src/org/apache/pig/backend/hadoop/HKerberos.java - pig - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.pig.backend.hadoop;

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;

 import java.io.IOException;

 /**
  * Support for logging in using a kerberos keytab file.
  *
  * <br/>
  * Kerberos is a authentication system that uses tickets with a limited valitity time.<br/>
  * As a consequence running a pig script on a kerberos secured hadoop cluster limits the running time to at most
  * the remaining validity time of these kerberos tickets. When doing really complex analytics this may become a
  * problem as the job may need to run for a longer time than these ticket times allow.<br/>
  * A kerberos keytab file is essentially a Kerberos specific form of the password of a user. <br/>
  * It is possible to enable a Hadoop job to request new tickets when they expire by creating a keytab file and
  * make it part of the job that is running in the cluster.
  * This will extend the maximum job duration beyond the maximum renew time of the kerberos tickets.<br/>
  * <br/>
  * Usage:
  * <ol>
  *      <li>Create a keytab file for the required principal.<br/>
  *      <p>Using the ktutil tool you can create a keytab using roughly these commands:<br/>
  *      <i>addent -password -p niels@EXAMPLE.NL -k 1 -e rc4-hmac<br/>
  *      addent -password -p niels@EXAMPLE.NL -k 1 -e aes256-cts<br/>
  *      wkt niels.keytab</i></p>
  *      </li>
  *      <li>Set the following properties (either via the .pigrc file or on the command line via -P file)<br/>
  *          <ul>
  *          <li><i>java.security.krb5.conf</i><br/>
  *              The path to the local krb5.conf file.<br/>
  *              Usually this is "/etc/krb5.conf"</li>
  *          <li><i>hadoop.security.krb5.principal</i><br/>
  *              The pricipal you want to login with.<br/>
  *              Usually this would look like this "niels@EXAMPLE.NL"</li>
  *          <li><i>hadoop.security.krb5.keytab</i><br/>
  *              The path to the local keytab file that must be used to authenticate with.<br/>
  *              Usually this would look like this "/home/niels/.krb/niels.keytab"</li>
  *          </ul></li>
  * </ol>
  * NOTE: All paths in these variables are local to the client system starting the actual pig script.
  * This can be run without any special access to the cluster nodes.
  */
 public class HKerberos {
     private static final Log LOG = LogFactory.getLog(HKerberos.class);

     public static void tryKerberosKeytabLogin(Configuration conf) {
         // Before we can actually connect we may need to login using the provided credentials.
         if (UserGroupInformation.isSecurityEnabled()) {
             UserGroupInformation loginUser;
             try {
                 loginUser = UserGroupInformation.getLoginUser();
             } catch (IOException e) {
                 LOG.error("Unable to start attempt to login using Kerberos keytab: " + e.getMessage());
                 return;
             }

             // If we are logged in into Kerberos with a keytab we can skip this to avoid needless logins
             if (!loginUser.hasKerberosCredentials() && !loginUser.isFromKeytab()) {
                 String krb5Conf      = conf.get("java.security.krb5.conf");
                 String krb5Principal = conf.get("hadoop.security.krb5.principal");
                 String krb5Keytab    = conf.get("hadoop.security.krb5.keytab");

                 // Only attempt login if we have all the required settings.
                 if (krb5Conf != null && krb5Principal != null && krb5Keytab != null) {
                     LOG.info("Trying login using Kerberos Keytab");
                     LOG.info("krb5: Conf      = " + krb5Conf);
                     LOG.info("krb5: Principal = " + krb5Principal);
                     LOG.info("krb5: Keytab    = " + krb5Keytab);
                     System.setProperty("java.security.krb5.conf", krb5Conf);
                     try {
                         UserGroupInformation.loginUserFromKeytab(krb5Principal, krb5Keytab);
                     } catch (IOException e) {
                         LOG.error("Unable to perform keytab based kerberos authentication: " + e.getMessage());
                     }
                 }
             }
         }
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.pig.backend.hadoop;

