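/**
 * Creates the Thrift-over-HTTP servlet and, when security is enabled, logs in the SPNEGO
 * service principal from its keytab so the servlet can authenticate incoming requests.
 *
 * @param processor       Thrift processor that handles decoded requests
 * @param protocolFactory Thrift protocol factory used by the servlet
 * @param serviceUGI      identity the Thrift service itself runs as
 * @param conf            configuration supplying the SPNEGO principal and keytab path
 * @param handler         HBase service handler backing the processor
 * @param securityEnabled whether Kerberos/SPNEGO authentication is enforced
 * @param doAsEnabled     doAs flag stored on the servlet for request handling elsewhere in this class
 * @throws IOException if security is enabled and the SPNEGO principal or keytab is not
 *                     configured, or the keytab login fails
 */
public ThriftHttpServlet(TProcessor processor, TProtocolFactory protocolFactory,
    UserGroupInformation serviceUGI, Configuration conf, HBaseServiceHandler handler,
    boolean securityEnabled, boolean doAsEnabled) throws IOException {
  super(processor, protocolFactory);
  this.serviceUGI = serviceUGI;
  this.handler = handler;
  this.securityEnabled = securityEnabled;
  this.doAsEnabled = doAsEnabled;
  if (securityEnabled) {
    final String spnegoPrincipal = conf.get(THRIFT_SPNEGO_PRINCIPAL_KEY);
    final String spnegoKeytab = conf.get(THRIFT_SPNEGO_KEYTAB_FILE_KEY);
    // Fail fast with a message naming the configuration keys instead of letting the keytab
    // login fail on a null principal or path.
    if (spnegoPrincipal == null || spnegoPrincipal.isEmpty()
        || spnegoKeytab == null || spnegoKeytab.isEmpty()) {
      throw new IOException("SPNEGO principal or keytab not configured; set "
          + THRIFT_SPNEGO_PRINCIPAL_KEY + " and " + THRIFT_SPNEGO_KEYTAB_FILE_KEY);
    }
    // login the spnego principal
    UserGroupInformation.setConfiguration(conf);
    this.httpUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipal, spnegoKeytab);
  } else {
    // No SPNEGO login is attempted in insecure mode; httpUGI stays null.
    this.httpUGI = null;
  }
}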
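/**
 * Logs in the HiveServer2 SPNEGO principal from its keytab and returns the resulting UGI
 * without replacing the process-wide login user.
 *
 * @param hiveConf configuration holding the SPNEGO principal and keytab settings
 * @return a UGI logged in as the (hostname-substituted) SPNEGO principal
 * @throws IOException if either setting is missing or empty, or the keytab login fails
 */
public static UserGroupInformation loginFromSpnegoKeytabAndReturnUGI(HiveConf hiveConf) throws IOException {
  final String principal = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
  final String keyTabFile = hiveConf.getVar(ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
  // Treat an absent value like an empty one so a misconfiguration surfaces as the
  // configured IOException rather than a NullPointerException.
  if (principal == null || principal.isEmpty() || keyTabFile == null || keyTabFile.isEmpty()) {
    throw new IOException("HiveServer2 SPNEGO principal or keytab is not correctly configured");
  }
  // Passing "0.0.0.0" makes getServerPrincipal substitute this host's name for _HOST.
  final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
  return UserGroupInformation.loginUserFromKeytabAndReturnUGI(serverPrincipal, keyTabFile);
}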
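/**
 * Login using kerberos. But does not change the current logged in user.
 * Returns {@code null} when Hadoop security is disabled; in that case the arguments are
 * not validated and no keytab is touched.
 *
 * @param principal - kerberos principal; a {@code _HOST} component is replaced by the local hostname
 * @param keytabFile - keytab file
 * @return UGI, or {@code null} if security is not enabled
 * @throws IOException - if keytab file cannot be found
 * @throws IllegalArgumentException if the principal or keytab is null or empty
 */
public static UserGroupInformation loginWithKerberos(
    String principal, String keytabFile) throws IOException {
  if (!UserGroupInformation.isSecurityEnabled()) {
    return null;
  }
  if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
    // IllegalArgumentException is a RuntimeException, so existing catch sites still match.
    throw new IllegalArgumentException("Kerberos principal and/or keytab are null or empty");
  }
  // Passing "0.0.0.0" makes getServerPrincipal substitute this host's name for _HOST.
  final String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
  LOG.info("Logging in as " + serverPrincipal + " via " + keytabFile);
  return UserGroupInformation.loginUserFromKeytabAndReturnUGI(serverPrincipal, keytabFile);
}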
/**
 * Logs in the service identity named {@code username} using the principal and keytab
 * configured under {@code hbase.<username>.kerberos.principal} and
 * {@code hbase.<username>.keytab.file}, and returns the resulting UGI.
 * A missing principal or keytab is only logged as a warning; the keytab login is still
 * attempted with the null value.
 * NOTE(review): presumably tolerated so insecure clusters can call this without the keys
 * set — confirm against the callers before tightening.
 *
 * @param conf     configuration holding the per-user principal and keytab keys
 * @param username name segment of the configuration keys to read
 * @return the UGI returned by the keytab login
 * @throws IOException if the local hostname cannot be resolved or the login fails
 */
public static UserGroupInformation loginAndReturnUGI(Configuration conf, String username)
    throws IOException {
  final String localHost = InetAddress.getLocalHost().getHostName();
  final String keytabKey = "hbase." + username + ".keytab.file";
  final String keytabPath = conf.get(keytabKey);
  final String principalKey = "hbase." + username + ".kerberos.principal";
  // A _HOST component in the configured principal is replaced by this host's name.
  final String serverPrincipal = org.apache.hadoop.security.SecurityUtil
      .getServerPrincipal(conf.get(principalKey), localHost);
  if (keytabPath == null || serverPrincipal == null) {
    LOG.warn("Principal or key tab file null for : " + principalKey + ", " + keytabKey);
  }
  return UserGroupInformation.loginUserFromKeytabAndReturnUGI(serverPrincipal, keytabPath);
}
/**
 * Logs {@code user} in from {@code KEYTAB_FILE} and wraps the resulting UGI in a {@link User}.
 * The process-wide login user is left untouched.
 *
 * @param user short user name passed to {@code getPrinciple} to build the principal
 * @return a {@link User} backed by the freshly logged-in UGI
 * @throws IOException if the keytab login fails
 */
private static User getUserByLogin(final String user) throws IOException {
  final String principal = getPrinciple(user);
  final String keytabPath = KEYTAB_FILE.getAbsolutePath();
  final UserGroupInformation ugi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
  return User.create(ugi);
}
/**
 * Logs a user in from a keytab file and makes that identity the current login user.
 * When security is not enabled this is a no-op: the keytab is not read and the login
 * user is left unchanged.
 *
 * @param user the principal name to load from the keytab
 * @param path the path to the keytab file
 * @throws IOException if the keytab cannot be read or the login fails
 * @throws KerberosAuthException if it's a kerberos login exception.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static void loginUserFromKeytab(String user, String path) throws IOException {
  if (!isSecurityEnabled()) {
    return;
  }
  final UserGroupInformation keytabUser = loginUserFromKeytabAndReturnUGI(user, path);
  setLoginUser(keytabUser);
  LOG.info("Login successful for user " + user + " using keytab file " + path);
}
/**
 * Logs in as the configured super user from its keytab and, running as that user, opens one
 * Hive connection and statement per proxy user, executing every entry of {@code settings} on
 * each statement. The connections and statements are recorded in {@code connectionMap} and
 * {@code statementMap} keyed by proxy user.
 *
 * @param proxies users to open proxied connections for
 * @throws IOException if the keytab login fails
 * @throws InterruptedException if the privileged action is interrupted
 * @throws TException if the Hive interaction fails
 * @throws IllegalArgumentException if the super-user keytab location is not configured
 */
private synchronized void setProxiedConnection(final List<String> proxies)
    throws IOException, InterruptedException, TException {
  Preconditions.checkArgument(this.state.contains(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION),
      "Missing required property " + ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION);
  final String superUserName = this.state.getProp(ComplianceConfigurationKeys.GOBBLIN_COMPLIANCE_SUPER_USER);
  final String superUserKeytab = this.state.getProp(ConfigurationKeys.SUPER_USER_KEY_TAB_LOCATION);
  final String kerberosRealm = this.state.getProp(ConfigurationKeys.KERBEROS_REALM);
  // Presumably yields a host-qualified principal for the super user — see HostUtils.
  final String superUserPrincipal = HostUtils.getPrincipalUsingHostname(superUserName, kerberosRealm);
  // Does not replace the process-wide login user; only the doAs below runs as the super user.
  final UserGroupInformation superUserUgi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(superUserPrincipal, superUserKeytab);
  superUserUgi.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws MetaException, SQLException, ClassNotFoundException {
      for (String proxyUser : proxies) {
        final HiveConnection proxiedConnection = getHiveConnection(Optional.fromNullable(proxyUser));
        final Statement proxiedStatement = proxiedConnection.createStatement();
        statementMap.put(proxyUser, proxiedStatement);
        connectionMap.put(proxyUser, proxiedConnection);
        for (String setting : settings) {
          proxiedStatement.execute(setting);
        }
      }
      return null;
    }
  });
}
ugi = loginUserFromKeytabAndReturnUGI(principal, kt.getPath()); dumpUGI(identity, ugi); validateUGI(principal, ugi);
/**
 * Logs {@code user} in from the keytab at {@code path} and returns a UGI for that identity
 * without replacing the process-wide login user.
 *
 * @param user Kerberos principal to log in
 * @param path path of the keytab file
 * @return the logged-in UGI
 * @throws IOException if the keytab login fails
 */
private UserGroupInformation loginUserWithKeyTab(String user, String path) throws IOException {
  final UserGroupInformation keytabUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, path);
  return keytabUgi;
}
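/**
 * Starts the factory: validates the keytab, principal and relogin interval supplied by the
 * wrapped {@code KerberosHadoopFileSystemFactory}, then logs in the principal from the keytab
 * and keeps the resulting UGI as {@code user}.
 *
 * @throws IgniteException if a setting is missing or invalid, or the keytab login fails
 *                         (the underlying {@link IOException} is kept as the cause)
 */
@Override
public void start() throws IgniteException {
  super.start();
  final KerberosHadoopFileSystemFactory proxy0 = (KerberosHadoopFileSystemFactory)proxy;
  final String keyTab = proxy0.getKeyTab();
  final String keyTabPrincipal = proxy0.getKeyTabPrincipal();
  // Messages previously read "cannot not be ..." (double negative); fixed wording.
  A.ensure(!F.isEmpty(keyTab), "keyTab cannot be empty.");
  A.ensure(!F.isEmpty(keyTabPrincipal), "keyTabPrincipal cannot be empty.");
  A.ensure(proxy0.getReloginInterval() >= 0, "reloginInterval cannot be negative.");
  reloginInterval = proxy0.getReloginInterval();
  try {
    UserGroupInformation.setConfiguration(cfg);
    user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(keyTabPrincipal, keyTab);
  }
  catch (IOException ioe) {
    throw new IgniteException("Failed login from keytab [keyTab=" + keyTab
        + ", keyTabPrincipal=" + keyTabPrincipal + ']', ioe);
  }
}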
final String tableName = "DISALLOWED_IMPERSONATION"; final int numRows = 5; final UserGroupInformation serviceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, KEYTAB.getAbsolutePath()); serviceUgi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { UserGroupInformation user2Ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user2.getKey(), user2.getValue().getAbsolutePath()); user2Ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception {
final String tableName = "POSITIVE_IMPERSONATION"; final int numRows = 5; final UserGroupInformation serviceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, KEYTAB.getAbsolutePath()); serviceUgi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { UserGroupInformation user1Ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1.getKey(), user1.getValue().getAbsolutePath()); user1Ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception {
/**
 * Logs in as test user 1 from its keytab and, as that user, verifies a create/upsert/select
 * round trip through the SPNEGO-authenticated PQS endpoint.
 */
@Test
public void testBasicReadWrite() throws Exception {
  final Entry<String, File> user1 = getUser(1);
  final String principal = user1.getKey();
  final String keytabPath = user1.getValue().getAbsolutePath();
  final UserGroupInformation user1Ugi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
  user1Ugi.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      // Phoenix
      final String tableName = "phx_table1";
      final String createSql = "CREATE TABLE " + tableName + "(pk integer not null primary key)";
      final String selectSql = "SELECT * FROM " + tableName;
      final int numRows = 5;
      try (java.sql.Connection conn = DriverManager.getConnection(PQS_URL);
          Statement stmt = conn.createStatement()) {
        conn.setAutoCommit(true);
        // DDL produces no result set.
        assertFalse(stmt.execute(createSql));
        for (int row = 0; row < numRows; row++) {
          final String upsertSql = "UPSERT INTO " + tableName + " values(" + row + ")";
          assertEquals(1, stmt.executeUpdate(upsertSql));
        }
        try (ResultSet rs = stmt.executeQuery(selectSql)) {
          int expected = 0;
          while (expected < numRows) {
            assertTrue(rs.next());
            assertEquals(expected, rs.getInt(1));
            expected++;
          }
          assertFalse(rs.next());
        }
      }
      return null;
    }
  });
}
/**
 * Two separate keytab logins for the same principal yield distinct UGI instances, so the
 * same connection action run under each produces two distinct ConnectionInfo objects.
 */
@Test
public void testMultipleUniqueUGIInstancesAreDisjoint() throws Exception {
  final HashSet<ConnectionInfo> connections = new HashSet<>();
  final String princ1 = getUserPrincipal(1);
  final File keytab1 = getUserKeytabFile(1);
  final UserGroupInformation firstLogin =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());
  final PrivilegedExceptionAction<Void> recordConnection = new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
      final ConnectionInfo info =
          ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES);
      connections.add(info);
      return null;
    }
  };
  firstLogin.doAs(recordConnection);
  assertEquals(1, connections.size());
  verifyAllConnectionsAreKerberosBased(connections);
  // A second, but equivalent, call from the same "real" user but a different UGI instance
  // is expected functionality (programmer error).
  final UserGroupInformation secondLogin =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());
  secondLogin.doAs(recordConnection);
  assertEquals(2, connections.size());
  verifyAllConnectionsAreKerberosBased(connections);
}
.loginUserFromKeytabAndReturnUGI(principal, keytab.getAbsolutePath());
/**
 * Starts the Phoenix Query Server on a background thread, running it under the PQS service
 * identity logged in from its keytab, and records the port and SPNEGO client URL once it is
 * running.
 *
 * @throws Exception if the keytab login or the server start fails
 */
private static void startQueryServer() throws Exception {
  PQS = new QueryServer(new String[0], UTIL.getConfiguration());
  // Get the PQS ident for PQS to use
  final UserGroupInformation pqsUgi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(PQS_PRINCIPAL, KEYTAB.getAbsolutePath());
  // Launch PQS, doing in the Kerberos login instead of letting PQS do it itself (which would
  // break the HBase/HDFS logins also running in the same test case).
  final PrivilegedAction<Void> runServer = new PrivilegedAction<Void>() {
    @Override
    public Void run() {
      PQS.run();
      return null;
    }
  };
  PQS_EXECUTOR = Executors.newSingleThreadExecutor();
  PQS_EXECUTOR.submit(new Runnable() {
    @Override
    public void run() {
      pqsUgi.doAs(runServer);
    }
  });
  PQS.awaitRunning();
  PQS_PORT = PQS.getPort();
  PQS_URL = ThinClientUtil.getConnectionUrl("localhost", PQS_PORT) + ";authentication=SPNEGO";
}
/**
 * Running the same connection action twice under one UGI instance yields equal
 * ConnectionInfo objects, so the set still holds a single entry afterwards.
 */
@Test
public void testMultipleInvocationsBySameUserAreEquivalent() throws Exception {
  final HashSet<ConnectionInfo> connections = new HashSet<>();
  final String princ1 = getUserPrincipal(1);
  final File keytab1 = getUserKeytabFile(1);
  final UserGroupInformation userLogin =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());
  final PrivilegedExceptionAction<Void> recordConnection = new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
      final ConnectionInfo info =
          ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES);
      connections.add(info);
      return null;
    }
  };
  // Using the same UGI should result in two equivalent ConnectionInfo objects
  for (int attempt = 0; attempt < 2; attempt++) {
    userLogin.doAs(recordConnection);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);
  }
}
/**
 * Starts the Phoenix Query Server on a background thread, running it under the PQS service
 * identity logged in from its keytab, and records the port and SPNEGO client URL once it is
 * running.
 *
 * @throws Exception if the keytab login or the server start fails
 */
private static void startQueryServer() throws Exception {
  PQS = new QueryServer(new String[0], UTIL.getConfiguration());
  // Get the PQS ident for PQS to use
  final UserGroupInformation pqsUgi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(PQS_PRINCIPAL, KEYTAB.getAbsolutePath());
  // Launch PQS, doing in the Kerberos login instead of letting PQS do it itself (which would
  // break the HBase/HDFS logins also running in the same test case).
  final PrivilegedAction<Void> runServer = new PrivilegedAction<Void>() {
    @Override
    public Void run() {
      PQS.run();
      return null;
    }
  };
  PQS_EXECUTOR = Executors.newSingleThreadExecutor();
  PQS_EXECUTOR.submit(new Runnable() {
    @Override
    public void run() {
      pqsUgi.doAs(runServer);
    }
  });
  PQS.awaitRunning();
  PQS_PORT = PQS.getPort();
  PQS_URL = ThinClientUtil.getConnectionUrl("localhost", PQS_PORT) + ";authentication=SPNEGO";
}
/**
 * Starts the Phoenix Query Server on a background thread, running it under the PQS service
 * identity logged in from its keytab, and records the port and SPNEGO client URL once it is
 * running.
 *
 * @throws Exception if the keytab login or the server start fails
 */
private static void startQueryServer() throws Exception {
  PQS = new QueryServer(new String[0], UTIL.getConfiguration());
  // Get the PQS ident for PQS to use
  final UserGroupInformation pqsUgi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(PQS_PRINCIPAL, KEYTAB.getAbsolutePath());
  // Launch PQS, doing in the Kerberos login instead of letting PQS do it itself (which would
  // break the HBase/HDFS logins also running in the same test case).
  final PrivilegedAction<Void> runServer = new PrivilegedAction<Void>() {
    @Override
    public Void run() {
      PQS.run();
      return null;
    }
  };
  PQS_EXECUTOR = Executors.newSingleThreadExecutor();
  PQS_EXECUTOR.submit(new Runnable() {
    @Override
    public void run() {
      pqsUgi.doAs(runServer);
    }
  });
  PQS.awaitRunning();
  PQS_PORT = PQS.getPort();
  PQS_URL = ThinClientUtil.getConnectionUrl("localhost", PQS_PORT) + ";authentication=SPNEGO";
}
final File keytab2 = getUserKeytabFile(2); UserGroupInformation ugi1 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath()); UserGroupInformation ugi2 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ2, keytab2.getPath());