private void obtainTokenAndAddIntoUGI(UserGroupInformation clientUgi, String tokenSig)
throws Exception {
// obtain a token by directly invoking the metastore operation(without going
// through the thrift interface). Obtaining a token makes the secret manager
// aware of the user and that it gave the token to the user
String tokenStrForm;
if (tokenSig == null) {
tokenStrForm = HiveMetaStore.getDelegationToken(clientUgi.getShortUserName());
} else {
tokenStrForm = HiveMetaStore.getDelegationToken(clientUgi.getShortUserName(), tokenSig);
conf.set("hive.metastore.token.signature", tokenSig);
}
Token<DelegationTokenIdentifier> t = new Token<DelegationTokenIdentifier>();
t.decodeFromUrlString(tokenStrForm);
// add the token to the clientUgi for securely talking to the metastore
clientUgi.addToken(t);
// Create the metastore client as the clientUgi. Doing so this
// way will give the client access to the token that was added earlier
// in the clientUgi
HiveMetaStoreClient hiveClient =
clientUgi.doAs(
new PrivilegedExceptionAction<HiveMetaStoreClient>() {
public HiveMetaStoreClient run() throws Exception {
HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(conf);
return hiveClient;
}
});
assertTrue("Couldn't connect to metastore", hiveClient != null);
// try out some metastore operations
createDBAndVerifyExistence(hiveClient);
hiveClient.close();
// Now cancel the delegation token
HiveMetaStore.cancelDelegationToken(tokenStrForm);
// now metastore connection should fail
hiveClient =
clientUgi.doAs(
new PrivilegedExceptionAction<HiveMetaStoreClient>() {
public HiveMetaStoreClient run() {
try {
HiveMetaStoreClient hiveClient = new HiveMetaStoreClient(conf);
return hiveClient;
} catch (MetaException e) {
return null;
}
}
});
assertTrue("Expected metastore operations to fail", hiveClient == null);
}
/**
* Service a GET request as described below. Request: {@code GET http://<nn>:<port>/data[/<path>]
* HTTP/1.1 }
*/
@Override
public void doGet(final HttpServletRequest request, final HttpServletResponse response)
throws IOException {
final Configuration conf = NameNodeHttpServer.getConfFromContext(getServletContext());
final UserGroupInformation ugi = getUGI(request, conf);
try {
ugi.doAs(
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws IOException {
ClientProtocol nn = createNameNodeProxy();
final String path = ServletUtil.getDecodedPath(request, "/data");
final String encodedPath = ServletUtil.getRawPath(request, "/data");
String delegationToken = request.getParameter(JspHelper.DELEGATION_PARAMETER_NAME);
HdfsFileStatus info = nn.getFileInfo(path);
if (info != null && !info.isDir()) {
response.sendRedirect(
createRedirectURL(path, encodedPath, info, ugi, nn, request, delegationToken)
.toString());
} else if (info == null) {
response.sendError(400, "File not found " + path);
} else {
response.sendError(400, path + ": is a directory");
}
return null;
}
});
} catch (IOException e) {
response.sendError(400, e.getMessage());
} catch (InterruptedException e) {
response.sendError(400, e.getMessage());
}
}
/**
* write text to a remote file system
*
* @param hdfsPath !null remote path
* @param content !null test content
*/
@Override
public void writeToFileSystem(final String hdfsPath, final String content) {
if (isRunningAsUser()) {
super.writeToFileSystem(hdfsPath, content);
return;
}
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
uig.doAs(
new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
FileSystem fs = getDFS();
Path src = new Path(hdfsPath);
Path parent = src.getParent();
guaranteeDirectory(parent);
OutputStream os = FileSystem.create(fs, src, FULL_FILE_ACCESS);
FileUtilities.writeFile(os, content);
return null;
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to writeToFileSystem because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
}
public LogWriter(
final Configuration conf, final Path remoteAppLogFile, UserGroupInformation userUgi)
