@Override public UserGroupInformation getUser() { if (username == null || "".equals(username)) { return null; } return UserGroupInformation.createRemoteUser(username); }
public UserGroupInformation getUmbilicalUgi() { UserGroupInformation ugi; ugi = ugiPool.poll(); if (ugi == null) { ugi = UserGroupInformation.createRemoteUser(appTokenIdentifier); ugi.addToken(appToken); } return ugi; }
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
/** * Get the admin ACLs from the given ServletContext and check if the given * user is in the ACL. * * @param servletContext the context containing the admin ACL. * @param remoteUser the remote user to check for. * @return true if the user is present in the ACL, false if no ACL is set or * the user is not present */ public static boolean userHasAdministratorAccess(ServletContext servletContext, String remoteUser) { AccessControlList adminsAcl = (AccessControlList) servletContext .getAttribute(ADMINS_ACL); UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser); return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI); }
/** * Find the most appropriate UserGroupInformation to use * * @param ticketCachePath The Kerberos ticket cache path, or NULL * if none is specfied * @param user The user name, or NULL if none is specified. * * @return The most appropriate UserGroupInformation */ public static UserGroupInformation getBestUGI( String ticketCachePath, String user) throws IOException { if (ticketCachePath != null) { return getUGIFromTicketCache(ticketCachePath, user); } else if (user == null) { return getCurrentUser(); } else { return createRemoteUser(user); } }
/** * Create a user from a login name. It is intended to be used for remote * users in RPC, since it won't have any credentials. * @param user the full user principal name, must not be empty or null * @return the UserGroupInformation for the remote user. */ @InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createRemoteUser(String user) { return createRemoteUser(user, AuthMethod.SIMPLE); }
/** * Get the user name from the security context, i.e. the user making the HTTP request. * With simple/pseudo security mode this should return the * value of user.name query param, in kerberos mode it's the kinit'ed user. */ private String getRequestingUser() { if (theSecurityContext == null) { return null; } String userName = null; if (theSecurityContext.getUserPrincipal() == null) { userName = Main.UserNameHandler.getUserName(request); } else { userName = theSecurityContext.getUserPrincipal().getName(); } if(userName == null) { return null; } //map hue/foo.bar@something.com->hue since user group checks // and config files are in terms of short name return UserGroupInformation.createRemoteUser(userName).getShortUserName(); }
@Override public List<String> getGroupNames() { // In case of embedded hs2, sessionState.getUserName()=null if (groups == null && sessionState.getUserName() != null) { groups = UserGroupInformation.createRemoteUser(sessionState.getUserName()).getGroups(); } return groups; }
public static User toUserInfo(UserInformation userInfoProto) { if (userInfoProto.hasEffectiveUser()) { String effectiveUser = userInfoProto.getEffectiveUser(); if (userInfoProto.hasRealUser()) { String realUser = userInfoProto.getRealUser(); UserGroupInformation realUserUgi = UserGroupInformation.createRemoteUser(realUser); return User.create(UserGroupInformation.createProxyUser(effectiveUser, realUserUgi)); } return User.create(UserGroupInformation.createRemoteUser(effectiveUser)); } return null; }
public static UserGroupInformation getUgi(UserInformationProto userInfo) { UserGroupInformation ugi = null; String effectiveUser = userInfo.hasEffectiveUser() ? userInfo .getEffectiveUser() : null; String realUser = userInfo.hasRealUser() ? userInfo.getRealUser() : null; if (effectiveUser != null) { if (realUser != null) { UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(realUser); ugi = UserGroupInformation .createProxyUser(effectiveUser, realUserUgi); } else { ugi = org.apache.hadoop.security.UserGroupInformation .createRemoteUser(effectiveUser); } } return ugi; }
protected LlapTaskUmbilicalProtocol createUmbilical(final AMNodeInfo amNodeInfo) throws IOException, InterruptedException { final InetSocketAddress address = NetUtils.createSocketAddrForHost( amNodeInfo.amNodeId.getHostname(), amNodeInfo.amNodeId.getPort()); SecurityUtil.setTokenService(amNodeInfo.jobToken, address); UserGroupInformation ugi = UserGroupInformation.createRemoteUser(amNodeInfo.umbilicalUser); ugi.addToken(amNodeInfo.jobToken); return ugi.doAs(new PrivilegedExceptionAction<LlapTaskUmbilicalProtocol>() { @Override public LlapTaskUmbilicalProtocol run() throws Exception { return RPC .getProxy(LlapTaskUmbilicalProtocol.class, LlapTaskUmbilicalProtocol.versionID, address, UserGroupInformation.getCurrentUser(), amNodeInfo.conf, amNodeInfo.socketFactory, (int) (amNodeInfo.timeout)); } }); }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws InvalidToken, AccessControlException { if (authMethod == AuthMethod.TOKEN) { TokenIdentifier tokenId = SaslRpcServer.getIdentifier(authorizedId, secretManager); UserGroupInformation ugi = tokenId.getUser(); if (ugi == null) { throw new AccessControlException( "Can't retrieve username from tokenIdentifier."); } ugi.addTokenIdentifier(tokenId); return ugi; } else { return UserGroupInformation.createRemoteUser(authorizedId, authMethod); } }
