Google Git
Sign in
apache / hbase-site / 4c570b3d4d09d704760b5551e114a86453a5340d / . / devapidocs / src-html / org / apache / hadoop / hbase / AuthUtil.html
blob: 9774df4d81dec6bff979a44d62295cbf29a5c34b [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="en">
<head>
<!-- Generated by javadoc (17) -->
<title>Source code</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="source: package: org.apache.hadoop.hbase, class: AuthUtil">
<meta name="generator" content="javadoc/SourceToHTMLConverter">
<link rel="stylesheet" type="text/css" href="../../../../../stylesheet.css" title="Style">
</head>
<body class="source-page">
<main role="main">
<div class="source-container">
<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import java.io.IOException;</span>
<span class="source-line-no">021</span><span id="line-21">import java.net.UnknownHostException;</span>
<span class="source-line-no">022</span><span id="line-22">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">023</span><span id="line-23">import org.apache.hadoop.hbase.security.User;</span>
<span class="source-line-no">024</span><span id="line-24">import org.apache.hadoop.hbase.security.UserProvider;</span>
<span class="source-line-no">025</span><span id="line-25">import org.apache.hadoop.hbase.util.DNS;</span>
<span class="source-line-no">026</span><span id="line-26">import org.apache.hadoop.hbase.util.Strings;</span>
<span class="source-line-no">027</span><span id="line-27">import org.apache.hadoop.security.UserGroupInformation;</span>
<span class="source-line-no">028</span><span id="line-28">import org.apache.yetus.audience.InterfaceAudience;</span>
<span class="source-line-no">029</span><span id="line-29">import org.slf4j.Logger;</span>
<span class="source-line-no">030</span><span id="line-30">import org.slf4j.LoggerFactory;</span>
<span class="source-line-no">031</span><span id="line-31"></span>
<span class="source-line-no">032</span><span id="line-32">/**</span>
<span class="source-line-no">033</span><span id="line-33"> * Utility methods for helping with security tasks. Downstream users may rely on this class to</span>
<span class="source-line-no">034</span><span id="line-34"> * handle authenticating via keytab where long running services need access to a secure HBase</span>
<span class="source-line-no">035</span><span id="line-35"> * cluster. Callers must ensure:</span>
<span class="source-line-no">036</span><span id="line-36"> * &lt;ul&gt;</span>
<span class="source-line-no">037</span><span id="line-37"> * &lt;li&gt;HBase configuration files are in the Classpath</span>
<span class="source-line-no">038</span><span id="line-38"> * &lt;li&gt;hbase.client.keytab.file points to a valid keytab on the local filesystem</span>
<span class="source-line-no">039</span><span id="line-39"> * &lt;li&gt;hbase.client.kerberos.principal gives the Kerberos principal to use</span>
<span class="source-line-no">040</span><span id="line-40"> * &lt;/ul&gt;</span>
<span class="source-line-no">041</span><span id="line-41"> *</span>
<span class="source-line-no">042</span><span id="line-42"> * &lt;pre&gt;</span>
<span class="source-line-no">043</span><span id="line-43"> * {</span>
<span class="source-line-no">044</span><span id="line-44"> * &amp;#64;code</span>
<span class="source-line-no">045</span><span id="line-45"> * ChoreService choreService = null;</span>
<span class="source-line-no">046</span><span id="line-46"> * // Presumes HBase configuration files are on the classpath</span>
<span class="source-line-no">047</span><span id="line-47"> * final Configuration conf = HBaseConfiguration.create();</span>
<span class="source-line-no">048</span><span id="line-48"> * final ScheduledChore authChore = AuthUtil.getAuthChore(conf);</span>
<span class="source-line-no">049</span><span id="line-49"> * if (authChore != null) {</span>
<span class="source-line-no">050</span><span id="line-50"> * choreService = new ChoreService("MY_APPLICATION");</span>
<span class="source-line-no">051</span><span id="line-51"> * choreService.scheduleChore(authChore);</span>
<span class="source-line-no">052</span><span id="line-52"> * }</span>
<span class="source-line-no">053</span><span id="line-53"> * try {</span>
<span class="source-line-no">054</span><span id="line-54"> * // do application work</span>
<span class="source-line-no">055</span><span id="line-55"> * } finally {</span>
<span class="source-line-no">056</span><span id="line-56"> * if (choreService != null) {</span>
<span class="source-line-no">057</span><span id="line-57"> * choreService.shutdown();</span>
<span class="source-line-no">058</span><span id="line-58"> * }</span>
