
Example 31 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project druid by druid-io.

the class KerberosJettyHttpClientProvider method get.

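/**
 * Returns the delegate provider's {@link HttpClient} after registering an
 * {@link Authentication} that attaches a Kerberos {@code Negotiate} header to requests.
 *
 * <p>When the registered authentication is applied, a credential is sent only if
 * {@code DruidKerberosUtil.needToSendCredentials} says so for the client's cookie store and the
 * request URI. The challenge is generated for the request's host while running as the current
 * {@link UserGroupInformation} user.
 *
 * @return the same client instance obtained from {@code delegateProvider}, now carrying the
 *         Kerberos authentication entry
 */
@Override
public HttpClient get() {
    final HttpClient httpClient = delegateProvider.get();
    httpClient.getAuthenticationStore().addAuthentication(new Authentication() {

        // NOTE(review): this matches every challenge type, URI and realm, so the Negotiate
        // handler is offered for any server this client talks to. Confirm that is intended, or
        // restrict it to Negotiate challenges and/or an allow-list of trusted hosts.
        @Override
        public boolean matches(String type, URI uri, String realm) {
            return true;
        }

        @Override
        public Result authenticate(final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context) {
            return new Result() {

                @Override
                public URI getURI() {
                    return request.getURI();
                }

                @Override
                public void apply(Request request) {
                    try {
                        // No need to set cookies as they are handled by Jetty Http Client itself.
                        URI uri = request.getURI();
                        if (DruidKerberosUtil.needToSendCredentials(httpClient.getCookieStore(), uri)) {
                            // Log only how many cookies exist: cookie values can be session or
                            // authentication tokens and must not end up in log files.
                            log.debug("No Auth Cookie found for URI[%s]. Existing cookie count[%s]. Authenticating... ", uri, httpClient.getCookieStore().getCookies().size());
                            final String host = request.getHost();
                            DruidKerberosUtil.authenticateIfRequired(config);
                            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
                            // The token is requested for the host of the outgoing request and is
                            // produced under the current user's security context.
                            String challenge = currentUser.doAs(new PrivilegedExceptionAction<String>() {

                                @Override
                                public String run() throws Exception {
                                    return DruidKerberosUtil.kerberosChallenge(host);
                                }
                            });
                            request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge);
                        } else {
                            log.debug("Found Auth Cookie for URI[%s].", uri);
                        }
                    } catch (Throwable e) {
                        // Failures (login, challenge generation) are rethrown, not swallowed.
                        Throwables.propagate(e);
                    }
                }
            };
        }
    });
    return httpClient;
}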
Also used : ContentResponse(org.eclipse.jetty.client.api.ContentResponse) Request(org.eclipse.jetty.client.api.Request) Attributes(org.eclipse.jetty.util.Attributes) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) Authentication(org.eclipse.jetty.client.api.Authentication) HttpClient(org.eclipse.jetty.client.HttpClient) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 32 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hive by apache.

the class LlapProtocolServerImpl method serviceStart.

/**
 * Starts the daemon and management protocol servers.
 *
 * <p>With Hadoop security disabled the servers are started directly. With security enabled the
 * current user's short name is stored in {@code clusterUser}, a permissive management ACL
 * switches on {@code isRestrictedToClusterUser}, and the servers are started inside a
 * {@code doAs} of the UGI obtained from the configured LLAP Kerberos principal and keytab.
 *
 * @throws RuntimeException wrapping the {@link IOException} raised when the current user cannot
 *         be resolved or the keytab login fails
 */
@Override
public void serviceStart() {
    final Configuration configuration = getConfig();
    isSigningRequiredConfig = getSigningConfig(configuration);

    final BlockingService daemonService =
        LlapDaemonProtocolProtos.LlapDaemonProtocol.newReflectiveBlockingService(this);
    final BlockingService managementService =
        LlapDaemonProtocolProtos.LlapManagementProtocol.newReflectiveBlockingService(this);

    final boolean secured = UserGroupInformation.isSecurityEnabled();
    if (!secured) {
        // Insecure cluster: no login and no cluster-user bookkeeping.
        startProtocolServers(configuration, daemonService, managementService);
        return;
    }

    try {
        this.clusterUser = UserGroupInformation.getCurrentUser().getShortUserName();
    } catch (IOException userLookupFailure) {
        throw new RuntimeException(userLookupFailure);
    }

    // A wildcard management ACL is only warned about; the flag set here is what callers of
    // this class are expected to honour (its enforcement is outside this method).
    if (isPermissiveManagementAcl(configuration)) {
        LOG.warn("Management protocol has a '*' ACL.");
        isRestrictedToClusterUser = true;
    }

    final String principal = HiveConf.getVar(configuration, ConfVars.LLAP_KERBEROS_PRINCIPAL);
    final String keytab = HiveConf.getVar(configuration, ConfVars.LLAP_KERBEROS_KEYTAB_FILE);

    // The servers must come up under the daemon's keytab identity, so log in first.
    final UserGroupInformation daemonIdentity;
    try {
        daemonIdentity = LlapUtil.loginWithKerberos(principal, keytab);
    } catch (IOException loginFailure) {
        throw new RuntimeException(loginFailure);
    }

    daemonIdentity.doAs(new PrivilegedAction<Void>() {

        @Override
        public Void run() {
            startProtocolServers(configuration, daemonService, managementService);
            return null;
        }
    });
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) BlockingService(com.google.protobuf.BlockingService) IOException(java.io.IOException) ByteString(com.google.protobuf.ByteString) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 33 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hive by apache.

the class TUGIBasedProcessor method handleSetUGI.

/**
 * Handles the {@code set_ugi} call: reads its arguments, invokes it, stores the resulting user
 * on the transport as a remote-user UGI and writes the reply.
 *
 * <p>The UGI can be set once per transport; a second attempt is rejected. A protocol error
 * while reading the arguments is answered with a {@code PROTOCOL_ERROR} application exception
 * and the method returns without setting a UGI.
 *
 * @param ugiTrans transport that carries the client UGI for this connection
 * @param fn       the {@code set_ugi} process function
 * @param msg      the incoming message header (name and sequence id are echoed in the reply)
 * @param iprot    protocol to read the call arguments from
 * @param oprot    protocol to write the reply or exception to
 * @throws TException if a UGI is already present on the transport, or on Thrift I/O failure
 */
private void handleSetUGI(TUGIContainingTransport ugiTrans, set_ugi<Iface> fn, TMessage msg, TProtocol iprot, TProtocol oprot) throws TException, SecurityException, NoSuchMethodException, IllegalArgumentException, IllegalAccessException, InvocationTargetException {
    // Refuse to replace an identity that was already established on this connection.
    final UserGroupInformation existingUgi = ugiTrans.getClientUGI();
    if (existingUgi != null) {
        throw new TException(new IllegalStateException("UGI is already set. Resetting is not " + "allowed. Current ugi is: " + existingUgi.getUserName()));
    }

    final set_ugi_args callArgs = fn.getEmptyArgsInstance();
    try {
        callArgs.read(iprot);
    } catch (TProtocolException malformed) {
        iprot.readMessageEnd();
        final TApplicationException protocolError =
            new TApplicationException(TApplicationException.PROTOCOL_ERROR, malformed.getMessage());
        oprot.writeMessageBegin(new TMessage(msg.name, TMessageType.EXCEPTION, msg.seqid));
        protocolError.write(oprot);
        oprot.writeMessageEnd();
        oprot.getTransport().flush();
        return;
    }
    iprot.readMessageEnd();

    final set_ugi_result callResult = fn.getResult(iface, callArgs);
    final List<String> names = callResult.getSuccess();

    // Store the ugi in transport and then continue as usual. The last list entry is taken as
    // the user name and is removed from the list before the result is written back.
    // NOTE(review): the identity comes from the set_ugi call itself, with no verification
    // visible in this method; presumably this path is only used where the client is trusted -
    // confirm. A null or empty success list would fail on the remove below.
    final int lastIndex = names.size() - 1;
    final String userName = names.remove(lastIndex);
    ugiTrans.setClientUGI(UserGroupInformation.createRemoteUser(userName));

    oprot.writeMessageBegin(new TMessage(msg.name, TMessageType.REPLY, msg.seqid));
    callResult.write(oprot);
    oprot.writeMessageEnd();
    oprot.getTransport().flush();
}
Also used : TException(org.apache.thrift.TException) ThriftHiveMetastore.set_ugi_result(org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore.set_ugi_result) TMessage(org.apache.thrift.protocol.TMessage) ThriftHiveMetastore.set_ugi_args(org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore.set_ugi_args) TProtocolException(org.apache.thrift.protocol.TProtocolException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) TApplicationException(org.apache.thrift.TApplicationException)

Example 34 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class ClientProtocolService method use.

/**
 * Registers a reference to a shared-cache resource on behalf of the calling user.
 *
 * <p>The reference is built from the application id in the request and the short user name of
 * the current UGI. If the store returns a file name, the response carries the cache entry path
 * and a cache hit is counted; otherwise a cache miss is counted and the response has no path.
 *
 * @param request carries the resource key and the application id
 * @return the response, with its path set only on a cache hit
 * @throws YarnException declared by the protocol interface
 * @throws IOException   the remote exception produced when the current user cannot be resolved
 */
@Override
public UseSharedCacheResourceResponse use(UseSharedCacheResourceRequest request) throws YarnException, IOException {
    final UseSharedCacheResourceResponse reply =
        recordFactory.newRecordInstance(UseSharedCacheResourceResponse.class);

    // The owner of the reference is the authenticated caller, never a value from the request.
    final UserGroupInformation caller;
    try {
        caller = UserGroupInformation.getCurrentUser();
    } catch (IOException ugiFailure) {
        LOG.info("Error getting UGI ", ugiFailure);
        throw RPCUtil.getRemoteException(ugiFailure);
    }

    // NOTE(review): the application id is taken from the request as-is; no check is visible
    // here that the caller owns that application - confirm it is validated elsewhere.
    final String cachedFileName = this.store.addResourceReference(
        request.getResourceKey(),
        new SharedCacheResourceReference(request.getAppId(), caller.getShortUserName()));

    if (cachedFileName == null) {
        this.metrics.incCacheMissCount();
        return reply;
    }

    reply.setPath(getCacheEntryFilePath(request.getResourceKey(), cachedFileName));
    this.metrics.incCacheHitCount();
    return reply;
}
Also used : SharedCacheResourceReference(org.apache.hadoop.yarn.server.sharedcachemanager.store.SharedCacheResourceReference) UseSharedCacheResourceResponse(org.apache.hadoop.yarn.api.protocolrecords.UseSharedCacheResourceResponse) IOException(java.io.IOException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 35 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class ClientProtocolService method release.

/**
 * Removes the calling user's reference to a shared-cache resource.
 *
 * <p>The reference to remove is identified by the application id in the request and the short
 * user name of the current UGI. The release metric is incremented only when the store reports
 * that a reference was removed.
 *
 * @param request carries the resource key and the application id
 * @return a newly created response; nothing is set on it
 * @throws YarnException declared by the protocol interface
 * @throws IOException   the remote exception produced when the current user cannot be resolved
 */
@Override
public ReleaseSharedCacheResourceResponse release(ReleaseSharedCacheResourceRequest request) throws YarnException, IOException {
    final ReleaseSharedCacheResourceResponse reply =
        recordFactory.newRecordInstance(ReleaseSharedCacheResourceResponse.class);

    // The user name comes from the authenticated caller, so one user cannot name another
    // user's reference through the request.
    final UserGroupInformation caller;
    try {
        caller = UserGroupInformation.getCurrentUser();
    } catch (IOException ugiFailure) {
        LOG.info("Error getting UGI ", ugiFailure);
        throw RPCUtil.getRemoteException(ugiFailure);
    }

    // NOTE(review): the application id is taken from the request as-is; no check is visible
    // here that the caller owns that application - confirm it is validated elsewhere.
    final boolean referenceRemoved = this.store.removeResourceReference(
        request.getResourceKey(),
        new SharedCacheResourceReference(request.getAppId(), caller.getShortUserName()),
        true);

    if (referenceRemoved) {
        this.metrics.incCacheRelease();
    }
    return reply;
}
Also used : ReleaseSharedCacheResourceResponse(org.apache.hadoop.yarn.api.protocolrecords.ReleaseSharedCacheResourceResponse) SharedCacheResourceReference(org.apache.hadoop.yarn.server.sharedcachemanager.store.SharedCacheResourceReference) IOException(java.io.IOException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
