org.apache.hadoop.hbase.security.User Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of hbase-common Show documentation
Show all versions of hbase-common Show documentation
Common functionality for HBase
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hbase.security;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.util.Methods;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.hbase.thirdparty.com.google.common.cache.LoadingCache;
/**
* Wrapper to abstract out usage of user and group information in HBase.
*
* This class provides a common interface for interacting with user and group information across
* changing APIs in different versions of Hadoop. It only provides access to the common set of
* functionality in {@link org.apache.hadoop.security.UserGroupInformation} currently needed by
* HBase, but can be extended as needs change.
*
*/
@InterfaceAudience.Public
public abstract class User {
public static final String HBASE_SECURITY_CONF_KEY = "hbase.security.authentication";
public static final String HBASE_SECURITY_AUTHORIZATION_CONF_KEY = "hbase.security.authorization";
protected UserGroupInformation ugi;
public UserGroupInformation getUGI() {
return ugi;
}
/**
* Returns the full user name. For Kerberos principals this will include the host and realm
* portions of the principal name.
* @return User full name.
*/
public String getName() {
return ugi.getUserName();
}
/**
* Returns the list of groups of which this user is a member. On secure Hadoop this returns the
* group information for the user as resolved on the server. For 0.20 based Hadoop, the group
* names are passed from the client.
*/
public String[] getGroupNames() {
return ugi.getGroupNames();
}
/**
* Returns the shortened version of the user name -- the portion that maps to an operating system
* user name.
* @return Short name
*/
public abstract String getShortName();
/**
* Executes the given action within the context of this user.
*/
public abstract T runAs(PrivilegedAction action);
/**
* Executes the given action within the context of this user.
*/
public abstract T runAs(PrivilegedExceptionAction action)
throws IOException, InterruptedException;
/**
* Returns the Token of the specified kind associated with this user, or null if the Token is not
* present.
* @param kind the kind of token
* @param service service on which the token is supposed to be used
* @return the token of the specified kind.
*/
public Token getToken(String kind, String service) throws IOException {
for (Token token : ugi.getTokens()) {
if (
token.getKind().toString().equals(kind)
&& (service != null && token.getService().toString().equals(service))
) {
return token;
}
}
return null;
}
/**
* Returns all the tokens stored in the user's credentials.
*/
public Collection> getTokens() {
return ugi.getTokens();
}
/**
* Adds the given Token to the user's credentials.
* @param token the token to add
*/
public void addToken(Token token) {
ugi.addToken(token);
}
/** Returns true if user credentials are obtained from keytab. */
public boolean isLoginFromKeytab() {
return ugi.isFromKeytab();
}
@Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (!(o instanceof User)) {
return false;
}
return ugi.equals(((User) o).ugi);
}
@Override
public int hashCode() {
return ugi.hashCode();
}
@Override
public String toString() {
return ugi.toString();
}
/** Returns the {@code User} instance within current execution context. */
public static User getCurrent() throws IOException {
User user = new SecureHadoopUser();
if (user.getUGI() == null) {
return null;
}
return user;
}
/** Executes the given action as the login user */
@SuppressWarnings({ "rawtypes", "unchecked" })
public static T runAsLoginUser(PrivilegedExceptionAction action) throws IOException {
try {
Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
Class[] types = new Class[] { PrivilegedExceptionAction.class };
Object[] args = new Object[] { action };
return (T) Methods.call(c, null, "doAsLoginUser", types, args);
} catch (Throwable e) {
throw new IOException(e);
}
}
/**
* Wraps an underlying {@code UserGroupInformation} instance.
* @param ugi The base Hadoop user
*/
public static User create(UserGroupInformation ugi) {
if (ugi == null) {
return null;
}
return new SecureHadoopUser(ugi);
}
/**
* Generates a new {@code User} instance specifically for use in test code.
* @param name the full username
* @param groups the group names to which the test user will belong
* @return a new User instance
*/
public static User createUserForTesting(Configuration conf, String name, String[] groups) {
User userForTesting = SecureHadoopUser.createUserForTesting(conf, name, groups);
return userForTesting;
}
/**
* Log in the current process using the given configuration keys for the credential file and login
* principal.
*
* This is only applicable when running on secure Hadoop -- see
* org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String). On regular
* Hadoop (without security features), this will safely be ignored.
*
* @param conf The configuration data to use
* @param fileConfKey Property key used to configure path to the credential file
* @param principalConfKey Property key used to configure login principal
* @param localhost Current hostname to use in any credentials
* @throws IOException underlying exception from SecurityUtil.login() call
*/
public static void login(Configuration conf, String fileConfKey, String principalConfKey,
String localhost) throws IOException {
SecureHadoopUser.login(conf, fileConfKey, principalConfKey, localhost);
}
/**
* Login with the given keytab and principal.
* @param keytabLocation path of keytab
* @param pricipalName login principal
* @throws IOException underlying exception from UserGroupInformation.loginUserFromKeytab
*/
public static void login(String keytabLocation, String pricipalName) throws IOException {
SecureHadoopUser.login(keytabLocation, pricipalName);
}
/**
* Returns whether or not Kerberos authentication is configured for Hadoop. For non-secure Hadoop,
* this always returns false. For secure Hadoop, it will return the value from
* {@code UserGroupInformation.isSecurityEnabled()}.