throws IOException {
try {
this.fsDataOStream =
userUgi.doAs(
new PrivilegedExceptionAction<FSDataOutputStream>() {
@Override
public FSDataOutputStream run() throws Exception {
FileContext fc = FileContext.getFileContext(conf);
fc.setUMask(APP_LOG_FILE_UMASK);
return fc.create(
remoteAppLogFile,
EnumSet.of(CreateFlag.CREATE, CreateFlag.OVERWRITE),
new Options.CreateOpts[] {});
}
});
} catch (InterruptedException e) {
throw new IOException(e);
}
// Keys are not sorted: null arg
// 256KB minBlockSize : Expected log size for each container too
this.writer =
new TFile.Writer(
this.fsDataOStream,
256 * 1024,
conf.get(
YarnConfiguration.NM_LOG_AGG_COMPRESSION_TYPE,
YarnConfiguration.DEFAULT_NM_LOG_AGG_COMPRESSION_TYPE),
null,
conf);
// Write the version string
writeVersion();
}
public FsPermission getPermissions(final Path src) {
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
return uig.doAs(
new PrivilegedExceptionAction<FsPermission>() {
public FsPermission run() throws Exception {
FileSystem fs = getDFS();
if (fs.exists(src)) {
FileStatus fileStatus = fs.getFileStatus(src);
return fileStatus.getPermission();
}
return null;
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to getPermissions because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
// return FsPermission.getDefault();
}
@Override
public byte[] read(final String uri) {
try {
return ugi.doAs(
new PrivilegedExceptionAction<byte[]>() {
@Override
public byte[] run() throws IOException {
byte[] result;
Path path = new Path(uri);
SequenceFile.Reader reader =
new SequenceFile.Reader(hdfsConfiguration, SequenceFile.Reader.file(path));
// SequenceFile.Reader reader = new SequenceFile.Reader(hdfsConfiguration);
HDFSByteChunk chunk = new HDFSByteChunk();
// reader.getCurrentValue(chunk);
IntWritable key = new IntWritable();
reader.next(key, chunk);
result = chunk.getData();
return result;
}
});
} catch (IOException e) {
e.printStackTrace();
return new byte[0];
} catch (InterruptedException e) {
e.printStackTrace();
}
return new byte[0];
}
@Test
public void testUGIAuthMethodInRealUser() throws Exception {
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser("proxy", ugi);
final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
ugi.setAuthenticationMethod(am);
Assert.assertEquals(am, ugi.getAuthenticationMethod());
Assert.assertEquals(AuthenticationMethod.PROXY, proxyUgi.getAuthenticationMethod());
proxyUgi.doAs(
new PrivilegedExceptionAction<Object>() {
public Object run() throws IOException {
Assert.assertEquals(
AuthenticationMethod.PROXY,
UserGroupInformation.getCurrentUser().getAuthenticationMethod());
Assert.assertEquals(
am, UserGroupInformation.getCurrentUser().getRealUser().getAuthenticationMethod());
return null;
}
});
UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.getSubject());
proxyUgi2.setAuthenticationMethod(AuthenticationMethod.PROXY);
Assert.assertEquals(proxyUgi, proxyUgi2);
// Equality should work if authMethod is null
UserGroupInformation realugi = UserGroupInformation.getCurrentUser();
UserGroupInformation proxyUgi3 = UserGroupInformation.createProxyUser("proxyAnother", realugi);
UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.getSubject());
Assert.assertEquals(proxyUgi3, proxyUgi4);
}
@Test
public void testTokenIdentifiers() throws Exception {
UserGroupInformation ugi =
UserGroupInformation.createUserForTesting("TheDoctor", new String[] {"TheTARDIS"});
TokenIdentifier t1 = mock(TokenIdentifier.class);
TokenIdentifier t2 = mock(TokenIdentifier.class);
ugi.addTokenIdentifier(t1);
ugi.addTokenIdentifier(t2);
Collection<TokenIdentifier> z = ugi.getTokenIdentifiers();
assertTrue(z.contains(t1));
assertTrue(z.contains(t2));
assertEquals(2, z.size());
// ensure that the token identifiers are passed through doAs
Collection<TokenIdentifier> otherSet =
ugi.doAs(
new PrivilegedExceptionAction<Collection<TokenIdentifier>>() {