<span class="source-line-no">059</span><span id="line-59"> * }</span>
<span class="source-line-no">060</span><span id="line-60"> * }</span>
<span class="source-line-no">061</span><span id="line-61"> * &lt;/pre&gt;</span>
<span class="source-line-no">062</span><span id="line-62"> *</span>
<span class="source-line-no">063</span><span id="line-63"> * See the "Running Canary in a Kerberos-enabled Cluster" section of the HBase Reference Guide for</span>
<span class="source-line-no">064</span><span id="line-64"> * an example of configuring a user of this Auth Chore to run on a secure cluster.</span>
<span class="source-line-no">065</span><span id="line-65"> *</span>
<span class="source-line-no">066</span><span id="line-66"> * &lt;pre&gt;</span>
<span class="source-line-no">067</span><span id="line-67"> * &lt;/pre&gt;</span>
<span class="source-line-no">068</span><span id="line-68"> *</span>
<span class="source-line-no">069</span><span id="line-69"> * This class will be internal used only from 2.2.0 version, and will transparently work for</span>
<span class="source-line-no">070</span><span id="line-70"> * kerberized applications. For more, please refer</span>
<span class="source-line-no">071</span><span id="line-71"> * &lt;a href="http://hbase.apache.org/book.html#hbase.secure.configuration"&gt;Client-side Configuration</span>
<span class="source-line-no">072</span><span id="line-72"> * for Secure Operation&lt;/a&gt;</span>
<span class="source-line-no">073</span><span id="line-73"> * @deprecated since 2.2.0, to be marked as</span>
<span class="source-line-no">074</span><span id="line-74"> * {@link org.apache.yetus.audience.InterfaceAudience.Private} in 4.0.0.</span>
<span class="source-line-no">075</span><span id="line-75"> * @see &lt;a href="https://issues.apache.org/jira/browse/HBASE-20886"&gt;HBASE-20886&lt;/a&gt;</span>
<span class="source-line-no">076</span><span id="line-76"> */</span>
<span class="source-line-no">077</span><span id="line-77">@Deprecated</span>
<span class="source-line-no">078</span><span id="line-78">@InterfaceAudience.Public</span>
<span class="source-line-no">079</span><span id="line-79">public final class AuthUtil {</span>
<span class="source-line-no">080</span><span id="line-80"> private static final Logger LOG = LoggerFactory.getLogger(AuthUtil.class);</span>
<span class="source-line-no">081</span><span id="line-81"></span>
<span class="source-line-no">082</span><span id="line-82"> /** Prefix character to denote group names */</span>
<span class="source-line-no">083</span><span id="line-83"> private static final String GROUP_PREFIX = "@";</span>
<span class="source-line-no">084</span><span id="line-84"></span>
<span class="source-line-no">085</span><span id="line-85"> /** Client keytab file */</span>
<span class="source-line-no">086</span><span id="line-86"> public static final String HBASE_CLIENT_KEYTAB_FILE = "hbase.client.keytab.file";</span>
<span class="source-line-no">087</span><span id="line-87"></span>
<span class="source-line-no">088</span><span id="line-88"> /** Client principal */</span>
<span class="source-line-no">089</span><span id="line-89"> public static final String HBASE_CLIENT_KERBEROS_PRINCIPAL = "hbase.client.keytab.principal";</span>
<span class="source-line-no">090</span><span id="line-90"></span>
<span class="source-line-no">091</span><span id="line-91"> /** Configuration to automatically try to renew keytab-based logins */</span>
<span class="source-line-no">092</span><span id="line-92"> public static final String HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY =</span>
<span class="source-line-no">093</span><span id="line-93"> "hbase.client.keytab.automatic.renewal";</span>
<span class="source-line-no">094</span><span id="line-94"> public static final boolean HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT = true;</span>
<span class="source-line-no">095</span><span id="line-95"></span>
<span class="source-line-no">096</span><span id="line-96"> private AuthUtil() {</span>
<span class="source-line-no">097</span><span id="line-97"> super();</span>
<span class="source-line-no">098</span><span id="line-98"> }</span>
<span class="source-line-no">099</span><span id="line-99"></span>
<span class="source-line-no">100</span><span id="line-100"> /**</span>
<span class="source-line-no">101</span><span id="line-101"> * For kerberized cluster, return login user (from kinit or from keytab if specified). For</span>
<span class="source-line-no">102</span><span id="line-102"> * non-kerberized cluster, return system user.</span>
