Google Git
Sign in
apache / hbase-site / 1d2de3e49e6fe05cd3cb04fe49ad09e6c4a7af22 / . / devapidocs / src-html / org / apache / hadoop / hbase / security / User.TestingGroups.html
blob: 389bef0944f224af29804531baaed42c1696b9a9 [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="en">
<head>
<!-- Generated by javadoc (17) -->
<title>Source code</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="source: package: org.apache.hadoop.hbase.security, class: User, class: TestingGroups">
<meta name="generator" content="javadoc/SourceToHTMLConverter">
<link rel="stylesheet" type="text/css" href="../../../../../../stylesheet.css" title="Style">
</head>
<body class="source-page">
<main role="main">
<div class="source-container">
<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.security;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import java.io.IOException;</span>
<span class="source-line-no">021</span><span id="line-21">import java.security.PrivilegedAction;</span>
<span class="source-line-no">022</span><span id="line-22">import java.security.PrivilegedExceptionAction;</span>
<span class="source-line-no">023</span><span id="line-23">import java.util.Arrays;</span>
<span class="source-line-no">024</span><span id="line-24">import java.util.Collection;</span>
<span class="source-line-no">025</span><span id="line-25">import java.util.HashMap;</span>
<span class="source-line-no">026</span><span id="line-26">import java.util.List;</span>
<span class="source-line-no">027</span><span id="line-27">import java.util.Map;</span>
<span class="source-line-no">028</span><span id="line-28">import java.util.Optional;</span>
<span class="source-line-no">029</span><span id="line-29">import java.util.concurrent.ExecutionException;</span>
<span class="source-line-no">030</span><span id="line-30">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">031</span><span id="line-31">import org.apache.hadoop.hbase.AuthUtil;</span>
<span class="source-line-no">032</span><span id="line-32">import org.apache.hadoop.hbase.util.Methods;</span>
<span class="source-line-no">033</span><span id="line-33">import org.apache.hadoop.security.Groups;</span>
<span class="source-line-no">034</span><span id="line-34">import org.apache.hadoop.security.SecurityUtil;</span>
<span class="source-line-no">035</span><span id="line-35">import org.apache.hadoop.security.UserGroupInformation;</span>
<span class="source-line-no">036</span><span id="line-36">import org.apache.hadoop.security.token.Token;</span>
<span class="source-line-no">037</span><span id="line-37">import org.apache.hadoop.security.token.TokenIdentifier;</span>
<span class="source-line-no">038</span><span id="line-38">import org.apache.yetus.audience.InterfaceAudience;</span>
<span class="source-line-no">039</span><span id="line-39"></span>
<span class="source-line-no">040</span><span id="line-40">import org.apache.hbase.thirdparty.com.google.common.cache.LoadingCache;</span>
<span class="source-line-no">041</span><span id="line-41"></span>
<span class="source-line-no">042</span><span id="line-42">/**</span>
<span class="source-line-no">043</span><span id="line-43"> * Wrapper to abstract out usage of user and group information in HBase.</span>
<span class="source-line-no">044</span><span id="line-44"> * &lt;p&gt;</span>
<span class="source-line-no">045</span><span id="line-45"> * This class provides a common interface for interacting with user and group information across</span>
<span class="source-line-no">046</span><span id="line-46"> * changing APIs in different versions of Hadoop. It only provides access to the common set of</span>
<span class="source-line-no">047</span><span id="line-47"> * functionality in {@link org.apache.hadoop.security.UserGroupInformation} currently needed by</span>
<span class="source-line-no">048</span><span id="line-48"> * HBase, but can be extended as needs change.</span>
<span class="source-line-no">049</span><span id="line-49"> * &lt;/p&gt;</span>
<span class="source-line-no">050</span><span id="line-50"> */</span>
<span class="source-line-no">051</span><span id="line-51">@InterfaceAudience.Public</span>
<span class="source-line-no">052</span><span id="line-52">public abstract class User {</span>
<span class="source-line-no">053</span><span id="line-53"> public static final String HBASE_SECURITY_CONF_KEY = "hbase.security.authentication";</span>
<span class="source-line-no">054</span><span id="line-54"> public static final String HBASE_SECURITY_AUTHORIZATION_CONF_KEY = "hbase.security.authorization";</span>
<span class="source-line-no">055</span><span id="line-55"></span>
<span class="source-line-no">056</span><span id="line-56"> protected UserGroupInformation ugi;</span>
<span class="source-line-no">057</span><span id="line-57"></span>
<span class="source-line-no">058</span><span id="line-58"> public UserGroupInformation getUGI() {</span>
