Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab()
The following examples show how to use
org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: HDFSUtils.java From dk-fitting with Apache License 2.0 | 6 votes |
|
public static FileSystem getFs(String hdfs_xml, String core_xml, String krb5_conf, String principal, String keytab) throws Exception {
Configuration conf = new Configuration();
FileSystem fs = null;
conf.addResource(new Path(hdfs_xml));
conf.addResource(new Path(core_xml));
conf.set("dfs.client.block.write.replace-datanode-on-failure.policy", "NEVER");
conf.set("dfs.client.block.write.replace-datanode-on-failure.enable", "true");
conf.setBoolean("fs.hdfs.impl.disable.cache", true);
if (principal != null && !"".equals(principal) && keytab != null && !"".equals(keytab) && krb5_conf != null && !"".equals(krb5_conf)) {
System.setProperty("java.security.krb5.conf", krb5_conf);
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal, keytab);
UserGroupInformation.getLoginUser();
}
fs = FileSystem.get(conf);
return fs;
}
Example 2
| Source File: HdfsConfiguration.java From spring-boot-tutorial with Creative Commons Attribution Share Alike 4.0 International | 6 votes |
|
@Bean
public HdfsFactory hdfsFactory() {
org.apache.hadoop.conf.Configuration configuration = new org.apache.hadoop.conf.Configuration();
configuration.addResource(new Path(properties.getCoreSiteXmlPath()));
configuration.addResource(new Path(properties.getHdfsSiteXmlPath()));
if (properties.getAuth().isEnabled()) {
System.setProperty("java.security.krb5.conf", properties.getAuth().getKrb5Conf());
System.setProperty("java.security.auth.login.config", properties.getAuth().getAuthLoginConfig());
UserGroupInformation.setConfiguration(configuration);
try {
UserGroupInformation.loginUserFromKeytab(properties.getAuth().getPrincipal(),
properties.getAuth().getAuthKeyTabPath());
} catch (IOException e) {
e.printStackTrace();
}
}
return new HdfsFactory(configuration);
}
Example 3
| Source File: HDFSFileManagerImpl.java From entrada with GNU General Public License v3.0 | 6 votes |
|
private FileSystem createSecureFS() {
Configuration conf = conf();
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
try {
if (StringUtils.isNotBlank(krbKeyTab)) {
UserGroupInformation.loginUserFromKeytab(hdfsUsername, krbKeyTab);
}
return FileSystem.get(new URI(hdfsNameservice), conf);
} catch (Exception e) {
throw new ApplicationException("Cannot create secure HDFS filesystem", e);
}
}
Example 4
| Source File: HfsFileStorageKerberosTest.java From registry with Apache License 2.0 | 5 votes |
|
private void verifySimpleExecution() throws Exception {
verifyStatic(UserGroupInformation.class, never());
UserGroupInformation.loginUserFromKeytab(anyString(), anyString());
verify(userGroupInformation, never()).doAs(any(PrivilegedAction.class));
verify(userGroupInformation, never()).doAs(any(PrivilegedExceptionAction.class));
}
Example 5
| Source File: DACDaemon.java From dremio-oss with Apache License 2.0 | 5 votes |
|
/**
* Set up the current user in {@link UserGroupInformation} using the kerberos principal and keytab file path if
* present in config. If not present, this method call is a no-op. When communicating with the kerberos enabled
* Hadoop based filesystem credentials in {@link UserGroupInformation} will be used..
* @param config
* @throws IOException
*/
private void setupHadoopUserUsingKerberosKeytab(final DremioConfig config) throws IOException {
final String kerberosPrincipal = config.getString(DremioConfig.KERBEROS_PRINCIPAL);
final String kerberosKeytab = config.getString(DremioConfig.KERBEROS_KEYTAB_PATH);
if (Strings.isNullOrEmpty(kerberosPrincipal) || Strings.isNullOrEmpty(kerberosKeytab)) {
return;
}
UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab);
logger.info("Setup Hadoop user info using kerberos principal {} and keytab file {} successful.",
kerberosPrincipal, kerberosKeytab);
}
Example 6
| Source File: HBaseAutoConfiguration.java From dew with Apache License 2.0 | 5 votes |
|
/**
* Init HBase connection.