<span class="source-line-no">103</span><span id="line-103"> * @param conf configuartion file</span>
<span class="source-line-no">104</span><span id="line-104"> * @throws IOException login exception</span>
<span class="source-line-no">105</span><span id="line-105"> */</span>
<span class="source-line-no">106</span><span id="line-106"> @InterfaceAudience.Private</span>
<span class="source-line-no">107</span><span id="line-107"> public static User loginClient(Configuration conf) throws IOException {</span>
<span class="source-line-no">108</span><span id="line-108"> UserProvider provider = UserProvider.instantiate(conf);</span>
<span class="source-line-no">109</span><span id="line-109"> User user = provider.getCurrent();</span>
<span class="source-line-no">110</span><span id="line-110"> boolean securityOn = provider.isHBaseSecurityEnabled() &amp;&amp; provider.isHadoopSecurityEnabled();</span>
<span class="source-line-no">111</span><span id="line-111"></span>
<span class="source-line-no">112</span><span id="line-112"> if (securityOn) {</span>
<span class="source-line-no">113</span><span id="line-113"> boolean fromKeytab = provider.shouldLoginFromKeytab();</span>
<span class="source-line-no">114</span><span id="line-114"> if (user.getUGI().hasKerberosCredentials()) {</span>
<span class="source-line-no">115</span><span id="line-115"> // There's already a login user.</span>
<span class="source-line-no">116</span><span id="line-116"> // But we should avoid misuse credentials which is a dangerous security issue,</span>
<span class="source-line-no">117</span><span id="line-117"> // so here check whether user specified a keytab and a principal:</span>
<span class="source-line-no">118</span><span id="line-118"> // 1. Yes, check if user principal match.</span>
<span class="source-line-no">119</span><span id="line-119"> // a. match, just return.</span>
<span class="source-line-no">120</span><span id="line-120"> // b. mismatch, login using keytab.</span>
<span class="source-line-no">121</span><span id="line-121"> // 2. No, user may login through kinit, this is the old way, also just return.</span>
<span class="source-line-no">122</span><span id="line-122"> if (fromKeytab) {</span>
<span class="source-line-no">123</span><span id="line-123"> return checkPrincipalMatch(conf, user.getUGI().getUserName())</span>
<span class="source-line-no">124</span><span id="line-124"> ? user</span>
<span class="source-line-no">125</span><span id="line-125"> : loginFromKeytabAndReturnUser(provider);</span>
<span class="source-line-no">126</span><span id="line-126"> }</span>
<span class="source-line-no">127</span><span id="line-127"> return user;</span>
<span class="source-line-no">128</span><span id="line-128"> } else if (fromKeytab) {</span>
<span class="source-line-no">129</span><span id="line-129"> // Kerberos is on and client specify a keytab and principal, but client doesn't login yet.</span>
<span class="source-line-no">130</span><span id="line-130"> return loginFromKeytabAndReturnUser(provider);</span>
<span class="source-line-no">131</span><span id="line-131"> }</span>
<span class="source-line-no">132</span><span id="line-132"> }</span>
<span class="source-line-no">133</span><span id="line-133"> return user;</span>
<span class="source-line-no">134</span><span id="line-134"> }</span>
<span class="source-line-no">135</span><span id="line-135"></span>
<span class="source-line-no">136</span><span id="line-136"> private static boolean checkPrincipalMatch(Configuration conf, String loginUserName) {</span>
<span class="source-line-no">137</span><span id="line-137"> String configuredUserName = conf.get(HBASE_CLIENT_KERBEROS_PRINCIPAL);</span>
<span class="source-line-no">138</span><span id="line-138"> boolean match = configuredUserName.equals(loginUserName);</span>
<span class="source-line-no">139</span><span id="line-139"> if (!match) {</span>
<span class="source-line-no">140</span><span id="line-140"> LOG.warn("Trying to login with a different user: {}, existed user is {}.", configuredUserName,</span>
<span class="source-line-no">141</span><span id="line-141"> loginUserName);</span>
<span class="source-line-no">142</span><span id="line-142"> }</span>
<span class="source-line-no">143</span><span id="line-143"> return match;</span>
<span class="source-line-no">144</span><span id="line-144"> }</span>
<span class="source-line-no">145</span><span id="line-145"></span>
<span class="source-line-no">146</span><span id="line-146"> private static User loginFromKeytabAndReturnUser(UserProvider provider) throws IOException {</span>
<span class="source-line-no">147</span><span id="line-147"> try {</span>