<span class="source-line-no">059</span><span id="line-59"> return ugi;</span>
<span class="source-line-no">060</span><span id="line-60"> }</span>
<span class="source-line-no">061</span><span id="line-61"></span>
<span class="source-line-no">062</span><span id="line-62"> /**</span>
<span class="source-line-no">063</span><span id="line-63"> * Returns the full user name. For Kerberos principals this will include the host and realm</span>
<span class="source-line-no">064</span><span id="line-64"> * portions of the principal name.</span>
<span class="source-line-no">065</span><span id="line-65"> * @return User full name.</span>
<span class="source-line-no">066</span><span id="line-66"> */</span>
<span class="source-line-no">067</span><span id="line-67"> public String getName() {</span>
<span class="source-line-no">068</span><span id="line-68"> return ugi.getUserName();</span>
<span class="source-line-no">069</span><span id="line-69"> }</span>
<span class="source-line-no">070</span><span id="line-70"></span>
<span class="source-line-no">071</span><span id="line-71"> /**</span>
<span class="source-line-no">072</span><span id="line-72"> * Returns the list of groups of which this user is a member. On secure Hadoop this returns the</span>
<span class="source-line-no">073</span><span id="line-73"> * group information for the user as resolved on the server. For 0.20 based Hadoop, the group</span>
<span class="source-line-no">074</span><span id="line-74"> * names are passed from the client.</span>
<span class="source-line-no">075</span><span id="line-75"> */</span>
<span class="source-line-no">076</span><span id="line-76"> public String[] getGroupNames() {</span>
<span class="source-line-no">077</span><span id="line-77"> return ugi.getGroupNames();</span>
<span class="source-line-no">078</span><span id="line-78"> }</span>
<span class="source-line-no">079</span><span id="line-79"></span>
<span class="source-line-no">080</span><span id="line-80"> /**</span>
<span class="source-line-no">081</span><span id="line-81"> * Returns the shortened version of the user name -- the portion that maps to an operating system</span>
<span class="source-line-no">082</span><span id="line-82"> * user name.</span>
<span class="source-line-no">083</span><span id="line-83"> * @return Short name</span>
<span class="source-line-no">084</span><span id="line-84"> */</span>
<span class="source-line-no">085</span><span id="line-85"> public abstract String getShortName();</span>
<span class="source-line-no">086</span><span id="line-86"></span>
<span class="source-line-no">087</span><span id="line-87"> /**</span>
<span class="source-line-no">088</span><span id="line-88"> * Executes the given action within the context of this user.</span>
<span class="source-line-no">089</span><span id="line-89"> */</span>
<span class="source-line-no">090</span><span id="line-90"> public abstract &lt;T&gt; T runAs(PrivilegedAction&lt;T&gt; action);</span>
<span class="source-line-no">091</span><span id="line-91"></span>
<span class="source-line-no">092</span><span id="line-92"> /**</span>
<span class="source-line-no">093</span><span id="line-93"> * Executes the given action within the context of this user.</span>
<span class="source-line-no">094</span><span id="line-94"> */</span>
<span class="source-line-no">095</span><span id="line-95"> public abstract &lt;T&gt; T runAs(PrivilegedExceptionAction&lt;T&gt; action)</span>
<span class="source-line-no">096</span><span id="line-96"> throws IOException, InterruptedException;</span>
<span class="source-line-no">097</span><span id="line-97"></span>
<span class="source-line-no">098</span><span id="line-98"> /**</span>
<span class="source-line-no">099</span><span id="line-99"> * Returns the Token of the specified kind associated with this user, or null if the Token is not</span>
<span class="source-line-no">100</span><span id="line-100"> * present.</span>
<span class="source-line-no">101</span><span id="line-101"> * @param kind the kind of token</span>
<span class="source-line-no">102</span><span id="line-102"> * @param service service on which the token is supposed to be used</span>
<span class="source-line-no">103</span><span id="line-103"> * @return the token of the specified kind.</span>
<span class="source-line-no">104</span><span id="line-104"> */</span>
<span class="source-line-no">105</span><span id="line-105"> public Token&lt;?&gt; getToken(String kind, String service) throws IOException {</span>
<span class="source-line-no">106</span><span id="line-106"> for (Token&lt;?&gt; token : ugi.getTokens()) {</span>
<span class="source-line-no">107</span><span id="line-107"> if (</span>
<span class="source-line-no">108</span><span id="line-108"> token.getKind().toString().equals(kind)</span>
<span class="source-line-no">109</span><span id="line-109"> &amp;&amp; (service != null &amp;&amp; token.getService().toString().equals(service))</span>