/** * Create UserGroupInformation for specified user and credentials. * * @param user User. * @param credentialsBytes Credentials byte array. */ public static UserGroupInformation createUGI(String user, byte[] credentialsBytes) throws IOException { Credentials credentials = new Credentials(); HadoopUtils.deserialize(credentials, credentialsBytes); UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user); ugi.addCredentials(credentials); if (credentials.numberOfTokens() > 0) ugi.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.TOKEN); return ugi; } }
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws IOException { UserGroupInformation authorizedUgi; if (authMethod == AuthMethod.DIGEST) { TokenIdentifier tokenId = HBaseSaslRpcServer.getIdentifier(authorizedId, this.rpcServer.secretManager); authorizedUgi = tokenId.getUser(); if (authorizedUgi == null) { throw new AccessDeniedException( "Can't retrieve username from tokenIdentifier."); } authorizedUgi.addTokenIdentifier(tokenId); } else { authorizedUgi = UserGroupInformation.createRemoteUser(authorizedId); } authorizedUgi.setAuthenticationMethod(authMethod.authenticationMethod.getAuthMethod()); return authorizedUgi; }
public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress, HiveConf hiveConf) throws HiveSQLException { try { UserGroupInformation sessionUgi; if (UserGroupInformation.isSecurityEnabled()) { KerberosNameShim kerbName = ShimLoader.getHadoopShims().getKerberosNameShim(realUser); sessionUgi = UserGroupInformation.createProxyUser( kerbName.getServiceName(), UserGroupInformation.getLoginUser()); } else { sessionUgi = UserGroupInformation.createRemoteUser(realUser); } if (!proxyUser.equalsIgnoreCase(realUser)) { ProxyUsers.refreshSuperUserGroupsConfiguration(hiveConf); ProxyUsers.authorize(UserGroupInformation.createProxyUser(proxyUser, sessionUgi), ipAddress, hiveConf); } } catch (IOException e) { throw new HiveSQLException( "Failed to validate proxy privilege of " + realUser + " for " + proxyUser, "08S01", e); } } }
@Test public void testCacheGetGroupsRoot() throws Exception { // Windows users don't have a root user. // However pretty much every other *NIX os will have root. if (!SystemUtils.IS_OS_WINDOWS) { Configuration conf = HBaseConfiguration.create(); UserProvider up = UserProvider.instantiate(conf); String rootUserName = "root"; // Create two UGI's for this username UserGroupInformation ugiOne = UserGroupInformation.createRemoteUser(rootUserName); UserGroupInformation ugiTwo = UserGroupInformation.createRemoteUser(rootUserName); // Now try and get the user twice. User uOne = up.create(ugiOne); User uTwo = up.create(ugiTwo); // Make sure that we didn't break groups and everything worked well. assertArrayEquals(uOne.getGroupNames(),uTwo.getGroupNames()); String[] groupNames = ugiOne.getGroupNames(); assertTrue(groupNames.length > 0); } }
@Test public void testCreateUserForTestingGroupCache() throws Exception { Configuration conf = HBaseConfiguration.create(); User uCreated = User.createUserForTesting(conf, "group_user", new String[] { "MYGROUP" }); UserProvider up = UserProvider.instantiate(conf); User uProvided = up.create(UserGroupInformation.createRemoteUser("group_user")); assertArrayEquals(uCreated.getGroupNames(), uProvided.getGroupNames()); }
@Test public void testCreateACLWithSameUser() throws ZooKeeperConnectionException, IOException { Configuration conf = HBaseConfiguration.create(); conf.set(Superusers.SUPERUSER_CONF_KEY, "user4,@group1,user5,user6"); UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("user4")); String node = "/hbase/testCreateACL"; ZKWatcher watcher = new ZKWatcher(conf, node, null, false); List<ACL> aclList = ZKUtil.createACL(watcher, node, true); assertEquals(3, aclList.size()); // 3, since service user the same as one of superuser assertFalse(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "@group1")))); assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("auth", "")))); assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user5")))); assertTrue(aclList.contains(new ACL(Perms.ALL, new Id("sasl", "user6")))); }
@Test public void testCacheGetGroups() throws Exception { Configuration conf = HBaseConfiguration.create(); UserProvider up = UserProvider.instantiate(conf); // VERY unlikely that this user will exist on the box. // This should mean the user has no groups. String nonUser = "kklvfnvhdhcenfnniilggljhdecjhidkle"; // Create two UGI's for this username UserGroupInformation ugiOne = UserGroupInformation.createRemoteUser(nonUser); UserGroupInformation ugiTwo = UserGroupInformation.createRemoteUser(nonUser); // Now try and get the user twice. User uOne = up.create(ugiOne); User uTwo = up.create(ugiTwo); // Make sure that we didn't break groups and everything worked well. assertArrayEquals(uOne.getGroupNames(),uTwo.getGroupNames()); // Check that they are referentially equal. // Since getting a group for a users that doesn't exist creates a new string array // the only way that they should be referentially equal is if the cache worked and // made sure we didn't go to hadoop's script twice. assertTrue(uOne.getGroupNames() == uTwo.getGroupNames()); assertEquals(0, ugiOne.getGroupNames().length); }