Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security;
019
020import java.io.IOException;
021import java.util.LinkedHashSet;
022import java.util.Set;
023import java.util.concurrent.Callable;
024import java.util.concurrent.Executors;
025import java.util.concurrent.TimeUnit;
026import org.apache.hadoop.conf.Configuration;
027import org.apache.hadoop.fs.CommonConfigurationKeys;
028import org.apache.hadoop.hbase.BaseConfigurable;
029import org.apache.hadoop.security.Groups;
030import org.apache.hadoop.security.UserGroupInformation;
031import org.apache.hadoop.util.ReflectionUtils;
032import org.apache.yetus.audience.InterfaceAudience;
033
034import org.apache.hbase.thirdparty.com.google.common.cache.CacheBuilder;
035import org.apache.hbase.thirdparty.com.google.common.cache.CacheLoader;
036import org.apache.hbase.thirdparty.com.google.common.cache.LoadingCache;
037import org.apache.hbase.thirdparty.com.google.common.util.concurrent.ListenableFuture;
038import org.apache.hbase.thirdparty.com.google.common.util.concurrent.ListeningExecutorService;
039import org.apache.hbase.thirdparty.com.google.common.util.concurrent.MoreExecutors;
040import org.apache.hbase.thirdparty.com.google.common.util.concurrent.ThreadFactoryBuilder;
041
042/**
043 * Provide an instance of a user. Allows custom {@link User} creation.
044 */
045@InterfaceAudience.Private
046public class UserProvider extends BaseConfigurable {
047
048  private static final String USER_PROVIDER_CONF_KEY = "hbase.client.userprovider.class";
049  private static final ListeningExecutorService executor = MoreExecutors.listeningDecorator(
050      Executors.newScheduledThreadPool(
051          1,
052          new ThreadFactoryBuilder().setDaemon(true).setNameFormat("group-cache-%d").build()));
053
054  private LoadingCache<String, String[]> groupCache = null;
055
056  static Groups groups = Groups.getUserToGroupsMappingService();
057
058  public static Groups getGroups() {
059    return groups;
060  }
061
062  public static void setGroups(Groups groups) {
063    UserProvider.groups = groups;
064  }
065
066  @Override
067  public void setConf(final Configuration conf) {
068    super.setConf(conf);
069
070    synchronized (UserProvider.class) {
071      if (!(groups instanceof User.TestingGroups)) {
072        groups = Groups.getUserToGroupsMappingService(conf);
073      }
074    }
075
076    long cacheTimeout =
077        getConf().getLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS,
078            CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS_DEFAULT) * 1000;
079
080    this.groupCache = CacheBuilder.newBuilder()
081        // This is the same timeout that hadoop uses. So we'll follow suit.
082        .refreshAfterWrite(cacheTimeout, TimeUnit.MILLISECONDS)
083        .expireAfterWrite(10 * cacheTimeout, TimeUnit.MILLISECONDS)
084            // Set concurrency level equal to the default number of handlers that
085            // the simple handler spins up.
086        .concurrencyLevel(20)
087            // create the loader
088            // This just delegates to UGI.
089        .build(new CacheLoader<String, String[]>() {
090
091          // Since UGI's don't hash based on the user id
092          // The cache needs to be keyed on the same thing that Hadoop's Groups class
093          // uses. So this cache uses shortname.
094          @Override
095          public String[] load(String ugi) throws Exception {
096            return getGroupStrings(ugi);
097          }
098
099          private String[] getGroupStrings(String ugi) {
100            try {
101              Set<String> result = new LinkedHashSet<>(groups.getGroups(ugi));
102              return result.toArray(new String[result.size()]);
103            } catch (Exception e) {
104              return new String[0];
105            }
106          }
107
108          // Provide the reload function that uses the executor thread.
109          @Override
110          public ListenableFuture<String[]> reload(final String k, String[] oldValue)
111              throws Exception {
112
113            return executor.submit(new Callable<String[]>() {
114              @Override
115              public String[] call() throws Exception {
116                return getGroupStrings(k);
117              }
118            });
119          }
120        });
121  }
122
123  /**
124   * Instantiate the {@link UserProvider} specified in the configuration and set the passed
125   * configuration via {@link UserProvider#setConf(Configuration)}
126   * @param conf to read and set on the created {@link UserProvider}
127   * @return a {@link UserProvider} ready for use.
