Example 86 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestClientToAMTokens method verifyValidToken.

private void verifyValidToken(final Configuration conf, final CustomAM am, Token<ClientToAMTokenIdentifier> token) throws IOException, InterruptedException {
    UserGroupInformation ugi;
    ugi = UserGroupInformation.createRemoteUser("me");
    ugi.addToken(token);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            CustomProtocol client = RPC.getProxy(CustomProtocol.class, 1L, am.address, conf);
            client.ping(null, TestRpcBase.newEmptyRequest());
            Assert.assertTrue(am.pinged);
            return null;
        }
    });
}
Also used : ServiceException(com.google.protobuf.ServiceException) SaslException(javax.security.sasl.SaslException) IOException(java.io.IOException) RemoteException(org.apache.hadoop.ipc.RemoteException) YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 87 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestClientToAMTokens method verifyNewVersionToken.

private void verifyNewVersionToken(final Configuration conf, final CustomAM am, Token<ClientToAMTokenIdentifier> token, MockRM rm) throws IOException, InterruptedException {
    UserGroupInformation ugi;
    ugi = UserGroupInformation.createRemoteUser("me");
    Token<ClientToAMTokenIdentifier> newToken = new Token<ClientToAMTokenIdentifier>(new ClientToAMTokenIdentifierForTest(token.decodeIdentifier(), "message"), am.getClientToAMTokenSecretManager());
    newToken.setService(token.getService());
    ugi.addToken(newToken);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            CustomProtocol client = RPC.getProxy(CustomProtocol.class, 1L, am.address, conf);
            client.ping(null, TestRpcBase.newEmptyRequest());
            Assert.assertTrue(am.pinged);
            return null;
        }
    });
}
Also used : ClientToAMTokenIdentifier(org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier) Token(org.apache.hadoop.security.token.Token) ServiceException(com.google.protobuf.ServiceException) SaslException(javax.security.sasl.SaslException) IOException(java.io.IOException) RemoteException(org.apache.hadoop.ipc.RemoteException) YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 88 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hbase by apache.

the class NettyRpcConnection method saslNegotiate.

private void saslNegotiate(final Channel ch) {
    UserGroupInformation ticket = getUGI();
    if (ticket == null) {
        failInit(ch, new FatalConnectionException("ticket/user is null"));
        return;
    }
    Promise<Boolean> saslPromise = ch.eventLoop().newPromise();
    final NettyHBaseSaslRpcClientHandler saslHandler;
    try {
        saslHandler = new NettyHBaseSaslRpcClientHandler(saslPromise, ticket, authMethod, token, serverPrincipal, rpcClient.fallbackAllowed, this.rpcClient.conf);
    } catch (IOException e) {
        failInit(ch, e);
        return;
    }
    ch.pipeline().addFirst(new SaslChallengeDecoder(), saslHandler);
    saslPromise.addListener(new FutureListener<Boolean>() {

        @Override
        public void operationComplete(Future<Boolean> future) throws Exception {
            if (future.isSuccess()) {
                ChannelPipeline p = ch.pipeline();
                p.remove(SaslChallengeDecoder.class);
                p.remove(NettyHBaseSaslRpcClientHandler.class);
                // check if negotiate with server for connection header is necessary
                if (saslHandler.isNeedProcessConnectionHeader()) {
                    Promise<Boolean> connectionHeaderPromise = ch.eventLoop().newPromise();
                    // create the handler to handle the connection header
                    ChannelHandler chHandler = new NettyHBaseRpcConnectionHeaderHandler(connectionHeaderPromise, conf, connectionHeaderWithLength);
                    // add ReadTimeoutHandler to handle the case where the server does not respond to the
                    // connection header because the client-side and server-side configurations differ
                    p.addFirst(new ReadTimeoutHandler(RpcClient.DEFAULT_SOCKET_TIMEOUT_READ, TimeUnit.MILLISECONDS));
                    p.addLast(chHandler);
                    connectionHeaderPromise.addListener(new FutureListener<Boolean>() {

