Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getUserName()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#getUserName().
Example 1
Source File: TestClientRMService.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Builds an RM delegation token for the given owner and renewer and asks
 * {@code rmService} to cancel it.
 *
 * <p>The identifier's third constructor argument is {@code null}, and the
 * token is created with {@code dtsm}, a field declared outside this method.
 *
 * @param rmService service whose {@code cancelDelegationToken} is called
 * @param owner     UGI whose user name is used as the token owner
 * @param renewer   UGI whose user name is used as the token renewer
 * @throws IOException   propagated from the calls made here
 * @throws YarnException propagated from the calls made here
 */
private void checkTokenCancellation(ClientRMService rmService,
    UserGroupInformation owner, UserGroupInformation renewer)
    throws IOException, YarnException {
  final Text ownerName = new Text(owner.getUserName());
  final Text renewerName = new Text(renewer.getUserName());
  final RMDelegationTokenIdentifier identifier =
      new RMDelegationTokenIdentifier(ownerName, renewerName, null);
  final Token<?> rmToken =
      new Token<RMDelegationTokenIdentifier>(identifier, dtsm);

  // Re-express the token as the YARN record type carried by the request.
  final String kind = rmToken.getKind().toString();
  final String service = rmToken.getService().toString();
  final org.apache.hadoop.yarn.api.records.Token yarnToken =
      BuilderUtils.newDelegationToken(rmToken.getIdentifier(), kind,
          rmToken.getPassword(), service);

  final CancelDelegationTokenRequest cancelRequest =
      Records.newRecord(CancelDelegationTokenRequest.class);
  cancelRequest.setDelegationToken(yarnToken);
  // Whether the cancel is permitted is decided inside rmService; this helper
  // only issues the call and lets any exception propagate.
  rmService.cancelDelegationToken(cancelRequest);
}
 
Example 2
Source File: TestStagingCleanup.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a {@code TestJob} attributed to the current user, stores it in the
 * application context's job map and registers a job-finish event handler
 * with the dispatcher.
 *
 * @param conf        job configuration
 * @param forcedState state passed through to the {@code TestJob}
 * @param diagnostic  diagnostic text passed through to the {@code TestJob}
 * @return the newly created job
 * @throws YarnRuntimeException if the current user cannot be obtained
 */
@Override
protected Job createJob(Configuration conf, JobStateInternal forcedState,
    String diagnostic) {
  final UserGroupInformation submitter;
  try {
    submitter = UserGroupInformation.getCurrentUser();
  } catch (IOException ioe) {
    // The overridden signature declares no checked exception, so wrap.
    throw new YarnRuntimeException(ioe);
  }

  final Job job = new TestJob(getJobId(), getAttemptID(), conf,
      getDispatcher().getEventHandler(), getTaskAttemptListener(),
      getContext().getClock(), getCommitter(), isNewApiCommitter(),
      submitter.getUserName(), getContext(), forcedState, diagnostic);

  final AppContext appContext = (AppContext) getContext();
  appContext.getAllJobs().put(job.getID(), job);

  getDispatcher().register(JobFinishEvent.Type.class,
      createJobFinishEventHandler());
  return job;
}
 
Example 3
Source File: TestClientRMService.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an RM delegation token naming {@code owner} and {@code renewer}
 * and submits a cancel request for it to {@code rmService}.
 *
 * <p>The identifier is built with a {@code null} third argument; the token
 * itself is created with the {@code dtsm} field of the enclosing class.
 *
 * @param rmService service that receives the cancel request
 * @param owner     UGI supplying the owner name
 * @param renewer   UGI supplying the renewer name
 * @throws IOException   propagated from the calls made here
 * @throws YarnException propagated from the calls made here
 */
private void checkTokenCancellation(ClientRMService rmService,
    UserGroupInformation owner, UserGroupInformation renewer)
    throws IOException, YarnException {
  final Text ownerName = new Text(owner.getUserName());
  final Text renewerName = new Text(renewer.getUserName());
  final RMDelegationTokenIdentifier identifier =
      new RMDelegationTokenIdentifier(ownerName, renewerName, null);
  final Token<?> rmToken =
      new Token<RMDelegationTokenIdentifier>(identifier, dtsm);

  // Translate the token into the YARN record used by the request object.
  final String kind = rmToken.getKind().toString();
  final String service = rmToken.getService().toString();
  final org.apache.hadoop.yarn.api.records.Token yarnToken =
      BuilderUtils.newDelegationToken(rmToken.getIdentifier(), kind,
          rmToken.getPassword(), service);

  final CancelDelegationTokenRequest cancelRequest =
      Records.newRecord(CancelDelegationTokenRequest.class);
  cancelRequest.setDelegationToken(yarnToken);
  // Any rejection by the service surfaces as an exception to the caller.
  rmService.cancelDelegationToken(cancelRequest);
}
 
Example 4
Source File: TestMRAppComponentDependencies.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a {@code TestJob} whose user is the current user's name, adds it to
 * the job map of the application context and registers the job-finish event
 * handler.
 *
 * @param conf        job configuration
 * @param forcedState state handed to the {@code TestJob} constructor
 * @param diagnostic  diagnostic text handed to the {@code TestJob} constructor
 * @return the job that was created and registered
 * @throws YarnRuntimeException wrapping the {@link IOException} raised when
 *         the current user cannot be obtained
 */
@Override
protected Job createJob(Configuration conf, JobStateInternal forcedState,
    String diagnostic) {
  final UserGroupInformation submitter;
  try {
    submitter = UserGroupInformation.getCurrentUser();
  } catch (IOException ioe) {
    // No checked exception is declared on this override, so wrap.
    throw new YarnRuntimeException(ioe);
  }

  final Job job = new TestJob(getJobId(), getAttemptID(), conf,
      getDispatcher().getEventHandler(), getTaskAttemptListener(),
      getContext().getClock(), getCommitter(), isNewApiCommitter(),
      submitter.getUserName(), getContext(), forcedState, diagnostic);

  final AppContext appContext = (AppContext) getContext();
  appContext.getAllJobs().put(job.getID(), job);

  getDispatcher().register(JobFinishEvent.Type.class,
      createJobFinishEventHandler());
  return job;
}
 
Example 5
Source File: TestWebHdfsUrl.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Returns the {@code WebHdfsFileSystem} for the {@code uri} field.
 *
 * <p>When Hadoop security is enabled, a delegation token owned by
 * {@code ugi}'s user name is first created with a locally constructed secret
 * manager (backed by a mocked {@code FSNamesystem}) and attached to
 * {@code ugi}.
 *
 * @param ugi  user that receives the token when security is enabled
 * @param conf configuration used to obtain the file system
 * @return the file system for {@code uri}, cast to {@code WebHdfsFileSystem}
 * @throws IOException propagated from the calls made here
 */
private WebHdfsFileSystem getWebHdfsFileSystem(UserGroupInformation ugi,
    Configuration conf) throws IOException {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return (WebHdfsFileSystem) FileSystem.get(uri, conf);
  }

  final Text tokenOwner = new Text(ugi.getUserName());
  final DelegationTokenIdentifier identifier =
      new DelegationTokenIdentifier(tokenOwner, null, null);
  final FSNamesystem mockedNamesystem = mock(FSNamesystem.class);

  // The same value is used for all four timing arguments (86400000 ms = 24 h).
  final long intervalMs = 86400000;
  final DelegationTokenSecretManager secretManager =
      new DelegationTokenSecretManager(intervalMs, intervalMs, intervalMs,
          intervalMs, mockedNamesystem);
  // NOTE(review): the manager's threads are started here and never stopped
  // within this method.
  secretManager.startThreads();

  final Token<DelegationTokenIdentifier> webHdfsToken =
      new Token<DelegationTokenIdentifier>(identifier, secretManager);
  SecurityUtil.setTokenService(
      webHdfsToken, NetUtils.createSocketAddr(uri.getAuthority()));
  webHdfsToken.setKind(WebHdfsFileSystem.TOKEN_KIND);
  ugi.addToken(webHdfsToken);

  return (WebHdfsFileSystem) FileSystem.get(uri, conf);
}
 
Example 6
Source File: PermissionChecker.java    From RDFS with Apache License 2.0 6 votes vote down vote up
/**
 * Captures the current caller's identity for permission checking.
 *
 * <p>Stores the caller's user name in {@code user}, adds the caller's group
 * names to {@code groups}, and sets {@code isSuper} when the user name equals
 * {@code fsOwner} or the groups contain {@code supergroup}.
 *
 * @param fsOwner    user name that is treated as the super user
 * @param supergroup group whose members are treated as super users
 * @throws AccessControlException if there is no current UGI
 */
PermissionChecker(String fsOwner, String supergroup
    ) throws AccessControlException{
  final UserGroupInformation caller = UserGroupInformation.getCurrentUGI();
  if (LOG.isDebugEnabled()) {
    LOG.debug("ugi=" + caller);
  }

  // Fail closed: with no identity there is nothing to base a decision on.
  if (caller == null) {
    throw new AccessControlException("ugi = null");
  }

  user = caller.getUserName();
  groups.addAll(Arrays.asList(caller.getGroupNames()));
  // Super-user status is an exact string match on the user name or on any
  // one of the caller's groups, so it is only as trustworthy as the UGI.
  isSuper = user.equals(fsOwner) || groups.contains(supergroup);
}
 
Example 7
Source File: PingServer.java    From gcp-token-broker with Apache License 2.0 6 votes vote down vote up
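/**
 * Health check: obtains a session token for the login user and prints the
 * outcome to standard output.
 *
 * <p>The login user's name is used for all three user arguments of the
 * {@code BrokerTokenIdentifier}. On success {@code CHECK_SUCCESS} is printed;
 * on any exception {@code CHECK_FAIL} and the stack trace are printed. The
 * token value itself is never printed.
 *
 * @param config configuration passed to the {@code BrokerTokenIdentifier}
 * @return the session token, or {@code null} if the check failed
 */
private static String checkGetSessionToken(Configuration config) {
    try {
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        Text username = new Text(loginUser.getUserName());
        BrokerTokenIdentifier identifier = new BrokerTokenIdentifier(config, username, username, username, SERVICE);
        String sessionToken = identifier.getSessionToken();
        // An explicit check instead of `assert`: assertions are disabled unless
        // the JVM runs with -ea, so an empty token would be reported as a
        // success; with -ea the AssertionError is an Error and would bypass
        // the catch below instead of being reported as CHECK_FAIL.
        if (sessionToken == null || sessionToken.isEmpty()) {
            throw new IllegalStateException("Session token is missing or empty");
        }
        System.out.println(CHECK_SUCCESS);
        return sessionToken;
    } catch (Exception e) {
        // Broad catch is deliberate: every failure is reported, not thrown.
        System.out.println(CHECK_FAIL);
        e.printStackTrace(System.out);
        System.out.println();
        return null;
    }
}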
 
Example 8
Source File: RMWebServices.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Returns the state of the application identified by the {@code appid} path
 * segment.
 *
 * <p>If the application cannot be found, a failure entry is written through
 * {@code RMAuditLogger} and the {@code NotFoundException} is rethrown.
 *
 * @param hsr   the incoming request, used to resolve the caller
 * @param appId application id taken from the URL path
 * @return an {@code AppState} holding the application's state as a string
 * @throws AuthorizationException declared by this endpoint
 */
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  // The audit entry carries an empty user name when no caller UGI is known.
  final String auditUser = (caller == null) ? "" : caller.getUserName();

  final RMApp target;
  try {
    target = getRMAppForAppId(appId);
  } catch (NotFoundException notFound) {
    // NOTE(review): the operation recorded is KILL_APP_REQUEST although this
    // endpoint only reads state, which makes the audit trail misleading.
    // NOTE(review): appId comes straight from the URL and is concatenated
    // into the audit description; confirm RMAuditLogger neutralises line
    // breaks and separators so a crafted id cannot forge audit fields.
    RMAuditLogger.logFailure(auditUser, AuditConstants.KILL_APP_REQUEST,
        "UNKNOWN", "RMWebService",
        "Trying to get state of an absent application " + appId);
    throw notFound;
  }

  final AppState state = new AppState();
  state.setState(target.getState().toString());
  return state;
}
 
Example 9
Source File: RMWebServices.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Looks up the application named by the {@code appid} path segment and
 * returns its state.
 *
 * <p>A lookup that ends in {@code NotFoundException} is recorded through
 * {@code RMAuditLogger} before the exception is rethrown.
 *
 * @param hsr   the incoming request, used to resolve the caller
 * @param appId application id taken from the URL path
 * @return an {@code AppState} holding the application's state as a string
 * @throws AuthorizationException declared by this endpoint
 */
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  final UserGroupInformation caller = getCallerUserGroupInformation(hsr, true);
  // With no caller UGI the audit entry is written with an empty user name.
  final String auditUser = (caller == null) ? "" : caller.getUserName();

  final RMApp target;
  try {
    target = getRMAppForAppId(appId);
  } catch (NotFoundException notFound) {
    // NOTE(review): KILL_APP_REQUEST is logged for what is a read-only
    // request; anyone filtering the audit log by operation will be misled.
    // NOTE(review): appId is caller-supplied and is appended unmodified to
    // the audit description; confirm the audit logger escapes line breaks.
    RMAuditLogger.logFailure(auditUser, AuditConstants.KILL_APP_REQUEST,
        "UNKNOWN", "RMWebService",
        "Trying to get state of an absent application " + appId);
    throw notFound;
  }

  final AppState state = new AppState();
  state.setState(target.getState().toString());
  return state;
}
 
Example 10
Source File: GssSaslServerAuthenticationProvider.java    From hbase with Apache License 2.0 6 votes vote down vote up
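/**
 * Creates the GSS SASL server while running as the current (server) user.
 *
 * <p>The current user's name is split with
 * {@code SaslUtil.splitKerberosName}; exactly three parts are required, and
 * the first two are passed to {@link Sasl#createSaslServer} as its protocol
 * and server-name arguments. {@code secretManager} is not used here.
 *
 * @param secretManager unused by this provider
 * @param saslProps     SASL properties passed to the SASL server factory
 * @return the SASL server wrapped in an
 *         {@code AttemptingUserProvidingSaslServer}
 * @throws IOException if the current user cannot be obtained, the principal
 *         does not split into three parts, or {@code doAs} fails
 */
@Override
public AttemptingUserProvidingSaslServer createServer(
    SecretManager<TokenIdentifier> secretManager,
    Map<String, String> saslProps) throws IOException {
  UserGroupInformation current = UserGroupInformation.getCurrentUser();
  String fullName = current.getUserName();
  LOG.debug("Server's Kerberos principal name is {}", fullName);
  String[] names = SaslUtil.splitKerberosName(fullName);
  // Refuse to start with a principal that lacks the instance (hostname)
  // part rather than creating a server with an incomplete identity.
  if (names.length != 3) {
    throw new AccessDeniedException(
        "Kerberos principal does NOT contain an instance (hostname): " + fullName);
  }
  try {
    return current.doAs(new PrivilegedExceptionAction<AttemptingUserProvidingSaslServer>() {
      @Override
      public AttemptingUserProvidingSaslServer run() throws SaslException {
        return new AttemptingUserProvidingSaslServer(Sasl.createSaslServer(
            getSaslAuthMethod().getSaslMechanism(), names[0], names[1], saslProps,
            new SaslGssCallbackHandler()), () -> null);
      }
    });
  } catch (InterruptedException e) {
    Thread.currentThread().interrupt();
    // Keep the cause so the interruption is visible in the stack trace.
    throw new RuntimeException("Failed to construct GSS SASL server", e);
  }
}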
 
Example 11
Source File: RMWebServices.java    From hadoop with Apache License 2.0 6 votes vote down vote up
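/**
 * Returns the queue of the application identified by the {@code appid} path
 * segment.
 *
 * <p>If the application cannot be found, a failure entry is written through
 * {@code RMAuditLogger} and the {@code NotFoundException} is rethrown.
 *
 * @param hsr   the incoming request, used to resolve the caller
 * @param appId application id taken from the URL path
 * @return an {@code AppQueue} holding the application's queue
 * @throws AuthorizationException declared by this endpoint
 */
@GET
@Path("/apps/{appid}/queue")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppQueue getAppQueue(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  String userName = "UNKNOWN-USER";
  if (callerUGI != null) {
    userName = callerUGI.getUserName();
  }
  RMApp app = null;
  try {
    app = getRMAppForAppId(appId);
  } catch (NotFoundException e) {
    // The description previously said "state", copied from the state
    // endpoint; it now names the queue lookup that actually failed.
    // NOTE(review): the operation recorded is still KILL_APP_REQUEST although
    // this endpoint only reads; switch to a read-specific audit constant if
    // this code base defines one.
    // NOTE(review): appId is caller-supplied and is appended unmodified to
    // the audit description; confirm RMAuditLogger escapes line breaks.
    RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST,
      "UNKNOWN", "RMWebService",
      "Trying to get queue of an absent application " + appId);
    throw e;
  }

  AppQueue ret = new AppQueue();
  ret.setQueue(app.getQueue());

  return ret;
}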
 
Example 12
Source File: TestCopyFiles.java    From hadoop-gpu with Apache License 2.0 5 votes vote down vote up
/**
 * Creates {@code /user/<name>} for the given user, makes the user and the
 * first of its groups the owner, and restricts the directory to mode 0700.
 *
 * @param fs  file system in which the directory is created
 * @param ugi user whose name and first group are applied
 * @return the path of the home directory
 * @throws IOException propagated from the file system calls
 */
static Path createHomeDirectory(FileSystem fs, UserGroupInformation ugi
    ) throws IOException {
  final String owner = ugi.getUserName();
  final Path homeDir = new Path("/user/" + owner);
  // The directory is created first and tightened afterwards, so it briefly
  // exists with whatever owner and mode mkdirs applied.
  fs.mkdirs(homeDir);

  // Index 0 is used unconditionally; a UGI without groups fails here.
  final String firstGroup = ugi.getGroupNames()[0];
  fs.setOwner(homeDir, owner, firstGroup);
  fs.setPermission(homeDir, new FsPermission((short)0700));
  return homeDir;
}
 
Example 13
Source File: PingServer.java    From gcp-token-broker with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a {@code BrokerTokenIdentifier} for the login user that carries the
 * given session token.
 *
 * <p>The login user's name is set as owner, renewer and real user alike.
 *
 * @param sessionToken session token to place in the identifier
 * @return the populated identifier
 * @throws IOException if the login user cannot be obtained
 */
private static BrokerTokenIdentifier getBTI(String sessionToken) throws IOException {
    final Text loginName = new Text(UserGroupInformation.getLoginUser().getUserName());

    final BrokerTokenIdentifier bti = new BrokerTokenIdentifier();
    // One identity fills all three roles.
    bti.setOwner(loginName);
    bti.setRenewer(loginName);
    bti.setRealUser(loginName);
    bti.setSessionToken(sessionToken);
    return bti;
}
 
Example 14
Source File: TestRMAdminService.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Checks that {@code refreshUserToGroupsMappings} makes the RM pick up
 * changed group membership when the file-system based configuration provider
 * is in use.
 *
 * <p>A test user is created with two dummy groups, a {@code core-site.xml}
 * selecting {@code MockUnixGroupsMapping} is uploaded, and the RM is started.
 * The user's groups are asserted before and after the mapping is updated and
 * refreshed.
 *
 * @throws IOException   propagated from the calls made here
 * @throws YarnException propagated from the calls made here
 */
@Test
public void
    testRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider()
        throws IOException, YarnException {
  configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
      "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");

  final String[] initialGroups = {"dummy_group1", "dummy_group2"};
  final UserGroupInformation testUgi =
      UserGroupInformation.createUserForTesting("dummyUser", initialGroups);
  final String user = testUgi.getUserName();

  // Snapshot of the groups the UGI reports right after creation.
  final List<String> groupWithInit = new ArrayList<String>(2);
  for (String group : testUgi.getGroupNames()) {
    groupWithInit.add(group);
  }

  // Upload the defaults, then a core-site.xml that selects the mock mapping.
  uploadDefaultConfiguration();
  final Configuration coreSite = new Configuration();
  coreSite.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  uploadConfiguration(coreSite, "core-site.xml");

  try {
    rm = new MockRM(configuration);
    rm.init(configuration);
    rm.start();
  } catch (Exception ex) {
    // NOTE(review): the cause is dropped, so a startup failure is reported
    // without its stack trace.
    fail("Should not get any exceptions");
  }

  // The RM must already resolve groups through the uploaded mapping.
  final List<String> groupBefore =
      new ArrayList<String>(Groups.getUserToGroupsMappingService(
          configuration).getGroups(user));
  Assert.assertTrue(groupBefore.contains("test_group_A")
      && groupBefore.contains("test_group_B")
      && groupBefore.contains("test_group_C") && groupBefore.size() == 3);
  Assert.assertTrue(groupWithInit.size() != groupBefore.size());
  Assert.assertFalse(groupWithInit.contains("test_group_A")
      || groupWithInit.contains("test_group_B")
      || groupWithInit.contains("test_group_C"));

  // Change the mapping, then ask the admin service to refresh it.
  MockUnixGroupsMapping.updateGroups();
  rm.adminService.refreshUserToGroupsMappings(
      RefreshUserToGroupsMappingsRequest.newInstance());

  final List<String> groupAfter =
      Groups.getUserToGroupsMappingService(configuration).getGroups(user);

  // After the refresh only the updated groups may be returned.
  Assert.assertTrue(groupAfter.contains("test_group_D")
      && groupAfter.contains("test_group_E")
      && groupAfter.contains("test_group_F") && groupAfter.size() == 3);

}
 
Example 15
Source File: ServerUtils.java    From hadoop-ozone with Apache License 2.0 4 votes vote down vote up
/**
 * Returns the user name of the remote user reported by
 * {@code Server.getRemoteUser()}.
 *
 * @return the remote user's name, or {@code null} when there is no remote
 *         user; callers must treat {@code null} as "no identity" and not as
 *         a valid name
 */
public static String getRemoteUserName() {
  final UserGroupInformation caller = Server.getRemoteUser();
  if (caller == null) {
    return null;
  }
  return caller.getUserName();
}
 
Example 16
Source File: RMWebServices.java    From hadoop with Apache License 2.0 4 votes vote down vote up
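/**
 * Moves {@code app} to {@code targetQueue} on behalf of the caller.
 *
 * <p>The move request is issued inside {@code callerUGI.doAs}. A
 * {@code YarnException} caused by an {@code AccessControlException} becomes
 * a 403 response, a {@code YarnException} whose message says the app's state
 * does not allow moving becomes a 400 response, and anything else is
 * rethrown.
 *
 * @param app         application to move; must not be {@code null}
 * @param callerUGI   identity under which the move is performed
 * @param targetQueue queue to move the application to
 * @return 200 with the application's queue, or a 403 / 400 response as above
 * @throws IllegalArgumentException if {@code app} is {@code null}
 * @throws IOException          propagated from {@code doAs}
 * @throws InterruptedException propagated from {@code doAs}
 */
protected Response moveApp(RMApp app, UserGroupInformation callerUGI,
    String targetQueue) throws IOException, InterruptedException {

  if (app == null) {
    throw new IllegalArgumentException("app cannot be null");
  }
  String userName = callerUGI.getUserName();
  final ApplicationId appid = app.getApplicationId();
  final String reqTargetQueue = targetQueue;
  try {
    callerUGI
      .doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws IOException,
            YarnException {
          MoveApplicationAcrossQueuesRequest req =
              MoveApplicationAcrossQueuesRequest.newInstance(appid,
                reqTargetQueue);
          rm.getClientRMService().moveApplicationAcrossQueues(req);
          return null;
        }
      });
  } catch (UndeclaredThrowableException ue) {
    // Only a YarnException is translated into an HTTP status.
    if (!(ue.getCause() instanceof YarnException)) {
      throw ue;
    }
    YarnException ye = (YarnException) ue.getCause();
    // A permissions failure is reported to the caller as 403.
    if (ye.getCause() instanceof AccessControlException) {
      String appId = app.getApplicationId().toString();
      String msg =
          "Unauthorized attempt to move appid " + appId
              + " by remote user " + userName;
      return Response.status(Status.FORBIDDEN).entity(msg).build();
    }
    // getMessage() may be null; without the guard a NullPointerException
    // would replace the original failure.
    String yarnMessage = ye.getMessage();
    if (yarnMessage != null && yarnMessage.startsWith("App in")
        && yarnMessage.endsWith("state cannot be moved.")) {
      return Response.status(Status.BAD_REQUEST).entity(yarnMessage)
        .build();
    }
    throw ue;
  }

  AppQueue ret = new AppQueue();
  ret.setQueue(app.getQueue());
  return Response.status(Status.OK).entity(ret).build();
}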
 
Example 17
Source File: SecurityServletFilter.java    From pxf with Apache License 2.0 4 votes vote down vote up
/**
 * If user impersonation is configured, examines the request for the presence of the expected security headers
 * and creates a proxy user to execute the rest of the request chain. If security is enabled for the configuration
 * server used for the requests, makes sure that a login UGI for the Kerberos principal is created and cached for
 * future use.
 * Responds with an HTTP error if a required header is missing or the chain processing throws an exception.
 *
 * @param request  http request
 * @param response http response
 * @param chain    filter chain
 */
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
        throws IOException, ServletException {

    // retrieve user header and make sure header is present and is not empty
    // NOTE(review): gpdbUser is taken from a request header and, when
    // impersonation is enabled, becomes remoteUser below. Nothing in this
    // method authenticates the sender of that header; presumably the endpoint
    // is reachable only by trusted callers. Confirm.
    final String gpdbUser = getHeaderValue(request, USER_HEADER, true);
    final String transactionId = getHeaderValue(request, TRANSACTION_ID_HEADER, true);
    final Integer segmentId = getHeaderValueInt(request, SEGMENT_ID_HEADER, true);
    final boolean lastCallForSegment = getHeaderValueBoolean(request, LAST_FRAGMENT_HEADER, false);

    // Server name falls back to "default"; config directory falls back to the server name.
    // NOTE(review): both values originate from request headers and are passed
    // to initConfiguration; confirm they are validated there (for example
    // against path separators) before being used to locate configuration.
    final String serverName = StringUtils.defaultIfBlank(getHeaderValue(request, SERVER_HEADER, false), "default");
    final String configDirectory = StringUtils.defaultIfBlank(getHeaderValue(request, CONFIG_HEADER, false), serverName);

    Configuration configuration = configurationFactory.initConfiguration(configDirectory, serverName, gpdbUser, null);

    boolean isUserImpersonation = secureLogin.isUserImpersonationEnabled(configuration);

    // Establish the UGI for the login user or the Kerberos principal for the given server, if applicable
    UserGroupInformation loginUser = secureLogin.getLoginUser(serverName, configDirectory, configuration);

    // Default service user is the login user; may be overridden below.
    String serviceUser = loginUser.getUserName();

    if (!isUserImpersonation && Utilities.isSecurityEnabled(configuration)) {
        // When impersonation is disabled and security is enabled
        // we check whether the pxf.service.user.name property was provided
        // and if provided we use the value as the remote user instead of
        // the principal defined in pxf.service.kerberos.principal. However,
        // the principal will need to have proxy privileges on hadoop.
        String pxfServiceUserName = configuration.get(SecureLogin.CONFIG_KEY_SERVICE_USER_NAME);
        if (StringUtils.isNotBlank(pxfServiceUserName)) {
            serviceUser = pxfServiceUserName;
        }
    }

    // With impersonation the header-supplied user is used; otherwise the service user.
    String remoteUser = (isUserImpersonation ? gpdbUser : serviceUser);

    SessionId session = new SessionId(
            segmentId,
            transactionId,
            remoteUser,
            serverName,
            configuration,
            loginUser);

    // Effectively-final copy so the lambda below can capture it.
    final String serviceUserName = serviceUser;

    // Prepare privileged action to run on behalf of proxy user
    PrivilegedExceptionAction<Boolean> action = () -> {
        LOG.debug("Performing request for gpdb_user = {} as [remote_user = {} service_user = {} login_user ={}] with{} impersonation",
                gpdbUser, remoteUser, serviceUserName, loginUser.getUserName(), isUserImpersonation ? "" : "out");
        chain.doFilter(request, response);
        return true;
    };

    try {
        // Retrieve proxy user UGI from the UGI of the logged in user
        UserGroupInformation userGroupInformation = ugiCache
                .getUserGroupInformation(session, isUserImpersonation);

        LOG.debug("Retrieved proxy user {} for server {} and session {}", userGroupInformation, serverName, session);

        // Execute the servlet chain as that user
        userGroupInformation.doAs(action);
    } catch (UndeclaredThrowableException ute) {
        // unwrap the real exception thrown by the action
        throw new ServletException(ute.getCause());
    } catch (InterruptedException ie) {
        // NOTE(review): the thread's interrupt flag is not restored before wrapping.
        throw new ServletException(ie);
    } finally {
        // Optimization to cleanup the cache if it is the last fragment
        LOG.debug("Releasing proxy user for session: {}. {}",
                session, lastCallForSegment ? " Last fragment call" : "");
        try {
            ugiCache.release(session, lastCallForSegment);
        } catch (Throwable t) {
            // A failed release is logged and does not mask the outcome of the request.
            LOG.error("Error releasing UGICache for session: {}", session, t);
        }
        if (lastCallForSegment) {
            LOG.info("Finished processing {}", session);
        }
    }
}
 
Example 18
Source File: TestClientProtocolWithDelegationToken.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Starts an RPC server for {@code ClientProtocol} with a delegation token
 * secret manager, gives the current user a token for that server, and makes
 * one RPC call as that user.
 *
 * <p>The server is stopped in the {@code finally} block of the privileged
 * action.
 *
 * @throws Exception propagated from any of the calls made here
 */
@Test
public void testDelegationTokenRpc() throws Exception {
  final ClientProtocol nameNodeMock = mock(ClientProtocol.class);
  final FSNamesystem namesystemMock = mock(FSNamesystem.class);

  final DelegationTokenSecretManager secretManager =
      new DelegationTokenSecretManager(
          DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
          DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
          DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT,
          3600000, namesystemMock);
  // NOTE(review): the secret manager's threads are started here and are not
  // stopped anywhere in this method.
  secretManager.startThreads();

  final Server server = new RPC.Builder(conf)
      .setProtocol(ClientProtocol.class)
      .setInstance(nameNodeMock)
      .setBindAddress(ADDRESS)
      .setPort(0)
      .setNumHandlers(5)
      .setVerbose(true)
      .setSecretManager(secretManager)
      .build();

  // NOTE(review): the server is only stopped inside the privileged action,
  // so a failure before doAs leaves it running.
  server.start();

  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final InetSocketAddress addr = NetUtils.getConnectAddress(server);

  // The current user is both owner and renewer of the token.
  final Text ownerName = new Text(current.getUserName());
  final DelegationTokenIdentifier identifier =
      new DelegationTokenIdentifier(ownerName, ownerName, null);
  final Token<DelegationTokenIdentifier> token =
      new Token<DelegationTokenIdentifier>(identifier, secretManager);
  SecurityUtil.setTokenService(token, addr);
  LOG.info("Service for token is " + token.getService());
  current.addToken(token);

  current.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      ClientProtocol client = null;
      try {
        client = RPC.getProxy(ClientProtocol.class,
            ClientProtocol.versionID, addr, conf);
        client.getServerDefaults();
      } finally {
        server.stop();
        if (client != null) {
          RPC.stopProxy(client);
        }
      }
      return null;
    }
  });
}
 
Example 19
Source File: TestClientProtocolWithDelegationToken.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Exercises one {@code ClientProtocol} RPC call made by the current user
 * after a delegation token for the test server has been added to that user.
 *
 * <p>The RPC server is built with a {@code DelegationTokenSecretManager} and
 * is stopped in the {@code finally} block of the privileged action.
 *
 * @throws Exception propagated from any of the calls made here
 */
@Test
public void testDelegationTokenRpc() throws Exception {
  final ClientProtocol nameNodeMock = mock(ClientProtocol.class);
  final FSNamesystem namesystemMock = mock(FSNamesystem.class);

  final DelegationTokenSecretManager secretManager =
      new DelegationTokenSecretManager(
          DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
          DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
          DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT,
          3600000, namesystemMock);
  // NOTE(review): these threads are never stopped within this method.
  secretManager.startThreads();

  final Server server = new RPC.Builder(conf)
      .setProtocol(ClientProtocol.class)
      .setInstance(nameNodeMock)
      .setBindAddress(ADDRESS)
      .setPort(0)
      .setNumHandlers(5)
      .setVerbose(true)
      .setSecretManager(secretManager)
      .build();

  // NOTE(review): server.stop() is reached only from inside doAs below; an
  // exception raised before that point leaves the server running.
  server.start();

  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final InetSocketAddress addr = NetUtils.getConnectAddress(server);

  // Owner and renewer are both the current user's name.
  final Text ownerName = new Text(current.getUserName());
  final DelegationTokenIdentifier identifier =
      new DelegationTokenIdentifier(ownerName, ownerName, null);
  final Token<DelegationTokenIdentifier> token =
      new Token<DelegationTokenIdentifier>(identifier, secretManager);
  SecurityUtil.setTokenService(token, addr);
  LOG.info("Service for token is " + token.getService());
  current.addToken(token);

  current.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      ClientProtocol client = null;
      try {
        client = RPC.getProxy(ClientProtocol.class,
            ClientProtocol.versionID, addr, conf);
        client.getServerDefaults();
      } finally {
        server.stop();
        if (client != null) {
          RPC.stopProxy(client);
        }
      }
      return null;
    }
  });
}
 
Example 20
Source File: TestSecureOzoneCluster.java    From hadoop-ozone with Apache License 2.0 4 votes vote down vote up
/**
 * Checks that the current user gets the same S3 secret and access key on two
 * consecutive requests, and that asking for a different user's secret fails
 * with an {@link IOException} containing {@code USER_MISMATCH}.
 *
 * @throws Exception propagated from any of the calls made here
 */
@Test
public void testGetS3Secret() throws Exception {

  // Prepare a secure OM before starting it.
  setupOm(conf);
  // The value is not used below; the call is kept as the test has it.
  long omVersion =
      RPC.getProtocolVersion(OzoneManagerProtocolPB.class);
  try {
    om.setCertClient(new CertificateClientTestImpl(conf));
    om.start();
    final UserGroupInformation self = UserGroupInformation.getCurrentUser();
    final String ownName = self.getUserName();

    // Client built from the current user's UGI.
    omClient = new OzoneManagerProtocolClientSideTranslatorPB(
        OmTransportFactory.create(conf, self, null),
        RandomStringUtils.randomAscii(5));

    // Two requests for the caller's own secret must agree.
    final S3SecretValue firstSecret = omClient.getS3Secret(ownName);
    final S3SecretValue secondSecret = omClient.getS3Secret(ownName);

    assertEquals(firstSecret.getAwsSecret(), secondSecret.getAwsSecret());
    assertEquals(firstSecret.getAwsAccessKey(),
        secondSecret.getAwsAccessKey());

    // Requesting a secret under another user's name must be refused.
    try {
      omClient.getS3Secret("HADOOP/JOHNDOE");
      fail("testGetS3Secret failed");
    } catch (IOException mismatch) {
      GenericTestUtils.assertExceptionContains("USER_MISMATCH", mismatch);
    }
  } finally {
    IOUtils.closeQuietly(om);
  }
}