Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getUGIFromSubject()
The following examples show how to use
org.apache.hadoop.security.UserGroupInformation#getUGIFromSubject().
Example 1
Source File: TestKMS.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Runs {@code action} under the identity of the Kerberos principal {@code user}.
 *
 * <p>A JAAS login is performed for that principal with the client configuration
 * built from {@code user} and the enclosing class's {@code keytab}. The subject
 * returned by the login is wrapped in a {@link UserGroupInformation} and the
 * action executes inside {@code ugi.doAs}. The login context is logged out in a
 * {@code finally} block, so the logout runs whether the action returns or throws.
 *
 * @param user   Kerberos principal name to log in as
 * @param action work to execute under that identity
 * @return the value returned by {@code action}
 * @throws Exception if the login, the action, or the logout fails
 */
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action) throws Exception {
  // The subject starts with the principal only: it is writable (readOnly == false)
  // and both credential sets are empty, leaving them for the login to fill.
  final Set<Principal> clientPrincipals = new HashSet<Principal>();
  clientPrincipals.add(new KerberosPrincipal(user));
  final Subject seedSubject =
      new Subject(false, clientPrincipals, new HashSet<Object>(), new HashSet<Object>());

  // client login
  final LoginContext clientLogin = new LoginContext(
      "", seedSubject, null, KerberosConfiguration.createClientConfig(user, keytab));
  try {
    clientLogin.login();
    final Subject authenticated = clientLogin.getSubject();
    return UserGroupInformation.getUGIFromSubject(authenticated).doAs(action);
  } finally {
    // Also reached when login() itself threw. An exception raised by logout()
    // replaces whatever exception was already propagating.
    clientLogin.logout();
  }
}
Example 2
Source File: TestKMS.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Executes {@code action} as the given Kerberos principal.
 *
 * <p>The method builds a subject holding only a {@link KerberosPrincipal} for
 * {@code user}, logs it in through a {@link LoginContext} configured by
 * {@code KerberosConfiguration.createClientConfig(user, keytab)}, derives a
 * {@link UserGroupInformation} from the logged-in subject and runs the action
 * under it. The context is logged out before the method returns or rethrows.
 *
 * @param user   Kerberos principal name used for the login
 * @param action privileged work to run after the login succeeds
 * @return the result produced by {@code action}
 * @throws Exception on login failure, on any exception from the action, or on logout failure
 */
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action) throws Exception {
  final Set<Principal> principalSet = new HashSet<Principal>();
  principalSet.add(new KerberosPrincipal(user));

  // client login
  // Credential sets are passed in empty; nothing secret is placed in the subject here.
  Subject loginSubject =
      new Subject(false, principalSet, new HashSet<Object>(), new HashSet<Object>());
  final LoginContext context = new LoginContext(
      "", loginSubject, null, KerberosConfiguration.createClientConfig(user, keytab));

  try {
    context.login();
    loginSubject = context.getSubject();
    final UserGroupInformation clientUgi = UserGroupInformation.getUGIFromSubject(loginSubject);
    return clientUgi.doAs(action);
  } finally {
    // Runs on every exit path, including a failed login(); a failure here
    // supersedes any exception thrown inside the try block.
    context.logout();
  }
}
Example 3
Source File: HBaseMetadataService.java From streamline with Apache License 2.0 | 6 votes |
/**
 * Creates an {@link HBaseMetadataService} that delegates to an {@link Admin}
 * obtained from a connection built with the given {@link Configuration}.
 *
 * <p>If {@code SecurityUtil.isKerberosAuthenticated(securityContext)} is true, the
 * connection is opened as a proxy user: the UGI derived from {@code subject} is the
 * real user and the name of {@code securityContext.getUserPrincipal()} is the
 * impersonated user. Otherwise a plain connection is opened and the service is
 * created with a {@code null} user.
 *
 * @param hbaseConfig          HBase configuration; on the Kerberos path it is also
 *                             installed as the static {@link UserGroupInformation} configuration
 * @param securityContext      security context of the calling request
 * @param subject              JAAS subject supplying the real (service) identity
 * @param hbaseMaster          passed through to the service constructor
 * @param hbaseMasterProcesses passed through to the service constructor
 * @return the new metadata service
 * @throws IOException if the UGI cannot be derived or the connection cannot be created
 * @throws EntityNotFoundException declared by the signature; not thrown directly in this body
 */
public static HBaseMetadataService newInstance(Configuration hbaseConfig, SecurityContext securityContext, Subject subject,
                                               Component hbaseMaster, Collection<ComponentProcess> hbaseMasterProcesses)
        throws IOException, EntityNotFoundException {

    if (!SecurityUtil.isKerberosAuthenticated(securityContext)) {
        // No Kerberos: connect without an explicit user and record none on the service.
        return new HBaseMetadataService(
                ConnectionFactory.createConnection(hbaseConfig).getAdmin(),
                securityContext, subject, null, hbaseMaster, hbaseMasterProcesses);
    }

    // Sets Kerberos rules. This is a static, JVM-wide setting on UserGroupInformation.
    UserGroupInformation.setConfiguration(hbaseConfig);

    // Adds User principal to the subject
    final UserGroupInformation realUserUgi = UserGroupInformation.getUGIFromSubject(subject);

    // The impersonated name is taken from the request's security context.
    // NOTE(review): whether the cluster accepts this impersonation presumably depends on
    // server-side proxy-user settings that are not visible here; confirm they are
    // restricted to the intended service principal.
    final String impersonatedName = securityContext.getUserPrincipal().getName();
    final UserGroupInformation proxyUserForImpersonation =
            UserGroupInformation.createProxyUser(impersonatedName, realUserUgi);
    final User user = User.create(proxyUserForImpersonation);

    return new HBaseMetadataService(
            ConnectionFactory.createConnection(hbaseConfig, user).getAdmin(),
            securityContext, subject, user, hbaseMaster, hbaseMasterProcesses);
}
Example 4
Source File: HiveMetadataService.java From streamline with Apache License 2.0 | 6 votes |
/**
 * Creates a {@link HiveMetadataService} that delegates to a {@link HiveMetaStoreClient}
 * built from the given {@link HiveConf}.
 *
 * <p>If {@code SecurityUtil.isKerberosAuthenticated(securityContext)} is true, the
 * metastore client is constructed inside {@code SecurityUtil.execute(...)} with the
 * security context and subject; otherwise it is constructed directly.
 *
 * @param hiveConf               Hive configuration; on the Kerberos path it is also
 *                               installed as the static {@link UserGroupInformation} configuration
 * @param securityContext        security context of the calling request
 * @param subject                JAAS subject used for the secured client creation
 * @param hiveMetastore          passed through to the service constructor
 * @param hiveMetastoreProcesses passed through to the service constructor
 * @return the new metadata service
 * @throws MetaException if the metastore client cannot be created
 * @throws IOException if the UGI cannot be derived from {@code subject}
 * @throws EntityNotFoundException declared by the signature; not thrown directly in this body
 * @throws PrivilegedActionException declared by the signature; presumably raised by
 *         {@code SecurityUtil.execute} (not visible here)
 */
public static HiveMetadataService newInstance(HiveConf hiveConf, SecurityContext securityContext,
                                              Subject subject, Component hiveMetastore,
                                              Collection<ComponentProcess> hiveMetastoreProcesses)
        throws MetaException, IOException, EntityNotFoundException, PrivilegedActionException {

    if (!SecurityUtil.isKerberosAuthenticated(securityContext)) {
        final HiveMetaStoreClient plainClient = new HiveMetaStoreClient(hiveConf);
        return new HiveMetadataService(plainClient, hiveConf, securityContext, subject,
                hiveMetastore, hiveMetastoreProcesses);
    }

    // Sets Kerberos rules. This is a static, JVM-wide setting on UserGroupInformation.
    UserGroupInformation.setConfiguration(hiveConf);

    // Adds User principal to this subject. The returned UGI is intentionally discarded:
    // the call is made only for its effect on the subject.
    UserGroupInformation.getUGIFromSubject(subject);

    return new HiveMetadataService(
            SecurityUtil.execute(() -> new HiveMetaStoreClient(hiveConf), securityContext, subject),
            hiveConf, securityContext, subject, hiveMetastore, hiveMetastoreProcesses);
}
Example 5
Source File: DefaultLoginUgiProvider.java From datacollector with Apache License 2.0 | 6 votes |
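/**
 * Returns the login {@link UserGroupInformation} for the JAAS subject associated with the
 * current access-control context.
 *
 * <p>The supplied configuration is first adjusted by
 * {@code HadoopConfigurationUtils.configureHadoopTreatSubjectExternal} and installed as the
 * static UGI configuration. With Hadoop security enabled, the UGI is derived directly from
 * the subject; otherwise the subject is logged in as the login user and that login user is
 * returned.
 *
 * @param hdfsConfiguration Hadoop configuration to install before resolving the UGI
 * @return the resolved login UGI
 * @throws IOException if the UGI cannot be derived or the login fails
 */
@Override
public UserGroupInformation getLoginUgi(Configuration hdfsConfiguration) throws IOException {
  AccessControlContext accessContext = AccessController.getContext();
  // May be null when no subject is bound to the context; the debug log below allows for that.
  Subject subject = Subject.getSubject(accessContext);
  UserGroupInformation loginUgi;
  //HADOOP-13805
  HadoopConfigurationUtils.configureHadoopTreatSubjectExternal(hdfsConfiguration);
  UserGroupInformation.setConfiguration(hdfsConfiguration);
  if (UserGroupInformation.isSecurityEnabled()) {
    loginUgi = UserGroupInformation.getUGIFromSubject(subject);
  } else {
    UserGroupInformation.loginUserFromSubject(subject);
    loginUgi = UserGroupInformation.getLoginUser();
  }
  if (LOG.isDebugEnabled()) {
    // Subject.toString() renders the subject's private credentials along with its
    // principals, which for a Kerberos subject can put ticket and session-key material
    // into the debug log. Log only whether a subject is present; the principals and the
    // UGI carry the identity information needed for diagnosis.
    LOG.debug(
        "Subject = {}, Principals = {}, Login UGI = {}",
        subject == null ? "null" : "<present, credentials not logged>",
        subject == null ? "null" : subject.getPrincipals(),
        loginUgi
    );
  }
  return loginUgi;
}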
Example 6
Source File: KerberosFactory.java From Bats with Apache License 2.0 | 5 votes |
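/**
 * Obtains a Kerberos-backed {@link UserGroupInformation} according to the connection
 * properties.
 *
 * <p>Kerberos is installed as the static UGI authentication method, then one of three
 * sources is used:
 * <ul>
 *   <li>{@code DrillProperties.KERBEROS_FROM_SUBJECT} present and parsing to {@code true}:
 *       the subject bound to the current access-control context;</li>
 *   <li>a non-null {@code DrillProperties.KEYTAB}: a keytab login for
 *       {@code DrillProperties.USER};</li>
 *   <li>otherwise: the current user (includes Kerberos ticket login).</li>
 * </ul>
 *
 * @param properties connection properties; the keytab, user and from-subject values are
 *                   cast to {@link String}, so non-string values raise {@link ClassCastException}
 * @return the UGI for the selected login source
 * @throws IOException as a {@link SaslException} when the login fails
 */
@Override
public UserGroupInformation createAndLoginUser(final Map<String, ?> properties) throws IOException {
  final Configuration conf = new SecurityConfiguration();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
      UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
  // Static, JVM-wide setting on UserGroupInformation.
  UserGroupInformation.setConfiguration(conf);

  final String keytab = (String) properties.get(DrillProperties.KEYTAB);
  final boolean assumeSubject = properties.containsKey(DrillProperties.KERBEROS_FROM_SUBJECT) &&
      Boolean.parseBoolean((String) properties.get(DrillProperties.KERBEROS_FROM_SUBJECT));
  try {
    final UserGroupInformation ugi;
    if (assumeSubject) {
      // Subject.getSubject returns null when no subject is bound to the context.
      // NOTE(review): getUGIFromSubject is presumably expected to reject that with an
      // IOException, which the catch below turns into a SaslException; confirm.
      ugi = UserGroupInformation.getUGIFromSubject(Subject.getSubject(AccessController.getContext()));
      logger.debug("Assuming subject for {}.", ugi.getShortUserName());
    } else {
      if (keytab != null) {
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            (String) properties.get(DrillProperties.USER), keytab);
        logger.debug("Logged in {} using keytab.", ugi.getShortUserName());
      } else {
        // includes Kerberos ticket login
        ugi = UserGroupInformation.getCurrentUser();
        logger.debug("Logged in {} using ticket.", ugi.getShortUserName());
      }
    }
    return ugi;
  } catch (final IOException e) {
    logger.debug("Login failed.", e);
    final Throwable cause = e.getCause();
    if (cause instanceof LoginException) {
      throw new SaslException("Failed to login.", cause);
    }
    // An IOException without a cause used to be rethrown with a null cause, which
    // discarded the only record of why the login failed. Fall back to the
    // IOException itself so the failure stays diagnosable above debug level.
    throw new SaslException("Unexpected failure trying to login.", cause != null ? cause : e);
  }
}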
Example 7
Source File: MapRLoginUgiProvider.java From datacollector with Apache License 2.0 | 5 votes |
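/**
 * Returns the login {@link UserGroupInformation} for the JAAS subject associated with the
 * current access-control context, taking the MapR username/password security switch into
 * account.
 *
 * <p>The UGI is derived directly from the subject only when Hadoop security is enabled and
 * the MapR username/password system property does not parse to {@code true}. In every other
 * case the subject is logged in as the login user and that login user is returned.
 *
 * @param hdfsConfiguration Hadoop configuration to install before resolving the UGI
 * @return the resolved login UGI
 * @throws IOException if the UGI cannot be derived or the login fails
 */
@Override
public UserGroupInformation getLoginUgi(Configuration hdfsConfiguration) throws IOException {
  // check system property to see if MapR U/P security is enabled
  String maprLoginEnabled = System.getProperty(
      MAPR_USERNAME_PASSWORD_SECURITY_ENABLED_KEY,
      MAPR_USERNAME_PASSWORD_SECURITY_ENABLED_DEFAULT
  );
  boolean isMapRLogin = Boolean.parseBoolean(maprLoginEnabled);
  AccessControlContext accessControlContext = AccessController.getContext();
  // May be null when no subject is bound to the context; the debug log below allows for that.
  Subject subject = Subject.getSubject(accessControlContext);
  //HADOOP-13805
  HadoopConfigurationUtils.configureHadoopTreatSubjectExternal(hdfsConfiguration);
  // SDC-4015 As privateclassloader is false for MapR, UGI is shared and it also needs to be under jvm lock
  UserGroupInformation.setConfiguration(hdfsConfiguration);
  UserGroupInformation loginUgi;
  if (UserGroupInformation.isSecurityEnabled() && !isMapRLogin) {
    // The code in this block must only be executed in case Kerberos is enabled.
    // MapR implementation of UserGroupInformation.isSecurityEnabled() returns true even if Kerberos is not enabled.
    // System property helps to avoid this code path in such a case
    loginUgi = UserGroupInformation.getUGIFromSubject(subject);
  } else {
    UserGroupInformation.loginUserFromSubject(subject);
    loginUgi = UserGroupInformation.getLoginUser();
  }
  if (LOG.isDebugEnabled()) {
    // Subject.toString() renders the subject's private credentials along with its
    // principals, which for a Kerberos subject can put ticket and session-key material
    // into the debug log. Log only whether a subject is present; the principals and the
    // UGI carry the identity information needed for diagnosis.
    LOG.debug(
        "Subject = {}, Principals = {}, Login UGI = {}",
        subject == null ? "null" : "<present, credentials not logged>",
        subject == null ? "null" : subject.getPrincipals(),
        loginUgi
    );
  }
  return loginUgi;
}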
Example 8
Source File: MiscUtil.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Builds a {@link UserGroupInformation} from a JAAS subject, logging the subject's
 * principals along the way.
 *
 * @param subject subject to convert; may be {@code null}
 * @return the UGI derived from {@code subject}, or {@code null} when {@code subject} is {@code null}
 * @throws IOException if {@code UserGroupInformation.getUGIFromSubject} fails
 */
public static UserGroupInformation createUGIFromSubject(Subject subject) throws IOException {
	final String presence = (subject == null) ? "not found" : "found";
	logger.info("SUBJECT " + presence);

	if (subject == null) {
		logger.info("Server username is not available");
		return null;
	}

	// Only principal names are logged; the subject's credential sets are never printed.
	final Set<Principal> principals = subject.getPrincipals();
	logger.info("SUBJECT.PRINCIPALS.size()=" + principals.size());
	for (Principal each : principals) {
		logger.info("SUBJECT.PRINCIPAL.NAME=" + each.getName());
	}

	try {
		// Do not remove the below statement. The default
		// getLoginUser does some initialization which is needed
		// for getUGIFromSubject() to work.
		UserGroupInformation.getLoginUser();
		logger.info("Default UGI before using new Subject:" + UserGroupInformation.getLoginUser());
	} catch (Throwable t) {
		// Best effort: any failure of the initialization (including Errors) is logged
		// and the conversion below is still attempted.
		logger.error(t);
	}

	final UserGroupInformation subjectUgi = UserGroupInformation.getUGIFromSubject(subject);
	logger.info("SUBJECT.UGI.NAME=" + subjectUgi.getUserName() + ", ugi=" + subjectUgi);
	return subjectUgi;
}
Example 9
Source File: ImpalaLineageHook.java From atlas with Apache License 2.0 | 4 votes |
/**
 * Builds a {@link UserGroupInformation} for a user name by wrapping it in a subject that
 * holds a single {@link KerberosPrincipal}.
 *
 * <p>If {@code userName} does not contain {@code REALM_SEPARATOR}, {@code "@"} and the value
 * of {@code getRealm()} are appended to form the principal. The subject is created with
 * empty public and private credential sets, so the resulting UGI is built from the name
 * alone; no Kerberos login is performed in this method.
 *
 * @param userName user name, with or without a realm; must not be {@code null}
 * @return the UGI derived from the constructed subject
 * @throws IOException if {@code UserGroupInformation.getUGIFromSubject} fails
 */
private UserGroupInformation getUgiFromUserName(String userName) throws IOException {
    final String userPrincipal;
    if (userName.contains(REALM_SEPARATOR)) {
        userPrincipal = userName;
    } else {
        userPrincipal = userName + "@" + getRealm();
    }

    // NOTE(review): the name is taken as given and no credential backs it. Callers should
    // treat the result as an identity label, not as proof of authentication; confirm
    // where userName originates.
    final HashSet<KerberosPrincipal> principalSet = Sets.newHashSet(new KerberosPrincipal(userPrincipal));
    final Subject userSubject =
        new Subject(false, principalSet, new HashSet<Object>(), new HashSet<Object>());

    return UserGroupInformation.getUGIFromSubject(userSubject);
}
Example 10
Source File: UGIUserManager.java From spliceengine with GNU Affero General Public License v3.0 | 4 votes |
/**
 * Wraps the {@link UserGroupInformation} derived from a JAAS subject in a {@code UGIUser}.
 *
 * @param subject subject to derive the UGI from
 * @return a {@code UGIUser} backed by that UGI
 * @throws IOException if {@code UserGroupInformation.getUGIFromSubject} fails
 */
@Override
public User getUserFromSubject(Subject subject) throws IOException {
    // No validation happens here: the subject is handed to Hadoop as received.
    final UserGroupInformation subjectUgi = UserGroupInformation.getUGIFromSubject(subject);
    return new UGIUser(subjectUgi);
}