<span class="source-line-no">110</span><span id="line-110"> ) {</span>
<span class="source-line-no">111</span><span id="line-111"> return token;</span>
<span class="source-line-no">112</span><span id="line-112"> }</span>
<span class="source-line-no">113</span><span id="line-113"> }</span>
<span class="source-line-no">114</span><span id="line-114"> return null;</span>
<span class="source-line-no">115</span><span id="line-115"> }</span>
<span class="source-line-no">116</span><span id="line-116"></span>
<span class="source-line-no">117</span><span id="line-117"> /**</span>
<span class="source-line-no">118</span><span id="line-118"> * Returns all the tokens stored in the user's credentials.</span>
<span class="source-line-no">119</span><span id="line-119"> */</span>
<span class="source-line-no">120</span><span id="line-120"> public Collection&lt;Token&lt;? extends TokenIdentifier&gt;&gt; getTokens() {</span>
<span class="source-line-no">121</span><span id="line-121"> return ugi.getTokens();</span>
<span class="source-line-no">122</span><span id="line-122"> }</span>
<span class="source-line-no">123</span><span id="line-123"></span>
<span class="source-line-no">124</span><span id="line-124"> /**</span>
<span class="source-line-no">125</span><span id="line-125"> * Adds the given Token to the user's credentials.</span>
<span class="source-line-no">126</span><span id="line-126"> * @param token the token to add</span>
<span class="source-line-no">127</span><span id="line-127"> */</span>
<span class="source-line-no">128</span><span id="line-128"> public void addToken(Token&lt;? extends TokenIdentifier&gt; token) {</span>
<span class="source-line-no">129</span><span id="line-129"> ugi.addToken(token);</span>
<span class="source-line-no">130</span><span id="line-130"> }</span>
<span class="source-line-no">131</span><span id="line-131"></span>
<span class="source-line-no">132</span><span id="line-132"> /** Returns true if user credentials are obtained from keytab. */</span>
<span class="source-line-no">133</span><span id="line-133"> public boolean isLoginFromKeytab() {</span>
<span class="source-line-no">134</span><span id="line-134"> return ugi.isFromKeytab();</span>
<span class="source-line-no">135</span><span id="line-135"> }</span>
<span class="source-line-no">136</span><span id="line-136"></span>
<span class="source-line-no">137</span><span id="line-137"> @Override</span>
<span class="source-line-no">138</span><span id="line-138"> public boolean equals(Object o) {</span>
<span class="source-line-no">139</span><span id="line-139"> if (this == o) {</span>
<span class="source-line-no">140</span><span id="line-140"> return true;</span>
<span class="source-line-no">141</span><span id="line-141"> }</span>
<span class="source-line-no">142</span><span id="line-142"> if (!(o instanceof User)) {</span>
<span class="source-line-no">143</span><span id="line-143"> return false;</span>
<span class="source-line-no">144</span><span id="line-144"> }</span>
<span class="source-line-no">145</span><span id="line-145"> return ugi.equals(((User) o).ugi);</span>
<span class="source-line-no">146</span><span id="line-146"> }</span>
<span class="source-line-no">147</span><span id="line-147"></span>
<span class="source-line-no">148</span><span id="line-148"> @Override</span>
<span class="source-line-no">149</span><span id="line-149"> public int hashCode() {</span>
<span class="source-line-no">150</span><span id="line-150"> return ugi.hashCode();</span>
<span class="source-line-no">151</span><span id="line-151"> }</span>
<span class="source-line-no">152</span><span id="line-152"></span>
<span class="source-line-no">153</span><span id="line-153"> @Override</span>
<span class="source-line-no">154</span><span id="line-154"> public String toString() {</span>
<span class="source-line-no">155</span><span id="line-155"> return ugi.toString();</span>
<span class="source-line-no">156</span><span id="line-156"> }</span>
<span class="source-line-no">157</span><span id="line-157"></span>
<span class="source-line-no">158</span><span id="line-158"> /** Returns the {@code User} instance within current execution context. */</span>
<span class="source-line-no">159</span><span id="line-159"> public static User getCurrent() throws IOException {</span>
<span class="source-line-no">160</span><span id="line-160"> User user = new SecureHadoopUser();</span>
<span class="source-line-no">161</span><span id="line-161"> if (user.getUGI() == null) {</span>
<span class="source-line-no">162</span><span id="line-162"> return null;</span>
<span class="source-line-no">163</span><span id="line-163"> }</span>
<span class="source-line-no">164</span><span id="line-164"> return user;</span>
<span class="source-line-no">165</span><span id="line-165"> }</span>
<span class="source-line-no">166</span><span id="line-166"></span>
