Esempio n. 1
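  /**
   * Decodes a delegation token and, when a NameNode is reachable through the servlet context,
   * verifies the token password against it.
   *
   * <p>Code in this function is copied from JspHelper.getTokenUGI.
   *
   * <p>Security note: verification is conditional. If {@code servletContext} yields no NameNode,
   * the password is never checked and this method still returns normally, so a normal return is
   * not proof of authentication in such a deployment. That path is reported at WARN level so it
   * is visible in operation.
   *
   * <p>The {@link UserGroupInformation} built here is local to this method and is not returned.
   *
   * @param identifier Delegation token identifier (serialized form)
   * @param password Delegation token password
   * @param kind the kind of token
   * @param service the service for this token
   * @param servletContext Jetty servlet context which contains the NN address
   * @throws SecurityException if an {@link IOException} is raised while decoding or verifying the
   *     token
   */
  private static void verifyToken(
      byte[] identifier, byte[] password, Text kind, Text service, ServletContext servletContext) {
    try {
      Token<DelegationTokenIdentifier> token =
          new Token<DelegationTokenIdentifier>(identifier, password, kind, service);

      // Deserialize the identifier bytes. Every field read here is caller-supplied and stays
      // untrusted until the NameNode has checked the password.
      DelegationTokenIdentifier id = new DelegationTokenIdentifier();
      id.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));

      final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(servletContext);
      final boolean verified = nn != null;
      if (verified) {
        // NOTE(review): presumably a bad or expired token surfaces as an IOException subclass,
        // which the catch below converts to SecurityException - confirm against the NameNode API.
        nn.getNamesystem().verifyToken(id, token.getPassword());
      } else {
        // Fail-open path kept for compatibility with the copied helper; the user name is left
        // out of this message because it comes from the unverified identifier.
        LOG.warn("delegation token NOT verified: no NameNode in servlet context");
      }

      UserGroupInformation userGroupInformation = id.getUser();
      userGroupInformation.addToken(token);
      // Only claim "authenticated" when the NameNode actually checked the password.
      LOG.debug(
          "user "
              + userGroupInformation.getUserName()
              + " ("
              + userGroupInformation.getShortUserName()
              + (verified ? ") authenticated" : ") accepted without token verification"));

      // re-login if necessary
      userGroupInformation.checkTGTAndReloginFromKeytab();
    } catch (IOException e) {
      throw new SecurityException("Failed to verify delegation token " + e, e);
    }
  }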
Esempio n. 2
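 /**
  * Configures the HBase client and opens the connection, logging in from a Kerberos keytab first
  * when {@code useKerberos} is set.
  *
  * <p>A failed keytab login is not thrown: it is logged, {@code valid} is set to {@code false},
  * and the connection is still created. Callers must check {@code valid} before relying on the
  * instance.
  *
  * <p>Security notes: the non-Kerberos branch configures no authentication at all and points the
  * client at the {@code /hbase-unsecure} znode. The keytab at {@code keyTabFileLocation} holds
  * long-term key material and should be readable only by the account running this process.
  *
  * @param quorum value for {@code hbase.zookeeper.quorum}
  * @param useKerberos whether to enable Kerberos authentication and log in from the keytab
  * @param keyTabUsername user part of the client principal
  * @param kerberosEnv realm prefix; {@code ".YOURDOMAIN.COM"} is appended to form the realm
  * @param keyTabFileLocation path of the keytab file used for login and re-login
  * @param regions stored in {@code this.regions}
  * @throws IOException if the HBase connection cannot be created
  */
 public HBaseUtils(
     String quorum,
     boolean useKerberos,
     String keyTabUsername,
     String kerberosEnv,
     String keyTabFileLocation,
     int regions)
     throws IOException {
   this.regions = regions;
   conf.set("hbase.zookeeper.quorum", quorum);
   if (useKerberos) {
     // ".YOURDOMAIN.COM" is a placeholder suffix in this example; built once so the service and
     // client principals cannot drift apart.
     final String realm = kerberosEnv + ".YOURDOMAIN.COM";
     final String servicePrincipal = "hbase/_HOST@" + realm;
     final String clientPrincipal = keyTabUsername + "@" + realm;

     conf.set("hadoop.security.authentication", "Kerberos");
     conf.set("hbase.security.authentication", "Kerberos");
     conf.set("hbase.master.kerberos.principal", servicePrincipal);
     conf.set("hbase.regionserver.kerberos.principal", servicePrincipal);
     // A value of zero or less turns off the client-side key/value size limit.
     // NOTE(review): only applied in the Kerberos branch - confirm that is intended.
     conf.set("hbase.client.keyvalue.maxsize", "-1");
     UserGroupInformation.setConfiguration(conf);
     try {
       UserGroupInformation.loginUserFromKeytab(clientPrincipal, keyTabFileLocation);
       valid = true;
     } catch (IOException e) {
       // Recorded in `valid` rather than rethrown; surfaced in the application log as well as on
       // stderr so a failed login is not missed.
       Logger.error("Kerberos keytab login failed for " + clientPrincipal + ": " + e);
       e.printStackTrace();
       valid = false;
     }
     kerberosRefresher.scheduleAtFixedRate(
         () -> {
           try {
             UserGroupInformation ugi = UserGroupInformation.getLoginUser();
             if (ugi == null) {
               Logger.error("KERBEROS GOT LOGGED OUT");
               UserGroupInformation.loginUserFromKeytab(clientPrincipal, keyTabFileLocation);
             } else {
               ugi.checkTGTAndReloginFromKeytab();
             }
           } catch (IOException | RuntimeException e) {
             // scheduleAtFixedRate cancels all later runs once a run throws, so an unchecked
             // exception here would silently end ticket renewal. Catch it and keep the schedule.
             Logger.error("Kerberos relogin check failed: " + e);
             e.printStackTrace();
           }
         },
         KERBEROS_EXPIRATION_HOURS,
         KERBEROS_EXPIRATION_HOURS,
         TimeUnit.HOURS);
   } else {
     // No authentication is configured on this path.
     valid = true;
     conf.set(HConstants.ZOOKEEPER_ZNODE_PARENT, "/hbase-unsecure");
   }
   connection = ConnectionFactory.createConnection(conf);
 }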