/** * Login through configured keytab and pricipal. * @param keytabLocation location of keytab * @param principalName principal in keytab * @throws IOException exception from UserGroupInformation.loginUserFromKeytab */ public static void login(String keytabLocation, String principalName) throws IOException { if (isSecurityEnabled()) { UserGroupInformation.loginUserFromKeytab(principalName, keytabLocation); } }
private void login(final String keytabPrincipal, final String keytabPath) throws IOException { if (this.loggedInUser == null) { log.info( String.format("Logging in using Principal: %s Keytab: %s", keytabPrincipal, keytabPath)); UserGroupInformation.loginUserFromKeytab(keytabPrincipal, keytabPath); this.loggedInUser = UserGroupInformation.getLoginUser(); log.info(String.format("User %s logged in.", this.loggedInUser)); } else { log.info(String.format("User %s already logged in. Refreshing TGT", this.loggedInUser)); this.loggedInUser.checkTGTAndReloginFromKeytab(); } } }
private static UserGroupInformation loginAndProxyAsUser(@NonNull String userNameToProxyAs, @NonNull String superUserName, Path superUserKeytabLocation) throws IOException { if (!UserGroupInformation.getLoginUser().getUserName().equals(superUserName)) { Preconditions.checkNotNull(superUserKeytabLocation); UserGroupInformation.loginUserFromKeytab(superUserName, superUserKeytabLocation.toString()); } return UserGroupInformation.createProxyUser(userNameToProxyAs, UserGroupInformation.getLoginUser()); }
/** * Login using kerberos and also updates the current logged in user * * @param principal - kerberos principal * @param keytabFile - keytab file * @throws IOException - if keytab file cannot be found */ public static void loginWithKerberosAndUpdateCurrentUser(String principal, String keytabFile) throws IOException { if (!UserGroupInformation.isSecurityEnabled()) { return; } if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) { throw new RuntimeException("Kerberos principal and/or keytab is null or empty"); } final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0"); LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile + " and updating current logged in user"); UserGroupInformation.loginUserFromKeytab(serverPrincipal, keytabFile); }
private void authenticate(Configuration hadoopConf, org.apache.commons.configuration.Configuration configs) { String principal = configs.getString(PRINCIPAL); String keytab = configs.getString(KEYTAB); if (!Strings.isNullOrEmpty(principal) && !Strings.isNullOrEmpty(keytab)) { UserGroupInformation.setConfiguration(hadoopConf); if (UserGroupInformation.isSecurityEnabled()) { try { if (!UserGroupInformation.getCurrentUser().hasKerberosCredentials() || !UserGroupInformation.getCurrentUser() .getUserName().equals(principal)) { LOGGER.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytab); UserGroupInformation.loginUserFromKeytab(principal, keytab); } } catch (IOException e) { throw new RuntimeException( String.format("Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab), e); } } } }
public static void loginFromKeytab(HiveConf hiveConf) throws IOException { String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL); String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB); if (principal.isEmpty() || keyTabFile.isEmpty()) { throw new IOException("HiveServer2 Kerberos principal or keytab is not correctly configured"); } else { UserGroupInformation.loginUserFromKeytab(SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keyTabFile); } }
@Override public AtlasClientV2 createClient(String[] baseUrls) { final Configuration hadoopConf = new Configuration(); hadoopConf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(hadoopConf); final UserGroupInformation ugi; try { UserGroupInformation.loginUserFromKeytab(principal, keytab); ugi = UserGroupInformation.getCurrentUser(); } catch (IOException e) { throw new RuntimeException("Failed to login with Kerberos due to: " + e, e); } return new AtlasClientV2(ugi, null, baseUrls); } }
private void authenticate(org.apache.hadoop.conf.Configuration hadoopConf, org.apache.commons.configuration.Configuration configs) { String principal = configs.getString(PRINCIPAL); String keytab = configs.getString(KEYTAB); if (!Strings.isNullOrEmpty(principal) && !Strings.isNullOrEmpty(keytab)) { UserGroupInformation.setConfiguration(hadoopConf); if (UserGroupInformation.isSecurityEnabled()) { try { if (!UserGroupInformation.getCurrentUser().hasKerberosCredentials() || !UserGroupInformation.getCurrentUser() .getUserName().equals(principal)) { LOGGER.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytab); UserGroupInformation.loginUserFromKeytab(principal, keytab); } } catch (IOException e) { throw new RuntimeException( String.format("Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab), e); } } } }
