org.apache.hadoop.hbase.security

Class User

java.lang.Object

org.apache.hadoop.hbase.security.User

@InterfaceAudience.Public
public abstract class User
extends Object

Wrapper to abstract out usage of user and group information in HBase.

This class provides a common interface for interacting with user and group information across changing APIs in different versions of Hadoop. It only provides access to the common set of functionality in UserGroupInformation currently needed by HBase, but can be extended as needs change.

Field Summary

Fields

Modifier and Type	Field and Description
static String	HBASE_SECURITY_AUTHORIZATION_CONF_KEY
static String	HBASE_SECURITY_CONF_KEY
protected org.apache.hadoop.security.UserGroupInformation	ugi

Constructor Summary

Constructors

Constructor and Description
User()

Method Summary

Modifier and Type	Method and Description
void	addToken(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token) Adds the given Token to the user's credentials.
static User	create(org.apache.hadoop.security.UserGroupInformation ugi) Wraps an underlying UserGroupInformation instance.
static User	createUserForTesting(org.apache.hadoop.conf.Configuration conf, String name, String[] groups) Generates a new User instance specifically for use in test code.
boolean	equals(Object o)
static User	getCurrent() Returns the User instance within current execution context.
String[]	getGroupNames() Returns the list of groups of which this user is a member.
String	getName() Returns the full user name.
abstract String	getShortName() Returns the shortened version of the user name -- the portion that maps to an operating system user name.
org.apache.hadoop.security.token.Token<?>	getToken(String kind, String service) Returns the Token of the specified kind associated with this user, or null if the Token is not present.
Collection<org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier>>	getTokens() Returns all the tokens stored in the user's credentials.
org.apache.hadoop.security.UserGroupInformation	getUGI()
int	hashCode()
static boolean	isHBaseSecurityEnabled(org.apache.hadoop.conf.Configuration conf) Returns whether or not secure authentication is enabled for HBase.
boolean	isLoginFromKeytab() Returns true if user credentials are obtained from keytab.
static boolean	isSecurityEnabled() Returns whether or not Kerberos authentication is configured for Hadoop.
static void	login(org.apache.hadoop.conf.Configuration conf, String fileConfKey, String principalConfKey, String localhost) Log in the current process using the given configuration keys for the credential file and login principal.
static void	login(String keytabLocation, String pricipalName) Login with the given keytab and principal.
abstract <T> T	runAs(PrivilegedAction<T> action) Executes the given action within the context of this user.
abstract <T> T	runAs(PrivilegedExceptionAction<T> action) Executes the given action within the context of this user.
static <T> T	runAsLoginUser(PrivilegedExceptionAction<T> action) Executes the given action as the login user
static boolean	shouldLoginFromKeytab(org.apache.hadoop.conf.Configuration conf) In secure environment, if a user specified his keytab and principal, a hbase client will try to login with them.
String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

HBASE_SECURITY_CONF_KEY

public static final String HBASE_SECURITY_CONF_KEY

See Also:

Constant Field Values

HBASE_SECURITY_AUTHORIZATION_CONF_KEY

public static final String HBASE_SECURITY_AUTHORIZATION_CONF_KEY

See Also:

Constant Field Values

ugi

protected org.apache.hadoop.security.UserGroupInformation ugi

Constructor Detail

User

public User()

Method Detail

getUGI

public org.apache.hadoop.security.UserGroupInformation getUGI()

getName

public String getName()

Returns the full user name. For Kerberos principals this will include the host and realm portions of the principal name.

Returns:

User full name.

getGroupNames

public String[] getGroupNames()

Returns the list of groups of which this user is a member. On secure Hadoop this returns the group information for the user as resolved on the server. For 0.20 based Hadoop, the group names are passed from the client.

getShortName

public abstract String getShortName()

Returns the shortened version of the user name -- the portion that maps to an operating system user name.

Returns:

Short name

runAs

public abstract <T> T runAs(PrivilegedAction<T> action)

Executes the given action within the context of this user.

runAs

public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
                     throws IOException,
                            InterruptedException

Executes the given action within the context of this user.

Throws:

IOException

InterruptedException

getToken

public org.apache.hadoop.security.token.Token<?> getToken(String kind,
                                                          String service)
                                                   throws IOException

Returns the Token of the specified kind associated with this user, or null if the Token is not present.

Parameters:

kind - the kind of token

service - service on which the token is supposed to be used

Returns:

the token of the specified kind.

Throws:

IOException

getTokens

public Collection<org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier>> getTokens()

Returns all the tokens stored in the user's credentials.

addToken

public void addToken(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token)

Adds the given Token to the user's credentials.

Parameters:

token - the token to add

isLoginFromKeytab

public boolean isLoginFromKeytab()

Returns true if user credentials are obtained from keytab.

equals

public boolean equals(Object o)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

toString

public String toString()

Overrides:

toString in class Object

getCurrent

public static User getCurrent()
                       throws IOException

Returns the User instance within current execution context.

Throws:

IOException

runAsLoginUser

public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action)
                            throws IOException

Executes the given action as the login user

Throws:

IOException

create

public static User create(org.apache.hadoop.security.UserGroupInformation ugi)

Wraps an underlying UserGroupInformation instance.

Parameters:

ugi - The base Hadoop user n

createUserForTesting

public static User createUserForTesting(org.apache.hadoop.conf.Configuration conf,
                                        String name,
                                        String[] groups)

Generates a new User instance specifically for use in test code.

Parameters:

name - the full username

groups - the group names to which the test user will belong

Returns:

a new User instance

login

public static void login(org.apache.hadoop.conf.Configuration conf,
                         String fileConfKey,
                         String principalConfKey,
                         String localhost)
                  throws IOException

Log in the current process using the given configuration keys for the credential file and login principal.

This is only applicable when running on secure Hadoop -- see org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String). On regular Hadoop (without security features), this will safely be ignored.

Parameters:

conf - The configuration data to use

fileConfKey - Property key used to configure path to the credential file

principalConfKey - Property key used to configure login principal

localhost - Current hostname to use in any credentials

Throws:

IOException - underlying exception from SecurityUtil.login() call

login

public static void login(String keytabLocation,
                         String pricipalName)
                  throws IOException

Login with the given keytab and principal.

Parameters:

keytabLocation - path of keytab

pricipalName - login principal

Throws:

IOException - underlying exception from UserGroupInformation.loginUserFromKeytab

isSecurityEnabled

public static boolean isSecurityEnabled()

Returns whether or not Kerberos authentication is configured for Hadoop. For non-secure Hadoop, this always returns false. For secure Hadoop, it will return the value from UserGroupInformation.isSecurityEnabled().

isHBaseSecurityEnabled

public static boolean isHBaseSecurityEnabled(org.apache.hadoop.conf.Configuration conf)

Returns whether or not secure authentication is enabled for HBase. Note that HBase security requires HDFS security to provide any guarantees, so it is recommended that secure HBase should run on secure HDFS.

shouldLoginFromKeytab

public static boolean shouldLoginFromKeytab(org.apache.hadoop.conf.Configuration conf)

In secure environment, if a user specified his keytab and principal, a hbase client will try to login with them. Otherwise, hbase client will try to obtain ticket(through kinit) from system.

Parameters:

conf - configuration file

Returns:

true if keytab and principal are configured