0.90/src/main/java/org/apache/hadoop/hbase/security/User.java - hbase - Git at Google

 /*
  * Copyright 2010 The Apache Software Foundation
  *
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.hadoop.hbase.security;

 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;

 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.lang.reflect.UndeclaredThrowableException;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
 import org.apache.commons.logging.Log;

 /**
  * Wrapper to abstract out usage of user and group information in HBase.
  *
  * <p>
  * This class provides a common interface for interacting with user and group
  * information across changing APIs in different versions of Hadoop.  It only
  * provides access to the common set of functionality in
  * {@link org.apache.hadoop.security.UserGroupInformation} currently needed by
  * HBase, but can be extended as needs change.
  * </p>
  *
  * <p>
  * Note: this class does not attempt to support any of the Kerberos
  * authentication methods exposed in security-enabled Hadoop (for the moment
  * at least), as they're not yet needed.  Properly supporting
  * authentication is left up to implementation in secure HBase.
  * </p>
  */
 public abstract class User {
   private static boolean IS_SECURE_HADOOP = true;
   static {
     try {
       UserGroupInformation.class.getMethod("isSecurityEnabled");
     } catch (NoSuchMethodException nsme) {
       IS_SECURE_HADOOP = false;
     }
   }
   private static Log LOG = LogFactory.getLog(User.class);
   protected UserGroupInformation ugi;

   /**
    * Returns the full user name.  For Kerberos principals this will include
    * the host and realm portions of the principal name.
    * @return User full name.
    */
   public String getName() {
     return ugi.getUserName();
   }

   /**
    * Returns the shortened version of the user name -- the portion that maps
    * to an operating system user name.
    * @return Short name
    */
   public abstract String getShortName();

   /**
    * Executes the given action within the context of this user.
    */
   public abstract <T> T runAs(PrivilegedAction<T> action);

   /**
    * Executes the given action within the context of this user.
    */
   public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
       throws IOException, InterruptedException;

   public String toString() {
     return ugi.toString();
   }

   /**
    * Returns the {@code User} instance within current execution context.
    */
   public static User getCurrent() {
     if (IS_SECURE_HADOOP) {
       return new SecureHadoopUser();
     } else {
       return new HadoopUser();
     }
   }

   /**
    * Generates a new {@code User} instance specifically for use in test code.
    * @param name the full username
    * @param groups the group names to which the test user will belong
    * @return a new <code>User</code> instance
    */
   public static User createUserForTesting(Configuration conf,
       String name, String[] groups) {
     if (IS_SECURE_HADOOP) {
       return SecureHadoopUser.createUserForTesting(conf, name, groups);
     }
     return HadoopUser.createUserForTesting(conf, name, groups);
   }

   /* Concrete implementations */

   /**
    * Bridges {@link User} calls to invocations of the appropriate methods
    * in {@link org.apache.hadoop.security.UserGroupInformation} in regular
    * Hadoop 0.20 (ASF Hadoop and other versions without the backported security
    * features).
    */
   private static class HadoopUser extends User {

     private HadoopUser() {
       ugi = (UserGroupInformation) callStatic("getCurrentUGI");
     }

     private HadoopUser(UserGroupInformation ugi) {
       this.ugi = ugi;
     }

     @Override
     public String getShortName() {
       return ugi.getUserName();
     }

     @Override
     public <T> T runAs(PrivilegedAction<T> action) {
       UserGroupInformation previous =
           (UserGroupInformation) callStatic("getCurrentUGI");
       if (ugi != null) {
         callStatic("setCurrentUser", new Class[]{UserGroupInformation.class},
             new Object[]{ugi});
       }
       T result = action.run();
       callStatic("setCurrentUser", new Class[]{UserGroupInformation.class},
           new Object[]{previous});
       return result;
     }