<span class="source-line-no">148</span><span id="line-148"> provider.login(HBASE_CLIENT_KEYTAB_FILE, HBASE_CLIENT_KERBEROS_PRINCIPAL);</span>
<span class="source-line-no">149</span><span id="line-149"> } catch (IOException ioe) {</span>
<span class="source-line-no">150</span><span id="line-150"> LOG.error("Error while trying to login as user {} through {}, with message: {}.",</span>
<span class="source-line-no">151</span><span id="line-151"> HBASE_CLIENT_KERBEROS_PRINCIPAL, HBASE_CLIENT_KEYTAB_FILE, ioe.getMessage());</span>
<span class="source-line-no">152</span><span id="line-152"> throw ioe;</span>
<span class="source-line-no">153</span><span id="line-153"> }</span>
<span class="source-line-no">154</span><span id="line-154"> return provider.getCurrent();</span>
<span class="source-line-no">155</span><span id="line-155"> }</span>
<span class="source-line-no">156</span><span id="line-156"></span>
<span class="source-line-no">157</span><span id="line-157"> /**</span>
<span class="source-line-no">158</span><span id="line-158"> * For kerberized cluster, return login user (from kinit or from keytab). Principal should be the</span>
<span class="source-line-no">159</span><span id="line-159"> * following format: name/fully.qualified.domain.name@REALM. For non-kerberized cluster, return</span>
<span class="source-line-no">160</span><span id="line-160"> * system user.</span>
<span class="source-line-no">161</span><span id="line-161"> * &lt;p&gt;</span>
<span class="source-line-no">162</span><span id="line-162"> * NOT recommend to use to method unless you're sure what you're doing, it is for canary only.</span>
<span class="source-line-no">163</span><span id="line-163"> * Please use User#loginClient.</span>
<span class="source-line-no">164</span><span id="line-164"> * @param conf configuration file</span>
<span class="source-line-no">165</span><span id="line-165"> * @throws IOException login exception</span>
<span class="source-line-no">166</span><span id="line-166"> */</span>
<span class="source-line-no">167</span><span id="line-167"> private static User loginClientAsService(Configuration conf) throws IOException {</span>
<span class="source-line-no">168</span><span id="line-168"> UserProvider provider = UserProvider.instantiate(conf);</span>
<span class="source-line-no">169</span><span id="line-169"> if (provider.isHBaseSecurityEnabled() &amp;&amp; provider.isHadoopSecurityEnabled()) {</span>
<span class="source-line-no">170</span><span id="line-170"> try {</span>
<span class="source-line-no">171</span><span id="line-171"> if (provider.shouldLoginFromKeytab()) {</span>
<span class="source-line-no">172</span><span id="line-172"> String host = Strings.domainNamePointerToHostName(</span>
<span class="source-line-no">173</span><span id="line-173"> DNS.getDefaultHost(conf.get("hbase.client.dns.interface", "default"),</span>
<span class="source-line-no">174</span><span id="line-174"> conf.get("hbase.client.dns.nameserver", "default")));</span>
<span class="source-line-no">175</span><span id="line-175"> provider.login(HBASE_CLIENT_KEYTAB_FILE, HBASE_CLIENT_KERBEROS_PRINCIPAL, host);</span>
<span class="source-line-no">176</span><span id="line-176"> }</span>
<span class="source-line-no">177</span><span id="line-177"> } catch (UnknownHostException e) {</span>
<span class="source-line-no">178</span><span id="line-178"> LOG.error("Error resolving host name: " + e.getMessage(), e);</span>
<span class="source-line-no">179</span><span id="line-179"> throw e;</span>
<span class="source-line-no">180</span><span id="line-180"> } catch (IOException e) {</span>
<span class="source-line-no">181</span><span id="line-181"> LOG.error("Error while trying to perform the initial login: " + e.getMessage(), e);</span>
<span class="source-line-no">182</span><span id="line-182"> throw e;</span>
<span class="source-line-no">183</span><span id="line-183"> }</span>
<span class="source-line-no">184</span><span id="line-184"> }</span>
<span class="source-line-no">185</span><span id="line-185"> return provider.getCurrent();</span>
<span class="source-line-no">186</span><span id="line-186"> }</span>
<span class="source-line-no">187</span><span id="line-187"></span>
<span class="source-line-no">188</span><span id="line-188"> /**</span>
<span class="source-line-no">189</span><span id="line-189"> * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.</span>
<span class="source-line-no">190</span><span id="line-190"> * @return a ScheduledChore for renewals.</span>
<span class="source-line-no">191</span><span id="line-191"> */</span>
