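/**
 * Verifies a delegation token against the NameNode, when one is available through the servlet
 * context, and builds a UserGroupInformation for the user named in the token identifier.
 *
 * <p>Code in this function is copied from JspHelper.getTokenUGI
 *
 * <p>Security notes for maintainers:
 *
 * <ul>
 *   <li>The password is only checked when a NameNode is found in the servlet context. When none
 *       is found, the identifier is parsed and the method returns normally without any
 *       cryptographic check. Callers must not treat a normal return as proof of authentication
 *       unless they know a NameNode is present in the context.
 *   <li>The UserGroupInformation built here is not returned; the method's observable effects are
 *       the verification call, the debug log line and the relogin check.
 *   <li>Neither the identifier bytes nor the password are logged.
 * </ul>
 *
 * @param identifier Delegation token identifier
 * @param password Delegation token password
 * @param kind the kind of token
 * @param service the service for this token
 * @param servletContext Jetty servlet context which contains the NN address
 * @throws SecurityException Thrown when authentication fails
 */
private static void verifyToken(
    byte[] identifier, byte[] password, Text kind, Text service, ServletContext servletContext) {
  try {
    Token<DelegationTokenIdentifier> token =
        new Token<DelegationTokenIdentifier>(identifier, password, kind, service);

    // Deserialize the caller-supplied identifier bytes; this data is untrusted until the
    // NameNode has checked the password against it.
    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
    DataInputStream in = new DataInputStream(buf);
    DelegationTokenIdentifier id = new DelegationTokenIdentifier();
    id.readFields(in);

    final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(servletContext);
    final boolean verified = nn != null;
    if (verified) {
      nn.getNamesystem().verifyToken(id, token.getPassword());
    }

    UserGroupInformation userGroupInformation = id.getUser();
    userGroupInformation.addToken(token);

    // Only claim "authenticated" when the NameNode actually checked the token; otherwise the
    // log would overstate what happened and mislead anyone reviewing it later.
    LOG.debug(
        "user "
            + userGroupInformation.getUserName()
            + " ("
            + userGroupInformation.getShortUserName()
            + (verified ? ") authenticated" : ") accepted without NameNode verification"));

    // re-login if necessary
    // NOTE(review): this UGI is derived from the token identifier, not from a keytab login
    // shown here; confirm that the relogin check has any effect on it.
    userGroupInformation.checkTGTAndReloginFromKeytab();
  } catch (IOException e) {
    throw new SecurityException("Failed to verify delegation token " + e, e);
  }
}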
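/**
 * Configures the HBase client, optionally logs in to Kerberos from a keytab, and opens the
 * connection.
 *
 * <p>With {@code useKerberos} set, the Hadoop and HBase authentication settings are switched to
 * Kerberos, a keytab login is attempted, and a periodic task is scheduled to keep the login
 * fresh. A failed initial login does not abort construction: {@code valid} is set to
 * {@code false} and the connection is still created, so callers must check {@code valid}.
 *
 * <p>Without {@code useKerberos}, the client points at the {@code /hbase-unsecure} znode and no
 * authentication is configured by this constructor.
 *
 * @param quorum value for {@code hbase.zookeeper.quorum}
 * @param useKerberos whether to configure Kerberos authentication and log in from the keytab
 * @param keyTabUsername user part of the client principal
 * @param kerberosEnv prefix of the realm; {@code ".YOURDOMAIN.COM"} is appended to it
 * @param keyTabFileLocation path of the keytab file; it holds long-term key material and should
 *     be readable only by the account running this process
 * @param regions stored in the {@code regions} field
 * @throws IOException if the HBase connection cannot be created
 */
public HBaseUtils(
    String quorum,
    boolean useKerberos,
    String keyTabUsername,
    String kerberosEnv,
    String keyTabFileLocation,
    int regions)
    throws IOException {
  this.regions = regions;
  conf.set("hbase.zookeeper.quorum", quorum);
  if (useKerberos) {
    // Build the realm and principals once so the four uses cannot drift apart.
    final String realm = kerberosEnv + ".YOURDOMAIN.COM";
    final String servicePrincipal = "hbase/_HOST@" + realm;
    final String clientPrincipal = keyTabUsername + "@" + realm;

    conf.set("hadoop.security.authentication", "Kerberos");
    conf.set("hbase.security.authentication", "Kerberos");
    conf.set("hbase.master.kerberos.principal", servicePrincipal);
    conf.set("hbase.regionserver.kerberos.principal", servicePrincipal);
    // NOTE(review): presumably lifts the client-side cell size limit; it is only set on the
    // Kerberos branch. Confirm that is intended.
    conf.set("hbase.client.keyvalue.maxsize", "-1");
    UserGroupInformation.setConfiguration(conf);
    try {
      UserGroupInformation.loginUserFromKeytab(clientPrincipal, keyTabFileLocation);
      valid = true;
    } catch (IOException e) {
      // Report through the logger as well as stderr so a failed login is visible to whatever
      // monitors the application log. The principal is not a secret; the keytab is not logged.
      Logger.error("Kerberos keytab login failed for " + clientPrincipal + ": " + e);
      e.printStackTrace();
      valid = false;
    }
    kerberosRefresher.scheduleAtFixedRate(
        () -> {
          try {
            UserGroupInformation ugi = UserGroupInformation.getLoginUser();
            if (ugi == null) {
              Logger.error("KERBEROS GOT LOGGED OUT");
              UserGroupInformation.loginUserFromKeytab(clientPrincipal, keyTabFileLocation);
            } else {
              ugi.checkTGTAndReloginFromKeytab();
            }
          } catch (IOException | RuntimeException e) {
            // Runtime failures are caught too: if kerberosRefresher is a
            // ScheduledExecutorService (declared outside this block), an exception escaping
            // this task would stop all later runs and the ticket would expire unrefreshed.
            Logger.error("Kerberos relogin failed for " + clientPrincipal + ": " + e);
            e.printStackTrace();
          }
        },
        KERBEROS_EXPIRATION_HOURS,
        KERBEROS_EXPIRATION_HOURS,
        TimeUnit.HOURS);
  } else {
    valid = true;
    // Unauthenticated cluster: anything that can reach the quorum can use this path, so
    // access control has to come from the network.
    conf.set(HConstants.ZOOKEEPER_ZNODE_PARENT, "/hbase-unsecure");
  }
  connection = ConnectionFactory.createConnection(conf);
}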