<span class="source-line-no">167</span><span id="line-167"> /** Executes the given action as the login user */</span>
<span class="source-line-no">168</span><span id="line-168"> @SuppressWarnings({ "rawtypes", "unchecked" })</span>
<span class="source-line-no">169</span><span id="line-169"> public static &lt;T&gt; T runAsLoginUser(PrivilegedExceptionAction&lt;T&gt; action) throws IOException {</span>
<span class="source-line-no">170</span><span id="line-170"> try {</span>
<span class="source-line-no">171</span><span id="line-171"> Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");</span>
<span class="source-line-no">172</span><span id="line-172"> Class[] types = new Class[] { PrivilegedExceptionAction.class };</span>
<span class="source-line-no">173</span><span id="line-173"> Object[] args = new Object[] { action };</span>
<span class="source-line-no">174</span><span id="line-174"> return (T) Methods.call(c, null, "doAsLoginUser", types, args);</span>
<span class="source-line-no">175</span><span id="line-175"> } catch (Throwable e) {</span>
<span class="source-line-no">176</span><span id="line-176"> throw new IOException(e);</span>
<span class="source-line-no">177</span><span id="line-177"> }</span>
<span class="source-line-no">178</span><span id="line-178"> }</span>
<span class="source-line-no">179</span><span id="line-179"></span>
<span class="source-line-no">180</span><span id="line-180"> /**</span>
<span class="source-line-no">181</span><span id="line-181"> * Wraps an underlying {@code UserGroupInformation} instance.</span>
<span class="source-line-no">182</span><span id="line-182"> * @param ugi The base Hadoop user</span>
<span class="source-line-no">183</span><span id="line-183"> */</span>
<span class="source-line-no">184</span><span id="line-184"> public static User create(UserGroupInformation ugi) {</span>
<span class="source-line-no">185</span><span id="line-185"> if (ugi == null) {</span>
<span class="source-line-no">186</span><span id="line-186"> return null;</span>
<span class="source-line-no">187</span><span id="line-187"> }</span>
<span class="source-line-no">188</span><span id="line-188"> return new SecureHadoopUser(ugi);</span>
<span class="source-line-no">189</span><span id="line-189"> }</span>
<span class="source-line-no">190</span><span id="line-190"></span>
<span class="source-line-no">191</span><span id="line-191"> /**</span>
<span class="source-line-no">192</span><span id="line-192"> * Generates a new {@code User} instance specifically for use in test code.</span>
<span class="source-line-no">193</span><span id="line-193"> * @param name the full username</span>
<span class="source-line-no">194</span><span id="line-194"> * @param groups the group names to which the test user will belong</span>
<span class="source-line-no">195</span><span id="line-195"> * @return a new &lt;code&gt;User&lt;/code&gt; instance</span>
<span class="source-line-no">196</span><span id="line-196"> */</span>
<span class="source-line-no">197</span><span id="line-197"> public static User createUserForTesting(Configuration conf, String name, String[] groups) {</span>
<span class="source-line-no">198</span><span id="line-198"> User userForTesting = SecureHadoopUser.createUserForTesting(conf, name, groups);</span>
<span class="source-line-no">199</span><span id="line-199"> return userForTesting;</span>
<span class="source-line-no">200</span><span id="line-200"> }</span>
<span class="source-line-no">201</span><span id="line-201"></span>
<span class="source-line-no">202</span><span id="line-202"> /**</span>
<span class="source-line-no">203</span><span id="line-203"> * Log in the current process using the given configuration keys for the credential file and login</span>
<span class="source-line-no">204</span><span id="line-204"> * principal.</span>
<span class="source-line-no">205</span><span id="line-205"> * &lt;p&gt;</span>
<span class="source-line-no">206</span><span id="line-206"> * &lt;strong&gt;This is only applicable when running on secure Hadoop&lt;/strong&gt; -- see</span>
<span class="source-line-no">207</span><span id="line-207"> * org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String). On regular</span>
<span class="source-line-no">208</span><span id="line-208"> * Hadoop (without security features), this will safely be ignored.</span>
<span class="source-line-no">209</span><span id="line-209"> * &lt;/p&gt;</span>
<span class="source-line-no">210</span><span id="line-210"> * @param conf The configuration data to use</span>
<span class="source-line-no">211</span><span id="line-211"> * @param fileConfKey Property key used to configure path to the credential file</span>
<span class="source-line-no">212</span><span id="line-212"> * @param principalConfKey Property key used to configure login principal</span>
<span class="source-line-no">213</span><span id="line-213"> * @param localhost Current hostname to use in any credentials</span>
