AuthUtil (Apache HBase 2.5.0 API)

java.lang.Object
- org.apache.hadoop.hbase.AuthUtil

Deprecated.
since 2.2.0, to be marked as InterfaceAudience.Private in 4.0.0.
```
@Deprecated
 @InterfaceAudience.Public
public final class AuthUtil
extends Object
```
Utility methods for helping with security tasks. Downstream users may rely on this class to handle authenticating via keytab where long running services need access to a secure HBase cluster. Callers must ensure:
- HBase configuration files are in the Classpath
- hbase.client.keytab.file points to a valid keytab on the local filesystem
- hbase.client.kerberos.principal gives the Kerberos principal to use
```
 {
   @code
   ChoreService choreService = null;
   // Presumes HBase configuration files are on the classpath
   final Configuration conf = HBaseConfiguration.create();
   final ScheduledChore authChore = AuthUtil.getAuthChore(conf);
   if (authChore != null) {
     choreService = new ChoreService("MY_APPLICATION");
     choreService.scheduleChore(authChore);
   }
   try {
     // do application work
   } finally {
     if (choreService != null) {
       choreService.shutdown();
     }
   }
 }
 
```
See the "Running Canary in a Kerberos-enabled Cluster" section of the HBase Reference Guide for an example of configuring a user of this Auth Chore to run on a secure cluster.
```
 
```
This class will be internal used only from 2.2.0 version, and will transparently work for kerberized applications. For more, please refer Client-side Configuration for Secure Operation
See Also:

HBASE-20886

Field Summary

Fields
Modifier and Type	Field and Description
`private static String`	`GROUP_PREFIX` Deprecated. Prefix character to denote group names
`static boolean`	`HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT` Deprecated.
`static String`	`HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY` Deprecated. Configuration to automatically try to renew keytab-based logins
`static String`	`HBASE_CLIENT_KERBEROS_PRINCIPAL` Deprecated. Client principal
`static String`	`HBASE_CLIENT_KEYTAB_FILE` Deprecated. Client keytab file
`private static org.slf4j.Logger`	`LOG` Deprecated.

Constructor Summary

Constructors
Modifier Constructor and Description

private AuthUtil()
Deprecated.

Constructors
Modifier	Constructor and Description
`private`	`AuthUtil()` Deprecated.

Method Summary

All Methods Static Methods Concrete Methods Deprecated Methods
Modifier and Type	Method and Description
`private static boolean`	`checkPrincipalMatch(org.apache.hadoop.conf.Configuration conf, String loginUserName)` Deprecated.
`private static Stoppable`	`createDummyStoppable()` Deprecated.
`static ScheduledChore`	`getAuthChore(org.apache.hadoop.conf.Configuration conf)` Deprecated. Deprecated since 2.2.0, this method will be `InterfaceAudience.Private` use only after 4.0.0.
`static ScheduledChore`	`getAuthRenewalChore(org.apache.hadoop.security.UserGroupInformation user, org.apache.hadoop.conf.Configuration conf)` Deprecated. Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
`static String`	`getGroupName(String aclKey)` Deprecated. Returns the actual name for a group principal (stripped of the group prefix).
`(package private) static boolean`	`isAuthRenewalChoreEnabled(org.apache.hadoop.conf.Configuration conf)` Deprecated. Returns true if the chore to automatically renew Kerberos tickets (from keytabs) should be started.
`static boolean`	`isGroupPrincipal(String name)` Deprecated. Returns whether or not the given name should be interpreted as a group principal.
`static User`	`loginClient(org.apache.hadoop.conf.Configuration conf)` Deprecated. For kerberized cluster, return login user (from kinit or from keytab if specified).
`private static User`	`loginClientAsService(org.apache.hadoop.conf.Configuration conf)` Deprecated. For kerberized cluster, return login user (from kinit or from keytab).
`private static User`	`loginFromKeytabAndReturnUser(UserProvider provider)` Deprecated.
`static String`	`toGroupEntry(String name)` Deprecated. Returns the group entry with the group prefix for a group principal.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - LOG
```
private static final org.slf4j.Logger LOG
```
    Deprecated.
  - GROUP_PREFIX
```
private static final String GROUP_PREFIX
```
    Deprecated.
    
    Prefix character to denote group names
    
    See Also:
    
    Constant Field Values
  - HBASE_CLIENT_KEYTAB_FILE
```
public static final String HBASE_CLIENT_KEYTAB_FILE
```
    Deprecated.
    
