Search in sources :

Example 6 with UserProvider

use of org.apache.hadoop.hbase.security.UserProvider in project hbase by apache.

the class TableMapReduceUtil method initCredentials.

public static void initCredentials(Job job) throws IOException {
    UserProvider userProvider = UserProvider.instantiate(job.getConfiguration());
    if (userProvider.isHadoopSecurityEnabled()) {
        // propagate delegation related props from launcher job to MR job
        if (System.getenv("HADOOP_TOKEN_FILE_LOCATION") != null) {
            job.getConfiguration().set("mapreduce.job.credentials.binary", System.getenv("HADOOP_TOKEN_FILE_LOCATION"));
        }
    }
    if (userProvider.isHBaseSecurityEnabled()) {
        try {
            // init credentials for remote cluster
            String quorumAddress = job.getConfiguration().get(TableOutputFormat.QUORUM_ADDRESS);
            User user = userProvider.getCurrent();
            if (quorumAddress != null) {
                Configuration peerConf = HBaseConfiguration.createClusterConf(job.getConfiguration(), quorumAddress, TableOutputFormat.OUTPUT_CONF_PREFIX);
                Connection peerConn = ConnectionFactory.createConnection(peerConf);
                try {
                    TokenUtil.addTokenForJob(peerConn, user, job);
                } finally {
                    peerConn.close();
                }
            }
            Connection conn = ConnectionFactory.createConnection(job.getConfiguration());
            try {
                TokenUtil.addTokenForJob(conn, user, job);
            } finally {
                conn.close();
            }
        } catch (InterruptedException ie) {
            LOG.info("Interrupted obtaining user authentication token");
            Thread.currentThread().interrupt();
        }
    }
}
Also used : User(org.apache.hadoop.hbase.security.User) Configuration(org.apache.hadoop.conf.Configuration) HBaseConfiguration(org.apache.hadoop.hbase.HBaseConfiguration) UserProvider(org.apache.hadoop.hbase.security.UserProvider) Connection(org.apache.hadoop.hbase.client.Connection)

Example 7 with UserProvider

use of org.apache.hadoop.hbase.security.UserProvider in project hbase by apache.

the class TestGetAndPutResource method testMetrics.

@Test
public void testMetrics() throws IOException, JAXBException {
    final String path = "/" + TABLE + "/" + ROW_4 + "/" + COLUMN_1;
    Response response = client.put(path, Constants.MIMETYPE_BINARY, Bytes.toBytes(VALUE_4));
    assertEquals(response.getCode(), 200);
    Thread.yield();
    response = client.get(path, Constants.MIMETYPE_JSON);
    assertEquals(response.getCode(), 200);
    assertEquals(Constants.MIMETYPE_JSON, response.getHeader("content-type"));
    response = deleteRow(TABLE, ROW_4);
    assertEquals(response.getCode(), 200);
    UserProvider userProvider = UserProvider.instantiate(conf);
    METRICS_ASSERT.assertCounterGt("requests", 2l, RESTServlet.getInstance(conf, userProvider).getMetrics().getSource());
    METRICS_ASSERT.assertCounterGt("successfulGet", 0l, RESTServlet.getInstance(conf, userProvider).getMetrics().getSource());
    METRICS_ASSERT.assertCounterGt("successfulPut", 0l, RESTServlet.getInstance(conf, userProvider).getMetrics().getSource());
    METRICS_ASSERT.assertCounterGt("successfulDelete", 0l, RESTServlet.getInstance(conf, userProvider).getMetrics().getSource());
}
Also used : Response(org.apache.hadoop.hbase.rest.client.Response) UserProvider(org.apache.hadoop.hbase.security.UserProvider) Test(org.junit.Test)

Example 8 with UserProvider

use of org.apache.hadoop.hbase.security.UserProvider in project hbase by apache.

the class TableMapReduceUtil method initCredentials.

public static void initCredentials(JobConf job) throws IOException {
    UserProvider userProvider = UserProvider.instantiate(job);
    if (userProvider.isHadoopSecurityEnabled()) {
        // propagate delegation related props from launcher job to MR job
        if (System.getenv("HADOOP_TOKEN_FILE_LOCATION") != null) {
            job.set("mapreduce.job.credentials.binary", System.getenv("HADOOP_TOKEN_FILE_LOCATION"));
        }
    }
    if (userProvider.isHBaseSecurityEnabled()) {
        Connection conn = ConnectionFactory.createConnection(job);
        try {
            // login the server principal (if using secure Hadoop)
            User user = userProvider.getCurrent();
            TokenUtil.addTokenForJob(conn, job, user);
        } catch (InterruptedException ie) {
            ie.printStackTrace();
            Thread.currentThread().interrupt();
        } finally {
            conn.close();
        }
    }
}
Also used : User(org.apache.hadoop.hbase.security.User) UserProvider(org.apache.hadoop.hbase.security.UserProvider) Connection(org.apache.hadoop.hbase.client.Connection)

Example 9 with UserProvider

use of org.apache.hadoop.hbase.security.UserProvider in project hbase by apache.

the class ThriftServer method run.

