View Javadoc

1   /*
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  
20  package org.apache.hadoop.hbase.security;
21  
22  import java.io.IOException;
23  import java.lang.reflect.UndeclaredThrowableException;
24  import java.security.PrivilegedAction;
25  import java.security.PrivilegedExceptionAction;
26  import java.util.Arrays;
27  import java.util.Collection;
28  import java.util.HashMap;
29  import java.util.List;
30  import java.util.Map;
31  import java.util.concurrent.ExecutionException;
32  import com.google.common.cache.LoadingCache;
33  import org.apache.hadoop.conf.Configuration;
34  import org.apache.hadoop.hbase.classification.InterfaceAudience;
35  import org.apache.hadoop.hbase.classification.InterfaceStability;
36  import org.apache.hadoop.hbase.util.Methods;
37  import org.apache.hadoop.mapred.JobConf;
38  import org.apache.hadoop.mapreduce.Job;
39  import org.apache.hadoop.security.Groups;
40  import org.apache.hadoop.security.SecurityUtil;
41  import org.apache.hadoop.security.UserGroupInformation;
42  import org.apache.hadoop.security.token.Token;
43  import org.apache.hadoop.security.token.TokenIdentifier;
44  
45  /**
46   * Wrapper to abstract out usage of user and group information in HBase.
47   *
48   * <p>
49   * This class provides a common interface for interacting with user and group
50   * information across changing APIs in different versions of Hadoop.  It only
51   * provides access to the common set of functionality in
52   * {@link org.apache.hadoop.security.UserGroupInformation} currently needed by
53   * HBase, but can be extended as needs change.
54   * </p>
55   */
56  @InterfaceAudience.Public
57  @InterfaceStability.Stable
58  public abstract class User {
59    public static final String HBASE_SECURITY_CONF_KEY =
60        "hbase.security.authentication";
61    public static final String HBASE_SECURITY_AUTHORIZATION_CONF_KEY =
62        "hbase.security.authorization";
63  
64    protected UserGroupInformation ugi;
65  
66    public UserGroupInformation getUGI() {
67      return ugi;
68    }
69  
70    /**
71     * Returns the full user name.  For Kerberos principals this will include
72     * the host and realm portions of the principal name.
73     *
74     * @return User full name.
75     */
76    public String getName() {
77      return ugi.getUserName();
78    }
79  
80    /**
81     * Returns the list of groups of which this user is a member.  On secure
82     * Hadoop this returns the group information for the user as resolved on the
83     * server.  For 0.20 based Hadoop, the group names are passed from the client.
84     */
85    public String[] getGroupNames() {
86      return ugi.getGroupNames();
87    }
88  
89    /**
90     * Returns the shortened version of the user name -- the portion that maps
91     * to an operating system user name.
92     *
93     * @return Short name
94     */
95    public abstract String getShortName();
96  
97    /**
98     * Executes the given action within the context of this user.
99     */
100   public abstract <T> T runAs(PrivilegedAction<T> action);
101 
102   /**
103    * Executes the given action within the context of this user.
104    */
105   public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
106       throws IOException, InterruptedException;
107 
108   /**
109    * Requests an authentication token for this user and stores it in the
110    * user's credentials.
111    *
112    * @throws IOException
113    * @deprecated Use {@code TokenUtil.obtainAuthTokenForJob(Connection,User,Job)}
114    *     instead.
115    */
116   @Deprecated
117   public abstract void obtainAuthTokenForJob(Configuration conf, Job job)
118       throws IOException, InterruptedException;
119 
120   /**
121    * Requests an authentication token for this user and stores it in the
122    * user's credentials.
123    *
124    * @throws IOException
125    * @deprecated Use {@code TokenUtil.obtainAuthTokenForJob(Connection,JobConf,User)}
126    *     instead.
127    */
128   @Deprecated
129   public abstract void obtainAuthTokenForJob(JobConf job)
130       throws IOException, InterruptedException;
131 
132   /**
133    * Returns the Token of the specified kind associated with this user,
134    * or null if the Token is not present.
135    *
136    * @param kind the kind of token
137    * @param service service on which the token is supposed to be used
138    * @return the token of the specified kind.
139    */
140   public Token<?> getToken(String kind, String service) throws IOException {
141     for (Token<?> token : ugi.getTokens()) {
142       if (token.getKind().toString().equals(kind) &&
143           (service != null && token.getService().toString().equals(service))) {
144         return token;
145       }
146     }
147     return null;
148   }
149 
150   /**
151    * Returns all the tokens stored in the user's credentials.
152    */
153   public Collection<Token<? extends TokenIdentifier>> getTokens() {
154     return ugi.getTokens();
155   }
156 
157   /**
158    * Adds the given Token to the user's credentials.
