNS_INTERFACE, "default");
  final String dnsNameserver = conf.get(REST_DNS_NAMESERVER, "default");
  final String machineName =
    Strings.domainNamePointerToHostName(DNS.getDefaultHost(dnsInterface, dnsNameserver));

  final String keytabFilename = conf.get(REST_KEYTAB_FILE);
  final boolean keytabConfigured = keytabFilename != null && !keytabFilename.isEmpty();
  Preconditions.checkArgument(keytabConfigured,
    REST_KEYTAB_FILE + " should be set if security is enabled");

  final String principalConfig = conf.get(REST_KERBEROS_PRINCIPAL);
  final boolean principalConfigured = principalConfig != null && !principalConfig.isEmpty();
  Preconditions.checkArgument(principalConfigured,
    REST_KERBEROS_PRINCIPAL + " should be set if security is enabled");

  // Hook for unit tests: a real login would log out any other user and disturb the tests.
  final boolean skipLogin = conf.getBoolean(SKIP_LOGIN_KEY, false);
  if (!skipLogin) {
    userProvider.login(REST_KEYTAB_FILE, REST_KERBEROS_PRINCIPAL, machineName);
  }

  if (conf.get(REST_AUTHENTICATION_TYPE) == null) {
    return new Pair<>(null, plainContainer);
  }

  final Class<? extends ServletContainer> restContainer = RESTServletContainer.class;
  final FilterHolder authFilter = new FilterHolder();
  authFilter.setClassName(AuthFilter.class.getName());
  authFilter.setName("AuthenticationFilter");
  return new Pair<>(authFilter, restContainer);
}
 
Example 4
Source File: AuthUtil.java    From hbase with Apache License 2.0
/**
 * Logs in through {@code provider} using the client keytab and principal settings, then
 * returns the provider's current user.
 *
 * <p>A failed login is logged at ERROR level with the exception message only (no stack
 * trace) and the same exception is rethrown to the caller.
 *
 * <p>NOTE(review): the values logged are the same constants handed to {@code login}.
 * Presumably these are configuration key names rather than the resolved principal and keytab
 * path, which keeps the path out of the log but also makes the message less specific.
 *
 * @param provider provider to log in with
 * @return the provider's current user after the login
 * @throws IOException if the login fails or the current user cannot be obtained
 */
private static User loginFromKeytabAndReturnUser(UserProvider provider) throws IOException {
  final String keytabKey = HBASE_CLIENT_KEYTAB_FILE;
  final String principalKey = HBASE_CLIENT_KERBEROS_PRINCIPAL;
  try {
    provider.login(keytabKey, principalKey);
  } catch (IOException loginFailure) {
    final String reason = loginFailure.getMessage();
    LOG.error("Error while trying to login as user {} through {}, with message: {}.",
      principalKey, keytabKey, reason);
    throw loginFailure;
  }
  // Looked up outside the try block so that its own failures are not logged as login errors.
  return provider.getCurrent();
}
 
Example 5
Source File: ThriftServer.java    From hbase with Apache License 2.0
/**
 * Initializes the Thrift server's security state and runtime components from {@code conf}.
 *
 * <p>Steps, in order: log in the server principal (and a separate SPNEGO identity) when both
 * Hadoop and HBase security are enabled; record the service and HTTP UGIs; read the listen
 * port and create metrics, pause monitor, handler and processor; read the HTTP and doAs
 * switches; validate the configured SASL quality of protection; register filters and start
 * the pause monitor.
 *
 * <p>NOTE(review): secure mode is enforced here only when a QoP is set. With
 * {@code THRIFT_QOP_KEY} unset and the {@code qop} field still null, this method completes
 * without requiring security to be enabled.
 *
 * @throws IOException if a login fails, the QoP value is not one of the accepted constants,
 *     or a QoP is configured while security is disabled
 */
protected void setupParamters() throws IOException {
  // login the server principal (if using secure Hadoop)
  UserProvider userProvider = UserProvider.instantiate(conf);
  // Both the Hadoop and the HBase security flags must be on for the secure path below.
  securityEnabled = userProvider.isHadoopSecurityEnabled()
      && userProvider.isHBaseSecurityEnabled();
  if (securityEnabled) {
    // Host name is derived from the configured DNS interface and name server and is handed to
    // the login together with the keytab and principal configuration keys.
    host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
        conf.get(THRIFT_DNS_INTERFACE_KEY, "default"),
        conf.get(THRIFT_DNS_NAMESERVER_KEY, "default")));
    userProvider.login(THRIFT_KEYTAB_FILE_KEY, THRIFT_KERBEROS_PRINCIPAL_KEY, host);