<span class="source-line-no">214</span><span id="line-214"> * @throws IOException underlying exception from SecurityUtil.login() call</span>
<span class="source-line-no">215</span><span id="line-215"> */</span>
<span class="source-line-no">216</span><span id="line-216"> public static void login(Configuration conf, String fileConfKey, String principalConfKey,</span>
<span class="source-line-no">217</span><span id="line-217"> String localhost) throws IOException {</span>
<span class="source-line-no">218</span><span id="line-218"> SecureHadoopUser.login(conf, fileConfKey, principalConfKey, localhost);</span>
<span class="source-line-no">219</span><span id="line-219"> }</span>
<span class="source-line-no">220</span><span id="line-220"></span>
<span class="source-line-no">221</span><span id="line-221"> /**</span>
<span class="source-line-no">222</span><span id="line-222"> * Login with the given keytab and principal.</span>
<span class="source-line-no">223</span><span id="line-223"> * @param keytabLocation path of keytab</span>
<span class="source-line-no">224</span><span id="line-224"> * @param pricipalName login principal</span>
<span class="source-line-no">225</span><span id="line-225"> * @throws IOException underlying exception from UserGroupInformation.loginUserFromKeytab</span>
<span class="source-line-no">226</span><span id="line-226"> */</span>
<span class="source-line-no">227</span><span id="line-227"> public static void login(String keytabLocation, String pricipalName) throws IOException {</span>
<span class="source-line-no">228</span><span id="line-228"> SecureHadoopUser.login(keytabLocation, pricipalName);</span>
<span class="source-line-no">229</span><span id="line-229"> }</span>
<span class="source-line-no">230</span><span id="line-230"></span>
<span class="source-line-no">231</span><span id="line-231"> /**</span>
<span class="source-line-no">232</span><span id="line-232"> * Returns whether or not Kerberos authentication is configured for Hadoop. For non-secure Hadoop,</span>
<span class="source-line-no">233</span><span id="line-233"> * this always returns &lt;code&gt;false&lt;/code&gt;. For secure Hadoop, it will return the value from</span>
<span class="source-line-no">234</span><span id="line-234"> * {@code UserGroupInformation.isSecurityEnabled()}.</span>
<span class="source-line-no">235</span><span id="line-235"> */</span>
<span class="source-line-no">236</span><span id="line-236"> public static boolean isSecurityEnabled() {</span>
<span class="source-line-no">237</span><span id="line-237"> return SecureHadoopUser.isSecurityEnabled();</span>
<span class="source-line-no">238</span><span id="line-238"> }</span>
<span class="source-line-no">239</span><span id="line-239"></span>
<span class="source-line-no">240</span><span id="line-240"> /**</span>
<span class="source-line-no">241</span><span id="line-241"> * Returns whether or not secure authentication is enabled for HBase. Note that HBase security</span>
<span class="source-line-no">242</span><span id="line-242"> * requires HDFS security to provide any guarantees, so it is recommended that secure HBase should</span>
<span class="source-line-no">243</span><span id="line-243"> * run on secure HDFS.</span>
<span class="source-line-no">244</span><span id="line-244"> */</span>
<span class="source-line-no">245</span><span id="line-245"> public static boolean isHBaseSecurityEnabled(Configuration conf) {</span>
<span class="source-line-no">246</span><span id="line-246"> return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));</span>
<span class="source-line-no">247</span><span id="line-247"> }</span>
<span class="source-line-no">248</span><span id="line-248"></span>
<span class="source-line-no">249</span><span id="line-249"> /**</span>
<span class="source-line-no">250</span><span id="line-250"> * In secure environment, if a user specified his keytab and principal, a hbase client will try to</span>
<span class="source-line-no">251</span><span id="line-251"> * login with them. Otherwise, hbase client will try to obtain ticket(through kinit) from system.</span>
<span class="source-line-no">252</span><span id="line-252"> * @param conf configuration file</span>
<span class="source-line-no">253</span><span id="line-253"> * @return true if keytab and principal are configured</span>
<span class="source-line-no">254</span><span id="line-254"> */</span>
<span class="source-line-no">255</span><span id="line-255"> public static boolean shouldLoginFromKeytab(Configuration conf) {</span>
<span class="source-line-no">256</span><span id="line-256"> Optional&lt;String&gt; keytab = Optional.ofNullable(conf.get(AuthUtil.HBASE_CLIENT_KEYTAB_FILE));</span>
<span class="source-line-no">257</span><span id="line-257"> Optional&lt;String&gt; principal =</span>
<span class="source-line-no">258</span><span id="line-258"> Optional.ofNullable(conf.get(AuthUtil.HBASE_CLIENT_KERBEROS_PRINCIPAL));</span>