     @Override
     public <T> T runAs(PrivilegedExceptionAction<T> action)
         throws IOException, InterruptedException {
       UserGroupInformation previous =
           (UserGroupInformation) callStatic("getCurrentUGI");
       if (ugi != null) {
         callStatic("setCurrentUGI", new Class[]{UserGroupInformation.class},
             new Object[]{ugi});
       }
       T result = null;
       try {
         result = action.run();
       } catch (Exception e) {
         if (e instanceof IOException) {
           throw (IOException)e;
         } else if (e instanceof InterruptedException) {
           throw (InterruptedException)e;
         } else if (e instanceof RuntimeException) {
           throw (RuntimeException)e;
         } else {
           throw new UndeclaredThrowableException(e, "Unknown exception in runAs()");
         }
       } finally {
         callStatic("setCurrentUGI", new Class[]{UserGroupInformation.class},
             new Object[]{previous});
       }
       return result;
     }

     public static User createUserForTesting(Configuration conf,
         String name, String[] groups) {
       try {
         Class c = Class.forName("org.apache.hadoop.security.UnixUserGroupInformation");
         Constructor constructor = c.getConstructor(String.class, String[].class);
         if (constructor == null) {
           throw new NullPointerException(
              );
         }
         UserGroupInformation newUser =
             (UserGroupInformation)constructor.newInstance(name, groups);
         // set user in configuration -- hack for regular hadoop
         conf.set("hadoop.job.ugi", newUser.toString());
         return new HadoopUser(newUser);
       } catch (ClassNotFoundException cnfe) {
         LOG.error("UnixUserGroupInformation not found, is this secure Hadoop?", cnfe);
       } catch (NoSuchMethodException nsme) {
         LOG.error("No valid constructor found for UnixUserGroupInformation!", nsme);
       } catch (Exception e) {
         LOG.error("Error instantiating new UnixUserGroupInformation", e);
       }

       return null;
     }
   }

   /**
    * Bridges {@code User} invocations to underlying calls to
    * {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop
    * 0.20 and versions 0.21 and above.
    */
   private static class SecureHadoopUser extends User {
     private SecureHadoopUser() {
       ugi = (UserGroupInformation) callStatic("getCurrentUser");
     }

     private SecureHadoopUser(UserGroupInformation ugi) {
       this.ugi = ugi;
     }

     @Override
     public String getShortName() {
       return (String)call(ugi, "getShortUserName", null, null);
     }

     @Override
     public <T> T runAs(PrivilegedAction<T> action) {
       return (T) call(ugi, "doAs", new Class[]{PrivilegedAction.class},
           new Object[]{action});
     }

     @Override
     public <T> T runAs(PrivilegedExceptionAction<T> action)
         throws IOException, InterruptedException {
       return (T) call(ugi, "doAs",
           new Class[]{PrivilegedExceptionAction.class},
           new Object[]{action});
     }

     public static User createUserForTesting(Configuration conf,
         String name, String[] groups) {
       return new SecureHadoopUser(
           (UserGroupInformation)callStatic("createUserForTesting",
               new Class[]{String.class, String[].class},
               new Object[]{name, groups})
       );
     }
   }

   /* Reflection helper methods */
   private static Object callStatic(String methodName) {
     return call(null, methodName, null, null);
   }

   private static Object callStatic(String methodName, Class[] types,
       Object[] args) {
     return call(null, methodName, types, args);
   }

   private static Object call(UserGroupInformation instance, String methodName,
       Class[] types, Object[] args) {
     try {
       Method m = UserGroupInformation.class.getMethod(methodName, types);
       return m.invoke(instance, args);
     } catch (NoSuchMethodException nsme) {
       LOG.fatal("Can't find method "+methodName+" in UserGroupInformation!",
           nsme);
     } catch (Exception e) {
       LOG.fatal("Error calling method "+methodName, e);
     }
     return null;
   }
 }
	/*
	* Copyright 2010 The Apache Software Foundation
	*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.hbase.security;

	import org.apache.commons.logging.LogFactory;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.security.UserGroupInformation;

	import java.io.IOException;
	import java.lang.reflect.Constructor;
	import java.lang.reflect.Method;
	import java.lang.reflect.UndeclaredThrowableException;
	import java.security.PrivilegedAction;
	import java.security.PrivilegedExceptionAction;
	import org.apache.commons.logging.Log;

