View Javadoc

1   /*
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  
20  package org.apache.hadoop.hbase.security;
21  
22  import java.io.IOException;
23  import java.lang.reflect.UndeclaredThrowableException;
24  import java.security.PrivilegedAction;
25  import java.security.PrivilegedExceptionAction;
26  
27  import org.apache.commons.logging.Log;
28  import org.apache.commons.logging.LogFactory;
29  import org.apache.hadoop.classification.InterfaceAudience;
30  import org.apache.hadoop.conf.Configuration;
31  import org.apache.hadoop.hbase.util.Methods;
32  import org.apache.hadoop.mapred.JobConf;
33  import org.apache.hadoop.mapreduce.Job;
34  import org.apache.hadoop.security.SecurityUtil;
35  import org.apache.hadoop.security.UserGroupInformation;
36  import org.apache.hadoop.security.token.Token;
37  
38  /**
39   * Wrapper to abstract out usage of user and group information in HBase.
40   *
41   * <p>
42   * This class provides a common interface for interacting with user and group
43   * information across changing APIs in different versions of Hadoop.  It only
44   * provides access to the common set of functionality in
45   * {@link org.apache.hadoop.security.UserGroupInformation} currently needed by
46   * HBase, but can be extended as needs change.
47   * </p>
48   */
49  @InterfaceAudience.Private
50  public abstract class User {
51    public static final String HBASE_SECURITY_CONF_KEY =
52        "hbase.security.authentication";
53  
54    private static Log LOG = LogFactory.getLog(User.class);
55  
56    protected UserGroupInformation ugi;
57  
58    public UserGroupInformation getUGI() {
59      return ugi;
60    }
61  
62    /**
63     * Returns the full user name.  For Kerberos principals this will include
64     * the host and realm portions of the principal name.
65     * @return User full name.
66     */
67    public String getName() {
68      return ugi.getUserName();
69    }
70  
71    /**
72     * Returns the list of groups of which this user is a member.  On secure
73     * Hadoop this returns the group information for the user as resolved on the
74     * server.  For 0.20 based Hadoop, the group names are passed from the client.
75     */
76    public String[] getGroupNames() {
77      return ugi.getGroupNames();
78    }
79  
80    /**
81     * Returns the shortened version of the user name -- the portion that maps
82     * to an operating system user name.
83     * @return Short name
84     */
85    public abstract String getShortName();
86  
87    /**
88     * Executes the given action within the context of this user.
89     */
90    public abstract <T> T runAs(PrivilegedAction<T> action);
91  
92    /**
93     * Executes the given action within the context of this user.
94     */
95    public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
96        throws IOException, InterruptedException;
97  
98    /**
99     * Requests an authentication token for this user and stores it in the
100    * user's credentials.
101    *
102    * @throws IOException
103    */
104   public abstract void obtainAuthTokenForJob(Configuration conf, Job job)
105       throws IOException, InterruptedException;
106 
107   /**
108    * Requests an authentication token for this user and stores it in the
109    * user's credentials.
110    *
111    * @throws IOException
112    */
113   public abstract void obtainAuthTokenForJob(JobConf job)
114       throws IOException, InterruptedException;
115 
116   /**
117    * Returns the Token of the specified kind associated with this user,
118    * or null if the Token is not present.
119    *
120    * @param kind the kind of token
121    * @param service service on which the token is supposed to be used
122    * @return the token of the specified kind.
123    */
124   public Token<?> getToken(String kind, String service) throws IOException {
125     for (Token<?> token: ugi.getTokens()) {
126       if (token.getKind().toString().equals(kind) &&
127           (service != null && token.getService().toString().equals(service)))
128       {
129         return token;
130       }
131     }
132     return null;
133   }
134 
135   @Override
136   public boolean equals(Object o) {
137     if (this == o) {
138       return true;
139     }
140     if (o == null || getClass() != o.getClass()) {
141       return false;
142     }
143     return ugi.equals(((User) o).ugi);
144   }
145 
146   @Override
147   public int hashCode() {
148     return ugi.hashCode();
149   }
150 
151   @Override
152   public String toString() {
153     return ugi.toString();
154   }
155 
156   /**
157    * Returns the {@code User} instance within current execution context.
158    */
159   public static User getCurrent() throws IOException {
160     User user = new SecureHadoopUser();
161     if (user.getUGI() == null) {
162       return null;
163     }
164     return user;
165   }
166 
167   /**
168    * Executes the given action as the login user
169    * @param action
170    * @return
171    * @throws IOException
172    * @throws InterruptedException
173    */
174   @SuppressWarnings({ "rawtypes", "unchecked" })
175   public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
176     try {
177       Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
178       Class [] types = new Class[]{PrivilegedExceptionAction.class};
179       Object[] args = new Object[]{action};
180       return (T) Methods.call(c, null, "doAsLoginUser", types, args);
181     } catch (Throwable e) {
182       throw new IOException(e);
183     }
184   }
185 
186   /**
187    * Wraps an underlying {@code UserGroupInformation} instance.
188    * @param ugi The base Hadoop user
189    * @return User
190    */
191   public static User create(UserGroupInformation ugi) {
192     if (ugi == null) {
193       return null;
194     }
195     return new SecureHadoopUser(ugi);
196   }
197 
198   /**
199    * Generates a new {@code User} instance specifically for use in test code.
200    * @param name the full username
201    * @param groups the group names to which the test user will belong
202    * @return a new <code>User</code> instance
203    */
204   public static User createUserForTesting(Configuration conf,
205       String name, String[] groups) {
206     return SecureHadoopUser.createUserForTesting(conf, name, groups);
207   }
208 
209   /**
210    * Log in the current process using the given configuration keys for the
211    * credential file and login principal.