*/
public static boolean isSecurityEnabled() {
return SecureHadoopUser.isSecurityEnabled();
}
/**
* Returns whether or not secure authentication is enabled for HBase. Note that HBase security
* requires HDFS security to provide any guarantees, so it is recommended that secure HBase should
* run on secure HDFS.
*/
public static boolean isHBaseSecurityEnabled(Configuration conf) {
return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));
}
/**
* In secure environment, if a user specified his keytab and principal, a hbase client will try to
* login with them. Otherwise, hbase client will try to obtain ticket(through kinit) from system.
* @param conf configuration file
* @return true if keytab and principal are configured
*/
public static boolean shouldLoginFromKeytab(Configuration conf) {
Optional keytab = Optional.ofNullable(conf.get(AuthUtil.HBASE_CLIENT_KEYTAB_FILE));
Optional principal =
Optional.ofNullable(conf.get(AuthUtil.HBASE_CLIENT_KERBEROS_PRINCIPAL));
return keytab.isPresent() && principal.isPresent();
}
/* Concrete implementations */
/**
* Bridges {@code User} invocations to underlying calls to
* {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop 0.20 and versions
* 0.21 and above.
*/
@InterfaceAudience.Private
public static final class SecureHadoopUser extends User {
private String shortName;
private LoadingCache cache;
/**
* Cache value of this instance's {@link #toString()} value. Computing this value is expensive.
* Assumes the UGI is never updated. See HBASE-27708.
*/
private final String toString;
public SecureHadoopUser() throws IOException {
ugi = UserGroupInformation.getCurrentUser();
this.cache = null;
this.toString = ugi.toString();
}
public SecureHadoopUser(UserGroupInformation ugi) {
this.ugi = ugi;
this.cache = null;
this.toString = ugi.toString();
}
public SecureHadoopUser(UserGroupInformation ugi, LoadingCache cache) {
this.ugi = ugi;
this.cache = cache;
this.toString = ugi.toString();
}
@Override
public String getShortName() {
if (shortName != null) return shortName;
try {
shortName = ugi.getShortUserName();
return shortName;
} catch (Exception e) {
throw new RuntimeException("Unexpected error getting user short name", e);
}
}
@Override
public String[] getGroupNames() {
if (cache != null) {
try {
return this.cache.get(getShortName());
} catch (ExecutionException e) {
return new String[0];
}
}
return ugi.getGroupNames();
}
@Override
public T runAs(PrivilegedAction action) {
return ugi.doAs(action);
}
@Override
public T runAs(PrivilegedExceptionAction action)
throws IOException, InterruptedException {
return ugi.doAs(action);
}
@Override
public String toString() {
return toString;
}
/**
* Create a user for testing.
* @see User#createUserForTesting(org.apache.hadoop.conf.Configuration, String, String[])
*/
public static User createUserForTesting(Configuration conf, String name, String[] groups) {
synchronized (UserProvider.class) {
if (!(UserProvider.groups instanceof TestingGroups)) {
UserProvider.groups = new TestingGroups(UserProvider.groups);
}
}
((TestingGroups) UserProvider.groups).setUserGroups(name, groups);
return new SecureHadoopUser(UserGroupInformation.createUserForTesting(name, groups));
}
/**
* Obtain credentials for the current process using the configured Kerberos keytab file and
* principal.
* @see User#login(org.apache.hadoop.conf.Configuration, String, String, String)
* @param conf the Configuration to use
* @param fileConfKey Configuration property key used to store the path to the keytab file
* @param principalConfKey Configuration property key used to store the principal name to login
* as
* @param localhost the local hostname
*/
public static void login(Configuration conf, String fileConfKey, String principalConfKey,
String localhost) throws IOException {
if (isSecurityEnabled()) {
SecurityUtil.login(conf, fileConfKey, principalConfKey, localhost);
}
}
/**
* Login through configured keytab and pricipal.
* @param keytabLocation location of keytab
* @param principalName principal in keytab
* @throws IOException exception from UserGroupInformation.loginUserFromKeytab
*/
public static void login(String keytabLocation, String principalName) throws IOException {
if (isSecurityEnabled()) {
UserGroupInformation.loginUserFromKeytab(principalName, keytabLocation);
}
}
/** Returns the result of {@code UserGroupInformation.isSecurityEnabled()}. */
public static boolean isSecurityEnabled() {
return UserGroupInformation.isSecurityEnabled();
}
}
public static class TestingGroups extends Groups {
public static final String TEST_CONF = "hbase.group.service.for.test.only";
private final Map> userToGroupsMapping = new HashMap<>();
private Groups underlyingImplementation;
public TestingGroups(Groups underlyingImplementation) {
super(new Configuration());
this.underlyingImplementation = underlyingImplementation;
}
@Override
public List getGroups(String user) throws IOException {
List result = userToGroupsMapping.get(user);
if (result == null) {
result = underlyingImplementation.getGroups(user);
}
return result;
}
private void setUserGroups(String user, String[] groups) {
userToGroupsMapping.put(user, Arrays.asList(groups));
}
}
}