@Override
public int run(String[] args) throws Exception {
    final Configuration conf = getConf();
    TServer server = null;
    Options options = getOptions();
    CommandLine cmd = parseArguments(conf, options, args);
    int workerThreads = 0;
    int selectorThreads = 0;
    // use unbounded queue by default
    int maxCallQueueSize = -1;
    /**
     * This is to please both bin/hbase and bin/hbase-daemon. hbase-daemon provides "start" and "stop" arguments hbase
     * should print the help if no argument is provided
     */
    List<?> argList = cmd.getArgList();
    if (cmd.hasOption("help") || !argList.contains("start") || argList.contains("stop")) {
        printUsage();
        return 1;
    }
    // Get address to bind
    String bindAddress;
    if (cmd.hasOption("bind")) {
        bindAddress = cmd.getOptionValue("bind");
        conf.set("hbase.thrift.info.bindAddress", bindAddress);
    } else {
        bindAddress = conf.get("hbase.thrift.info.bindAddress");
    }
    // Get read timeout
    int readTimeout = THRIFT_SERVER_SOCKET_READ_TIMEOUT_DEFAULT;
    if (cmd.hasOption(READ_TIMEOUT_OPTION)) {
        try {
            readTimeout = Integer.parseInt(cmd.getOptionValue(READ_TIMEOUT_OPTION));
        } catch (NumberFormatException e) {
            throw new RuntimeException("Could not parse the value provided for the timeout option", e);
        }
    } else {
        readTimeout = conf.getInt(THRIFT_SERVER_SOCKET_READ_TIMEOUT_KEY, THRIFT_SERVER_SOCKET_READ_TIMEOUT_DEFAULT);
    }
    // Get port to bind to
    int listenPort = 0;
    try {
        if (cmd.hasOption("port")) {
            listenPort = Integer.parseInt(cmd.getOptionValue("port"));
        } else {
            listenPort = conf.getInt("hbase.regionserver.thrift.port", DEFAULT_LISTEN_PORT);
        }
    } catch (NumberFormatException e) {
        throw new RuntimeException("Could not parse the value provided for the port option", e);
    }
    // Thrift's implementation uses '0' as a placeholder for 'use the default.'
    int backlog = conf.getInt(BACKLOG_CONF_KEY, 0);
    // Local hostname and user name,
    // used only if QOP is configured.
    String host = null;
    String name = null;
    UserProvider userProvider = UserProvider.instantiate(conf);
    // login the server principal (if using secure Hadoop)
    boolean securityEnabled = userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled();
    if (securityEnabled) {
        host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(conf.get("hbase.thrift.dns.interface", "default"), conf.get("hbase.thrift.dns.nameserver", "default")));
        userProvider.login("hbase.thrift.keytab.file", "hbase.thrift.kerberos.principal", host);
    }
    UserGroupInformation realUser = userProvider.getCurrent().getUGI();
    String stringQop = conf.get(THRIFT_QOP_KEY);
    SaslUtil.QualityOfProtection qop = null;
    if (stringQop != null) {
        qop = SaslUtil.getQop(stringQop);
        if (!securityEnabled) {
            throw new IOException("Thrift server must" + " run in secure mode to support authentication");
        }
        // Extract the name from the principal
        name = SecurityUtil.getUserFromPrincipal(conf.get("hbase.thrift.kerberos.principal"));
    }
    boolean nonblocking = cmd.hasOption("nonblocking");
    boolean hsha = cmd.hasOption("hsha");
    boolean selector = cmd.hasOption("selector");
    ThriftMetrics metrics = new ThriftMetrics(conf, ThriftMetrics.ThriftServerType.TWO);
    final JvmPauseMonitor pauseMonitor = new JvmPauseMonitor(conf, metrics.getSource());
    String implType = "threadpool";
    if (nonblocking) {
        implType = "nonblocking";
    } else if (hsha) {
        implType = "hsha";
    } else if (selector) {
        implType = "selector";
    }
    conf.set("hbase.regionserver.thrift.server.type", implType);
    conf.setInt("hbase.regionserver.thrift.port", listenPort);
    registerFilters(conf);
    // Construct correct ProtocolFactory
    boolean compact = cmd.hasOption("compact") || conf.getBoolean("hbase.regionserver.thrift.compact", false);
    TProtocolFactory protocolFactory = getTProtocolFactory(compact);
    final ThriftHBaseServiceHandler hbaseHandler = new ThriftHBaseServiceHandler(conf, userProvider);
    THBaseService.Iface handler = ThriftHBaseServiceHandler.newInstance(hbaseHandler, metrics);
    final THBaseService.Processor p = new THBaseService.Processor(handler);
    conf.setBoolean("hbase.regionserver.thrift.compact", compact);
    TProcessor processor = p;
    boolean framed = cmd.hasOption("framed") || conf.getBoolean("hbase.regionserver.thrift.framed", false) || nonblocking || hsha;
    TTransportFactory transportFactory = getTTransportFactory(qop, name, host, framed, conf.getInt("hbase.regionserver.thrift.framed.max_frame_size_in_mb", 2) * 1024 * 1024);
    InetSocketAddress inetSocketAddress = bindToPort(bindAddress, listenPort);
    conf.setBoolean("hbase.regionserver.thrift.framed", framed);
    if (qop != null) {
        // Create a processor wrapper, to get the caller
        processor = new TProcessor() {

