Java Code Examples for org.apache.hadoop.hbase.security.UserProvider#isHadoopSecurityEnabled()

The following examples show how to use org.apache.hadoop.hbase.security.UserProvider#isHadoopSecurityEnabled() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: TableMapReduceUtil.java    From hbase with Apache License 2.0 6 votes vote down vote up
public static void initCredentials(JobConf job) throws IOException {
  UserProvider userProvider = UserProvider.instantiate(job);
  if (userProvider.isHadoopSecurityEnabled()) {
    // propagate delegation related props from launcher job to MR job
    if (System.getenv("HADOOP_TOKEN_FILE_LOCATION") != null) {
      job.set("mapreduce.job.credentials.binary", System.getenv("HADOOP_TOKEN_FILE_LOCATION"));
    }
  }

  if (userProvider.isHBaseSecurityEnabled()) {
    Connection conn = ConnectionFactory.createConnection(job);
    try {
      // login the server principal (if using secure Hadoop)
      User user = userProvider.getCurrent();
      TokenUtil.addTokenForJob(conn, job, user);
    } catch (InterruptedException ie) {
      LOG.error("Interrupted obtaining user authentication token", ie);
      Thread.currentThread().interrupt();
    } finally {
      conn.close();
    }
  }
}
 
Example 2
Source File: TableMapReduceUtil.java    From hbase with Apache License 2.0 5 votes vote down vote up
public static void initCredentials(Job job) throws IOException {
  UserProvider userProvider = UserProvider.instantiate(job.getConfiguration());
  if (userProvider.isHadoopSecurityEnabled()) {
    // propagate delegation related props from launcher job to MR job
    if (System.getenv("HADOOP_TOKEN_FILE_LOCATION") != null) {
      job.getConfiguration().set("mapreduce.job.credentials.binary",
                                 System.getenv("HADOOP_TOKEN_FILE_LOCATION"));
    }
  }

  if (userProvider.isHBaseSecurityEnabled()) {
    try {
      // init credentials for remote cluster
      String quorumAddress = job.getConfiguration().get(TableOutputFormat.QUORUM_ADDRESS);
      User user = userProvider.getCurrent();
      if (quorumAddress != null) {
        Configuration peerConf = HBaseConfiguration.createClusterConf(job.getConfiguration(),
            quorumAddress, TableOutputFormat.OUTPUT_CONF_PREFIX);
        Connection peerConn = ConnectionFactory.createConnection(peerConf);
        try {
          TokenUtil.addTokenForJob(peerConn, user, job);
        } finally {
          peerConn.close();
        }
      }

      Connection conn = ConnectionFactory.createConnection(job.getConfiguration());
      try {
        TokenUtil.addTokenForJob(conn, user, job);
      } finally {
        conn.close();
      }
    } catch (InterruptedException ie) {
      LOG.info("Interrupted obtaining user authentication token");
      Thread.currentThread().interrupt();
    }
  }
}
 
Example 3
Source File: RESTServer.java    From hbase with Apache License 2.0 5 votes vote down vote up
private static Pair<FilterHolder, Class<? extends ServletContainer>> loginServerPrincipal(
  UserProvider userProvider, Configuration conf) throws Exception {
  Class<? extends ServletContainer> containerClass = ServletContainer.class;
  if (userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled()) {
    String machineName = Strings.domainNamePointerToHostName(
      DNS.getDefaultHost(conf.get(REST_DNS_INTERFACE, "default"),
        conf.get(REST_DNS_NAMESERVER, "default")));
    String keytabFilename = conf.get(REST_KEYTAB_FILE);
    Preconditions.checkArgument(keytabFilename != null && !keytabFilename.isEmpty(),
      REST_KEYTAB_FILE + " should be set if security is enabled");
    String principalConfig = conf.get(REST_KERBEROS_PRINCIPAL);
    Preconditions.checkArgument(principalConfig != null && !principalConfig.isEmpty(),
      REST_KERBEROS_PRINCIPAL + " should be set if security is enabled");
    // Hook for unit tests, this will log out any other user and mess up tests.
    if (!conf.getBoolean(SKIP_LOGIN_KEY, false)) {
      userProvider.login(REST_KEYTAB_FILE, REST_KERBEROS_PRINCIPAL, machineName);
    }
    if (conf.get(REST_AUTHENTICATION_TYPE) != null) {
      containerClass = RESTServletContainer.class;
      FilterHolder authFilter = new FilterHolder();
      authFilter.setClassName(AuthFilter.class.getName());
      authFilter.setName("AuthenticationFilter");
      return new Pair<>(authFilter,containerClass);
    }
  }
  return new Pair<>(null, containerClass);
}
 