<span class="source-line-no">259</span><span id="line-259"> return keytab.isPresent() &amp;&amp; principal.isPresent();</span>
<span class="source-line-no">260</span><span id="line-260"> }</span>
<span class="source-line-no">261</span><span id="line-261"></span>
<span class="source-line-no">262</span><span id="line-262"> /* Concrete implementations */</span>
<span class="source-line-no">263</span><span id="line-263"></span>
<span class="source-line-no">264</span><span id="line-264"> /**</span>
<span class="source-line-no">265</span><span id="line-265"> * Bridges {@code User} invocations to underlying calls to</span>
<span class="source-line-no">266</span><span id="line-266"> * {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop 0.20 and versions</span>
<span class="source-line-no">267</span><span id="line-267"> * 0.21 and above.</span>
<span class="source-line-no">268</span><span id="line-268"> */</span>
<span class="source-line-no">269</span><span id="line-269"> @InterfaceAudience.Private</span>
<span class="source-line-no">270</span><span id="line-270"> public static final class SecureHadoopUser extends User {</span>
<span class="source-line-no">271</span><span id="line-271"> private String shortName;</span>
<span class="source-line-no">272</span><span id="line-272"> private LoadingCache&lt;String, String[]&gt; cache;</span>
<span class="source-line-no">273</span><span id="line-273"> /**</span>
<span class="source-line-no">274</span><span id="line-274"> * Cache value of this instance's {@link #toString()} value. Computing this value is expensive.</span>
<span class="source-line-no">275</span><span id="line-275"> * Assumes the UGI is never updated. See HBASE-27708.</span>
<span class="source-line-no">276</span><span id="line-276"> */</span>
<span class="source-line-no">277</span><span id="line-277"> private final String toString;</span>
<span class="source-line-no">278</span><span id="line-278"></span>
<span class="source-line-no">279</span><span id="line-279"> public SecureHadoopUser() throws IOException {</span>
<span class="source-line-no">280</span><span id="line-280"> ugi = UserGroupInformation.getCurrentUser();</span>
<span class="source-line-no">281</span><span id="line-281"> this.cache = null;</span>
<span class="source-line-no">282</span><span id="line-282"> this.toString = ugi.toString();</span>
<span class="source-line-no">283</span><span id="line-283"> }</span>
<span class="source-line-no">284</span><span id="line-284"></span>
<span class="source-line-no">285</span><span id="line-285"> public SecureHadoopUser(UserGroupInformation ugi) {</span>
<span class="source-line-no">286</span><span id="line-286"> this.ugi = ugi;</span>
<span class="source-line-no">287</span><span id="line-287"> this.cache = null;</span>
<span class="source-line-no">288</span><span id="line-288"> this.toString = ugi.toString();</span>
<span class="source-line-no">289</span><span id="line-289"> }</span>
<span class="source-line-no">290</span><span id="line-290"></span>
<span class="source-line-no">291</span><span id="line-291"> public SecureHadoopUser(UserGroupInformation ugi, LoadingCache&lt;String, String[]&gt; cache) {</span>
<span class="source-line-no">292</span><span id="line-292"> this.ugi = ugi;</span>
<span class="source-line-no">293</span><span id="line-293"> this.cache = cache;</span>
<span class="source-line-no">294</span><span id="line-294"> this.toString = ugi.toString();</span>
<span class="source-line-no">295</span><span id="line-295"> }</span>
<span class="source-line-no">296</span><span id="line-296"></span>
<span class="source-line-no">297</span><span id="line-297"> @Override</span>
<span class="source-line-no">298</span><span id="line-298"> public String getShortName() {</span>
<span class="source-line-no">299</span><span id="line-299"> if (shortName != null) return shortName;</span>
<span class="source-line-no">300</span><span id="line-300"> try {</span>
<span class="source-line-no">301</span><span id="line-301"> shortName = ugi.getShortUserName();</span>
<span class="source-line-no">302</span><span id="line-302"> return shortName;</span>
<span class="source-line-no">303</span><span id="line-303"> } catch (Exception e) {</span>
<span class="source-line-no">304</span><span id="line-304"> throw new RuntimeException("Unexpected error getting user short name", e);</span>
<span class="source-line-no">305</span><span id="line-305"> }</span>
<span class="source-line-no">306</span><span id="line-306"> }</span>
<span class="source-line-no">307</span><span id="line-307"></span>
<span class="source-line-no">308</span><span id="line-308"> @Override</span>
<span class="source-line-no">309</span><span id="line-309"> public String[] getGroupNames() {</span>
<span class="source-line-no">310</span><span id="line-310"> if (cache != null) {</span>
<span class="source-line-no">311</span><span id="line-311"> try {</span>
