| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.pig.backend.hadoop; |
| |
| import org.apache.commons.logging.Log; |
| import org.apache.commons.logging.LogFactory; |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.hadoop.security.UserGroupInformation; |
| |
| import java.io.IOException; |
| |
| /** |
| * Support for logging in using a kerberos keytab file. |
| * |
| * <br/> |
| * Kerberos is a authentication system that uses tickets with a limited valitity time.<br/> |
| * As a consequence running a pig script on a kerberos secured hadoop cluster limits the running time to at most |
| * the remaining validity time of these kerberos tickets. When doing really complex analytics this may become a |
| * problem as the job may need to run for a longer time than these ticket times allow.<br/> |
| * A kerberos keytab file is essentially a Kerberos specific form of the password of a user. <br/> |
| * It is possible to enable a Hadoop job to request new tickets when they expire by creating a keytab file and |
| * make it part of the job that is running in the cluster. |
| * This will extend the maximum job duration beyond the maximum renew time of the kerberos tickets.<br/> |
| * <br/> |
| * Usage: |
| * <ol> |
| * <li>Create a keytab file for the required principal.<br/> |
| * <p>Using the ktutil tool you can create a keytab using roughly these commands:<br/> |
| * <i>addent -password -p niels@EXAMPLE.NL -k 1 -e rc4-hmac<br/> |
| * addent -password -p niels@EXAMPLE.NL -k 1 -e aes256-cts<br/> |
| * wkt niels.keytab</i></p> |
| * </li> |
| * <li>Set the following properties (either via the .pigrc file or on the command line via -P file)<br/> |
| * <ul> |
| * <li><i>java.security.krb5.conf</i><br/> |
| * The path to the local krb5.conf file.<br/> |
| * Usually this is "/etc/krb5.conf"</li> |
| * <li><i>hadoop.security.krb5.principal</i><br/> |
| * The pricipal you want to login with.<br/> |
| * Usually this would look like this "niels@EXAMPLE.NL"</li> |
| * <li><i>hadoop.security.krb5.keytab</i><br/> |
| * The path to the local keytab file that must be used to authenticate with.<br/> |
| * Usually this would look like this "/home/niels/.krb/niels.keytab"</li> |
| * </ul></li> |
| * </ol> |
| * NOTE: All paths in these variables are local to the client system starting the actual pig script. |
| * This can be run without any special access to the cluster nodes. |
| */ |
| public class HKerberos { |
| private static final Log LOG = LogFactory.getLog(HKerberos.class); |
| |
| public static void tryKerberosKeytabLogin(Configuration conf) { |
| // Before we can actually connect we may need to login using the provided credentials. |
| if (UserGroupInformation.isSecurityEnabled()) { |
| UserGroupInformation loginUser; |
| try { |
| loginUser = UserGroupInformation.getLoginUser(); |
| } catch (IOException e) { |
| LOG.error("Unable to start attempt to login using Kerberos keytab: " + e.getMessage()); |
| return; |
| } |
| |
| // If we are logged in into Kerberos with a keytab we can skip this to avoid needless logins |
| if (!loginUser.hasKerberosCredentials() && !loginUser.isFromKeytab()) { |
| String krb5Conf = conf.get("java.security.krb5.conf"); |
| String krb5Principal = conf.get("hadoop.security.krb5.principal"); |
| String krb5Keytab = conf.get("hadoop.security.krb5.keytab"); |
| |
| // Only attempt login if we have all the required settings. |
| if (krb5Conf != null && krb5Principal != null && krb5Keytab != null) { |
| LOG.info("Trying login using Kerberos Keytab"); |
| LOG.info("krb5: Conf = " + krb5Conf); |
| LOG.info("krb5: Principal = " + krb5Principal); |
| LOG.info("krb5: Keytab = " + krb5Keytab); |
| System.setProperty("java.security.krb5.conf", krb5Conf); |
| try { |
| UserGroupInformation.loginUserFromKeytab(krb5Principal, krb5Keytab); |
| } catch (IOException e) { |
| LOG.error("Unable to perform keytab based kerberos authentication: " + e.getMessage()); |
| } |
| } |
| } |
| } |
| } |
| |
| } |