	/**
	* Wrapper to abstract out usage of user and group information in HBase.
	*
	* <p>
	* This class provides a common interface for interacting with user and group
	* information across changing APIs in different versions of Hadoop. It only
	* provides access to the common set of functionality in
	* {@link org.apache.hadoop.security.UserGroupInformation} currently needed by
	* HBase, but can be extended as needs change.
	* </p>
	*
	* <p>
	* Note: this class does not attempt to support any of the Kerberos
	* authentication methods exposed in security-enabled Hadoop (for the moment
	* at least), as they're not yet needed. Properly supporting
	* authentication is left up to implementation in secure HBase.
	* </p>
	*/
	public abstract class User {
	private static boolean IS_SECURE_HADOOP = true;
	static {
	try {
	UserGroupInformation.class.getMethod("isSecurityEnabled");
	} catch (NoSuchMethodException nsme) {
	IS_SECURE_HADOOP = false;
	}
	}
	private static Log LOG = LogFactory.getLog(User.class);
	protected UserGroupInformation ugi;

	/**
	* Returns the full user name. For Kerberos principals this will include
	* the host and realm portions of the principal name.
	* @return User full name.
	*/
	public String getName() {
	return ugi.getUserName();
	}

	/**
	* Returns the shortened version of the user name -- the portion that maps
	* to an operating system user name.
	* @return Short name
	*/
	public abstract String getShortName();

	/**
	* Executes the given action within the context of this user.
	*/
	public abstract <T> T runAs(PrivilegedAction<T> action);

	/**
	* Executes the given action within the context of this user.
	*/
	public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
	throws IOException, InterruptedException;

	public String toString() {
	return ugi.toString();
	}

	/**
	* Returns the {@code User} instance within current execution context.
	*/
	public static User getCurrent() {
	if (IS_SECURE_HADOOP) {
	return new SecureHadoopUser();
	} else {
	return new HadoopUser();
	}
	}

	/**
	* Generates a new {@code User} instance specifically for use in test code.
	* @param name the full username
	* @param groups the group names to which the test user will belong
	* @return a new <code>User</code> instance
	*/
	public static User createUserForTesting(Configuration conf,
	String name, String[] groups) {
	if (IS_SECURE_HADOOP) {
	return SecureHadoopUser.createUserForTesting(conf, name, groups);
	}
	return HadoopUser.createUserForTesting(conf, name, groups);
	}

	/* Concrete implementations */

	/**
	* Bridges {@link User} calls to invocations of the appropriate methods
	* in {@link org.apache.hadoop.security.UserGroupInformation} in regular
	* Hadoop 0.20 (ASF Hadoop and other versions without the backported security
	* features).
	*/
	private static class HadoopUser extends User {

	private HadoopUser() {
	ugi = (UserGroupInformation) callStatic("getCurrentUGI");
	}

	private HadoopUser(UserGroupInformation ugi) {
	this.ugi = ugi;
	}

	@Override
	public String getShortName() {
	return ugi.getUserName();
	}

	@Override
	public <T> T runAs(PrivilegedAction<T> action) {
	UserGroupInformation previous =
	(UserGroupInformation) callStatic("getCurrentUGI");
	if (ugi != null) {
	callStatic("setCurrentUser", new Class[]{UserGroupInformation.class},
	new Object[]{ugi});
	}
	T result = action.run();
	callStatic("setCurrentUser", new Class[]{UserGroupInformation.class},
	new Object[]{previous});
	return result;
	}