*
* @param hbaseProperties hbase settings properties
* @return HBase connection
* @throws IOException IOException
*/
@Bean
public Connection connection(HBaseProperties hbaseProperties, org.apache.hadoop.conf.Configuration conf) throws IOException {
if ("kerberos".equalsIgnoreCase(hbaseProperties.getAuth().getType())) {
System.setProperty("java.security.krb5.conf", hbaseProperties.getAuth().getKrb5());
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(hbaseProperties.getAuth().getPrincipal(), hbaseProperties.getAuth().getKeytab());
}
ThreadPoolExecutor poolExecutor = new ThreadPoolExecutor(200, Integer.MAX_VALUE, 60L, TimeUnit.SECONDS, new SynchronousQueue<>());
poolExecutor.prestartCoreThread();
return ConnectionFactory.createConnection(conf, poolExecutor);
}
Example 7
| Source File: User.java From hbase with Apache License 2.0 | 5 votes |
|
/**
* Login through configured keytab and pricipal.
* @param keytabLocation location of keytab
* @param principalName principal in keytab
* @throws IOException exception from UserGroupInformation.loginUserFromKeytab
*/
public static void login(String keytabLocation, String principalName)
throws IOException {
if (isSecurityEnabled()) {
UserGroupInformation.loginUserFromKeytab(principalName, keytabLocation);
}
}
Example 8
| Source File: HBaseGraphUtils.java From hgraphdb with Apache License 2.0 | 5 votes |
|
public static Connection getConnection(HBaseGraphConfiguration config) {
Connection conn = connections.get(config.getGraphNamespace());
if (conn != null && !conn.isClosed()) return conn;
Configuration hbaseConfig = config.toHBaseConfiguration();
switch (config.getInstanceType()) {
case MOCK:
conn = MockConnectionFactory.createConnection(hbaseConfig);
break;
case BIGTABLE:
case DISTRIBUTED:
try {
UserGroupInformation ugi = null;
if ("kerberos".equals(hbaseConfig.get(HBASE_SECURITY_AUTHENTICATION))) {
String principal = hbaseConfig.get(HBASE_CLIENT_KERBEROS_PRINCIPAL);
String keytab = hbaseConfig.get(HBASE_CLIENT_KEYTAB_FILE);
if (principal != null && keytab != null) {
UserGroupInformation.setConfiguration(hbaseConfig);
UserGroupInformation.loginUserFromKeytab(principal, keytab);
ugi = UserGroupInformation.getLoginUser();
}
}
if (ugi != null) {
conn = ugi.doAs(new PrivilegedExceptionAction<Connection>() {
@Override
public Connection run() throws Exception {
return ConnectionFactory.createConnection(hbaseConfig);
}
});
} else {
conn = ConnectionFactory.createConnection(hbaseConfig);
}
break;
} catch (Exception e) {
throw new HBaseGraphException(e);
}
}
connections.put(config.getGraphNamespace(), conn);
return conn;
}
Example 9
| Source File: HBaseClient.java From hbase-tools with Apache License 2.0 | 5 votes |
|
private static synchronized void login(Args args, Configuration conf) throws Exception {
if (args.has(Args.OPTION_DEBUG)) {
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.spnego.debug", "true");
}
System.setProperty("java.security.auth.login.config", createJaasConfigFile(args));
System.setProperty("java.security.krb5.conf", kerberosConfigFile(args));
Config krbConfig = Config.getInstance();
final String realm;
if (args.has(Args.OPTION_REALM)) {
realm = (String) args.valueOf(Args.OPTION_REALM);
System.setProperty("java.security.krb5.realm", realm);
System.setProperty("java.security.krb5.kdc", krbConfig.getKDCList(realm));
Config.refresh();
} else {
realm = krbConfig.getDefaultRealm();
}
updateConf(conf, realm);
if (args.has(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT)) {
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal(args), (String) args.valueOf(Args.OPTION_KEY_TAB, Args.OPTION_KEY_TAB_SHORT));
} else {
loginWithPassword(args, conf);
}
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
System.out.println(currentUser + "\n");
}
Example 10
| Source File: KerberosAuthenticationHandler.java From sqoop-on-spark with Apache License 2.0 | 5 votes |
|
public void secureLogin() {