            @Override
            public boolean process(TProtocol inProt, TProtocol outProt) throws TException {
                TSaslServerTransport saslServerTransport = (TSaslServerTransport) inProt.getTransport();
                SaslServer saslServer = saslServerTransport.getSaslServer();
                String principal = saslServer.getAuthorizationID();
                hbaseHandler.setEffectiveUser(principal);
                return p.process(inProt, outProt);
            }
        };
    }
    if (cmd.hasOption("w")) {
        workerThreads = Integer.parseInt(cmd.getOptionValue("w"));
    }
    if (cmd.hasOption("s")) {
        selectorThreads = Integer.parseInt(cmd.getOptionValue("s"));
    }
    if (cmd.hasOption("q")) {
        maxCallQueueSize = Integer.parseInt(cmd.getOptionValue("q"));
    }
    // check for user-defined info server port setting, if so override the conf
    try {
        if (cmd.hasOption("infoport")) {
            String val = cmd.getOptionValue("infoport");
            conf.setInt("hbase.thrift.info.port", Integer.parseInt(val));
            log.debug("Web UI port set to " + val);
        }
    } catch (NumberFormatException e) {
        log.error("Could not parse the value provided for the infoport option", e);
        printUsage();
        System.exit(1);
    }
    // Put up info server.
    int port = conf.getInt("hbase.thrift.info.port", 9095);
    if (port >= 0) {
        conf.setLong("startcode", System.currentTimeMillis());
        String a = conf.get("hbase.thrift.info.bindAddress", "0.0.0.0");
        InfoServer infoServer = new InfoServer("thrift", a, port, false, conf);
        infoServer.setAttribute("hbase.conf", conf);
        infoServer.start();
    }
    if (nonblocking) {
        server = getTNonBlockingServer(protocolFactory, processor, transportFactory, inetSocketAddress);
    } else if (hsha) {
        server = getTHsHaServer(protocolFactory, processor, transportFactory, workerThreads, maxCallQueueSize, inetSocketAddress, metrics);
    } else if (selector) {
        server = getTThreadedSelectorServer(protocolFactory, processor, transportFactory, workerThreads, selectorThreads, maxCallQueueSize, inetSocketAddress, metrics);
    } else {
        server = getTThreadPoolServer(protocolFactory, processor, transportFactory, workerThreads, inetSocketAddress, backlog, readTimeout, metrics);
    }
    final TServer tserver = server;
    realUser.doAs(new PrivilegedAction<Object>() {