	@Override
	public <T> T runAs(PrivilegedExceptionAction<T> action)
	throws IOException, InterruptedException {
	UserGroupInformation previous =
	(UserGroupInformation) callStatic("getCurrentUGI");
	if (ugi != null) {
	callStatic("setCurrentUGI", new Class[]{UserGroupInformation.class},
	new Object[]{ugi});
	}
	T result = null;
	try {
	result = action.run();
	} catch (Exception e) {
	if (e instanceof IOException) {
	throw (IOException)e;
	} else if (e instanceof InterruptedException) {
	throw (InterruptedException)e;
	} else if (e instanceof RuntimeException) {
	throw (RuntimeException)e;
	} else {
	throw new UndeclaredThrowableException(e, "Unknown exception in runAs()");
	}
	} finally {
	callStatic("setCurrentUGI", new Class[]{UserGroupInformation.class},
	new Object[]{previous});
	}
	return result;
	}

	public static User createUserForTesting(Configuration conf,
	String name, String[] groups) {
	try {
	Class c = Class.forName("org.apache.hadoop.security.UnixUserGroupInformation");
	Constructor constructor = c.getConstructor(String.class, String[].class);
	if (constructor == null) {
	throw new NullPointerException(
	);
	}
	UserGroupInformation newUser =
	(UserGroupInformation)constructor.newInstance(name, groups);
	// set user in configuration -- hack for regular hadoop
	conf.set("hadoop.job.ugi", newUser.toString());
	return new HadoopUser(newUser);
	} catch (ClassNotFoundException cnfe) {
	LOG.error("UnixUserGroupInformation not found, is this secure Hadoop?", cnfe);
	} catch (NoSuchMethodException nsme) {
	LOG.error("No valid constructor found for UnixUserGroupInformation!", nsme);
	} catch (Exception e) {
	LOG.error("Error instantiating new UnixUserGroupInformation", e);
	}

	return null;
	}
	}

	/**
	* Bridges {@code User} invocations to underlying calls to
	* {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop
	* 0.20 and versions 0.21 and above.
	*/
	private static class SecureHadoopUser extends User {
	private SecureHadoopUser() {
	ugi = (UserGroupInformation) callStatic("getCurrentUser");
	}

	private SecureHadoopUser(UserGroupInformation ugi) {
	this.ugi = ugi;
	}

	@Override
	public String getShortName() {
	return (String)call(ugi, "getShortUserName", null, null);
	}

	@Override
	public <T> T runAs(PrivilegedAction<T> action) {
	return (T) call(ugi, "doAs", new Class[]{PrivilegedAction.class},
	new Object[]{action});
	}

	@Override
	public <T> T runAs(PrivilegedExceptionAction<T> action)
	throws IOException, InterruptedException {
	return (T) call(ugi, "doAs",
	new Class[]{PrivilegedExceptionAction.class},
	new Object[]{action});
	}

	public static User createUserForTesting(Configuration conf,
	String name, String[] groups) {
	return new SecureHadoopUser(
	(UserGroupInformation)callStatic("createUserForTesting",
	new Class[]{String.class, String[].class},
	new Object[]{name, groups})
	);
	}
	}

	/* Reflection helper methods */
	private static Object callStatic(String methodName) {
	return call(null, methodName, null, null);
	}

	private static Object callStatic(String methodName, Class[] types,
	Object[] args) {
	return call(null, methodName, types, args);
	}

	private static Object call(UserGroupInformation instance, String methodName,
	Class[] types, Object[] args) {
	try {
	Method m = UserGroupInformation.class.getMethod(methodName, types);
	return m.invoke(instance, args);
	} catch (NoSuchMethodException nsme) {
	LOG.fatal("Can't find method "+methodName+" in UserGroupInformation!",
	nsme);
	} catch (Exception e) {
	LOG.fatal("Error calling method "+methodName, e);
	}
	return null;
	}
	}