    Client keytab file
    
    See Also:
    
    Constant Field Values
  - HBASE_CLIENT_KERBEROS_PRINCIPAL
```
public static final String HBASE_CLIENT_KERBEROS_PRINCIPAL
```
    Deprecated.
    
    Client principal
    
    See Also:
    
    Constant Field Values
  - HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY
```
public static final String HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY
```
    Deprecated.
    
    Configuration to automatically try to renew keytab-based logins
    
    See Also:
    
    Constant Field Values
  - HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT
```
public static final boolean HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT
```
    Deprecated.
    
    See Also:
    
    Constant Field Values
- Constructor Detail
  - AuthUtil
```
private AuthUtil()
```
    Deprecated.
- Method Detail
  - loginClient
```
@InterfaceAudience.Private
public static User loginClient(org.apache.hadoop.conf.Configuration conf)
                                                   throws IOException
```
    Deprecated.
    
    For kerberized cluster, return login user (from kinit or from keytab if specified). For non-kerberized cluster, return system user.
    
    Parameters:
    
    conf - configuartion file n * @throws IOException login exception
    
    Throws:
    
    IOException
  - checkPrincipalMatch
```
private static boolean checkPrincipalMatch(org.apache.hadoop.conf.Configuration conf,
                                           String loginUserName)
```
    Deprecated.
  - loginFromKeytabAndReturnUser
```
private static User loginFromKeytabAndReturnUser(UserProvider provider)
                                          throws IOException
```
    Deprecated.
    
    Throws:
    
    IOException
  - loginClientAsService
```
private static User loginClientAsService(org.apache.hadoop.conf.Configuration conf)
                                  throws IOException
```
    Deprecated.
    
    For kerberized cluster, return login user (from kinit or from keytab). Principal should be the following format: name/fully.qualified.domain.name@REALM. For non-kerberized cluster, return system user.
    NOT recommend to use to method unless you're sure what you're doing, it is for canary only. Please use User#loginClient.
    
    Parameters:
    
    conf - configuration file n * @throws IOException login exception
    
    Throws:
    
    IOException
  - getAuthRenewalChore
```
@InterfaceAudience.Private
public static ScheduledChore getAuthRenewalChore(org.apache.hadoop.security.UserGroupInformation user,
                                                                            org.apache.hadoop.conf.Configuration conf)
```
    Deprecated.
    
    Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
    
    Returns:
    
    a ScheduledChore for renewals.
  - getAuthChore
```
@Deprecated
public static ScheduledChore getAuthChore(org.apache.hadoop.conf.Configuration conf)
                                               throws IOException
```
    Deprecated. Deprecated since 2.2.0, this method will be InterfaceAudience.Private use only after 4.0.0.
    
    Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
    
    Parameters:
    
    conf - the hbase service configuration
    
    Returns:
    
    a ScheduledChore for renewals, if needed, and null otherwise.
    
    Throws:
    
    IOException
    
    See Also:
    
    HBASE-20886
  - createDummyStoppable
```
private static Stoppable createDummyStoppable()
```
    Deprecated.
  - isGroupPrincipal
```
@InterfaceAudience.Private
public static boolean isGroupPrincipal(String name)
```
    Deprecated.
    
    Returns whether or not the given name should be interpreted as a group principal. Currently this simply checks if the name starts with the special group prefix character ("@").
  - getGroupName
```
@InterfaceAudience.Private
public static String getGroupName(String aclKey)
```
    Deprecated.
    
    Returns the actual name for a group principal (stripped of the group prefix).
  - toGroupEntry
```
@InterfaceAudience.Private
public static String toGroupEntry(String name)
```
    Deprecated.
    
    Returns the group entry with the group prefix for a group principal.
  - isAuthRenewalChoreEnabled
```
static boolean isAuthRenewalChoreEnabled(org.apache.hadoop.conf.Configuration conf)
```
    Deprecated.
    
    Returns true if the chore to automatically renew Kerberos tickets (from keytabs) should be started. The default is true.

Class AuthUtil

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

LOG

GROUP_PREFIX

HBASE_CLIENT_KEYTAB_FILE

HBASE_CLIENT_KERBEROS_PRINCIPAL

HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY

HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT

Constructor Detail

AuthUtil

Method Detail

loginClient

checkPrincipalMatch

loginFromKeytabAndReturnUser

loginClientAsService

getAuthRenewalChore

getAuthChore

createDummyStoppable

isGroupPrincipal

getGroupName

toGroupEntry

isAuthRenewalChoreEnabled