public Collection<TokenIdentifier> run() throws IOException {
return UserGroupInformation.getCurrentUser().getTokenIdentifiers();
}
});
assertTrue(otherSet.contains(t1));
assertTrue(otherSet.contains(t2));
assertEquals(2, otherSet.size());
}
private <T> T doWithState(RunningQueryState state, PrivilegedExceptionAction<T> action)
throws BeeswaxException {
try {
UserGroupInformation ugi;
if (UserGroupInformation.isSecurityEnabled())
ugi =
UserGroupInformation.createProxyUser(
state.query.hadoop_user, UserGroupInformation.getLoginUser());
else {
ugi = UserGroupInformation.createRemoteUser(state.query.hadoop_user);
}
return ugi.doAs(action);
} catch (UndeclaredThrowableException e) {
if (e.getUndeclaredThrowable() instanceof PrivilegedActionException) {
Throwable bwe = e.getUndeclaredThrowable().getCause();
if (bwe instanceof BeeswaxException) {
LOG.error("Caught BeeswaxException", (BeeswaxException) bwe);
throw (BeeswaxException) bwe;
}
}
LOG.error("Caught unexpected exception.", e);
throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle);
} catch (IOException e) {
LOG.error("Caught IOException", e);
throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle);
} catch (InterruptedException e) {
LOG.error("Caught InterruptedException", e);
throw new BeeswaxException(e.getMessage(), state.handle.log_context, state.handle);
}
}
/**
* Initiate a copy operation using a command-line style (arguments are specified as {@link
* String}s).
*
* @param arguments the copy arguments
*/
public void copy(String... arguments) {
Assert.notEmpty(arguments, "invalid number of arguments");
// sanitize the arguments
final List<String> parsedArguments = new ArrayList<String>();
for (String arg : arguments) {
parsedArguments.addAll(Arrays.asList(StringUtils.tokenizeToStringArray(arg, " ")));
}
try {
if (StringUtils.hasText(user)) {
UserGroupInformation ugi =
UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
ugi.doAs(
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
invokeCopy(
configuration, parsedArguments.toArray(new String[parsedArguments.size()]));
return null;
}
});
} else {
invokeCopy(configuration, parsedArguments.toArray(new String[parsedArguments.size()]));
}
} catch (Exception ex) {
throw new IllegalStateException("Cannot run distCp impersonated as '" + user + "'", ex);
}
}
@SuppressWarnings("unchecked") // from Mockito mocks
@Test
public <T extends TokenIdentifier> void testUGITokens() throws Exception {
UserGroupInformation ugi =
UserGroupInformation.createUserForTesting("TheDoctor", new String[] {"TheTARDIS"});
Token<T> t1 = mock(Token.class);
Token<T> t2 = mock(Token.class);
ugi.addToken(t1);
ugi.addToken(t2);
Collection<Token<? extends TokenIdentifier>> z = ugi.getTokens();
assertTrue(z.contains(t1));
assertTrue(z.contains(t2));
assertEquals(2, z.size());
try {
z.remove(t1);
fail("Shouldn't be able to modify token collection from UGI");
} catch (UnsupportedOperationException uoe) {
// Can't modify tokens
}
// ensure that the tokens are passed through doAs
Collection<Token<? extends TokenIdentifier>> otherSet =
ugi.doAs(
new PrivilegedExceptionAction<Collection<Token<?>>>() {
public Collection<Token<?>> run() throws IOException {
return UserGroupInformation.getCurrentUser().getTokens();
}
});
assertTrue(otherSet.contains(t1));
assertTrue(otherSet.contains(t2));
}
// @Test
public void testFileStatus() throws Exception {
UserGroupInformation ugi =
UserGroupInformation.createRemoteUser(cluster.getJTClient().getProxy().getDaemonUser());
ugi.doAs(
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
MRCluster myCluster = null;
try {
myCluster = MRCluster.createCluster(cluster.getConf());
myCluster.connect();
JTClient jt = myCluster.getJTClient();
String dir = ".";
checkFileStatus(jt.getFileStatus(dir, true));
checkFileStatus(jt.listStatus(dir, false, true), dir);
for (TTClient tt : myCluster.getTTClients()) {
String[] localDirs = tt.getMapredLocalDirs();
for (String localDir : localDirs) {