Example 4
Source File: AuthUtil.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * For kerberized cluster, return login user (from kinit or from keytab if specified).
 * For non-kerberized cluster, return system user.
 * @param conf configuartion file
 * @return user
 * @throws IOException login exception
 */
@InterfaceAudience.Private
public static User loginClient(Configuration conf) throws IOException {
  UserProvider provider = UserProvider.instantiate(conf);
  User user = provider.getCurrent();
  boolean securityOn = provider.isHBaseSecurityEnabled() && provider.isHadoopSecurityEnabled();

  if (securityOn) {
    boolean fromKeytab = provider.shouldLoginFromKeytab();
    if (user.getUGI().hasKerberosCredentials()) {
      // There's already a login user.
      // But we should avoid misuse credentials which is a dangerous security issue,
      // so here check whether user specified a keytab and a principal:
      // 1. Yes, check if user principal match.
      //    a. match, just return.
      //    b. mismatch, login using keytab.
      // 2. No, user may login through kinit, this is the old way, also just return.
      if (fromKeytab) {
        return checkPrincipalMatch(conf, user.getUGI().getUserName()) ? user :
          loginFromKeytabAndReturnUser(provider);
      }
      return user;
    } else if (fromKeytab) {
      // Kerberos is on and client specify a keytab and principal, but client doesn't login yet.
      return loginFromKeytabAndReturnUser(provider);
    }
  }
  return user;
}
 
Example 5
Source File: ThriftServer.java    From hbase with Apache License 2.0 4 votes vote down vote up
protected void setupParamters() throws IOException {
  // login the server principal (if using secure Hadoop)
  UserProvider userProvider = UserProvider.instantiate(conf);
  securityEnabled = userProvider.isHadoopSecurityEnabled()
      && userProvider.isHBaseSecurityEnabled();
  if (securityEnabled) {
    host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
        conf.get(THRIFT_DNS_INTERFACE_KEY, "default"),
        conf.get(THRIFT_DNS_NAMESERVER_KEY, "default")));
    userProvider.login(THRIFT_KEYTAB_FILE_KEY, THRIFT_KERBEROS_PRINCIPAL_KEY, host);

    // Setup the SPNEGO user for HTTP if configured
    String spnegoPrincipal = getSpengoPrincipal(conf, host);
    String spnegoKeytab = getSpnegoKeytab(conf);
    UserGroupInformation.setConfiguration(conf);
    // login the SPNEGO principal using UGI to avoid polluting the login user
    this.httpUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipal,
      spnegoKeytab);
  }
  this.serviceUGI = userProvider.getCurrent().getUGI();
  if (httpUGI == null) {
    this.httpUGI = serviceUGI;
  }

  this.listenPort = conf.getInt(PORT_CONF_KEY, DEFAULT_LISTEN_PORT);
  this.metrics = createThriftMetrics(conf);
  this.pauseMonitor = new JvmPauseMonitor(conf, this.metrics.getSource());
  this.hbaseServiceHandler = createHandler(conf, userProvider);
  this.hbaseServiceHandler.initMetrics(metrics);
  this.processor = createProcessor();

  httpEnabled = conf.getBoolean(USE_HTTP_CONF_KEY, false);
  doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, false);
  if (doAsEnabled && !httpEnabled) {
    LOG.warn("Fail to enable the doAs feature. " + USE_HTTP_CONF_KEY + " is not configured");
  }

  String strQop = conf.get(THRIFT_QOP_KEY);
  if (strQop != null) {
    this.qop = SaslUtil.getQop(strQop);
  }
  if (qop != null) {
    if (qop != SaslUtil.QualityOfProtection.AUTHENTICATION &&
        qop != SaslUtil.QualityOfProtection.INTEGRITY &&
        qop != SaslUtil.QualityOfProtection.PRIVACY) {
      throw new IOException(String.format("Invalid %s: It must be one of %s, %s, or %s.",
          THRIFT_QOP_KEY,
          SaslUtil.QualityOfProtection.AUTHENTICATION.name(),
          SaslUtil.QualityOfProtection.INTEGRITY.name(),
          SaslUtil.QualityOfProtection.PRIVACY.name()));
    }
    checkHttpSecurity(qop, conf);
    if (!securityEnabled) {
      throw new IOException("Thrift server must run in secure mode to support authentication");
    }
  }
  registerFilters(conf);
  pauseMonitor.start();
}