View Javadoc

1   /*
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  
20  package org.apache.hadoop.hbase.security;
21  
22  import java.io.IOException;
23  import java.security.PrivilegedAction;
24  import java.security.PrivilegedExceptionAction;
25  import java.util.Collection;
26  
27  import org.apache.hadoop.conf.Configuration;
28  import org.apache.hadoop.hbase.classification.InterfaceAudience;
29  import org.apache.hadoop.hbase.classification.InterfaceStability;
30  import org.apache.hadoop.hbase.util.Methods;
31  import org.apache.hadoop.security.SecurityUtil;
32  import org.apache.hadoop.security.UserGroupInformation;
33  import org.apache.hadoop.security.token.Token;
34  import org.apache.hadoop.security.token.TokenIdentifier;
35  
36  /**
37   * Wrapper to abstract out usage of user and group information in HBase.
38   *
39   * <p>
40   * This class provides a common interface for interacting with user and group
41   * information across changing APIs in different versions of Hadoop.  It only
42   * provides access to the common set of functionality in
43   * {@link org.apache.hadoop.security.UserGroupInformation} currently needed by
44   * HBase, but can be extended as needs change.
45   * </p>
46   */
47  @InterfaceAudience.Public
48  @InterfaceStability.Stable
49  public abstract class User {
50    public static final String HBASE_SECURITY_CONF_KEY =
51        "hbase.security.authentication";
52    public static final String HBASE_SECURITY_AUTHORIZATION_CONF_KEY =
53        "hbase.security.authorization";
54  
55    protected UserGroupInformation ugi;
56  
57    public UserGroupInformation getUGI() {
58      return ugi;
59    }
60  
61    /**
62     * Returns the full user name.  For Kerberos principals this will include
63     * the host and realm portions of the principal name.
64     *
65     * @return User full name.
66     */
67    public String getName() {
68      return ugi.getUserName();
69    }
70  
71    /**
72     * Returns the list of groups of which this user is a member.  On secure
73     * Hadoop this returns the group information for the user as resolved on the
74     * server.  For 0.20 based Hadoop, the group names are passed from the client.
75     */
76    public String[] getGroupNames() {
77      return ugi.getGroupNames();
78    }
79  
80    /**
81     * Returns the shortened version of the user name -- the portion that maps
82     * to an operating system user name.
83     *
84     * @return Short name
85     */
86    public abstract String getShortName();
87  
88    /**
89     * Executes the given action within the context of this user.
90     */
91    public abstract <T> T runAs(PrivilegedAction<T> action);
92  
93    /**
94     * Executes the given action within the context of this user.
95     */
96    public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
97        throws IOException, InterruptedException;
98  
99    /**
100    * Returns the Token of the specified kind associated with this user,
101    * or null if the Token is not present.
102    *
103    * @param kind the kind of token
104    * @param service service on which the token is supposed to be used
105    * @return the token of the specified kind.
106    */
107   public Token<?> getToken(String kind, String service) throws IOException {
108     for (Token<?> token : ugi.getTokens()) {
109       if (token.getKind().toString().equals(kind) &&
110           (service != null && token.getService().toString().equals(service))) {
111         return token;
112       }
113     }
114     return null;
115   }
116 
117   /**
118    * Returns all the tokens stored in the user's credentials.
119    */
120   public Collection<Token<? extends TokenIdentifier>> getTokens() {
121     return ugi.getTokens();
122   }
123 
124   /**
125    * Adds the given Token to the user's credentials.
126    *
127    * @param token the token to add
128    */
129   public void addToken(Token<? extends TokenIdentifier> token) {
130     ugi.addToken(token);
131   }
132 
133   @Override
134   public boolean equals(Object o) {
135     if (this == o) {
136       return true;
137     }
138     if (o == null || getClass() != o.getClass()) {
139       return false;
140     }
141     return ugi.equals(((User) o).ugi);
142   }
143 
144   @Override
145   public int hashCode() {
146     return ugi.hashCode();
147   }
148 
149   @Override
150   public String toString() {
151     return ugi.toString();
152   }
153 
154   /**
155    * Returns the {@code User} instance within current execution context.
156    */
157   public static User getCurrent() throws IOException {
158     User user = new SecureHadoopUser();
159     if (user.getUGI() == null) {
160       return null;
161     }
162     return user;
163   }
164 
165   /**
166    * Executes the given action as the login user
167    * @param action
168    * @return the result of the action
169    * @throws IOException
170    */
171   @SuppressWarnings({ "rawtypes", "unchecked" })
172   public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
173     try {
174       Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
175       Class [] types = new Class[]{PrivilegedExceptionAction.class};
176       Object[] args = new Object[]{action};
177       return (T) Methods.call(c, null, "doAsLoginUser", types, args);
178     } catch (Throwable e) {
179       throw new IOException(e);
180     }
181   }
182 
183   /**
184    * Wraps an underlying {@code UserGroupInformation} instance.