<span class="source-line-no">192</span><span id="line-192"> @InterfaceAudience.Private</span>
<span class="source-line-no">193</span><span id="line-193"> public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user,</span>
<span class="source-line-no">194</span><span id="line-194"> Configuration conf) {</span>
<span class="source-line-no">195</span><span id="line-195"> if (!user.hasKerberosCredentials() || !isAuthRenewalChoreEnabled(conf)) {</span>
<span class="source-line-no">196</span><span id="line-196"> return null;</span>
<span class="source-line-no">197</span><span id="line-197"> }</span>
<span class="source-line-no">198</span><span id="line-198"></span>
<span class="source-line-no">199</span><span id="line-199"> Stoppable stoppable = createDummyStoppable();</span>
<span class="source-line-no">200</span><span id="line-200"> // if you're in debug mode this is useful to avoid getting spammed by the getTGT()</span>
<span class="source-line-no">201</span><span id="line-201"> // you can increase this, keeping in mind that the default refresh window is 0.8</span>
<span class="source-line-no">202</span><span id="line-202"> // e.g. 5min tgt * 0.8 = 4min refresh so interval is better be way less than 1min</span>
<span class="source-line-no">203</span><span id="line-203"> final int CHECK_TGT_INTERVAL = 30 * 1000; // 30sec</span>
<span class="source-line-no">204</span><span id="line-204"> return new ScheduledChore("RefreshCredentials", stoppable, CHECK_TGT_INTERVAL) {</span>
<span class="source-line-no">205</span><span id="line-205"> @Override</span>
<span class="source-line-no">206</span><span id="line-206"> protected void chore() {</span>
<span class="source-line-no">207</span><span id="line-207"> try {</span>
<span class="source-line-no">208</span><span id="line-208"> user.checkTGTAndReloginFromKeytab();</span>
<span class="source-line-no">209</span><span id="line-209"> } catch (IOException e) {</span>
<span class="source-line-no">210</span><span id="line-210"> LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e);</span>
<span class="source-line-no">211</span><span id="line-211"> }</span>
<span class="source-line-no">212</span><span id="line-212"> }</span>
<span class="source-line-no">213</span><span id="line-213"> };</span>
<span class="source-line-no">214</span><span id="line-214"> }</span>
<span class="source-line-no">215</span><span id="line-215"></span>
<span class="source-line-no">216</span><span id="line-216"> /**</span>
<span class="source-line-no">217</span><span id="line-217"> * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.</span>
<span class="source-line-no">218</span><span id="line-218"> * @param conf the hbase service configuration</span>
<span class="source-line-no">219</span><span id="line-219"> * @return a ScheduledChore for renewals, if needed, and null otherwise.</span>
<span class="source-line-no">220</span><span id="line-220"> * @deprecated Deprecated since 2.2.0, this method will be</span>
<span class="source-line-no">221</span><span id="line-221"> * {@link org.apache.yetus.audience.InterfaceAudience.Private} use only after 4.0.0.</span>
<span class="source-line-no">222</span><span id="line-222"> * @see &lt;a href="https://issues.apache.org/jira/browse/HBASE-20886"&gt;HBASE-20886&lt;/a&gt;</span>
<span class="source-line-no">223</span><span id="line-223"> */</span>
<span class="source-line-no">224</span><span id="line-224"> @Deprecated</span>
<span class="source-line-no">225</span><span id="line-225"> public static ScheduledChore getAuthChore(Configuration conf) throws IOException {</span>
<span class="source-line-no">226</span><span id="line-226"> if (!isAuthRenewalChoreEnabled(conf)) {</span>
<span class="source-line-no">227</span><span id="line-227"> return null;</span>
<span class="source-line-no">228</span><span id="line-228"> }</span>
<span class="source-line-no">229</span><span id="line-229"> User user = loginClientAsService(conf);</span>
<span class="source-line-no">230</span><span id="line-230"> return getAuthRenewalChore(user.getUGI(), conf);</span>
<span class="source-line-no">231</span><span id="line-231"> }</span>
<span class="source-line-no">232</span><span id="line-232"></span>
<span class="source-line-no">233</span><span id="line-233"> private static Stoppable createDummyStoppable() {</span>
<span class="source-line-no">234</span><span id="line-234"> return new Stoppable() {</span>
<span class="source-line-no">235</span><span id="line-235"> private volatile boolean isStopped = false;</span>
<span class="source-line-no">236</span><span id="line-236"></span>