212    *
213    * <p><strong>This is only applicable when
214    * running on secure Hadoop</strong> -- see
215    * org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String).
216    * On regular Hadoop (without security features), this will safely be ignored.
217    * </p>
218    *
219    * @param conf The configuration data to use
220    * @param fileConfKey Property key used to configure path to the credential file
221    * @param principalConfKey Property key used to configure login principal
222    * @param localhost Current hostname to use in any credentials
223    * @throws IOException underlying exception from SecurityUtil.login() call
224    */
225   public static void login(Configuration conf, String fileConfKey,
226       String principalConfKey, String localhost) throws IOException {
227     SecureHadoopUser.login(conf, fileConfKey, principalConfKey, localhost);
228   }
229 
230   /**
231    * Returns whether or not Kerberos authentication is configured for Hadoop.
232    * For non-secure Hadoop, this always returns <code>false</code>.
233    * For secure Hadoop, it will return the value from
234    * {@code UserGroupInformation.isSecurityEnabled()}.
235    */
236   public static boolean isSecurityEnabled() {
237     return SecureHadoopUser.isSecurityEnabled();
238   }
239 
240   /**
241    * Returns whether or not secure authentication is enabled for HBase. Note that
242    * HBase security requires HDFS security to provide any guarantees, so it is
243    * recommended that secure HBase should run on secure HDFS.
244    */
245   public static boolean isHBaseSecurityEnabled(Configuration conf) {
246     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));
247   }
248 
249   /* Concrete implementations */
250 
251   /**
252    * Bridges {@code User} invocations to underlying calls to
253    * {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop
254    * 0.20 and versions 0.21 and above.
255    */
256   private static class SecureHadoopUser extends User {
257     private String shortName;
258 
259     private SecureHadoopUser() throws IOException {
260       ugi = UserGroupInformation.getCurrentUser();
261     }
262 
263     private SecureHadoopUser(UserGroupInformation ugi) {
264       this.ugi = ugi;
265     }
266 
267     @Override
268     public String getShortName() {
269       if (shortName != null) return shortName;
270       try {
271         shortName = ugi.getShortUserName();
272         return shortName;
273       } catch (Exception e) {
274         throw new RuntimeException("Unexpected error getting user short name",
275           e);
276       }
277     }
278 
279     @Override
280     public <T> T runAs(PrivilegedAction<T> action) {
281       return ugi.doAs(action);
282     }
283 
284     @Override
285     public <T> T runAs(PrivilegedExceptionAction<T> action)
286         throws IOException, InterruptedException {
287       return ugi.doAs(action);
288     }
289 
290     @Override
291     public void obtainAuthTokenForJob(Configuration conf, Job job)
292         throws IOException, InterruptedException {
293       try {
294         Class<?> c = Class.forName(
295             "org.apache.hadoop.hbase.security.token.TokenUtil");
296         Methods.call(c, null, "obtainTokenForJob",
297             new Class[]{Configuration.class, UserGroupInformation.class,
298                 Job.class},
299             new Object[]{conf, ugi, job});
300       } catch (ClassNotFoundException cnfe) {
301         throw new RuntimeException("Failure loading TokenUtil class, "
302             +"is secure RPC available?", cnfe);
303       } catch (IOException ioe) {
304         throw ioe;
305       } catch (InterruptedException ie) {
306         throw ie;
307       } catch (RuntimeException re) {
308         throw re;
309       } catch (Exception e) {
310         throw new UndeclaredThrowableException(e,
311             "Unexpected error calling TokenUtil.obtainAndCacheToken()");
312       }
313     }
314 
315     @Override
316     public void obtainAuthTokenForJob(JobConf job)
317         throws IOException, InterruptedException {
318       try {
319         Class<?> c = Class.forName(
320             "org.apache.hadoop.hbase.security.token.TokenUtil");
321         Methods.call(c, null, "obtainTokenForJob",
322             new Class[]{JobConf.class, UserGroupInformation.class},
323             new Object[]{job, ugi});
324       } catch (ClassNotFoundException cnfe) {
325         throw new RuntimeException("Failure loading TokenUtil class, "
326             +"is secure RPC available?", cnfe);
327       } catch (IOException ioe) {
328         throw ioe;
329       } catch (InterruptedException ie) {
330         throw ie;
331       } catch (RuntimeException re) {
332         throw re;
333       } catch (Exception e) {
334         throw new UndeclaredThrowableException(e,
335             "Unexpected error calling TokenUtil.obtainAndCacheToken()");
336       }
337     }
338 
339     /** @see User#createUserForTesting(org.apache.hadoop.conf.Configuration, String, String[]) */
340     public static User createUserForTesting(Configuration conf,
341         String name, String[] groups) {
342       return new SecureHadoopUser(UserGroupInformation.createUserForTesting(name, groups));
343     }
344 
345     /**
346      * Obtain credentials for the current process using the configured
347      * Kerberos keytab file and principal.
348      * @see User#login(org.apache.hadoop.conf.Configuration, String, String, String)
349      *
350      * @param conf the Configuration to use
351      * @param fileConfKey Configuration property key used to store the path
352      * to the keytab file
353      * @param principalConfKey Configuration property key used to store the
354      * principal name to login as
355      * @param localhost the local hostname
356      */
357     public static void login(Configuration conf, String fileConfKey,
358         String principalConfKey, String localhost) throws IOException {
359       if (isSecurityEnabled()) {
360         SecurityUtil.login(conf, fileConfKey, principalConfKey, localhost);
361       }
362     }
363 
364     /**
365      * Returns the result of {@code UserGroupInformation.isSecurityEnabled()}.
366      */
367     public static boolean isSecurityEnabled() {
368       return UserGroupInformation.isSecurityEnabled();
369     }
370   }
371 }