	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.security.UserGroupInformation;

	import java.io.IOException;

	/**
	* Support for logging in using a kerberos keytab file.
	*
	* <br/>
	* Kerberos is a authentication system that uses tickets with a limited valitity time.<br/>
	* As a consequence running a pig script on a kerberos secured hadoop cluster limits the running time to at most
	* the remaining validity time of these kerberos tickets. When doing really complex analytics this may become a
	* problem as the job may need to run for a longer time than these ticket times allow.<br/>
	* A kerberos keytab file is essentially a Kerberos specific form of the password of a user. <br/>
	* It is possible to enable a Hadoop job to request new tickets when they expire by creating a keytab file and
	* make it part of the job that is running in the cluster.
	* This will extend the maximum job duration beyond the maximum renew time of the kerberos tickets.<br/>
	* <br/>
	* Usage:
	* <ol>
	* <li>Create a keytab file for the required principal.<br/>
	* <p>Using the ktutil tool you can create a keytab using roughly these commands:<br/>
	* <i>addent -password -p niels@EXAMPLE.NL -k 1 -e rc4-hmac<br/>
	* addent -password -p niels@EXAMPLE.NL -k 1 -e aes256-cts<br/>
	* wkt niels.keytab</i></p>
	* </li>
	* <li>Set the following properties (either via the .pigrc file or on the command line via -P file)<br/>
	* <ul>
	* <li><i>java.security.krb5.conf</i><br/>
	* The path to the local krb5.conf file.<br/>
	* Usually this is "/etc/krb5.conf"</li>
	* <li><i>hadoop.security.krb5.principal</i><br/>
	* The pricipal you want to login with.<br/>
	* Usually this would look like this "niels@EXAMPLE.NL"</li>
	* <li><i>hadoop.security.krb5.keytab</i><br/>
	* The path to the local keytab file that must be used to authenticate with.<br/>
	* Usually this would look like this "/home/niels/.krb/niels.keytab"</li>
	* </ul></li>
	* </ol>
	* NOTE: All paths in these variables are local to the client system starting the actual pig script.
	* This can be run without any special access to the cluster nodes.
	*/
	public class HKerberos {
	private static final Log LOG = LogFactory.getLog(HKerberos.class);

	public static void tryKerberosKeytabLogin(Configuration conf) {
	// Before we can actually connect we may need to login using the provided credentials.
	if (UserGroupInformation.isSecurityEnabled()) {
	UserGroupInformation loginUser;
	try {
	loginUser = UserGroupInformation.getLoginUser();
	} catch (IOException e) {
	LOG.error("Unable to start attempt to login using Kerberos keytab: " + e.getMessage());
	return;
	}

	// If we are logged in into Kerberos with a keytab we can skip this to avoid needless logins
	if (!loginUser.hasKerberosCredentials() && !loginUser.isFromKeytab()) {
	String krb5Conf = conf.get("java.security.krb5.conf");
	String krb5Principal = conf.get("hadoop.security.krb5.principal");
	String krb5Keytab = conf.get("hadoop.security.krb5.keytab");

	// Only attempt login if we have all the required settings.
	if (krb5Conf != null && krb5Principal != null && krb5Keytab != null) {
	LOG.info("Trying login using Kerberos Keytab");
	LOG.info("krb5: Conf = " + krb5Conf);
	LOG.info("krb5: Principal = " + krb5Principal);
	LOG.info("krb5: Keytab = " + krb5Keytab);
	System.setProperty("java.security.krb5.conf", krb5Conf);
	try {
	UserGroupInformation.loginUserFromKeytab(krb5Principal, krb5Keytab);
	} catch (IOException e) {
	LOG.error("Unable to perform keytab based kerberos authentication: " + e.getMessage());
	}
	}
	}
	}
	}

	}