MapContext mapContext = SqoopConfiguration.getInstance().getContext();
String keytab = mapContext.getString(
SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB).trim();
if (keytab.length() == 0) {
throw new SqoopException(SecurityError.AUTH_0001,
SecurityConstants.AUTHENTICATION_KERBEROS_KEYTAB);
}
keytabFile = keytab;
String principal = mapContext.getString(
SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL).trim();
if (principal.length() == 0) {
throw new SqoopException(SecurityError.AUTH_0002,
SecurityConstants.AUTHENTICATION_KERBEROS_PRINCIPAL);
}
keytabPrincipal = principal;
Configuration conf = new Configuration();
conf.set(get_hadoop_security_authentication(),
SecurityConstants.TYPE.KERBEROS.name());
UserGroupInformation.setConfiguration(conf);
try {
String hostPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytab);
} catch (IOException ex) {
throw new SqoopException(SecurityError.AUTH_0003, ex);
}
LOG.info("Using Kerberos authentication, principal ["
+ principal + "] keytab [" + keytab + "]");
}
Example 11
| Source File: TestSecureIPC.java From hbase with Apache License 2.0 | 5 votes |
|
private UserGroupInformation loginKerberosPrincipal(String krbKeytab, String krbPrincipal)
throws Exception {
Configuration cnf = new Configuration();
cnf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(cnf);
UserGroupInformation.loginUserFromKeytab(krbPrincipal, krbKeytab);
return UserGroupInformation.getLoginUser();
}
Example 12
| Source File: Kerberos.java From nifi with Apache License 2.0 | 5 votes |
|
@Override
public AtlasClientV2 createClient(String[] baseUrls) {
final Configuration hadoopConf = new Configuration();
hadoopConf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(hadoopConf);
final UserGroupInformation ugi;
try {
UserGroupInformation.loginUserFromKeytab(principal, keytab);
ugi = UserGroupInformation.getCurrentUser();
} catch (IOException e) {
throw new RuntimeException("Failed to login with Kerberos due to: " + e, e);
}
return new AtlasClientV2(ugi, null, baseUrls);
}
Example 13
| Source File: SolrAuthzBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
|
/**
* Initialize kerberos via UserGroupInformation. Will only attempt to login
* during the first request, subsequent calls will have no effect.
*/
public void initKerberos(String keytabFile, String principal) {
if (keytabFile == null || keytabFile.length() == 0) {
throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
}
if (principal == null || principal.length() == 0) {
throw new IllegalArgumentException("principal required because kerberos is enabled");
}
synchronized (SolrAuthzBinding.class) {
if (kerberosInit == null) {
kerberosInit = Boolean.TRUE;
final String authVal = authzConf.get(HADOOP_SECURITY_AUTHENTICATION);
final String kerberos = "kerberos";
if (authVal != null && !authVal.equals(kerberos)) {
throw new IllegalArgumentException(HADOOP_SECURITY_AUTHENTICATION
+ " set to: " + authVal + ", not kerberos, but attempting to "
+ " connect to HDFS via kerberos");
}
// let's avoid modifying the supplied configuration, just to be conservative
final Configuration ugiConf = new Configuration(authzConf);
ugiConf.set(HADOOP_SECURITY_AUTHENTICATION, kerberos);
UserGroupInformation.setConfiguration(ugiConf);
LOG.info(
"Attempting to acquire kerberos ticket with keytab: {}, principal: {} ",
keytabFile, principal);
try {
UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
} catch (IOException ioe) {
throw new RuntimeException(ioe);
}
LOG.info("Got Kerberos ticket");
}
}
}
Example 14
| Source File: CreateFile.java From Transwarp-Sample-Code with MIT License | 5 votes |
|
public static void main(String[] args) throws IOException {
// 通过Java API创建文件
String rootPath = "hdfs://nameservice1";
Path p = new Path(rootPath + "/tmp/file.txt");
Configuration conf = new Configuration();
conf.addResource("core-site.xml");
conf.addResource("hdfs-site.xml");