checkFileStatus(tt.listStatus(localDir, true, false), localDir);
checkFileStatus(tt.listStatus(localDir, true, true), localDir);
}
}
String systemDir = jt.getClient().getSystemDir().toString();
checkFileStatus(jt.listStatus(systemDir, false, true), systemDir);
checkFileStatus(jt.listStatus(jt.getLogDir(), true, true), jt.getLogDir());
} finally {
if (myCluster != null) {
myCluster.disconnect();
}
}
return null;
}
});
}
/**
* read a remote file as text
*
* @param hdfsPath !null remote path to an existing file
* @return content as text
*/
@Override
public String readFromFileSystem(final String hdfsPath) {
if (isRunningAsUser()) {
return super.readFromFileSystem(hdfsPath);
}
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
return uig.doAs(
new PrivilegedExceptionAction<String>() {
public String run() throws Exception {
FileSystem fs = getDFS();
Path src = new Path(hdfsPath);
InputStream is = fs.open(src);
String ret = FileUtilities.readInFile(is);
return ret;
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to readFromFileSystem because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
// return null;
}
private void guaranteeDirectory(final Path src) {
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
uig.doAs(
new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
FileSystem fs = getDFS();
if (fs.exists(src)) return null;
if (!fs.isFile(src)) {
return null;
} else {
fs.delete(src, false); // drop a file we want a directory
}
fs.setPermission(src, FULL_ACCESS);
fs.mkdirs(src, FULL_ACCESS);
return null;
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to guaranteeDirectory because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
}
private SequenceFile.Writer getWriterFor(final String uri) {
try {
return ugi.doAs(
new PrivilegedExceptionAction<SequenceFile.Writer>() {
@Override
public SequenceFile.Writer run() throws IOException {
SequenceFile.Writer.Option keyClass = SequenceFile.Writer.keyClass(IntWritable.class);
SequenceFile.Writer.Option valueClass =
SequenceFile.Writer.valueClass(HDFSByteChunk.class);
SequenceFile.Writer.Option fileName =
SequenceFile.Writer.file(new Path(basePath.toUri().toString() + "/" + uri));
SequenceFile.Writer writer = null;
writer = SequenceFile.createWriter(hdfsConfiguration, keyClass, valueClass, fileName);
return writer;
}
});
} catch (IOException e) {
e.printStackTrace();
} catch (InterruptedException e) {
e.printStackTrace();
}
return null;
}
/**
* true if the file esists
*
* @param hdfsPath
* @return
*/
@Override
public boolean exists(final String hdfsPath) {
if (isRunningAsUser()) {
return super.exists(hdfsPath);
}
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
return uig.doAs(
new PrivilegedExceptionAction<Boolean>() {
public Boolean run() throws Exception {
FileSystem fileSystem = getDFS();
Path dst = new Path(hdfsPath);
boolean directory = fileSystem.exists(dst);
return directory;
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to copyFromFileSystem because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
// return false;
}
/**
* true if the file exists
*
* @param hdfsPath !null path - probably of an existing file
* @return
*/
@Override
public long fileLength(final String hdfsPath) {
if (isRunningAsUser()) {
return super.fileLength(hdfsPath);
}
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
return uig.doAs(
new PrivilegedExceptionAction<Long>() {
public Long run() throws Exception {
FileSystem fs = getDFS();
if (!exists(hdfsPath)) return null;
Path src = new Path(hdfsPath);
ContentSummary contentSummary = fs.getContentSummary(src);
if (contentSummary == null) return null;
return contentSummary.getLength();
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to get fileLength because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
}
@Override
public void writeToFileSystem(final String hdfsPath, final File localPath) {
if (isRunningAsUser()) {