                        @Override
                        public void operationComplete(Future<Boolean> future) throws Exception {
                            if (future.isSuccess()) {
                                ChannelPipeline p = ch.pipeline();
                                p.remove(ReadTimeoutHandler.class);
                                p.remove(NettyHBaseRpcConnectionHeaderHandler.class);
                                // don't send connection header, NettyHBaseRpcConnectionHeaderHandler
                                // sent it already
                                established(ch);
                            } else {
                                final Throwable error = future.cause();
                                scheduleRelogin(error);
                                failInit(ch, toIOE(error));
                            }
                        }
                    });
                } else {
                    // send the connection header to server
                    ch.write(connectionHeaderWithLength.retainedDuplicate());
                    established(ch);
                }
            } else {
                final Throwable error = future.cause();
                scheduleRelogin(error);
                failInit(ch, toIOE(error));
            }
        }
    });
}
Also used : ChannelFutureListener(io.netty.channel.ChannelFutureListener) FutureListener(io.netty.util.concurrent.FutureListener) IOException(java.io.IOException) ChannelHandler(io.netty.channel.ChannelHandler) IOException(java.io.IOException) ChannelPipeline(io.netty.channel.ChannelPipeline) Promise(io.netty.util.concurrent.Promise) NettyHBaseRpcConnectionHeaderHandler(org.apache.hadoop.hbase.security.NettyHBaseRpcConnectionHeaderHandler) SaslChallengeDecoder(org.apache.hadoop.hbase.security.SaslChallengeDecoder) NettyHBaseSaslRpcClientHandler(org.apache.hadoop.hbase.security.NettyHBaseSaslRpcClientHandler) ReadTimeoutHandler(io.netty.handler.timeout.ReadTimeoutHandler) ChannelFuture(io.netty.channel.ChannelFuture) Future(io.netty.util.concurrent.Future) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 89 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hbase by apache.

the class RpcConnection method shouldAuthenticateOverKrb.

protected boolean shouldAuthenticateOverKrb() throws IOException {
    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    UserGroupInformation realUser = currentUser.getRealUser();
    return authMethod == AuthMethod.KERBEROS && loginUser != null
        // Make sure user logged in using Kerberos either keytab or TGT
        && loginUser.hasKerberosCredentials()
        // or superuser (like oozie).
        && (loginUser.equals(currentUser) || loginUser.equals(realUser));
}
Also used : UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 90 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hbase by apache.

the class MasterProcedureUtil method toUserInfo.

public static User toUserInfo(UserInformation userInfoProto) {
    if (userInfoProto.hasEffectiveUser()) {
        String effectiveUser = userInfoProto.getEffectiveUser();
        if (userInfoProto.hasRealUser()) {
            String realUser = userInfoProto.getRealUser();
            UserGroupInformation realUserUgi = UserGroupInformation.createRemoteUser(realUser);
            return User.create(UserGroupInformation.createProxyUser(effectiveUser, realUserUgi));
        }
        return User.create(UserGroupInformation.createRemoteUser(effectiveUser));
    }
    return null;
}
Also used : UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

UserGroupInformation (org.apache.hadoop.security.UserGroupInformation) 664
IOException (java.io.IOException) 281
Test (org.junit.Test) 242
Configuration (org.apache.hadoop.conf.Configuration) 142
Path (org.apache.hadoop.fs.Path) 105
FileSystem (org.apache.hadoop.fs.FileSystem) 73
YarnException (org.apache.hadoop.yarn.exceptions.YarnException) 57
AccessControlException (org.apache.hadoop.security.AccessControlException) 54
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction) 51
FsPermission (org.apache.hadoop.fs.permission.FsPermission) 49
Path (javax.ws.rs.Path) 47
Token (org.apache.hadoop.security.token.Token) 46
Produces (javax.ws.rs.Produces) 45
ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId) 45
RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) 43
AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException) 40
ArrayList (java.util.ArrayList) 38
Text (org.apache.hadoop.io.Text) 38
ApplicationAttemptId (org.apache.hadoop.yarn.api.records.ApplicationAttemptId) 36
YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration) 35