conf.addResource("yarn-site.xml");
// 没开kerberos,注释下面两行
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab("hdfs@TDH","E:\\星环\\hdfs.keytab");
FileSystem fs = p.getFileSystem(conf);
fs.create(p);
fs.close();
}
Example 15
| Source File: SentryHdfsServiceIntegrationBase.java From incubator-sentry with Apache License 2.0 | 5 votes |
|
@Before
public void before() throws Exception {
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL,
clientKeytab.getPath());
connectToHdfsSyncService();
}
Example 16
| Source File: Connector.java From Transwarp-Sample-Code with MIT License | 5 votes |
|
public Connector() {
Configuration HBASE_CONFIG = new Configuration();
Constant constant = new Constant();
HBASE_CONFIG.addResource("hbase-site.xml");
HBASE_CONFIG.addResource("core-site.xml");
HBASE_CONFIG.addResource("hdfs-site.xml");
configuration = HBaseConfiguration.create(HBASE_CONFIG);
try {
if (constant.MODE.equals("kerberos")) {
UserGroupInformation.setConfiguration(configuration);
// UserGroupInformation.loginUserFromPassword(constant.KERBEROS_USER,constant.KERBEROS_PASSWD);
UserGroupInformation.loginUserFromKeytab(constant.KERBEROS_WITH_KEYTAB_USER,constant.KERBEROS_KEYTAB);
}
hBaseAdmin = new HBaseAdmin(configuration);
hyperbaseAdmin = new HyperbaseAdmin(configuration);
Configuration hdfsConf = getHDFSConf();
String rootPath = "hdfs://nameservice1";
Path p = new Path(rootPath + constant.HDFS_LARGE_FILE_DIR);
FileSystem fs = p.getFileSystem(hdfsConf);
boolean b = fs.mkdirs(p);
System.out.println(b);
fs.close();
} catch (Exception e) {
e.printStackTrace();
}
}
Example 17
| Source File: RangerNiFiAuthorizer.java From localization_nifi with Apache License 2.0 | 4 votes |
|
@Override
public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
try {
if (nifiPlugin == null) {
logger.info("RangerNiFiAuthorizer(): initializing base plugin");
final PropertyValue securityConfigValue = configurationContext.getProperty(RANGER_SECURITY_PATH_PROP);
addRequiredResource(RANGER_SECURITY_PATH_PROP, securityConfigValue);
final PropertyValue auditConfigValue = configurationContext.getProperty(RANGER_AUDIT_PATH_PROP);
addRequiredResource(RANGER_AUDIT_PATH_PROP, auditConfigValue);
final String rangerKerberosEnabledValue = getConfigValue(configurationContext, RANGER_KERBEROS_ENABLED_PROP, Boolean.FALSE.toString());
rangerKerberosEnabled = rangerKerberosEnabledValue.equals(Boolean.TRUE.toString()) ? true : false;
if (rangerKerberosEnabled) {
// configure UGI for when RangerAdminRESTClient calls UserGroupInformation.isSecurityEnabled()
final Configuration securityConf = new Configuration();
securityConf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS_AUTHENTICATION);
UserGroupInformation.setConfiguration(securityConf);
// login with the nifi principal and keytab, RangerAdminRESTClient will use Ranger's MiscUtil which
// will grab UserGroupInformation.getLoginUser() and call ugi.checkTGTAndReloginFromKeytab();
final String nifiPrincipal = nifiProperties.getKerberosServicePrincipal();
final String nifiKeytab = nifiProperties.getKerberosServiceKeytabLocation();
if (StringUtils.isBlank(nifiPrincipal) || StringUtils.isBlank(nifiKeytab)) {
throw new AuthorizerCreationException("Principal and Keytab must be provided when Kerberos is enabled");
}
UserGroupInformation.loginUserFromKeytab(nifiPrincipal.trim(), nifiKeytab.trim());
}
final String serviceType = getConfigValue(configurationContext, RANGER_SERVICE_TYPE_PROP, DEFAULT_SERVICE_TYPE);
final String appId = getConfigValue(configurationContext, RANGER_APP_ID_PROP, DEFAULT_APP_ID);
nifiPlugin = createRangerBasePlugin(serviceType, appId);
nifiPlugin.init();
defaultAuditHandler = new RangerDefaultAuditHandler();
rangerAdminIdentity = getConfigValue(configurationContext, RANGER_ADMIN_IDENTITY_PROP, null);
} else {
logger.info("RangerNiFiAuthorizer(): base plugin already initialized");
}
} catch (Throwable t) {