super.writeToFileSystem(hdfsPath, localPath);
return;
}
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
uig.doAs(
new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
FileSystem fileSystem = getDFS();
Path dst = new Path(hdfsPath);
Path src = new Path(localPath.getAbsolutePath());
fileSystem.copyFromLocalFile(src, dst);
fileSystem.setPermission(dst, FULL_FILE_ACCESS);
return null;
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to writeToFileSystem because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
}
protected HDFWithNameAccessor(final String host, final int port, final String user) {
super(host, port, user);
if (port <= 0) throw new IllegalArgumentException("bad port " + port);
String connectString = "hdfs://" + host + ":" + port + "/";
final String userDir = "/user/" + user;
UserGroupInformation uig = getCurrentUserGroup();
try {
// if(true) throw new UnsupportedOperationException("Uncomment when using version
// 1.0.*");
uig.doAs(
new PrivilegedExceptionAction<Void>() {
public Void run() throws Exception {
getDFS();
return null;
}
});
} catch (Exception e) {
throw new RuntimeException(
"Failed to connect on "
+ connectString
+ " because "
+ e.getMessage()
+ " exception of class "
+ e.getClass(),
e);
}
}
/** Handle HTTP DELETE request. */
@DELETE
@Path("{" + UriFsPathParam.NAME + ":.*}")
@Produces(MediaType.APPLICATION_JSON)
public Response delete(
@Context final UserGroupInformation ugi,
@QueryParam(DelegationParam.NAME) @DefaultValue(DelegationParam.DEFAULT)
final DelegationParam delegation,
@QueryParam(UserParam.NAME) @DefaultValue(UserParam.DEFAULT) final UserParam username,
@QueryParam(DoAsParam.NAME) @DefaultValue(DoAsParam.DEFAULT) final DoAsParam doAsUser,
@PathParam(UriFsPathParam.NAME) final UriFsPathParam path,
@QueryParam(DeleteOpParam.NAME) @DefaultValue(DeleteOpParam.DEFAULT) final DeleteOpParam op,
@QueryParam(RecursiveParam.NAME) @DefaultValue(RecursiveParam.DEFAULT)
final RecursiveParam recursive)
throws IOException, InterruptedException {
init(ugi, delegation, username, doAsUser, path, op, recursive);
return ugi.doAs(
new PrivilegedExceptionAction<Response>() {
@Override
public Response run() throws IOException {
REMOTE_ADDRESS.set(request.getRemoteAddr());
try {
return delete(
ugi, delegation, username, doAsUser, path.getAbsolutePath(), op, recursive);
} finally {
REMOTE_ADDRESS.set(null);
}
}
});
}
/**
* Getter for proxiedFs, using the passed parameters to create an instance of a proxiedFs.
*
* @param properties
* @param authType is either TOKEN or KEYTAB.
* @param authPath is the KEYTAB location if the authType is KEYTAB; otherwise, it is the token
* file.
* @param uri File system URI.
* @throws IOException
* @throws InterruptedException
* @throws URISyntaxException
* @return proxiedFs
*/
public FileSystem getProxiedFileSystem(
State properties, AuthType authType, String authPath, String uri)
throws IOException, InterruptedException, URISyntaxException {
Preconditions.checkArgument(
StringUtils.isNotBlank(properties.getProp(ConfigurationKeys.FS_PROXY_AS_USER_NAME)),
"State does not contain a proper proxy user name");
String proxyUserName = properties.getProp(ConfigurationKeys.FS_PROXY_AS_USER_NAME);
UserGroupInformation proxyUser;
switch (authType) {
case KEYTAB: // If the authentication type is KEYTAB, log in a super user first before
// creating a proxy user.
Preconditions.checkArgument(
StringUtils.isNotBlank(
properties.getProp(ConfigurationKeys.SUPER_USER_NAME_TO_PROXY_AS_OTHERS)),
"State does not contain a proper proxy token file name");
String superUser = properties.getProp(ConfigurationKeys.SUPER_USER_NAME_TO_PROXY_AS_OTHERS);
UserGroupInformation.loginUserFromKeytab(superUser, authPath);
proxyUser =
UserGroupInformation.createProxyUser(
proxyUserName, UserGroupInformation.getLoginUser());
break;
case TOKEN: // If the authentication type is TOKEN, create a proxy user and then add the token
// to the user.
