@Override public UserGroupInformation getUserGroupInformation() { try { return UserGroupInformation.getLoginUser(); } catch (IOException e) { throw new UncheckedIOException(e); } } }
public static UserGroupInformation getUGI() throws LoginException, IOException { String doAs = System.getenv("HADOOP_USER_NAME"); if(doAs != null && doAs.length() > 0) { /* * this allows doAs (proxy user) to be passed along across process boundary where * delegation tokens are not supported. For example, a DDL stmt via WebHCat with * a doAs parameter, forks to 'hcat' which needs to start a Session that * proxies the end user */ return UserGroupInformation.createProxyUser(doAs, UserGroupInformation.getLoginUser()); } return UserGroupInformation.getCurrentUser(); }
/** * Did the login happen via ticket cache * @return true or false */ public static boolean isLoginTicketBased() throws IOException { return getLoginUser().isFromTicket(); }
private static UserGroupInformation loginAndProxyAsUser(@NonNull String userNameToProxyAs, @NonNull String superUserName, Path superUserKeytabLocation) throws IOException { if (!UserGroupInformation.getLoginUser().getUserName().equals(superUserName)) { Preconditions.checkNotNull(superUserKeytabLocation); UserGroupInformation.loginUserFromKeytab(superUserName, superUserKeytabLocation.toString()); } return UserGroupInformation.createProxyUser(userNameToProxyAs, UserGroupInformation.getLoginUser()); }
/** * Perform the given action as the daemon's login user. If an * InterruptedException is thrown, it is converted to an IOException. * * @param action the action to perform * @return the result of the action * @throws IOException in the event of error */ public static <T> T doAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException { return doAsUser(UserGroupInformation.getLoginUser(), action); }
public static UserGroupInformation getUGI() throws LoginException, IOException { String doAs = System.getenv("HADOOP_USER_NAME"); if (doAs != null && doAs.length() > 0) { /* * this allows doAs (proxy user) to be passed along across process boundary where * delegation tokens are not supported. For example, a DDL stmt via WebHCat with * a doAs parameter, forks to 'hcat' which needs to start a Session that * proxies the end user */ return UserGroupInformation.createProxyUser(doAs, UserGroupInformation.getLoginUser()); } return UserGroupInformation.getCurrentUser(); } /**
@Override public boolean runDistCpAs(List<Path> srcPaths, Path dst, Configuration conf, String doAsUser) throws IOException { UserGroupInformation proxyUser = UserGroupInformation.createProxyUser( doAsUser, UserGroupInformation.getLoginUser()); try { return proxyUser.doAs(new PrivilegedExceptionAction<Boolean>() { @Override public Boolean run() throws Exception { return runDistCp(srcPaths, dst, conf); } }); } catch (InterruptedException e) { throw new IOException(e); } }
public static UserGroupInformation getUgi(String user) throws IOException { UserGroupInformation ugi = userUgiMap.get(user); if (ugi == null) { //create new ugi and add to map final UserGroupInformation newUgi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser()); //if another thread adds an entry before the check in this one // the one created here will not be added. userUgiMap.putIfAbsent(user, newUgi); //use the UGI object that got added return userUgiMap.get(user); } return ugi; }
public static boolean runDistCpAs(List<Path> srcPaths, Path dst, Configuration conf, String doAsUser) throws IOException { UserGroupInformation proxyUser = UserGroupInformation.createProxyUser( doAsUser, UserGroupInformation.getLoginUser()); try { return proxyUser.doAs(new PrivilegedExceptionAction<Boolean>() { @Override public Boolean run() throws Exception { return runDistCp(srcPaths, dst, conf); } }); } catch (InterruptedException e) { throw new IOException(e); } }
private void login(final String keytabPrincipal, final String keytabPath) throws IOException { if (this.loggedInUser == null) { log.info( String.format("Logging in using Principal: %s Keytab: %s", keytabPrincipal, keytabPath)); UserGroupInformation.loginUserFromKeytab(keytabPrincipal, keytabPath); this.loggedInUser = UserGroupInformation.getLoginUser(); log.info(String.format("User %s logged in.", this.loggedInUser)); } else { log.info(String.format("User %s already logged in. Refreshing TGT", this.loggedInUser)); this.loggedInUser.checkTGTAndReloginFromKeytab(); } } }