    // Setup the SPNEGO user for HTTP if configured
    // NOTE(review): the SPNEGO login below runs whenever security is enabled; whether the two
    // helpers can return null when SPNEGO is not configured is not visible here - confirm.
    String spnegoPrincipal = getSpengoPrincipal(conf, host);
    String spnegoKeytab = getSpnegoKeytab(conf);
    UserGroupInformation.setConfiguration(conf);
    // login the SPNEGO principal using UGI to avoid polluting the login user
    this.httpUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipal,
      spnegoKeytab);
  }
  this.serviceUGI = userProvider.getCurrent().getUGI();
  // Without a separate HTTP identity, HTTP requests run as the service identity.
  if (httpUGI == null) {
    this.httpUGI = serviceUGI;
  }

  this.listenPort = conf.getInt(PORT_CONF_KEY, DEFAULT_LISTEN_PORT);
  this.metrics = createThriftMetrics(conf);
  this.pauseMonitor = new JvmPauseMonitor(conf, this.metrics.getSource());
  this.hbaseServiceHandler = createHandler(conf, userProvider);
  this.hbaseServiceHandler.initMetrics(metrics);
  this.processor = createProcessor();

  httpEnabled = conf.getBoolean(USE_HTTP_CONF_KEY, false);
  doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, false);
  // doAs without HTTP is only warned about; setup continues and doAsEnabled stays true.
  if (doAsEnabled && !httpEnabled) {
    LOG.warn("Fail to enable the doAs feature. " + USE_HTTP_CONF_KEY + " is not configured");
  }

  String strQop = conf.get(THRIFT_QOP_KEY);
  if (strQop != null) {
    this.qop = SaslUtil.getQop(strQop);
  }
  if (qop != null) {
    // Accept only the three named protection levels; anything else is a configuration error.
    if (qop != SaslUtil.QualityOfProtection.AUTHENTICATION &&
        qop != SaslUtil.QualityOfProtection.INTEGRITY &&
        qop != SaslUtil.QualityOfProtection.PRIVACY) {
      throw new IOException(String.format("Invalid %s: It must be one of %s, %s, or %s.",
          THRIFT_QOP_KEY,
          SaslUtil.QualityOfProtection.AUTHENTICATION.name(),
          SaslUtil.QualityOfProtection.INTEGRITY.name(),
          SaslUtil.QualityOfProtection.PRIVACY.name()));
    }
    checkHttpSecurity(qop, conf);
    // A QoP setting requires secure mode; note this check runs after checkHttpSecurity.
    if (!securityEnabled) {
      throw new IOException("Thrift server must run in secure mode to support authentication");
    }
  }
  registerFilters(conf);
  pauseMonitor.start();
}
 
Example 6
Source File: HRegionServer.java    From hbase with Apache License 2.0
/**
 * Logs in through {@code user} with the region server keytab and principal settings.
 *
 * <p>The two {@code SecurityConstants} values are passed to {@code login} as they are,
 * followed by {@code host}. Failures are not caught here and propagate to the caller.
 *
 * @param user provider that performs the login
 * @param host host name forwarded to the login call
 * @throws IOException if the login fails
 */
protected void login(UserProvider user, String host) throws IOException {
  final String keytabKey = SecurityConstants.REGIONSERVER_KRB_KEYTAB_FILE;
  final String principalKey = SecurityConstants.REGIONSERVER_KRB_PRINCIPAL;
  user.login(keytabKey, principalKey, host);
}