185    * @param ugi The base Hadoop user
186    * @return User
187    */
188   public static User create(UserGroupInformation ugi) {
189     if (ugi == null) {
190       return null;
191     }
192     return new SecureHadoopUser(ugi);
193   }
194 
195   /**
196    * Generates a new {@code User} instance specifically for use in test code.
197    * @param name the full username
198    * @param groups the group names to which the test user will belong
199    * @return a new <code>User</code> instance
200    */
201   public static User createUserForTesting(Configuration conf,
202       String name, String[] groups) {
203     User userForTesting = SecureHadoopUser.createUserForTesting(conf, name, groups);
204     return userForTesting;
205   }
206 
207   /**
208    * Log in the current process using the given configuration keys for the
209    * credential file and login principal.
210    *
211    * <p><strong>This is only applicable when
212    * running on secure Hadoop</strong> -- see
213    * org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String).
214    * On regular Hadoop (without security features), this will safely be ignored.
215    * </p>
216    *
217    * @param conf The configuration data to use
218    * @param fileConfKey Property key used to configure path to the credential file
219    * @param principalConfKey Property key used to configure login principal
220    * @param localhost Current hostname to use in any credentials
221    * @throws IOException underlying exception from SecurityUtil.login() call
222    */
223   public static void login(Configuration conf, String fileConfKey,
224       String principalConfKey, String localhost) throws IOException {
225     SecureHadoopUser.login(conf, fileConfKey, principalConfKey, localhost);
226   }
227 
228   /**
229    * Returns whether or not Kerberos authentication is configured for Hadoop.
230    * For non-secure Hadoop, this always returns <code>false</code>.
231    * For secure Hadoop, it will return the value from
232    * {@code UserGroupInformation.isSecurityEnabled()}.
233    */
234   public static boolean isSecurityEnabled() {
235     return SecureHadoopUser.isSecurityEnabled();
236   }
237 
238   /**
239    * Returns whether or not secure authentication is enabled for HBase. Note that
240    * HBase security requires HDFS security to provide any guarantees, so it is
241    * recommended that secure HBase should run on secure HDFS.
242    */
243   public static boolean isHBaseSecurityEnabled(Configuration conf) {
244     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));
245   }
246 
247   /* Concrete implementations */
248 
249   /**
250    * Bridges {@code User} invocations to underlying calls to
251    * {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop
252    * 0.20 and versions 0.21 and above.
253    */
254   private static final class SecureHadoopUser extends User {
255     private String shortName;
256 
257     private SecureHadoopUser() throws IOException {
258       ugi = UserGroupInformation.getCurrentUser();
259     }
260 
261     private SecureHadoopUser(UserGroupInformation ugi) {
262       this.ugi = ugi;
263     }
264 
265     @Override
266     public String getShortName() {
267       if (shortName != null) return shortName;
268       try {
269         shortName = ugi.getShortUserName();
270         return shortName;
271       } catch (Exception e) {
272         throw new RuntimeException("Unexpected error getting user short name",
273           e);
274       }
275     }
276 
277     @Override
278     public <T> T runAs(PrivilegedAction<T> action) {
279       return ugi.doAs(action);
280     }
281 
282     @Override
283     public <T> T runAs(PrivilegedExceptionAction<T> action)
284         throws IOException, InterruptedException {
285       return ugi.doAs(action);
286     }
287 
288     /** @see User#createUserForTesting(org.apache.hadoop.conf.Configuration, String, String[]) */
289     public static User createUserForTesting(Configuration conf,
290         String name, String[] groups) {
291       return new SecureHadoopUser(UserGroupInformation.createUserForTesting(name, groups));
292     }
293 
294     /**
295      * Obtain credentials for the current process using the configured
296      * Kerberos keytab file and principal.
297      * @see User#login(org.apache.hadoop.conf.Configuration, String, String, String)
298      *
299      * @param conf the Configuration to use
300      * @param fileConfKey Configuration property key used to store the path
301      * to the keytab file
302      * @param principalConfKey Configuration property key used to store the
303      * principal name to login as
304      * @param localhost the local hostname
305      */
306     public static void login(Configuration conf, String fileConfKey,
307         String principalConfKey, String localhost) throws IOException {
308       if (isSecurityEnabled()) {
309         SecurityUtil.login(conf, fileConfKey, principalConfKey, localhost);
310       }
311     }
312 
313     /**
314      * Returns the result of {@code UserGroupInformation.isSecurityEnabled()}.
315      */
316     public static boolean isSecurityEnabled() {
317       return UserGroupInformation.isSecurityEnabled();
318     }
319   }
320 }