/** {@inheritDoc} */ @Override protected void startUp() throws Exception { try { UserGroupInformation.setConfiguration(_hadoopConf); if (UserGroupInformation.isSecurityEnabled()) { UserGroupInformation.loginUserFromKeytab(_loginUser, _loginUserKeytabFile); } } catch (Throwable t) { log.error("Failed to start up HadoopKerberosKeytabAuthenticationPlugin", t); throw t; } }
public static HttpURLConnection loginAuthenticatedURL(final URL url, final String keytabPrincipal, final String keytabPath) throws Exception { final List<URL> resources = new ArrayList<>(); resources.add(url); final URLClassLoader ucl = new URLClassLoader(resources.toArray(new URL[resources.size()])); final Configuration conf = new Configuration(); conf.setClassLoader(ucl); UserGroupInformation.setConfiguration(conf); logger.info( "Logging in URL: " + url.toString() + " using Principal: " + keytabPrincipal + ", Keytab: " + keytabPath); UserGroupInformation.loginUserFromKeytab(keytabPrincipal, keytabPath); final HttpURLConnection connection = UserGroupInformation.getLoginUser().doAs( (PrivilegedExceptionAction<HttpURLConnection>) () -> { final Token token = new Token(); return new AuthenticatedURL().openConnection(url, token); }); return connection; } }
/** * Dose authenticate against a secured hadoop cluster * In case of any bug fix make sure to fix the code at HdfsStorageAuthentication#authenticate as well. * * @param config containing the principal name and keytab path. */ public static void authenticate(HadoopDruidIndexerConfig config) { String principal = config.HADOOP_KERBEROS_CONFIG.getPrincipal(); String keytab = config.HADOOP_KERBEROS_CONFIG.getKeytab(); if (!Strings.isNullOrEmpty(principal) && !Strings.isNullOrEmpty(keytab)) { Configuration conf = new Configuration(); UserGroupInformation.setConfiguration(conf); if (UserGroupInformation.isSecurityEnabled()) { try { if (UserGroupInformation.getCurrentUser().hasKerberosCredentials() == false || !UserGroupInformation.getCurrentUser().getUserName().equals(principal)) { log.info("trying to authenticate user [%s] with keytab [%s]", principal, keytab); UserGroupInformation.loginUserFromKeytab(principal, keytab); } } catch (IOException e) { throw new ISE(e, "Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab); } } } }
localSubject = alreadyLoggedInUsers.get(combinedKey); if (localSubject == null) { UserGroupInformation.loginUserFromKeytab(principal, keyTab); localSubject = getHadoopUser(); alreadyLoggedInUsers.put(combinedKey, localSubject);
/** * Dose authenticate against a secured hadoop cluster * In case of any bug fix make sure to fix the code in JobHelper#authenticate as well. */ @LifecycleStart public void authenticate() { String principal = hdfsKerberosConfig.getPrincipal(); String keytab = hdfsKerberosConfig.getKeytab(); if (!Strings.isNullOrEmpty(principal) && !Strings.isNullOrEmpty(keytab)) { UserGroupInformation.setConfiguration(hadoopConf); if (UserGroupInformation.isSecurityEnabled()) { try { if (UserGroupInformation.getCurrentUser().hasKerberosCredentials() == false || !UserGroupInformation.getCurrentUser().getUserName().equals(principal)) { log.info("Trying to authenticate user [%s] with keytab [%s]..", principal, keytab); UserGroupInformation.loginUserFromKeytab(principal, keytab); } } catch (IOException e) { throw new ISE(e, "Failed to authenticate user principal [%s] with keytab [%s]", principal, keytab); } } } }
UserGroupInformation.loginUserFromKeytab(principal, keytab); return UserGroupInformation.getLoginUser(); } catch (IOException e) {
/** * A test method to print out the current user's UGI. * @param args if there are two arguments, read the user from the keytab * and print it out. * @throws Exception */ public static void main(String [] args) throws Exception { System.out.println("Getting UGI for current user"); UserGroupInformation ugi = getCurrentUser(); ugi.print(); System.out.println("UGI: " + ugi); System.out.println("Auth method " + ugi.user.getAuthenticationMethod()); System.out.println("Keytab " + ugi.isFromKeytab()); System.out.println("============================================================"); if (args.length == 2) { System.out.println("Getting UGI from keytab...."); loginUserFromKeytab(args[0], args[1]); getCurrentUser().print(); System.out.println("Keytab: " + ugi); UserGroupInformation loginUgi = getLoginUser(); System.out.println("Auth method " + loginUgi.getAuthenticationMethod()); System.out.println("Keytab " + loginUgi.isFromKeytab()); } } }