throw new AuthorizerCreationException("Error creating RangerBasePlugin", t);
}
}
Example 18
| Source File: BootStrapContext.java From Bats with Apache License 2.0 | 4 votes |
|
private void login(final DrillConfig config) throws DrillbitStartupException {
try {
if (config.hasPath(ExecConstants.SERVICE_PRINCIPAL)) {
// providing a service principal => Kerberos mechanism
final Configuration loginConf = new Configuration();
loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
// set optional user name mapping
if (config.hasPath(ExecConstants.KERBEROS_NAME_MAPPING)) {
loginConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL,
config.getString(ExecConstants.KERBEROS_NAME_MAPPING));
}
UserGroupInformation.setConfiguration(loginConf);
// service principal canonicalization
final String principal = config.getString(ExecConstants.SERVICE_PRINCIPAL);
final String parts[] = KerberosUtil.splitPrincipalIntoParts(principal);
if (parts.length != 3) {
throw new DrillbitStartupException(
String.format("Invalid %s, Drill service principal must be of format: primary/instance@REALM",
ExecConstants.SERVICE_PRINCIPAL));
}
parts[1] = KerberosUtil.canonicalizeInstanceName(parts[1], hostName);
final String canonicalizedPrincipal = KerberosUtil.getPrincipalFromParts(parts[0], parts[1], parts[2]);
final String keytab = config.getString(ExecConstants.SERVICE_KEYTAB_LOCATION);
// login to KDC (AS)
// Note that this call must happen before any call to UserGroupInformation#getLoginUser,
// but there is no way to enforce the order (this static init. call and parameters from
// DrillConfig are both required).
UserGroupInformation.loginUserFromKeytab(canonicalizedPrincipal, keytab);
logger.info("Process user name: '{}' and logged in successfully as '{}'", processUserName,
canonicalizedPrincipal);
} else {
UserGroupInformation.getLoginUser(); // init
}
// ugi does not support logout
} catch (final IOException e) {
throw new DrillbitStartupException("Failed to login.", e);
}
}
Example 19
| Source File: SecurityUtil.java From pulsar with Apache License 2.0 | 3 votes |
|
/**
* Initializes UserGroupInformation with the given Configuration and performs the login for the
* given principal and keytab. All logins should happen through this class to ensure other threads
* are not concurrently modifying UserGroupInformation.
* <p/>
* @param config the configuration instance
* @param principal the principal to authenticate as
* @param keyTab the keytab to authenticate with
*
* @return the UGI for the given principal
*
* @throws IOException if login failed
*/
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
final String principal, final String keyTab) throws IOException {
Validate.notNull(config);
Validate.notNull(principal);
Validate.notNull(keyTab);
UserGroupInformation.setConfiguration(config);
UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
return UserGroupInformation.getCurrentUser();
}
Example 20
| Source File: SecurityUtil.java From pulsar with Apache License 2.0 | 3 votes |
|
/**
* Initializes UserGroupInformation with the given Configuration and performs the login for the
* given principal and keytab. All logins should happen through this class to ensure other threads
* are not concurrently modifying UserGroupInformation.
* <p/>
* @param config the configuration instance
* @param principal the principal to authenticate as
* @param keyTab the keytab to authenticate with
*
* @return the UGI for the given principal
*
* @throws IOException if login failed
*/
public static synchronized UserGroupInformation loginKerberos(final Configuration config,
final String principal, final String keyTab) throws IOException {
Validate.notNull(config);
Validate.notNull(principal);
Validate.notNull(keyTab);
UserGroupInformation.setConfiguration(config);
UserGroupInformation.loginUserFromKeytab(principal.trim(), keyTab.trim());
return UserGroupInformation.getCurrentUser();
}
