/**
 * Chooses the ZooKeeper ACL list to attach to the nodes this component creates.
 *
 * <p>With Kerberos enabled the nodes get {@code CREATOR_ALL_ACL} (per its ZooDefs name,
 * all permissions for the creating identity only). Without Kerberos there is no
 * authenticated identity to bind an ACL to, so {@code OPEN_ACL_UNSAFE} is returned and a
 * warning is logged: the nodes are then not protected by any ACL at all.
 *
 * @param cConf configuration object, consulted through {@link SecurityUtil#isKerberosEnabled}
 * @return the ACL list to pass on node creation
 */
static List<ACL> getACLs(CConfiguration cConf) {
  boolean kerberos = SecurityUtil.isKerberosEnabled(cConf);
  if (!kerberos) {
    LOG.warn("Not adding ACLs on keys in ZooKeeper as Kerberos is not enabled");
    return ZooDefs.Ids.OPEN_ACL_UNSAFE;
  }
  return ZooDefs.Ids.CREATOR_ALL_ACL;
}
}
/**
 * Creates the impersonator, capturing whether Kerberos is enabled and the short user name
 * of the master principal.
 *
 * @param cConf configuration used for the Kerberos flag and the master principal
 * @param ugiProvider provider of the UGIs used to impersonate
 */
@Inject
@VisibleForTesting
public DefaultImpersonator(CConfiguration cConf, UGIProvider ugiProvider) {
  this.ugiProvider = ugiProvider;
  this.kerberosEnabled = SecurityUtil.isKerberosEnabled(cConf);
  // SecurityUtil.getMasterPrincipal returns null on a cluster without Kerberos,
  // so there is no short user name to derive in that case.
  this.masterShortUsername = toShortUserName(SecurityUtil.getMasterPrincipal(cConf));
}

/**
 * Maps a Kerberos principal to its Hadoop short user name via {@link KerberosName}.
 *
 * @param principal the full principal, or {@code null} when Kerberos is disabled
 * @return the short name, or {@code null} if {@code principal} is {@code null}
 * @throws RuntimeException wrapping the {@link IOException} raised by the name mapping
 */
private static String toShortUserName(String principal) {
  if (principal == null) {
    return null;
  }
  try {
    return new KerberosName(principal).getShortName();
  } catch (IOException e) {
    throw Throwables.propagate(e);
  }
}
/**
 * Builds the system arguments handed to a program run.
 *
 * <p>Always carries the cluster name and the scheduler queue resolved for the program's
 * namespace. When Kerberos is enabled it additionally carries the principal the program
 * will run as and whether an owner principal is registered for the program's parent
 * entity (presumably the application, given the {@code APP_PRINCIPAL_EXISTS} key).
 *
 * @param id the program to build arguments for
 * @return a mutable map of system argument names to values
 * @throws IOException propagated from the underlying lookups
 * @throws NamespaceNotFoundException propagated from the underlying lookups
 */
public Map<String, String> getSystemProperties(Id.Program id) throws IOException, NamespaceNotFoundException {
  Map<String, String> props = Maps.newHashMap();
  props.put(Constants.CLUSTER_NAME, cConf.get(Constants.CLUSTER_NAME, ""));
  props.put(Constants.AppFabric.APP_SCHEDULER_QUEUE, queueResolver.getQueue(id.getNamespace()));

  // Without Kerberos there is no principal to impersonate, so stop here.
  if (!SecurityUtil.isKerberosEnabled(cConf)) {
    return props;
  }

  ImpersonationInfo info = SecurityUtil.createImpersonationInfo(ownerAdmin, cConf, id.toEntityId());
  props.put(ProgramOptionConstants.PRINCIPAL, info.getPrincipal());
  boolean parentHasOwner = ownerAdmin.exists(id.toEntityId().getParent());
  props.put(ProgramOptionConstants.APP_PRINCIPAL_EXISTS, String.valueOf(parentHasOwner));
  return props;
}
}
if (!isKerberosEnabled(cConf)) { LOG.info("Kerberos login is not enabled. To enable Kerberos login, enable {} and configure {} and {}", Constants.Security.KERBEROS_ENABLED, Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL,
/**
 * Builds the system arguments handed to a program run.
 *
 * <p>Always carries the cluster name and the scheduler queue resolved for the program's
 * namespace. When Kerberos is enabled it additionally carries the principal the program
 * will run as and whether an owner principal is registered for the program's parent
 * entity (presumably the application, given the {@code APP_PRINCIPAL_EXISTS} key).
 *
 * @param id the program to build arguments for
 * @return a mutable map of system argument names to values
 * @throws IOException propagated from the underlying lookups
 * @throws NamespaceNotFoundException propagated from the underlying lookups
 */
public Map<String, String> getSystemProperties(Id.Program id) throws IOException, NamespaceNotFoundException {
  Map<String, String> props = Maps.newHashMap();
  props.put(Constants.CLUSTER_NAME, cConf.get(Constants.CLUSTER_NAME, ""));
  props.put(Constants.AppFabric.APP_SCHEDULER_QUEUE, queueResolver.getQueue(id.getNamespace()));

  // Without Kerberos there is no principal to impersonate, so stop here.
  if (!SecurityUtil.isKerberosEnabled(cConf)) {
    return props;
  }

  ImpersonationInfo info = SecurityUtil.createImpersonationInfo(ownerAdmin, cConf, id.toEntityId());
  props.put(ProgramOptionConstants.PRINCIPAL, info.getPrincipal());
  boolean parentHasOwner = ownerAdmin.exists(id.toEntityId().getParent());
  props.put(ProgramOptionConstants.APP_PRINCIPAL_EXISTS, String.valueOf(parentHasOwner));
  return props;
}
}
/**
 * Creates a client for the dataset service that scopes every request to one namespace.
 *
 * <p>Requests go through a {@link RemoteClient} resolved via service discovery against
 * {@code Constants.Service.DATASET_MANAGER}, under the base path
 * {@code <API_VERSION_3>/namespaces/<namespace>/data}. The security, Kerberos and
 * authorization flags and the effective master user are read from {@code cConf} once here;
 * presumably the request methods consult them rather than re-reading the configuration.
 *
 * @param discoveryClient used to locate the dataset service
 * @param namespaceId the namespace all requests of this client are scoped to
 * @param cConf configuration supplying the security-related settings
 * @param authenticationContext source of the caller's identity
 */
DatasetServiceClient(final DiscoveryServiceClient discoveryClient, NamespaceId namespaceId,
                     CConfiguration cConf, AuthenticationContext authenticationContext) {
  String basePath = String.format("%s/namespaces/%s/data",
                                  Constants.Gateway.API_VERSION_3, namespaceId.getNamespace());
  // NOTE(review): the meaning of the 'false' passed to DefaultHttpRequestConfig is not
  // visible here -- confirm against that class before changing it.
  this.remoteClient = new RemoteClient(discoveryClient, Constants.Service.DATASET_MANAGER,
                                       new DefaultHttpRequestConfig(false), basePath);
  this.namespaceId = namespaceId;
  this.authenticationContext = authenticationContext;

  this.securityEnabled = cConf.getBoolean(Constants.Security.ENABLED);
  this.kerberosEnabled = SecurityUtil.isKerberosEnabled(cConf);
  this.authorizationEnabled = cConf.getBoolean(Constants.Security.Authorization.ENABLED);
  this.masterShortUserName = AuthorizationUtil.getEffectiveMasterUser(cConf);
}
/**
 * Creates a client for the dataset service that scopes every request to one namespace.
 *
 * <p>Requests go through a {@link RemoteClient} resolved via service discovery against
 * {@code Constants.Service.DATASET_MANAGER}, under the base path
 * {@code <API_VERSION_3>/namespaces/<namespace>/data}. The security, Kerberos and
 * authorization flags and the effective master user are read from {@code cConf} once here;
 * presumably the request methods consult them rather than re-reading the configuration.
 *
 * @param discoveryClient used to locate the dataset service
 * @param namespaceId the namespace all requests of this client are scoped to
 * @param cConf configuration supplying the security-related settings
 * @param authenticationContext source of the caller's identity
 */
DatasetServiceClient(final DiscoveryServiceClient discoveryClient, NamespaceId namespaceId,
                     CConfiguration cConf, AuthenticationContext authenticationContext) {
  String basePath = String.format("%s/namespaces/%s/data",
                                  Constants.Gateway.API_VERSION_3, namespaceId.getNamespace());
  // NOTE(review): the meaning of the 'false' passed to DefaultHttpRequestConfig is not
  // visible here -- confirm against that class before changing it.
  this.remoteClient = new RemoteClient(discoveryClient, Constants.Service.DATASET_MANAGER,
                                       new DefaultHttpRequestConfig(false), basePath);
  this.namespaceId = namespaceId;
  this.authenticationContext = authenticationContext;

  this.securityEnabled = cConf.getBoolean(Constants.Security.ENABLED);
  this.kerberosEnabled = SecurityUtil.isKerberosEnabled(cConf);
  this.authorizationEnabled = cConf.getBoolean(Constants.Security.Authorization.ENABLED);
  this.masterShortUserName = AuthorizationUtil.getEffectiveMasterUser(cConf);
}
if (SecurityUtil.isKerberosEnabled(cConf)) {
if (SecurityUtil.isKerberosEnabled(cConf)) {
if (SecurityUtil.isKerberosEnabled(cConf)) {
boolean createdTemp = false; try { if (createdHome && SecurityUtil.isKerberosEnabled(cConf)) { if (SecurityUtil.isKerberosEnabled(cConf) && configuredGroupName != null) { for (Location loc : new Location[] { dataLoc, tempLoc }) { loc.setGroup(configuredGroupName);
/**
 * Starts a program run and returns without waiting for it to finish.
 *
 * <p>If the program's namespace has a configured principal and Kerberos is enabled, the run
 * is submitted with that principal's service name as the user in
 * {@link SecurityRequestContext} (see CDAP-7396). The previous user id is restored in a
 * {@code finally} block so the caller's request context is never left altered, even when
 * submission fails.
 *
 * @param id the program to run
 * @param sysArgs system arguments for the run
 * @param userArgs user-supplied runtime arguments
 * @throws TaskExecutionException if the program or its application does not exist
 * @throws Exception anything else raised while resolving the namespace or submitting the run
 */
public void execute(final ProgramId id, Map<String, String> sysArgs, Map<String, String> userArgs)
  throws Exception {
  String previousUserId = SecurityRequestContext.getUserId();
  try {
    String runAsUserId = resolveRunAsUserId(id);
    if (runAsUserId != null) {
      SecurityRequestContext.setUserId(runAsUserId);
    }
    lifecycleService.runInternal(id, userArgs, sysArgs, false);
  } catch (ProgramNotFoundException | ApplicationNotFoundException e) {
    throw new TaskExecutionException(String.format(UserMessages.getMessage(UserErrors.PROGRAM_NOT_FOUND), id), e, false);
  } finally {
    SecurityRequestContext.setUserId(previousUserId);
  }
}

/**
 * Resolves the user id a run of {@code id} should be submitted under.
 *
 * @param id the program whose namespace principal is looked up
 * @return the service name of the namespace principal when one is configured and Kerberos is
 *         enabled; {@code null} otherwise, meaning the current request user is kept
 * @throws Exception propagated from the namespace lookup
 */
private String resolveRunAsUserId(ProgramId id) throws Exception {
  String nsPrincipal = namespaceQueryAdmin.get(id.getNamespaceId()).getConfig().getPrincipal();
  if (nsPrincipal == null || !SecurityUtil.isKerberosEnabled(cConf)) {
    return null;
  }
  return new KerberosName(nsPrincipal).getServiceName();
}
}
/**
 * Starts a program run and returns without waiting for it to finish.
 *
 * <p>If the program's namespace has a configured principal and Kerberos is enabled, the run
 * is submitted with that principal's service name as the user in
 * {@link SecurityRequestContext} (see CDAP-7396). The previous user id is restored in a
 * {@code finally} block so the caller's request context is never left altered, even when
 * submission fails.
 *
 * @param id the program to run
 * @param sysArgs system arguments for the run
 * @param userArgs user-supplied runtime arguments
 * @throws TaskExecutionException if the program or its application does not exist
 * @throws Exception anything else raised while resolving the namespace or submitting the run
 */
public void execute(final ProgramId id, Map<String, String> sysArgs, Map<String, String> userArgs)
  throws Exception {
  String previousUserId = SecurityRequestContext.getUserId();
  try {
    String runAsUserId = resolveRunAsUserId(id);
    if (runAsUserId != null) {
      SecurityRequestContext.setUserId(runAsUserId);
    }
    lifecycleService.runInternal(id, userArgs, sysArgs, false);
  } catch (ProgramNotFoundException | ApplicationNotFoundException e) {
    throw new TaskExecutionException(String.format(UserMessages.getMessage(UserErrors.PROGRAM_NOT_FOUND), id), e, false);
  } finally {
    SecurityRequestContext.setUserId(previousUserId);
  }
}

/**
 * Resolves the user id a run of {@code id} should be submitted under.
 *
 * @param id the program whose namespace principal is looked up
 * @return the service name of the namespace principal when one is configured and Kerberos is
 *         enabled; {@code null} otherwise, meaning the current request user is kept
 * @throws Exception propagated from the namespace lookup
 */
private String resolveRunAsUserId(ProgramId id) throws Exception {
  String nsPrincipal = namespaceQueryAdmin.get(id.getNamespaceId()).getConfig().getPrincipal();
  if (nsPrincipal == null || !SecurityUtil.isKerberosEnabled(cConf)) {
    return null;
  }
  return new KerberosName(nsPrincipal).getServiceName();
}
}
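/**
 * Verifies that {@code SecurityUtil.isKerberosEnabled} reports Kerberos as enabled only when
 * the flag is on AND both the master principal and the keytab path are configured.
 *
 * <p>Fix over the previous version: the "no principal" and "no keytab" configurations never
 * had {@code KERBEROS_ENABLED} set on them -- the flag was mistakenly written to
 * {@code kerbConf} instead -- so their {@code assertFalse} passed merely because the flag was
 * absent and the missing-principal / missing-keytab paths were never exercised. Each
 * configuration now sets the flag on its own object, and an explicit "flag off" case is added.
 */
@Test
public void isKerberosEnabled() throws Exception {
  // Flag on, principal and keytab configured: enabled.
  CConfiguration kerbConf = CConfiguration.create();
  kerbConf.set(Constants.Security.KERBEROS_ENABLED, "true");
  kerbConf.set(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL, "prinicpal@REALM.NET");
  kerbConf.set(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH, "/path/to/keytab");
  Assert.assertTrue(SecurityUtil.isKerberosEnabled(kerbConf));

  // Flag on but no principal: must not count as enabled.
  CConfiguration noPrincipalConf = CConfiguration.create();
  noPrincipalConf.set(Constants.Security.KERBEROS_ENABLED, "true");
  noPrincipalConf.unset(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL);
  noPrincipalConf.set(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH, "/path/to/keytab");
  Assert.assertFalse(SecurityUtil.isKerberosEnabled(noPrincipalConf));

  // Flag on but no keytab: must not count as enabled.
  CConfiguration noKeyTabConf = CConfiguration.create();
  noKeyTabConf.set(Constants.Security.KERBEROS_ENABLED, "true");
  noKeyTabConf.unset(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH);
  noKeyTabConf.set(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL, "prinicpal@REALM.NET");
  Assert.assertFalse(SecurityUtil.isKerberosEnabled(noKeyTabConf));

  // Flag explicitly off although principal and keytab are present: disabled.
  CConfiguration flagOffConf = CConfiguration.create();
  flagOffConf.set(Constants.Security.KERBEROS_ENABLED, "false");
  flagOffConf.set(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL, "prinicpal@REALM.NET");
  flagOffConf.set(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH, "/path/to/keytab");
  Assert.assertFalse(SecurityUtil.isKerberosEnabled(flagOffConf));
}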
boolean createdStreams = false; try { if (createdHome && SecurityUtil.isKerberosEnabled(cConf)) { if (SecurityUtil.isKerberosEnabled(cConf) && configuredGroupName != null) { for (Location loc : new Location[] { dataLoc, tempLoc, streamsLoc, deletedLoc }) { loc.setGroup(configuredGroupName);