        @Override
        public Object run() {
            pauseMonitor.start();
            try {
                tserver.serve();
                return null;
            } finally {
                pauseMonitor.stop();
            }
        }
    });
    // when tserver.stop eventually happens we'll get here.
    return 0;
}
Also used : TException(org.apache.thrift.TException) Options(org.apache.commons.cli.Options) TProtocolFactory(org.apache.thrift.protocol.TProtocolFactory) TProcessor(org.apache.thrift.TProcessor) Configuration(org.apache.hadoop.conf.Configuration) HBaseConfiguration(org.apache.hadoop.hbase.HBaseConfiguration) TServer(org.apache.thrift.server.TServer) InetSocketAddress(java.net.InetSocketAddress) SaslServer(javax.security.sasl.SaslServer) JvmPauseMonitor(org.apache.hadoop.hbase.util.JvmPauseMonitor) TProcessor(org.apache.thrift.TProcessor) UserProvider(org.apache.hadoop.hbase.security.UserProvider) TProtocol(org.apache.thrift.protocol.TProtocol) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) THBaseService(org.apache.hadoop.hbase.thrift2.generated.THBaseService) IOException(java.io.IOException) TTransportFactory(org.apache.thrift.transport.TTransportFactory) TSaslServerTransport(org.apache.thrift.transport.TSaslServerTransport) CommandLine(org.apache.commons.cli.CommandLine) ThriftMetrics(org.apache.hadoop.hbase.thrift.ThriftMetrics) InfoServer(org.apache.hadoop.hbase.http.InfoServer) SaslUtil(org.apache.hadoop.hbase.security.SaslUtil)

Example 10 with UserProvider

use of org.apache.hadoop.hbase.security.UserProvider in project storm by apache.

the class AutoHBase method getHadoopCredentials.

@SuppressWarnings("unchecked")
protected byte[] getHadoopCredentials(Map conf) {
    try {
        final Configuration hbaseConf = HBaseConfiguration.create();
        if (UserGroupInformation.isSecurityEnabled()) {
            final String topologySubmitterUser = (String) conf.get(Config.TOPOLOGY_SUBMITTER_PRINCIPAL);
            UserProvider provider = UserProvider.instantiate(hbaseConf);
            hbaseConf.set(HBASE_KEYTAB_FILE_KEY, hbaseKeytab);
            hbaseConf.set(HBASE_PRINCIPAL_KEY, hbasePrincipal);
            provider.login(HBASE_KEYTAB_FILE_KEY, HBASE_PRINCIPAL_KEY, InetAddress.getLocalHost().getCanonicalHostName());
            LOG.info("Logged into Hbase as principal = " + conf.get(HBASE_PRINCIPAL_KEY));
            UserGroupInformation.setConfiguration(hbaseConf);
            UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
            final UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(topologySubmitterUser, ugi);
            User user = User.create(ugi);
            if (user.isHBaseSecurityEnabled(hbaseConf)) {
                TokenUtil.obtainAndCacheToken(hbaseConf, proxyUser);
                LOG.info("Obtained HBase tokens, adding to user credentials.");
                Credentials credential = proxyUser.getCredentials();
                ByteArrayOutputStream bao = new ByteArrayOutputStream();
                ObjectOutputStream out = new ObjectOutputStream(bao);
                credential.write(out);
                out.flush();
                out.close();
                return bao.toByteArray();
            } else {
                throw new RuntimeException("Security is not enabled for HBase.");
            }
        } else {
            throw new RuntimeException("Security is not enabled for Hadoop");
        }
    } catch (Exception ex) {
        throw new RuntimeException("Failed to get delegation tokens.", ex);
    }
}
Also used : User(org.apache.hadoop.hbase.security.User) HBaseConfiguration(org.apache.hadoop.hbase.HBaseConfiguration) Configuration(org.apache.hadoop.conf.Configuration) UserProvider(org.apache.hadoop.hbase.security.UserProvider) IAutoCredentials(org.apache.storm.security.auth.IAutoCredentials) Credentials(org.apache.hadoop.security.Credentials) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

UserProvider (org.apache.hadoop.hbase.security.UserProvider)10 IOException (java.io.IOException)4 Configuration (org.apache.hadoop.conf.Configuration)4 HBaseConfiguration (org.apache.hadoop.hbase.HBaseConfiguration)4 User (org.apache.hadoop.hbase.security.User)4 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)4 Connection (org.apache.hadoop.hbase.client.Connection)2 InfoServer (org.apache.hadoop.hbase.http.InfoServer)2 InetSocketAddress (java.net.InetSocketAddress)1 UnknownHostException (java.net.UnknownHostException)1 ArrayBlockingQueue (java.util.concurrent.ArrayBlockingQueue)1 SaslServer (javax.security.sasl.SaslServer)1 CommandLine (org.apache.commons.cli.CommandLine)1 Options (org.apache.commons.cli.Options)1 FileStatus (org.apache.hadoop.fs.FileStatus)1 FileSystem (org.apache.hadoop.fs.FileSystem)1 Path (org.apache.hadoop.fs.Path)1 MasterFileSystem (org.apache.hadoop.hbase.master.MasterFileSystem)1 HRegionFileSystem (org.apache.hadoop.hbase.regionserver.HRegionFileSystem)1 Response (org.apache.hadoop.hbase.rest.client.Response)1