128   */
129  public static UserProvider instantiate(Configuration conf) {
130    Class<? extends UserProvider> clazz =
131        conf.getClass(USER_PROVIDER_CONF_KEY, UserProvider.class, UserProvider.class);
132    return ReflectionUtils.newInstance(clazz, conf);
133  }
134
135  /**
136   * Set the {@link UserProvider} in the given configuration that should be instantiated
137   * @param conf to update
138   * @param provider class of the provider to set
139   */
140  public static void setUserProviderForTesting(Configuration conf,
141      Class<? extends UserProvider> provider) {
142    conf.set(USER_PROVIDER_CONF_KEY, provider.getName());
143  }
144
145  /**
146   * @return the userName for the current logged-in user.
147   * @throws IOException if the underlying user cannot be obtained
148   */
149  public String getCurrentUserName() throws IOException {
150    User user = getCurrent();
151    return user == null ? null : user.getName();
152  }
153
154  /**
155   * @return <tt>true</tt> if security is enabled, <tt>false</tt> otherwise
156   */
157  public boolean isHBaseSecurityEnabled() {
158    return User.isHBaseSecurityEnabled(this.getConf());
159  }
160
161  /**
162   * @return whether or not Kerberos authentication is configured for Hadoop. For non-secure Hadoop,
163   *         this always returns <code>false</code>. For secure Hadoop, it will return the value
164   *         from {@code UserGroupInformation.isSecurityEnabled()}.
165   */
166  public boolean isHadoopSecurityEnabled() {
167    return User.isSecurityEnabled();
168  }
169
170  /**
171   * In secure environment, if a user specified his keytab and principal,
172   * a hbase client will try to login with them. Otherwise, hbase client will try to obtain
173   * ticket(through kinit) from system.
174   */
175  public boolean shouldLoginFromKeytab() {
176    return User.shouldLoginFromKeytab(this.getConf());
177  }
178
179  /**
180   * @return the current user within the current execution context
181   * @throws IOException if the user cannot be loaded
182   */
183  public User getCurrent() throws IOException {
184    return User.getCurrent();
185  }
186
187  /**
188   * Wraps an underlying {@code UserGroupInformation} instance.
189   * @param ugi The base Hadoop user
190   * @return User
191   */
192  public User create(UserGroupInformation ugi) {
193    if (ugi == null) {
194      return null;
195    }
196    return new User.SecureHadoopUser(ugi, groupCache);
197  }
198
199  /**
200   * Log in the current process using the given configuration keys for the credential file and login
201   * principal. It is for SPN(Service Principal Name) login. SPN should be this format,
202   * servicename/fully.qualified.domain.name@REALM.
203   * <p>
204   * <strong>This is only applicable when running on secure Hadoop</strong> -- see
205   * org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String). On regular
206   * Hadoop (without security features), this will safely be ignored.
207   * </p>
208   * @param fileConfKey Property key used to configure path to the credential file
209   * @param principalConfKey Property key used to configure login principal
210   * @param localhost Current hostname to use in any credentials
211   * @throws IOException underlying exception from SecurityUtil.login() call
212   */
213  public void login(String fileConfKey, String principalConfKey, String localhost)
214      throws IOException {
215    User.login(getConf(), fileConfKey, principalConfKey, localhost);
216  }
217
218  /**
219   * Login with given keytab and principal. This can be used for both SPN(Service Principal Name)
220   * and UPN(User Principal Name) which format should be clientname@REALM.
221   * @param fileConfKey config name for client keytab
222   * @param principalConfKey config name for client principal
223   * @throws IOException underlying exception from UserGroupInformation.loginUserFromKeytab
224   */
225  public void login(String fileConfKey, String principalConfKey) throws IOException {
226    User.login(getConf().get(fileConfKey), getConf().get(principalConfKey));
227  }
228}