proxyUser =
UserGroupInformation.createProxyUser(
proxyUserName, UserGroupInformation.getLoginUser());
Optional<Token> proxyToken = this.getTokenFromSeqFile(authPath, proxyUserName);
if (proxyToken.isPresent()) {
proxyUser.addToken(proxyToken.get());
} else {
LOG.warn("No delegation token found for the current proxy user.");
}
break;
default:
LOG.warn(
"Creating a proxy user without authentication, which could not perform File system operations.");
proxyUser =
UserGroupInformation.createProxyUser(
proxyUserName, UserGroupInformation.getLoginUser());
break;
}
final Configuration conf = new Configuration();
JobConfigurationUtils.putStateIntoConfiguration(properties, conf);
final URI fsURI = URI.create(uri);
proxyUser.doAs(
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws IOException {
LOG.debug(
"Now performing file system operations as :"
+ UserGroupInformation.getCurrentUser());
proxiedFs = FileSystem.get(fsURI, conf);
return null;
}
});
return this.proxiedFs;
}
private static DFSClient getDFSClient(
final UserGroupInformation user, final String addr, final Configuration conf)
throws IOException, InterruptedException {
return user.doAs(
new PrivilegedExceptionAction<DFSClient>() {
public DFSClient run() throws IOException {
return new DFSClient(NetUtils.createSocketAddr(addr), conf);
}
});
}
public static DFSClient getDFSClient(
final UserGroupInformation user, final InetSocketAddress addr, final Configuration conf)
throws IOException, InterruptedException {
return user.doAs(
new PrivilegedExceptionAction<DFSClient>() {
public DFSClient run() throws IOException {
return new DFSClient(addr, conf);
}
});
}
@Override
protected Void callInternal() throws IOException, InterruptedException {
return ugi.doAs(
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
return performDataRead();
}
});
}
/**
* Do the GSS-API kerberos authentication. We already have a logged in subject in the form of
* serviceUGI, which GSS-API will extract information from. In case of a SPNego request we use the
* httpUGI, for the authenticating service tickets.
*
* @param request
* @return
* @throws HttpAuthenticationException
*/
private String doKerberosAuth(HttpServletRequest request) throws HttpAuthenticationException {
// Try authenticating with the http/_HOST principal
if (httpUGI != null) {
try {
return httpUGI.doAs(new HttpKerberosServerAction(request, httpUGI));
} catch (Exception e) {
LOG.info(
"Failed to authenticate with http/_HOST kerberos principal, "
+ "trying with hive/_HOST kerberos principal");
}
}
// Now try with hive/_HOST principal
try {
return serviceUGI.doAs(new HttpKerberosServerAction(request, serviceUGI));
} catch (Exception e) {
LOG.error("Failed to authenticate with hive/_HOST kerberos principal");
throw new HttpAuthenticationException(e);
}
}
/** Get a FileSystem instance as specified user in a doAs block. */
public static FileSystem getFileSystemAs(UserGroupInformation ugi, final Configuration conf)
throws IOException, InterruptedException {
return ugi.doAs(
new PrivilegedExceptionAction<FileSystem>() {
@Override
public FileSystem run() throws Exception {
return FileSystem.get(conf);
}
});
}
private ApplicationClientProtocol getRMClientForUser(String user)
throws IOException, InterruptedException {
UserGroupInformation userUGI = UserGroupInformation.createRemoteUser(user);
ApplicationClientProtocol userClient =
userUGI.doAs(
new PrivilegedExceptionAction<ApplicationClientProtocol>() {
@Override
public ApplicationClientProtocol run() throws Exception {
return (ApplicationClientProtocol)
rpc.getProxy(ApplicationClientProtocol.class, rmAddress, conf);
}
});
return userClient;
}
private void postTruncate(final MasterProcedureEnv env) throws IOException, InterruptedException {
final MasterCoprocessorHost cpHost = env.getMasterCoprocessorHost();
if (cpHost != null) {
final TableName tableName = getTableName();
user.doAs(
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
cpHost.postTruncateTableHandler(tableName);
return null;
}
});
}
}
@Test
public void testUGIAuthMethod() throws Exception {
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
ugi.setAuthenticationMethod(am);
Assert.assertEquals(am, ugi.getAuthenticationMethod());
ugi.doAs(
new PrivilegedExceptionAction<Object>() {
public Object run() throws IOException {
Assert.assertEquals(
am, UserGroupInformation.getCurrentUser().getAuthenticationMethod());
return null;
}
});
}
protected static void initAndStartAppMaster(
final DragonAppMaster appMaster, final Configuration conf, String jobUserName)
throws IOException, InterruptedException {
UserGroupInformation.setConfiguration(conf);
UserGroupInformation appMasterUgi = UserGroupInformation.createRemoteUser(jobUserName);
appMasterUgi.doAs(
new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
appMaster.init(conf);
appMaster.start();
return null;
}
});
}