159    *
160    * @param token the token to add
161    */
162   public void addToken(Token<? extends TokenIdentifier> token) {
163     ugi.addToken(token);
164   }
165 
166   @Override
167   public boolean equals(Object o) {
168     if (this == o) {
169       return true;
170     }
171     if (o == null || getClass() != o.getClass()) {
172       return false;
173     }
174     return ugi.equals(((User) o).ugi);
175   }
176 
177   @Override
178   public int hashCode() {
179     return ugi.hashCode();
180   }
181 
182   @Override
183   public String toString() {
184     return ugi.toString();
185   }
186 
187   /**
188    * Returns the {@code User} instance within current execution context.
189    */
190   public static User getCurrent() throws IOException {
191     User user = new SecureHadoopUser();
192     if (user.getUGI() == null) {
193       return null;
194     }
195     return user;
196   }
197 
198   /**
199    * Executes the given action as the login user
200    * @param action
201    * @return the result of the action
202    * @throws IOException
203    */
204   @SuppressWarnings({ "rawtypes", "unchecked" })
205   public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
206     try {
207       Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
208       Class [] types = new Class[]{PrivilegedExceptionAction.class};
209       Object[] args = new Object[]{action};
210       return (T) Methods.call(c, null, "doAsLoginUser", types, args);
211     } catch (Throwable e) {
212       throw new IOException(e);
213     }
214   }
215 
216   /**
217    * Wraps an underlying {@code UserGroupInformation} instance.
218    * @param ugi The base Hadoop user
219    * @return User
220    */
221   public static User create(UserGroupInformation ugi) {
222     if (ugi == null) {
223       return null;
224     }
225     return new SecureHadoopUser(ugi);
226   }
227 
228   /**
229    * Generates a new {@code User} instance specifically for use in test code.
230    * @param name the full username
231    * @param groups the group names to which the test user will belong
232    * @return a new <code>User</code> instance
233    */
234   public static User createUserForTesting(Configuration conf,
235       String name, String[] groups) {
236     User userForTesting = SecureHadoopUser.createUserForTesting(conf, name, groups);
237     return userForTesting;
238   }
239 
240   /**
241    * Log in the current process using the given configuration keys for the
242    * credential file and login principal.
243    *
244    * <p><strong>This is only applicable when
245    * running on secure Hadoop</strong> -- see
246    * org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String).
247    * On regular Hadoop (without security features), this will safely be ignored.
248    * </p>
249    *
250    * @param conf The configuration data to use
251    * @param fileConfKey Property key used to configure path to the credential file
252    * @param principalConfKey Property key used to configure login principal
253    * @param localhost Current hostname to use in any credentials
254    * @throws IOException underlying exception from SecurityUtil.login() call
255    */
256   public static void login(Configuration conf, String fileConfKey,
257       String principalConfKey, String localhost) throws IOException {
258     SecureHadoopUser.login(conf, fileConfKey, principalConfKey, localhost);
259   }
260 
261   /**
262    * Returns whether or not Kerberos authentication is configured for Hadoop.
263    * For non-secure Hadoop, this always returns <code>false</code>.
264    * For secure Hadoop, it will return the value from
265    * {@code UserGroupInformation.isSecurityEnabled()}.
266    */
267   public static boolean isSecurityEnabled() {
268     return SecureHadoopUser.isSecurityEnabled();
269   }
270 
271   /**
272    * Returns whether or not secure authentication is enabled for HBase. Note that
273    * HBase security requires HDFS security to provide any guarantees, so it is
274    * recommended that secure HBase should run on secure HDFS.
275    */
276   public static boolean isHBaseSecurityEnabled(Configuration conf) {
277     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));
278   }
279 
280   /* Concrete implementations */
281 
282   /**
283    * Bridges {@code User} invocations to underlying calls to
284    * {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop
285    * 0.20 and versions 0.21 and above.
