View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase;
20  
21  import java.io.IOException;
22  import java.net.UnknownHostException;
23  
24  import org.apache.commons.logging.Log;
25  import org.apache.commons.logging.LogFactory;
26  import org.apache.hadoop.conf.Configuration;
27  import org.apache.hadoop.hbase.classification.InterfaceAudience;
28  import org.apache.hadoop.hbase.classification.InterfaceStability;
29  import org.apache.hadoop.hbase.security.UserProvider;
30  import org.apache.hadoop.hbase.util.DNS;
31  import org.apache.hadoop.hbase.util.Strings;
32  import org.apache.hadoop.security.UserGroupInformation;
33  
34  /**
35   * Utility methods for helping with security tasks.
36   */
37  @InterfaceAudience.Private
38  @InterfaceStability.Evolving
39  public class AuthUtil {
40    private static final Log LOG = LogFactory.getLog(AuthUtil.class);
41  
42    /** Prefix character to denote group names */
43    public static final String GROUP_PREFIX = "@";
44  
45    private AuthUtil() {
46      super();
47    }
48  
49    /**
50     * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
51     */
52    public static ScheduledChore getAuthChore(Configuration conf) throws IOException {
53      UserProvider userProvider = UserProvider.instantiate(conf);
54      // login the principal (if using secure Hadoop)
55      boolean securityEnabled =
56          userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled();
57      if (!securityEnabled) return null;
58      String host = null;
59      try {
60        host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
61            conf.get("hbase.client.dns.interface", "default"),
62            conf.get("hbase.client.dns.nameserver", "default")));
63        userProvider.login("hbase.client.keytab.file", "hbase.client.kerberos.principal", host);
64      } catch (UnknownHostException e) {
65        LOG.error("Error resolving host name: " + e.getMessage(), e);
66        throw e;
67      } catch (IOException e) {
68        LOG.error("Error while trying to perform the initial login: " + e.getMessage(), e);
69        throw e;
70      }
71  
72      final UserGroupInformation ugi = userProvider.getCurrent().getUGI();
73      Stoppable stoppable = new Stoppable() {
74        private volatile boolean isStopped = false;
75  
76        @Override
77        public void stop(String why) {
78          isStopped = true;
79        }
80  
81        @Override
82        public boolean isStopped() {
83          return isStopped;
84        }
85      };
86  
87      // if you're in debug mode this is useful to avoid getting spammed by the getTGT()
88      // you can increase this, keeping in mind that the default refresh window is 0.8
89      // e.g. 5min tgt * 0.8 = 4min refresh so interval is better be way less than 1min
90      final int CHECK_TGT_INTERVAL = 30 * 1000; // 30sec
91  
92      ScheduledChore refreshCredentials =
93          new ScheduledChore("RefreshCredentials", stoppable, CHECK_TGT_INTERVAL) {
94        @Override
95        protected void chore() {
96          try {
97            ugi.checkTGTAndReloginFromKeytab();
98          } catch (IOException e) {
99            LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e);
100         }
101       }
102     };
103 
104     return refreshCredentials;
105   }
106 
107   /**
108    * Returns whether or not the given name should be interpreted as a group
109    * principal.  Currently this simply checks if the name starts with the
110    * special group prefix character ("@").
111    */
112   public static boolean isGroupPrincipal(String name) {
113     return name != null && name.startsWith(GROUP_PREFIX);
114   }
115 
116   /**
117    * Returns the actual name for a group principal (stripped of the
118    * group prefix).
119    */
120   public static String getGroupName(String aclKey) {
121     if (!isGroupPrincipal(aclKey)) {
122       return aclKey;
123     }
124 
125     return aclKey.substring(GROUP_PREFIX.length());
126   }
127 
128   /**
129    * Returns the group entry with the group prefix for a group principal.
130    */
131   public static String toGroupEntry(String name) {
132     return GROUP_PREFIX + name;
133   }
134 }