Java Code Examples for org.apache.hadoop.security.UserGroupInformation#createProxyUser()
The following examples show how to use
org.apache.hadoop.security.UserGroupInformation#createProxyUser() .
Example 1
Source File: ConnectionCache.java From hbase with Apache License 2.0 | 6 votes |
/**
 * Returns the connection cached for the current effective user, creating
 * and caching a new one when there is no entry.
 *
 * <p>When the effective user differs from {@code realUserName}, the new
 * connection is opened as a proxy user layered on {@code realUser}.
 * {@code createProxyUser} only builds the identity; no authorization check
 * is visible in this method, so whether the effective user name has already
 * been vetted must be confirmed where it is set.
 *
 * @return the cached or newly created connection info
 * @throws IOException if the connection cannot be created
 */
ConnectionInfo getCurrentConnection() throws IOException {
  final String effectiveUserName = getEffectiveUser();
  ConnectionInfo cached = connections.get(effectiveUserName);
  // Fast path: a live entry whose access time could be refreshed.
  if (cached != null && cached.updateAccessTime()) {
    return cached;
  }

  final Lock userLock = locker.acquireLock(effectiveUserName);
  try {
    // Look again under the per-user lock before creating anything.
    cached = connections.get(effectiveUserName);
    if (cached == null) {
      final UserGroupInformation ugi = effectiveUserName.equals(realUserName)
          ? realUser
          : UserGroupInformation.createProxyUser(effectiveUserName, realUser);
      final User user = userProvider.create(ugi);
      final Connection conn = ConnectionFactory.createConnection(conf, user);
      cached = new ConnectionInfo(conn, effectiveUserName);
      connections.put(effectiveUserName, cached);
    }
  } finally {
    userLock.unlock();
  }
  return cached;
}
Example 2
Source File: ApexCli.java From attic-apex-core with Apache License 2.0 | 6 votes |
/**
 * CLI entry point. Runs the shell either directly or, when security is
 * enabled and HADOOP_USER_NAME names a user other than the login user,
 * inside a proxy-user context for that name.
 *
 * <p>The requested name comes from the process environment. Creating the
 * proxy UGI here does not grant anything by itself; no authorization check
 * is visible in this method.
 *
 * @param args command-line arguments, passed to preImpersonationInit
 * @throws Exception propagated from initialization or from the shell
 */
public static void main(final String[] args) throws Exception {
  LoggerUtil.setupMDC("client");
  final ApexCli shell = new ApexCli();
  shell.preImpersonationInit(args);

  final String requestedUser = System.getenv("HADOOP_USER_NAME");
  final boolean impersonate = UserGroupInformation.isSecurityEnabled()
      && StringUtils.isNotBlank(requestedUser)
      && !requestedUser.equals(UserGroupInformation.getLoginUser().getUserName());

  if (!impersonate) {
    shell.mainHelper();
    return;
  }

  LOG.info("You ({}) are running as user {}",
      UserGroupInformation.getLoginUser().getUserName(), requestedUser);
  final UserGroupInformation proxyUgi =
      UserGroupInformation.createProxyUser(requestedUser, UserGroupInformation.getLoginUser());
  proxyUgi.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      shell.mainHelper();
      return null;
    }
  });
}
Example 3
Source File: ProtoUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Builds a {@link UserGroupInformation} from the user names carried in
 * {@code userInfo}.
 *
 * <ul>
 *   <li>no effective user: returns {@code null};</li>
 *   <li>effective user only: a remote-user UGI for that name;</li>
 *   <li>effective and real user: a proxy UGI for the effective user on top
 *       of a remote-user UGI for the real user.</li>
 * </ul>
 *
 * <p>The names are copied from the message as they are. Nothing in this
 * method authenticates them or checks that the real user may act for the
 * effective user; that is left to the caller.
 *
 * @param userInfo the message holding the effective and real user names
 * @return the resulting UGI, or {@code null} when no effective user is set
 */
public static UserGroupInformation getUgi(UserInformationProto userInfo) {
  final String effectiveName =
      userInfo.hasEffectiveUser() ? userInfo.getEffectiveUser() : null;
  final String realName =
      userInfo.hasRealUser() ? userInfo.getRealUser() : null;

  if (effectiveName == null) {
    return null;
  }
  if (realName == null) {
    return UserGroupInformation.createRemoteUser(effectiveName);
  }
  final UserGroupInformation realUgi = UserGroupInformation.createRemoteUser(realName);
  return UserGroupInformation.createProxyUser(effectiveName, realUgi);
}
Example 4
Source File: AbstractDelegationTokenIdentifier.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Returns the user described by this token identifier.
 *
 * <p>When a real user is recorded and differs from the owner, the result is
 * a proxy UGI for the owner on top of the real user. In every non-null case
 * the real user's UGI is marked with the TOKEN authentication method.
 *
 * @return the UGI for the owner, or {@code null} when the owner is unset or
 *     empty
 */
@Override
public UserGroupInformation getUser() {
  final boolean ownerMissing = owner == null || owner.toString().isEmpty();
  if (ownerMissing) {
    return null;
  }

  final boolean ownerActsForItself = realUser == null
      || realUser.toString().isEmpty()
      || realUser.equals(owner);

  final UserGroupInformation realUgi;
  final UserGroupInformation ugi;
  if (ownerActsForItself) {
    realUgi = UserGroupInformation.createRemoteUser(owner.toString());
    ugi = realUgi;
  } else {
    realUgi = UserGroupInformation.createRemoteUser(realUser.toString());
    ugi = UserGroupInformation.createProxyUser(owner.toString(), realUgi);
  }
  // The method is set on the real user's UGI, also in the proxy case.
  realUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
  return ugi;
}
Example 5
Source File: BlurHiveOutputFormat.java From incubator-retired-blur with Apache License 2.0 | 5 votes |
/**
 * Resolves the UGI to use for the Blur user named in the configuration.
 *
 * <p>If that name equals the current user's name the current UGI is
 * returned. Otherwise the result is a proxy UGI on top of the current user
 * when the configuration asks for proxying, or a plain remote-user UGI when
 * it does not. The user name is read from the configuration; no
 * authorization check is made here.
 *
 * @param configuration the configuration holding the Blur user settings
 * @return the UGI for the configured Blur user
 * @throws IOException if the current user cannot be determined
 */
public static UserGroupInformation getUGI(final Configuration configuration) throws IOException {
  final String blurUser = getBlurUser(configuration);
  final UserGroupInformation current = UserGroupInformation.getCurrentUser();

  if (blurUser.equals(current.getUserName())) {
    return current;
  }
  return BlurHiveOutputFormat.isBlurUserAsProxy(configuration)
      ? UserGroupInformation.createProxyUser(blurUser, current)
      : UserGroupInformation.createRemoteUser(blurUser);
}
Example 6
Source File: KerberosUtil.java From kite with Apache License 2.0 | 5 votes |
/**
 * Creates a proxy UGI for {@code username} on top of {@code login}.
 *
 * <p>Only the arguments are validated. Whether {@code login} is allowed to
 * act for {@code username} is not checked here.
 *
 * @param username the user to act as; must be non-null and non-empty
 * @param login the UGI of the user doing the proxying; must be non-null
 * @return the proxy UGI
 * @throws IllegalArgumentException if either argument fails validation
 */
public static UserGroupInformation proxyAs(String username,
                                           UserGroupInformation login) {
  final boolean usernameGiven = username != null && !username.isEmpty();
  Preconditions.checkArgument(usernameGiven, "Invalid username: " + username);

  final boolean loginGiven = login != null;
  Preconditions.checkArgument(loginGiven, "Cannot proxy without an authenticated user");

  // hadoop impersonation works with or without kerberos security
  return UserGroupInformation.createProxyUser(username, login);
}
Example 7
Source File: TestSaslRPC.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Returns the user for this test token identifier: a remote-user UGI for
 * the token id when no real user is recorded, otherwise a proxy UGI for the
 * token id on top of the real user.
 */
@Override
public UserGroupInformation getUser() {
  final String realName = realUser.toString();
  if (realName.isEmpty()) {
    return UserGroupInformation.createRemoteUser(tokenid.toString());
  }
  final UserGroupInformation realUgi = UserGroupInformation.createRemoteUser(realName);
  return UserGroupInformation.createProxyUser(tokenid.toString(), realUgi);
}
Example 8
Source File: HadoopSecurityManager_H_1_0.java From azkaban-plugins with Apache License 2.0 | 5 votes |
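/**
 * Returns the UGI for {@code userToProxy}, creating and caching it on first
 * use.
 *
 * <p>When {@code shouldProxy} is set, the UGI is a proxy user on top of the
 * login user; otherwise it is a plain remote-user UGI. This method does not
 * check whether the caller is entitled to act as {@code userToProxy}.
 *
 * @param userToProxy the name of the user to act as; must not be null
 * @return the cached or newly created UGI
 * @throws HadoopSecurityManagerException if {@code userToProxy} is null or
 *     the login user cannot be obtained
 */
@Override
public synchronized UserGroupInformation getProxiedUser(String userToProxy)
    throws HadoopSecurityManagerException {

  if (userToProxy == null) {
    throw new HadoopSecurityManagerException("userToProxy can't be null");
  }

  UserGroupInformation ugi = userUgiMap.get(userToProxy);
  if (ugi == null) {
    // NOTE(review): userToProxy is concatenated into the log line as given;
    // if it can carry caller-supplied text, confirm the log layout escapes
    // line breaks.
    logger.info("proxy user " + userToProxy
        + " not exist. Creating new proxy user");
    if (shouldProxy) {
      try {
        ugi = UserGroupInformation.createProxyUser(userToProxy,
            UserGroupInformation.getLoginUser());
      } catch (IOException e) {
        // The cause is carried by the rethrown exception, so it is not also
        // dumped to stderr, where it would bypass the configured logger.
        throw new HadoopSecurityManagerException(
            "Failed to create proxy user", e);
      }
    } else {
      ugi = UserGroupInformation.createRemoteUser(userToProxy);
    }
    userUgiMap.putIfAbsent(userToProxy, ugi);
  }
  return ugi;
}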
Example 9
Source File: SecurityUtils.java From azkaban-plugins with Apache License 2.0 | 5 votes |
/**
 * Creates a proxy UGI for {@code toProxy} on top of the shared login user.
 *
 * <p>On first use the login user is established from the keytab and
 * principal named in {@code prop}; on later calls the existing login is
 * refreshed from its keytab. The Hadoop security configuration is set from
 * {@code conf} on every call, before {@code toProxy} is validated.
 *
 * <p>No check is made here that the login user may act for
 * {@code toProxy}.
 *
 * @param toProxy the user to act as; must not be null
 * @param prop properties naming the keytab location and the proxy principal
 * @param log logger for progress messages
 * @param conf Hadoop configuration; must not be null
 * @return the proxy UGI
 * @throws IllegalArgumentException if {@code conf} or {@code toProxy} is null
 * @throws IOException if the keytab login or re-login fails
 */
public static synchronized UserGroupInformation getProxiedUser(
    String toProxy, Properties prop, Logger log, Configuration conf)
    throws IOException {

  if (conf == null) {
    throw new IllegalArgumentException("conf can't be null");
  }
  UserGroupInformation.setConfiguration(conf);

  if (toProxy == null) {
    throw new IllegalArgumentException("toProxy can't be null");
  }

  if (loginUser != null) {
    log.info("loginUser (" + loginUser
        + ") already created, refreshing tgt.");
    loginUser.checkTGTAndReloginFromKeytab();
  } else {
    log.info("No login user. Creating login user");
    final String keytabPath = verifySecureProperty(prop, PROXY_KEYTAB_LOCATION, log);
    final String principal = verifySecureProperty(prop, PROXY_USER, log);
    UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
    loginUser = UserGroupInformation.getLoginUser();
    log.info("Logged in with user " + loginUser);
  }

  return UserGroupInformation.createProxyUser(toProxy, loginUser);
}
Example 10
Source File: RESTServletContainer.java From hbase with Apache License 2.0 | 5 votes |
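/**
 * This container is used only if authentication and impersonation is
 * enabled. The remote request user is used as a proxy user for
 * impersonation in invoking any REST service.
 *
 * <p>The {@code doAs} value is a request parameter, so it is supplied by
 * the client. It becomes the effective user only after
 * {@code ProxyUsers.authorize} has accepted the (remote user, doAs, remote
 * address) combination; without a {@code doAs} parameter the remote user
 * itself is the effective user.
 *
 * @param request the incoming request
 * @param response the response being built
 * @throws ServletException if proxy-user support is not configured or the
 *     impersonation is not authorized
 * @throws IOException propagated from the parent container
 */
@Override
public void service(final HttpServletRequest request,
    final HttpServletResponse response) throws ServletException, IOException {
  final String doAsUserFromQuery = request.getParameter("doAs");
  RESTServlet servlet = RESTServlet.getInstance();
  if (doAsUserFromQuery != null) {
    Configuration conf = servlet.getConfiguration();
    if (!servlet.supportsProxyuser()) {
      throw new ServletException("Support for proxyuser is not configured");
    }
    // Authenticated remote user is attempting to do 'doAs' proxy user.
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
    // createProxyUser only builds the identity; the authorize call below is
    // what decides whether the remote user may act for the doAs user.
    ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
    try {
      ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
    } catch (AuthorizationException e) {
      // Keep the original exception as the cause so the denial can be traced.
      throw new ServletException(e.getMessage(), e);
    }
    servlet.setEffectiveUser(doAsUserFromQuery);
  } else {
    String effectiveUser = request.getRemoteUser();
    servlet.setEffectiveUser(effectiveUser);
  }
  super.service(request, response);
}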
Example 11
Source File: SSLAndKerberosTest.java From incubator-atlas with Apache License 2.0 | 4 votes |
/**
 * Test fixture: writes SSL and Kerberos client configuration to a temporary
 * directory, logs in the test subject, creates the Atlas client inside a
 * proxy-user context for "testUser", and starts the secure embedded server.
 *
 * @throws Exception if any setup step fails
 */
@BeforeClass
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES);

    // Load the base properties: from the classpath when atlas.conf is unset,
    // otherwise from the directory it names.
    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);
    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal","dgi/localhost@"+kdc.getRealm());

    // "atlas.authentication.method.file" is set to "false" here and to
    // "true" further down; the later call is the value that is written out.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir + "/policy-store.txt" );

    TestUtils.writeConfiguration(configuration, persistDir + File.separator + "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // Log in the test subject, then layer a proxy user named "testUser" on
    // top of that login user.
    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser( "testUser", UserGroupInformation.getLoginUser());

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    // The client is constructed inside the proxy user's doAs context.
    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });

    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
Example 12
Source File: Server.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * Reads the connection context following the connection header and derives
 * the connection's user from it.
 *
 * <p>Without a SASL server the user is whatever the client's connection
 * context names. With one, the already authenticated user is kept, and a
 * different name in the context is treated as a proxy-user request, which
 * is refused for TOKEN authentication.
 *
 * @param dis - DataInputStream from which to read the header
 * @throws WrappedRpcServerException - if the header cannot be
 *         deserialized, or the user is not authorized
 */
private void processConnectionContext(DataInputStream dis)
    throws WrappedRpcServerException {
  // allow only one connection context during a session
  if (connectionContextRead) {
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER,
        "Connection context already processed");
  }
  connectionContext = decodeProtobufFromStream(
      IpcConnectionContextProto.newBuilder(), dis);
  protocolName = connectionContext.hasProtocol() ? connectionContext
      .getProtocol() : null;
  // protocolUser is built from names the client sent in the context.
  UserGroupInformation protocolUser = ProtoUtil.getUgi(connectionContext);
  if (saslServer == null) {
    // No SASL server: the client-named user is taken as the user as-is.
    // NOTE(review): protocolUser is null-checked in the other branch but not
    // here; confirm how a null user is handled downstream.
    user = protocolUser;
  } else {
    // user is authenticated
    user.setAuthenticationMethod(authMethod);
    //Now we check if this is a proxy user case. If the protocol user is
    //different from the 'user', it is a proxy user scenario. However,
    //this is not allowed if user authenticated with TOKEN (the check below
    //tests AuthMethod.TOKEN).
    if ((protocolUser != null)
        && (!protocolUser.getUserName().equals(user.getUserName()))) {
      if (authMethod == AuthMethod.TOKEN) {
        // Not allowed to doAs if token authentication is used
        throw new WrappedRpcServerException(
            RpcErrorCodeProto.FATAL_UNAUTHORIZED,
            new AccessControlException("Authenticated user (" + user
                + ") doesn't match what the client claims to be ("
                + protocolUser + ")"));
      } else {
        // Effective user can be different from authenticated user
        // for simple auth or kerberos auth
        // The user is the real user. Now we create a proxy user
        UserGroupInformation realUser = user;
        user = UserGroupInformation.createProxyUser(protocolUser
            .getUserName(), realUser);
      }
    }
  }
  // createProxyUser above only builds the identity. Presumably the check
  // that the real user may act for the effective user happens in
  // authorizeConnection() (not shown here) - confirm.
  authorizeConnection();
  // don't set until after authz because connection isn't established
  connectionContextRead = true;
}
Example 13
Source File: TestWebHdfsUrl.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * Checks which authentication parameters WebHDFS puts into request URLs
 * when the login user is a proxy user ("test-proxy-user" on top of
 * "test-user") with Kerberos set as the authentication method, both while a
 * delegation token is held and after it has been cleared.
 *
 * @throws IOException if a file-system call fails
 */
@Test(timeout=60000)
public void testSecureProxyAuthParamsInUrl() throws IOException {
  Configuration conf = new Configuration();
  // fake turning on security so api thinks it should use tokens
  SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
  UserGroupInformation.setConfiguration(conf);

  UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser("test-user");
  ugi.setAuthenticationMethod(KERBEROS);
  ugi = UserGroupInformation.createProxyUser("test-proxy-user", ugi);
  UserGroupInformation.setLoginUser(ugi);

  WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
  Path fsPath = new Path("/");
  String tokenString = webhdfs.getDelegationToken().encodeToUrlString();

  // send real+effective
  URL getTokenUrl = webhdfs.toUrl(GetOpParam.Op.GETDELEGATIONTOKEN, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getRealUser().getShortUserName()).toString(),
          new DoAsParam(ugi.getShortUserName()).toString()
      },
      getTokenUrl);

  // send real+effective
  URL renewTokenUrl = webhdfs.toUrl(PutOpParam.Op.RENEWDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.RENEWDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getRealUser().getShortUserName()).toString(),
          new DoAsParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      renewTokenUrl);

  // cancel: the expected query carries real user, doAs and the token argument
  URL cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getRealUser().getShortUserName()).toString(),
          new DoAsParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      cancelTokenUrl);

  // send token: with a token held, the file-status URL carries only the
  // delegation parameter and no user or doAs parameter. The token string is
  // part of the URL query here.
  URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new DelegationParam(tokenString).toString()
      },
      fileStatusUrl);

  // wipe out internal token to simulate auth always required
  webhdfs.setDelegationToken(null);

  // send real+effective
  cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getRealUser().getShortUserName()).toString(),
          new DoAsParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString()
      },
      cancelTokenUrl);

  // send real+effective
  fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new UserParam(ugi.getRealUser().getShortUserName()).toString(),
          new DoAsParam(ugi.getShortUserName()).toString()
      },
      fileStatusUrl);
}
Example 14
Source File: ProxyUserAuthenticationFilter.java From hbase with Apache License 2.0 | 4 votes |
/**
 * Applies the {@code doAs} request parameter, when present, before handing
 * the request on.
 *
 * <p>If {@code doAs} names someone other than the remote user and the
 * request has a user principal, a proxy UGI is built and checked with
 * {@code ProxyUsers.authorize} against the remote address. On success the
 * request is wrapped so that its remote user and principal are those of the
 * proxy UGI; on refusal a 403 response is written and the chain is not
 * continued. In every other case the request passes through unchanged.
 */
@Override
protected void doFilter(FilterChain filterChain, HttpServletRequest request,
    HttpServletResponse response) throws IOException, ServletException {
  final HttpServletRequest lowerCaseRequest = toLowerCase(request);
  final String doAsUser = lowerCaseRequest.getParameter(DO_AS);
  final boolean impersonationRequested =
      doAsUser != null && !doAsUser.equals(request.getRemoteUser());

  if (impersonationRequested) {
    LOG.debug("doAsUser = {}, RemoteUser = {} , RemoteAddress = {} ",
        doAsUser, request.getRemoteUser(), request.getRemoteAddr());

    // Without a user principal no proxy UGI is built and the request is
    // passed on as it came in.
    if (request.getUserPrincipal() != null) {
      final UserGroupInformation realUgi =
          UserGroupInformation.createRemoteUser(request.getRemoteUser());
      final UserGroupInformation proxyUgi =
          UserGroupInformation.createProxyUser(doAsUser, realUgi);
      try {
        // The identity swap below happens only after this check passes.
        ProxyUsers.authorize(proxyUgi, request.getRemoteAddr());
        request = new HttpServletRequestWrapper(request) {
          @Override
          public String getRemoteUser() {
            return proxyUgi.getShortUserName();
          }

          @Override
          public Principal getUserPrincipal() {
            return new Principal() {
              @Override
              public String getName() {
                return proxyUgi.getUserName();
              }
            };
          }
        };
        LOG.debug("Proxy user Authentication successful");
      } catch (AuthorizationException ex) {
        HttpExceptionUtils.createServletExceptionResponse(response,
            HttpServletResponse.SC_FORBIDDEN, ex);
        LOG.warn("Proxy user Authentication exception", ex);
        return;
      }
    }
  }
  super.doFilter(filterChain, request, response);
}
Example 15
Source File: FileSystemAccessService.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Creates a proxy UGI for {@code user} on top of the process login user.
 *
 * <p>The name is used as given; whether the login user may act for it is
 * not checked here.
 *
 * @param user the name of the user to act as
 * @return the proxy UGI
 * @throws IOException if the login user cannot be obtained
 */
protected UserGroupInformation getUGI(String user) throws IOException {
  final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
  return UserGroupInformation.createProxyUser(user, loginUgi);
}
Example 16
Source File: HiveImpersonationUtil.java From dremio-oss with Apache License 2.0 | 4 votes |
/**
 * Creates the proxy UGI for a key: the key's proxy user name on top of the
 * key's login user.
 *
 * @param key holder of the proxy user name and the login user's UGI
 * @return the proxy UGI
 * @throws Exception declared by the overridden method
 */
@Override
public UserGroupInformation load(Key key) throws Exception {
  final String effectiveName = key.proxyUserName;
  final UserGroupInformation realUgi = key.loginUser;
  return UserGroupInformation.createProxyUser(effectiveName, realUgi);
}
Example 17
Source File: FileSystemAccessService.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * Returns a proxy UGI that acts as {@code user} with the process login user
 * as the real user.
 *
 * <p>This method performs no authorization of {@code user}.
 *
 * @param user the user name to act as
 * @return a proxy UGI for {@code user}
 * @throws IOException if the login user cannot be determined
 */
protected UserGroupInformation getUGI(String user) throws IOException {
  final UserGroupInformation realUgi = UserGroupInformation.getLoginUser();
  final UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(user, realUgi);
  return proxyUgi;
}
Example 18
Source File: SSLAndKerberosTest.java From atlas with Apache License 2.0 | 4 votes |
/**
 * Test fixture: prepares SSL and Kerberos configuration in a temporary
 * directory, logs in the test subject, builds the Atlas client as proxy
 * user "testUser", and starts the secure embedded server.
 *
 * @throws Exception if any setup step fails
 */
public void setUp() throws Exception {
    jksPath = new Path(Files.createTempDirectory("tempproviders").toString(), "test.jks");
    providerUrl = JavaKeyStoreProvider.SCHEME_NAME + "://file/" + jksPath.toUri();

    String persistDir = TestUtils.getTempDirectory();

    setupKDCAndPrincipals();
    setupCredentials();

    // client will actually only leverage subset of these properties
    final PropertiesConfiguration configuration = getSSLConfiguration(providerUrl);

    persistSSLClientConfiguration(configuration);

    TestUtils.writeConfiguration(configuration, persistDir + File.separator + ApplicationProperties.APPLICATION_PROPERTIES);

    // Base properties come from the classpath unless atlas.conf points to a
    // directory.
    String confLocation = System.getProperty("atlas.conf");
    URL url;
    if (confLocation == null) {
        url = SSLAndKerberosTest.class.getResource("/" + ApplicationProperties.APPLICATION_PROPERTIES);
    } else {
        url = new File(confLocation, ApplicationProperties.APPLICATION_PROPERTIES).toURI().toURL();
    }
    configuration.load(url);
    configuration.setProperty(TLS_ENABLED, true);
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.keytab",userKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.principal","dgi/localhost@"+kdc.getRealm());

    // The file method is switched off here and on again below; the value
    // written out is the later one ("true"). The trusted-proxy method is
    // set to "false" and not touched again in this method.
    configuration.setProperty("atlas.authentication.method.file", "false");
    configuration.setProperty("atlas.authentication.method.trustedproxy", "false");
    configuration.setProperty("atlas.authentication.method.kerberos", "true");
    configuration.setProperty("atlas.authentication.method.kerberos.principal", "HTTP/localhost@" + kdc.getRealm());
    configuration.setProperty("atlas.authentication.method.kerberos.keytab", httpKeytabFile.getAbsolutePath());
    configuration.setProperty("atlas.authentication.method.kerberos.name.rules",
            "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT");

    configuration.setProperty("atlas.authentication.method.file", "true");
    configuration.setProperty("atlas.authentication.method.file.filename", persistDir + "/users-credentials");
    configuration.setProperty("atlas.auth.policy.file",persistDir + "/policy-store.txt" );

    TestUtils.writeConfiguration(configuration, persistDir + File.separator + "atlas-application.properties");

    setupUserCredential(persistDir);
    setUpPolicyStore(persistDir);

    // The proxy user "testUser" is layered on the login user established
    // from the test subject.
    subject = loginTestUser();
    UserGroupInformation.loginUserFromSubject(subject);
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser( "testUser", UserGroupInformation.getLoginUser());

    // save original setting
    originalConf = System.getProperty("atlas.conf");
    System.setProperty("atlas.conf", persistDir);

    originalHomeDir = System.getProperty("atlas.home");
    System.setProperty("atlas.home", TestUtils.getTargetDirectory());

    // Construct the client within the proxy user's doAs context.
    dgiCLient = proxyUser.doAs(new PrivilegedExceptionAction<AtlasClient>() {
        @Override
        public AtlasClient run() throws Exception {
            return new AtlasClient(configuration, DGI_URL);
        }
    });

    secureEmbeddedServer = new TestSecureEmbeddedServer(21443, getWarPath()) {
        @Override
        public PropertiesConfiguration getConfiguration() {
            return configuration;
        }
    };
    secureEmbeddedServer.getServer().start();
}
Example 19
Source File: Server.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Reads the connection context that follows the connection header and sets
 * the connection's user accordingly.
 *
 * <p>If there is no SASL server, the user named in the client's context is
 * used directly. Otherwise the authenticated user stays the real user; a
 * context naming a different user becomes a proxy user, except under TOKEN
 * authentication, where the mismatch is rejected.
 *
 * @param dis - DataInputStream from which to read the header
 * @throws WrappedRpcServerException - if the header cannot be
 *         deserialized, or the user is not authorized
 */
private void processConnectionContext(DataInputStream dis)
    throws WrappedRpcServerException {
  // allow only one connection context during a session
  if (connectionContextRead) {
    throw new WrappedRpcServerException(
        RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER,
        "Connection context already processed");
  }
  connectionContext = decodeProtobufFromStream(
      IpcConnectionContextProto.newBuilder(), dis);
  protocolName = connectionContext.hasProtocol() ? connectionContext
      .getProtocol() : null;
  // The names behind protocolUser were sent by the client in the context.
  UserGroupInformation protocolUser = ProtoUtil.getUgi(connectionContext);
  if (saslServer == null) {
    // Unauthenticated path: the client's claimed user is adopted unchanged.
    // NOTE(review): unlike the branch below there is no null check on
    // protocolUser here; verify that later code copes with a null user.
    user = protocolUser;
  } else {
    // user is authenticated
    user.setAuthenticationMethod(authMethod);
    //Now we check if this is a proxy user case. If the protocol user is
    //different from the 'user', it is a proxy user scenario. However,
    //this is not allowed if user authenticated with TOKEN, which is the
    //method the condition below compares against.
    if ((protocolUser != null)
        && (!protocolUser.getUserName().equals(user.getUserName()))) {
      if (authMethod == AuthMethod.TOKEN) {
        // Not allowed to doAs if token authentication is used
        throw new WrappedRpcServerException(
            RpcErrorCodeProto.FATAL_UNAUTHORIZED,
            new AccessControlException("Authenticated user (" + user
                + ") doesn't match what the client claims to be ("
                + protocolUser + ")"));
      } else {
        // Effective user can be different from authenticated user
        // for simple auth or kerberos auth
        // The user is the real user. Now we create a proxy user
        UserGroupInformation realUser = user;
        user = UserGroupInformation.createProxyUser(protocolUser
            .getUserName(), realUser);
      }
    }
  }
  // Building the proxy UGI grants nothing by itself. The permission check
  // for the real/effective pair is presumably inside authorizeConnection(),
  // whose body is not shown here - confirm.
  authorizeConnection();
  // don't set until after authz because connection isn't established
  connectionContextRead = true;
}
Example 20
Source File: UGIProvider.java From pxf with Apache License 2.0 | 2 votes |
/**
 * Thin wrapper around {@link UserGroupInformation#createProxyUser}.
 *
 * <p>The wrapper adds no validation or authorization of its own.
 *
 * @param effectiveUser the name of the user that we want to impersonate
 * @param loginUser     the UGI of the login user (or Kerberos principal)
 * @return a {@link UserGroupInformation} for impersonation.
 * @throws IOException declared by this method's signature
 */
UserGroupInformation createProxyUGI(String effectiveUser, UserGroupInformation loginUser) throws IOException {
    final UserGroupInformation proxyUgi =
            UserGroupInformation.createProxyUser(effectiveUser, loginUser);
    return proxyUgi;
}