@VisibleForTesting void addDelegationTokens(Collection<Token<? extends TokenIdentifier>> tokens) throws IOException { for (Token<? extends TokenIdentifier> token : tokens) { if (!UserGroupInformation.getCurrentUser().addToken(token)) { LOGGER.error(String.format("Failed to add token %s to user %s", token.toString(), UserGroupInformation.getLoginUser().getShortUserName())); } } } }
protected void relogin() throws IOException { if (UserGroupInformation.isLoginKeytabBased()) { UserGroupInformation.getLoginUser().reloginFromKeytab(); } else { UserGroupInformation.getLoginUser().reloginFromTicketCache(); } }
private static UserGroupInformation getUserGroupInfo(String user) throws ImpersonationFailed { try { return UserGroupInformation.createProxyUser( user, UserGroupInformation.getLoginUser()); } catch (IOException e) { LOG.error("Unable to get UserGroupInfo for user : " + user, e); throw new ImpersonationFailed(user,e); } }
protected boolean shouldAuthenticateOverKrb() throws IOException { UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); return authMethod == AuthMethod.KERBEROS && loginUser != null && // Make sure user logged in using Kerberos either keytab or TGT loginUser.hasKerberosCredentials() && // relogin only in case it is the login user (e.g. JT) // or superuser (like oozie). (loginUser.equals(currentUser) || loginUser.equals(realUser)); }
public void setSessionUGI(String owner) throws HiveSQLException { if (owner == null) { throw new HiveSQLException("No username provided for impersonation"); } try { sessionUgi = UserGroupInformation.createProxyUser( owner, UserGroupInformation.getLoginUser()); } catch (IOException e) { throw new HiveSQLException("Couldn't setup proxy user", e); } }
/** * Did the login happen via keytab * @return true or false */ @InterfaceAudience.Public @InterfaceStability.Evolving public static boolean isLoginKeytabBased() throws IOException { return getLoginUser().isFromKeytab(); }
private synchronized boolean shouldAuthenticateOverKrb() throws IOException { UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); if (authMethod == AuthMethod.KERBEROS && loginUser != null && // Make sure user logged in using Kerberos either keytab or TGT loginUser.hasKerberosCredentials() && // relogin only in case it is the login user (e.g. JT) // or superuser (like oozie). (loginUser.equals(currentUser) || loginUser.equals(realUser))) { return true; } return false; }
private UserGroupInformation loginKerberosPrincipal(String krbKeytab, String krbPrincipal) throws Exception { Configuration cnf = new Configuration(); cnf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); UserGroupInformation.setConfiguration(cnf); UserGroupInformation.loginUserFromKeytab(krbPrincipal, krbKeytab); return UserGroupInformation.getLoginUser(); }
private static void setUpKdcServer() throws Exception { KDC = UTIL.setupMiniKdc(KEYTAB_FILE); USERNAME = UserGroupInformation.getLoginUser().getShortUserName(); SERVER_PRINCIPAL = USERNAME + "/" + LOCALHOST; HTTP_PRINCIPAL = "HTTP/" + LOCALHOST; KDC.createPrincipal(KEYTAB_FILE, SERVER_PRINCIPAL, HTTP_PRINCIPAL, USER_ADMIN + "/" + LOCALHOST, USER_OWNER + "/" + LOCALHOST, USER_RX + "/" + LOCALHOST, USER_RO + "/" + LOCALHOST, USER_XO + "/" + LOCALHOST, USER_NONE + "/" + LOCALHOST); }
@BeforeClass public static void setUpBeforeClass() throws Exception { EVENT_LOOP_GROUP = new NioEventLoopGroup(); CHANNEL_CLASS = NioSocketChannel.class; TEST_UTIL.getConfiguration().setInt(DFS_CLIENT_SOCKET_TIMEOUT_KEY, READ_TIMEOUT_MS); KDC = TEST_UTIL.setupMiniKdc(KEYTAB_FILE); USERNAME = UserGroupInformation.getLoginUser().getShortUserName(); PRINCIPAL = USERNAME + "/" + HOST; HTTP_PRINCIPAL = "HTTP/" + HOST; KDC.createPrincipal(KEYTAB_FILE, PRINCIPAL, HTTP_PRINCIPAL); setUpKeyProvider(TEST_UTIL.getConfiguration()); HBaseKerberosUtils.setSecuredConfiguration(TEST_UTIL.getConfiguration(), PRINCIPAL + "@" + KDC.getRealm(), HTTP_PRINCIPAL + "@" + KDC.getRealm()); HBaseKerberosUtils.setSSLConfiguration(TEST_UTIL, TestSaslFanOutOneBlockAsyncDFSOutput.class); }