<span class="source-line-no">312</span><span id="line-312"> return this.cache.get(getShortName());</span>
<span class="source-line-no">313</span><span id="line-313"> } catch (ExecutionException e) {</span>
<span class="source-line-no">314</span><span id="line-314"> return new String[0];</span>
<span class="source-line-no">315</span><span id="line-315"> }</span>
<span class="source-line-no">316</span><span id="line-316"> }</span>
<span class="source-line-no">317</span><span id="line-317"> return ugi.getGroupNames();</span>
<span class="source-line-no">318</span><span id="line-318"> }</span>
<span class="source-line-no">319</span><span id="line-319"></span>
<span class="source-line-no">320</span><span id="line-320"> @Override</span>
<span class="source-line-no">321</span><span id="line-321"> public &lt;T&gt; T runAs(PrivilegedAction&lt;T&gt; action) {</span>
<span class="source-line-no">322</span><span id="line-322"> return ugi.doAs(action);</span>
<span class="source-line-no">323</span><span id="line-323"> }</span>
<span class="source-line-no">324</span><span id="line-324"></span>
<span class="source-line-no">325</span><span id="line-325"> @Override</span>
<span class="source-line-no">326</span><span id="line-326"> public &lt;T&gt; T runAs(PrivilegedExceptionAction&lt;T&gt; action)</span>
<span class="source-line-no">327</span><span id="line-327"> throws IOException, InterruptedException {</span>
<span class="source-line-no">328</span><span id="line-328"> return ugi.doAs(action);</span>
<span class="source-line-no">329</span><span id="line-329"> }</span>
<span class="source-line-no">330</span><span id="line-330"></span>
<span class="source-line-no">331</span><span id="line-331"> @Override</span>
<span class="source-line-no">332</span><span id="line-332"> public String toString() {</span>
<span class="source-line-no">333</span><span id="line-333"> return toString;</span>
<span class="source-line-no">334</span><span id="line-334"> }</span>
<span class="source-line-no">335</span><span id="line-335"></span>
<span class="source-line-no">336</span><span id="line-336"> /**</span>
<span class="source-line-no">337</span><span id="line-337"> * Create a user for testing.</span>
<span class="source-line-no">338</span><span id="line-338"> * @see User#createUserForTesting(org.apache.hadoop.conf.Configuration, String, String[])</span>
<span class="source-line-no">339</span><span id="line-339"> */</span>
<span class="source-line-no">340</span><span id="line-340"> public static User createUserForTesting(Configuration conf, String name, String[] groups) {</span>
<span class="source-line-no">341</span><span id="line-341"> synchronized (UserProvider.class) {</span>
<span class="source-line-no">342</span><span id="line-342"> if (!(UserProvider.groups instanceof TestingGroups)) {</span>
<span class="source-line-no">343</span><span id="line-343"> UserProvider.groups = new TestingGroups(UserProvider.groups);</span>
<span class="source-line-no">344</span><span id="line-344"> }</span>
<span class="source-line-no">345</span><span id="line-345"> }</span>
<span class="source-line-no">346</span><span id="line-346"></span>
<span class="source-line-no">347</span><span id="line-347"> ((TestingGroups) UserProvider.groups).setUserGroups(name, groups);</span>
<span class="source-line-no">348</span><span id="line-348"> return new SecureHadoopUser(UserGroupInformation.createUserForTesting(name, groups));</span>
<span class="source-line-no">349</span><span id="line-349"> }</span>
<span class="source-line-no">350</span><span id="line-350"></span>
<span class="source-line-no">351</span><span id="line-351"> /**</span>
<span class="source-line-no">352</span><span id="line-352"> * Obtain credentials for the current process using the configured Kerberos keytab file and</span>
<span class="source-line-no">353</span><span id="line-353"> * principal.</span>
<span class="source-line-no">354</span><span id="line-354"> * @see User#login(org.apache.hadoop.conf.Configuration, String, String, String)</span>
<span class="source-line-no">355</span><span id="line-355"> * @param conf the Configuration to use</span>
<span class="source-line-no">356</span><span id="line-356"> * @param fileConfKey Configuration property key used to store the path to the keytab file</span>
<span class="source-line-no">357</span><span id="line-357"> * @param principalConfKey Configuration property key used to store the principal name to login</span>
<span class="source-line-no">358</span><span id="line-358"> * as</span>
<span class="source-line-no">359</span><span id="line-359"> * @param localhost the local hostname</span>
<span class="source-line-no">360</span><span id="line-360"> */</span>
<span class="source-line-no">361</span><span id="line-361"> public static void login(Configuration conf, String fileConfKey, String principalConfKey,</span>