private UserGroupInformation loginKerberosPrincipal(String krbKeytab, String krbPrincipal) throws Exception { Configuration cnf = new Configuration(); cnf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); UserGroupInformation.setConfiguration(cnf); UserGroupInformation.loginUserFromKeytab(krbPrincipal, krbKeytab); return UserGroupInformation.getLoginUser(); }
/** * Get Hadoop tokens (tokens for job history server, job tracker and HDFS) using Kerberos keytab. * * @param state A {@link State} object that should contain property {@link #USER_TO_PROXY}, * {@link #KEYTAB_USER} and {@link #KEYTAB_LOCATION}. To obtain tokens for * other namenodes, use property {@link #OTHER_NAMENODES} with comma separated HDFS URIs. * @param tokenFile If present, the file will store materialized credentials. * @param cred A im-memory representation of credentials. */ public static void getHadoopTokens(final State state, Optional<File> tokenFile, Credentials cred) throws IOException, InterruptedException { Preconditions.checkArgument(state.contains(KEYTAB_USER), "Missing required property " + KEYTAB_USER); Preconditions.checkArgument(state.contains(KEYTAB_LOCATION), "Missing required property " + KEYTAB_LOCATION); Configuration configuration = new Configuration(); configuration.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS); UserGroupInformation.setConfiguration(configuration); UserGroupInformation.loginUserFromKeytab(obtainKerberosPrincipal(state), state.getProp(KEYTAB_LOCATION)); final Optional<String> userToProxy = Strings.isNullOrEmpty(state.getProp(USER_TO_PROXY)) ? Optional.<String>absent() : Optional.fromNullable(state.getProp(USER_TO_PROXY)); final Configuration conf = new Configuration(); LOG.info("Getting tokens for " + userToProxy); getJhToken(conf, cred); getFsAndJtTokens(state, conf, userToProxy, cred); if (tokenFile.isPresent()) { persistTokens(cred, tokenFile.get()); } }
|| !UserGroupInformation.getCurrentUser().getUserName().equals(internalClientPrincipal)) { log.info("trying to authenticate user [%s] with keytab [%s]", internalClientPrincipal, internalClientKeytab); UserGroupInformation.loginUserFromKeytab(internalClientPrincipal, internalClientKeytab); return;
public static void cancelTokens(State state) throws IOException, InterruptedException, TException { Preconditions.checkArgument(state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION), "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); Preconditions.checkArgument(state.contains(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER), "Missing required property " + ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); Preconditions.checkArgument(state.contains(ConfigurationKeys.KERBEROS_REALM), "Missing required property " + ConfigurationKeys.KERBEROS_REALM); String superUser = state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String keytabLocation = state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); String realm = state.getProp(ConfigurationKeys.KERBEROS_REALM); UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation); UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); UserGroupInformation realUser = currentUser.getRealUser(); Credentials credentials = realUser.getCredentials(); for (Token<?> token : credentials.getAllTokens()) { if (token.getKind().equals(DelegationTokenIdentifier.HIVE_DELEGATION_KIND)) { log.info("Cancelling hive token"); HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(new HiveConf()); hiveClient.cancelDelegationToken(token.encodeToUrlString()); } } }
public void initHiveMetastoreClient() throws Exception { if (this.state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION)) { String superUser = this.state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER); String realm = this.state.getProp(ConfigurationKeys.KERBEROS_REALM); String keytabLocation = this.state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION); log.info("Establishing MetastoreClient connection using " + keytabLocation); UserGroupInformation.loginUserFromKeytab(HostUtils.getPrincipalUsingHostname(superUser, realm), keytabLocation); UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); loginUser.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws TException { HivePurgerPublisher.this.client = new HiveMetaStoreClient(new HiveConf()); return null; } }); } else { HivePurgerPublisher.this.client = new HiveMetaStoreClient(new HiveConf()); } }