org.apache.hadoop.hbase

Class AuthUtil

java.lang.Object

org.apache.hadoop.hbase.AuthUtil

Deprecated.

since 2.2.0, to be marked as InterfaceAudience.Private in 4.0.0.

@Deprecated
 @InterfaceAudience.Public
public final class AuthUtil
extends Object

Utility methods for helping with security tasks. Downstream users may rely on this class to handle authenticating via keytab where long running services need access to a secure HBase cluster. Callers must ensure:

• HBase configuration files are in the Classpath
• hbase.client.keytab.file points to a valid keytab on the local filesystem
• hbase.client.kerberos.principal gives the Kerberos principal to use

 
   ChoreService choreService = null;
   // Presumes HBase configuration files are on the classpath
   final Configuration conf = HBaseConfiguration.create();
   final ScheduledChore authChore = AuthUtil.getAuthChore(conf);
   if (authChore != null) {
     choreService = new ChoreService("MY_APPLICATION");
     choreService.scheduleChore(authChore);
   }
   try {
     // do application work
   } finally {
     if (choreService != null) {
       choreService.shutdown();
     }
   }
 
 

See the "Running Canary in a Kerberos-enabled Cluster" section of the HBase Reference Guide for an example of configuring a user of this Auth Chore to run on a secure cluster.

This class will be internal used only from 2.2.0 version, and will transparently work for kerberized applications. For more, please refer Client-side Configuration for Secure Operation

See Also:

HBASE-20886

Field Summary

Fields

Modifier and Type	Field and Description
private static String	GROUP_PREFIX Deprecated. Prefix character to denote group names
static String	HBASE_CLIENT_KERBEROS_PRINCIPAL Deprecated. Client principal
static String	HBASE_CLIENT_KEYTAB_FILE Deprecated. Client keytab file
private static org.slf4j.Logger	LOG Deprecated.

Constructor Summary

Constructors

Modifier	Constructor and Description
private	AuthUtil() Deprecated.

Method Summary

Modifier and Type	Method and Description
private static boolean	checkPrincipalMatch(org.apache.hadoop.conf.Configuration conf, String loginUserName) Deprecated.
private static Stoppable	createDummyStoppable() Deprecated.
static ScheduledChore	getAuthChore(org.apache.hadoop.conf.Configuration conf) Deprecated. Deprecated since 2.2.0, this method will be InterfaceAudience.Private use only after 4.0.0.
static ScheduledChore	getAuthRenewalChore(org.apache.hadoop.security.UserGroupInformation user) Deprecated. Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
static String	getGroupName(String aclKey) Deprecated. Returns the actual name for a group principal (stripped of the group prefix).
static boolean	isGroupPrincipal(String name) Deprecated. Returns whether or not the given name should be interpreted as a group principal.
static User	loginClient(org.apache.hadoop.conf.Configuration conf) Deprecated. For kerberized cluster, return login user (from kinit or from keytab if specified).
private static User	loginClientAsService(org.apache.hadoop.conf.Configuration conf) Deprecated. For kerberized cluster, return login user (from kinit or from keytab).
private static User	loginFromKeytabAndReturnUser(UserProvider provider) Deprecated.
static String	toGroupEntry(String name) Deprecated. Returns the group entry with the group prefix for a group principal.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

private static final org.slf4j.Logger LOG

Deprecated.

GROUP_PREFIX

private static final String GROUP_PREFIX

Deprecated.

Prefix character to denote group names

See Also:

Constant Field Values

HBASE_CLIENT_KEYTAB_FILE

public static final String HBASE_CLIENT_KEYTAB_FILE

Deprecated.

Client keytab file

See Also:

Constant Field Values

HBASE_CLIENT_KERBEROS_PRINCIPAL

public static final String HBASE_CLIENT_KERBEROS_PRINCIPAL

Deprecated.

Client principal

See Also:

Constant Field Values

Constructor Detail

AuthUtil

private AuthUtil()

Deprecated.

Method Detail

loginClient

@InterfaceAudience.Private
public static User loginClient(org.apache.hadoop.conf.Configuration conf)
                                                   throws IOException

Deprecated.

For kerberized cluster, return login user (from kinit or from keytab if specified). For non-kerberized cluster, return system user.

Parameters:

conf - configuartion file

Returns:

user

Throws:

IOException - login exception

checkPrincipalMatch

private static boolean checkPrincipalMatch(org.apache.hadoop.conf.Configuration conf,
                                           String loginUserName)

Deprecated.

loginFromKeytabAndReturnUser

private static User loginFromKeytabAndReturnUser(UserProvider provider)
                                          throws IOException

Deprecated.

Throws:

IOException

loginClientAsService

private static User loginClientAsService(org.apache.hadoop.conf.Configuration conf)
                                  throws IOException

Deprecated.

For kerberized cluster, return login user (from kinit or from keytab). Principal should be the following format: name/fully.qualified.domain.name@REALM. For non-kerberized cluster, return system user.

NOT recommend to use to method unless you're sure what you're doing, it is for canary only. Please use User#loginClient.

Parameters:

conf - configuration file

Returns:

user

Throws:

IOException - login exception

getAuthRenewalChore

@InterfaceAudience.Private
public static ScheduledChore getAuthRenewalChore(org.apache.hadoop.security.UserGroupInformation user)

Deprecated.

Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.

Returns:

a ScheduledChore for renewals.

getAuthChore

@Deprecated
public static ScheduledChore getAuthChore(org.apache.hadoop.conf.Configuration conf)
                                               throws IOException

Deprecated. Deprecated since 2.2.0, this method will be InterfaceAudience.Private use only after 4.0.0.

Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.

Parameters:

conf - the hbase service configuration

Returns:

a ScheduledChore for renewals, if needed, and null otherwise.

Throws:

IOException

See Also:

HBASE-20886

createDummyStoppable

private static Stoppable createDummyStoppable()

Deprecated.

isGroupPrincipal

@InterfaceAudience.Private
public static boolean isGroupPrincipal(String name)

Deprecated.

Returns whether or not the given name should be interpreted as a group principal. Currently this simply checks if the name starts with the special group prefix character ("@").

getGroupName

@InterfaceAudience.Private
public static String getGroupName(String aclKey)

Deprecated.

Returns the actual name for a group principal (stripped of the group prefix).

toGroupEntry

@InterfaceAudience.Private
public static String toGroupEntry(String name)

Deprecated.

Returns the group entry with the group prefix for a group principal.