<span class="source-line-no">362</span><span id="line-362"> String localhost) throws IOException {</span>
<span class="source-line-no">363</span><span id="line-363"> if (isSecurityEnabled()) {</span>
<span class="source-line-no">364</span><span id="line-364"> SecurityUtil.login(conf, fileConfKey, principalConfKey, localhost);</span>
<span class="source-line-no">365</span><span id="line-365"> }</span>
<span class="source-line-no">366</span><span id="line-366"> }</span>
<span class="source-line-no">367</span><span id="line-367"></span>
<span class="source-line-no">368</span><span id="line-368"> /**</span>
<span class="source-line-no">369</span><span id="line-369"> * Login through configured keytab and pricipal.</span>
<span class="source-line-no">370</span><span id="line-370"> * @param keytabLocation location of keytab</span>
<span class="source-line-no">371</span><span id="line-371"> * @param principalName principal in keytab</span>
<span class="source-line-no">372</span><span id="line-372"> * @throws IOException exception from UserGroupInformation.loginUserFromKeytab</span>
<span class="source-line-no">373</span><span id="line-373"> */</span>
<span class="source-line-no">374</span><span id="line-374"> public static void login(String keytabLocation, String principalName) throws IOException {</span>
<span class="source-line-no">375</span><span id="line-375"> if (isSecurityEnabled()) {</span>
<span class="source-line-no">376</span><span id="line-376"> UserGroupInformation.loginUserFromKeytab(principalName, keytabLocation);</span>
<span class="source-line-no">377</span><span id="line-377"> }</span>
<span class="source-line-no">378</span><span id="line-378"> }</span>
<span class="source-line-no">379</span><span id="line-379"></span>
<span class="source-line-no">380</span><span id="line-380"> /** Returns the result of {@code UserGroupInformation.isSecurityEnabled()}. */</span>
<span class="source-line-no">381</span><span id="line-381"> public static boolean isSecurityEnabled() {</span>
<span class="source-line-no">382</span><span id="line-382"> return UserGroupInformation.isSecurityEnabled();</span>
<span class="source-line-no">383</span><span id="line-383"> }</span>
<span class="source-line-no">384</span><span id="line-384"> }</span>
<span class="source-line-no">385</span><span id="line-385"></span>
<span class="source-line-no">386</span><span id="line-386"> public static class TestingGroups extends Groups {</span>
<span class="source-line-no">387</span><span id="line-387"> public static final String TEST_CONF = "hbase.group.service.for.test.only";</span>
<span class="source-line-no">388</span><span id="line-388"></span>
<span class="source-line-no">389</span><span id="line-389"> private final Map&lt;String, List&lt;String&gt;&gt; userToGroupsMapping = new HashMap&lt;&gt;();</span>
<span class="source-line-no">390</span><span id="line-390"> private Groups underlyingImplementation;</span>
<span class="source-line-no">391</span><span id="line-391"></span>
<span class="source-line-no">392</span><span id="line-392"> public TestingGroups(Groups underlyingImplementation) {</span>
<span class="source-line-no">393</span><span id="line-393"> super(new Configuration());</span>
<span class="source-line-no">394</span><span id="line-394"> this.underlyingImplementation = underlyingImplementation;</span>
<span class="source-line-no">395</span><span id="line-395"> }</span>
<span class="source-line-no">396</span><span id="line-396"></span>
<span class="source-line-no">397</span><span id="line-397"> @Override</span>
<span class="source-line-no">398</span><span id="line-398"> public List&lt;String&gt; getGroups(String user) throws IOException {</span>
<span class="source-line-no">399</span><span id="line-399"> List&lt;String&gt; result = userToGroupsMapping.get(user);</span>
<span class="source-line-no">400</span><span id="line-400"></span>
<span class="source-line-no">401</span><span id="line-401"> if (result == null) {</span>
<span class="source-line-no">402</span><span id="line-402"> result = underlyingImplementation.getGroups(user);</span>
<span class="source-line-no">403</span><span id="line-403"> }</span>
<span class="source-line-no">404</span><span id="line-404"></span>
<span class="source-line-no">405</span><span id="line-405"> return result;</span>
<span class="source-line-no">406</span><span id="line-406"> }</span>
<span class="source-line-no">407</span><span id="line-407"></span>
<span class="source-line-no">408</span><span id="line-408"> private void setUserGroups(String user, String[] groups) {</span>
<span class="source-line-no">409</span><span id="line-409"> userToGroupsMapping.put(user, Arrays.asList(groups));</span>
<span class="source-line-no">410</span><span id="line-410"> }</span>
<span class="source-line-no">411</span><span id="line-411"> }</span>
<span class="source-line-no">412</span><span id="line-412">}</span>
</pre>
</div>
</main>
</body>
</html>