<span class="source-line-no">237</span><span id="line-237"> @Override</span>
<span class="source-line-no">238</span><span id="line-238"> public void stop(String why) {</span>
<span class="source-line-no">239</span><span id="line-239"> isStopped = true;</span>
<span class="source-line-no">240</span><span id="line-240"> }</span>
<span class="source-line-no">241</span><span id="line-241"></span>
<span class="source-line-no">242</span><span id="line-242"> @Override</span>
<span class="source-line-no">243</span><span id="line-243"> public boolean isStopped() {</span>
<span class="source-line-no">244</span><span id="line-244"> return isStopped;</span>
<span class="source-line-no">245</span><span id="line-245"> }</span>
<span class="source-line-no">246</span><span id="line-246"> };</span>
<span class="source-line-no">247</span><span id="line-247"> }</span>
<span class="source-line-no">248</span><span id="line-248"></span>
<span class="source-line-no">249</span><span id="line-249"> /**</span>
<span class="source-line-no">250</span><span id="line-250"> * Returns whether or not the given name should be interpreted as a group principal. Currently</span>
<span class="source-line-no">251</span><span id="line-251"> * this simply checks if the name starts with the special group prefix character ("@").</span>
<span class="source-line-no">252</span><span id="line-252"> */</span>
<span class="source-line-no">253</span><span id="line-253"> @InterfaceAudience.Private</span>
<span class="source-line-no">254</span><span id="line-254"> public static boolean isGroupPrincipal(String name) {</span>
<span class="source-line-no">255</span><span id="line-255"> return name != null &amp;&amp; name.startsWith(GROUP_PREFIX);</span>
<span class="source-line-no">256</span><span id="line-256"> }</span>
<span class="source-line-no">257</span><span id="line-257"></span>
<span class="source-line-no">258</span><span id="line-258"> /**</span>
<span class="source-line-no">259</span><span id="line-259"> * Returns the actual name for a group principal (stripped of the group prefix).</span>
<span class="source-line-no">260</span><span id="line-260"> */</span>
<span class="source-line-no">261</span><span id="line-261"> @InterfaceAudience.Private</span>
<span class="source-line-no">262</span><span id="line-262"> public static String getGroupName(String aclKey) {</span>
<span class="source-line-no">263</span><span id="line-263"> if (!isGroupPrincipal(aclKey)) {</span>
<span class="source-line-no">264</span><span id="line-264"> return aclKey;</span>
<span class="source-line-no">265</span><span id="line-265"> }</span>
<span class="source-line-no">266</span><span id="line-266"></span>
<span class="source-line-no">267</span><span id="line-267"> return aclKey.substring(GROUP_PREFIX.length());</span>
<span class="source-line-no">268</span><span id="line-268"> }</span>
<span class="source-line-no">269</span><span id="line-269"></span>
<span class="source-line-no">270</span><span id="line-270"> /**</span>
<span class="source-line-no">271</span><span id="line-271"> * Returns the group entry with the group prefix for a group principal.</span>
<span class="source-line-no">272</span><span id="line-272"> */</span>
<span class="source-line-no">273</span><span id="line-273"> @InterfaceAudience.Private</span>
<span class="source-line-no">274</span><span id="line-274"> public static String toGroupEntry(String name) {</span>
<span class="source-line-no">275</span><span id="line-275"> return GROUP_PREFIX + name;</span>
<span class="source-line-no">276</span><span id="line-276"> }</span>
<span class="source-line-no">277</span><span id="line-277"></span>
<span class="source-line-no">278</span><span id="line-278"> /**</span>
<span class="source-line-no">279</span><span id="line-279"> * Returns true if the chore to automatically renew Kerberos tickets (from keytabs) should be</span>
<span class="source-line-no">280</span><span id="line-280"> * started. The default is true.</span>
<span class="source-line-no">281</span><span id="line-281"> */</span>
<span class="source-line-no">282</span><span id="line-282"> static boolean isAuthRenewalChoreEnabled(Configuration conf) {</span>
<span class="source-line-no">283</span><span id="line-283"> return conf.getBoolean(HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY,</span>
<span class="source-line-no">284</span><span id="line-284"> HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT);</span>
<span class="source-line-no">285</span><span id="line-285"> }</span>
<span class="source-line-no">286</span><span id="line-286">}</span>
</pre>
</div>
</main>
</body>
</html>