286    */
287   @InterfaceAudience.Private
288    public static final class SecureHadoopUser extends User {
289     private String shortName;
290     private LoadingCache<String, String[]> cache;
291 
292     public SecureHadoopUser() throws IOException {
293       ugi = UserGroupInformation.getCurrentUser();
294       this.cache = null;
295     }
296 
297     public SecureHadoopUser(UserGroupInformation ugi) {
298       this.ugi = ugi;
299       this.cache = null;
300     }
301 
302     public SecureHadoopUser(UserGroupInformation ugi,
303                             LoadingCache<String, String[]> cache) {
304       this.ugi = ugi;
305       this.cache = cache;
306     }
307 
308     @Override
309     public String getShortName() {
310       if (shortName != null) return shortName;
311       try {
312         shortName = ugi.getShortUserName();
313         return shortName;
314       } catch (Exception e) {
315         throw new RuntimeException("Unexpected error getting user short name",
316           e);
317       }
318     }
319 
320     @Override
321     public String[] getGroupNames() {
322       if (cache != null) {
323         try {
324           return this.cache.get(getShortName());
325         } catch (ExecutionException e) {
326           return new String[0];
327         }
328       }
329       return ugi.getGroupNames();
330     }
331 
332     @Override
333     public <T> T runAs(PrivilegedAction<T> action) {
334       return ugi.doAs(action);
335     }
336 
337     @Override
338     public <T> T runAs(PrivilegedExceptionAction<T> action)
339         throws IOException, InterruptedException {
340       return ugi.doAs(action);
341     }
342 
343     @Override
344     public void obtainAuthTokenForJob(Configuration conf, Job job)
345         throws IOException, InterruptedException {
346       try {
347         Class<?> c = Class.forName(
348             "org.apache.hadoop.hbase.security.token.TokenUtil");
349         Methods.call(c, null, "obtainTokenForJob",
350             new Class[]{Configuration.class, UserGroupInformation.class,
351                 Job.class},
352             new Object[]{conf, ugi, job});
353       } catch (ClassNotFoundException cnfe) {
354         throw new RuntimeException("Failure loading TokenUtil class, "
355             +"is secure RPC available?", cnfe);
356       } catch (IOException ioe) {
357         throw ioe;
358       } catch (InterruptedException ie) {
359         throw ie;
360       } catch (RuntimeException re) {
361         throw re;
362       } catch (Exception e) {
363         throw new UndeclaredThrowableException(e,
364             "Unexpected error calling TokenUtil.obtainAndCacheToken()");
365       }
366     }
367 
368     @Override
369     public void obtainAuthTokenForJob(JobConf job)
370         throws IOException, InterruptedException {
371       try {
372         Class<?> c = Class.forName(
373             "org.apache.hadoop.hbase.security.token.TokenUtil");
374         Methods.call(c, null, "obtainTokenForJob",
375             new Class[]{JobConf.class, UserGroupInformation.class},
376             new Object[]{job, ugi});
377       } catch (ClassNotFoundException cnfe) {
378         throw new RuntimeException("Failure loading TokenUtil class, "
379             +"is secure RPC available?", cnfe);
380       } catch (IOException ioe) {
381         throw ioe;
382       } catch (InterruptedException ie) {
383         throw ie;
384       } catch (RuntimeException re) {
385         throw re;
386       } catch (Exception e) {
387         throw new UndeclaredThrowableException(e,
388             "Unexpected error calling TokenUtil.obtainAndCacheToken()");
389       }
390     }
391 
392     /** @see User#createUserForTesting(org.apache.hadoop.conf.Configuration, String, String[]) */
393     public static User createUserForTesting(Configuration conf,
394         String name, String[] groups) {
395       synchronized (UserProvider.class) {
396         if (!(UserProvider.groups instanceof TestingGroups)) {
397           UserProvider.groups = new TestingGroups(UserProvider.groups);
398         }
399       }
400 
401       ((TestingGroups)UserProvider.groups).setUserGroups(name, groups);
402       return new SecureHadoopUser(UserGroupInformation.createUserForTesting(name, groups));
403     }
404 
405     /**
406      * Obtain credentials for the current process using the configured
407      * Kerberos keytab file and principal.
408      * @see User#login(org.apache.hadoop.conf.Configuration, String, String, String)
409      *
410      * @param conf the Configuration to use
411      * @param fileConfKey Configuration property key used to store the path
412      * to the keytab file
413      * @param principalConfKey Configuration property key used to store the
414      * principal name to login as
415      * @param localhost the local hostname
416      */
417     public static void login(Configuration conf, String fileConfKey,
418         String principalConfKey, String localhost) throws IOException {
419       if (isSecurityEnabled()) {
420         SecurityUtil.login(conf, fileConfKey, principalConfKey, localhost);
421       }
422     }
423 
424     /**
425      * Returns the result of {@code UserGroupInformation.isSecurityEnabled()}.
426      */
427     public static boolean isSecurityEnabled() {
428       return UserGroupInformation.isSecurityEnabled();
429     }
430   }
431 
432   static class TestingGroups extends Groups {
433     private final Map<String, List<String>> userToGroupsMapping =
434         new HashMap<String,List<String>>();
435     private Groups underlyingImplementation;
436 
437     TestingGroups(Groups underlyingImplementation) {
438       super(new Configuration());
439       this.underlyingImplementation = underlyingImplementation;
440     }
441 
442     @Override
443     public List<String> getGroups(String user) throws IOException {
444       List<String> result = userToGroupsMapping.get(user);
445 
446       if (result == null) {
447         result = underlyingImplementation.getGroups(user);
448       }
449 
450       return result;
451     }
452 
453     private void setUserGroups(String user, String[] groups) {
454       userToGroupsMapping.put(user, Arrays.asList(groups));
455     }
456   }
457 }