001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security; 019 020import java.io.IOException; 021import java.util.LinkedHashSet; 022import java.util.Set; 023import java.util.concurrent.Callable; 024import java.util.concurrent.Executors; 025import java.util.concurrent.TimeUnit; 026import org.apache.hadoop.conf.Configuration; 027import org.apache.hadoop.fs.CommonConfigurationKeys; 028import org.apache.hadoop.hbase.BaseConfigurable; 029import org.apache.hadoop.security.Groups; 030import org.apache.hadoop.security.UserGroupInformation; 031import org.apache.hadoop.util.ReflectionUtils; 032import org.apache.yetus.audience.InterfaceAudience; 033 034import org.apache.hbase.thirdparty.com.google.common.cache.CacheBuilder; 035import org.apache.hbase.thirdparty.com.google.common.cache.CacheLoader; 036import org.apache.hbase.thirdparty.com.google.common.cache.LoadingCache; 037import org.apache.hbase.thirdparty.com.google.common.util.concurrent.ListenableFuture; 038import org.apache.hbase.thirdparty.com.google.common.util.concurrent.ListeningExecutorService; 039import org.apache.hbase.thirdparty.com.google.common.util.concurrent.MoreExecutors; 040import org.apache.hbase.thirdparty.com.google.common.util.concurrent.ThreadFactoryBuilder; 041 042/** 043 * Provide an instance of a user. Allows custom {@link User} creation. 044 */ 045@InterfaceAudience.Private 046public class UserProvider extends BaseConfigurable { 047 048 private static final String USER_PROVIDER_CONF_KEY = "hbase.client.userprovider.class"; 049 private static final ListeningExecutorService executor = 050 MoreExecutors.listeningDecorator(Executors.newScheduledThreadPool(1, 051 new ThreadFactoryBuilder().setDaemon(true).setNameFormat("group-cache-%d").build())); 052 053 private LoadingCache<String, String[]> groupCache = null; 054 055 static Groups groups = Groups.getUserToGroupsMappingService(); 056 057 public static Groups getGroups() { 058 return groups; 059 } 060 061 public static void setGroups(Groups groups) { 062 UserProvider.groups = groups; 063 } 064 065 @Override 066 public void setConf(final Configuration conf) { 067 super.setConf(conf); 068 069 synchronized (UserProvider.class) { 070 if (!(groups instanceof User.TestingGroups)) { 071 groups = Groups.getUserToGroupsMappingService(conf); 072 } 073 } 074 075 long cacheTimeout = getConf().getLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS, 076 CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS_DEFAULT) * 1000; 077 078 this.groupCache = CacheBuilder.newBuilder() 079 // This is the same timeout that hadoop uses. So we'll follow suit. 080 .refreshAfterWrite(cacheTimeout, TimeUnit.MILLISECONDS) 081 .expireAfterWrite(10 * cacheTimeout, TimeUnit.MILLISECONDS) 082 // Set concurrency level equal to the default number of handlers that 083 // the simple handler spins up. 084 .concurrencyLevel(20) 085 // create the loader 086 // This just delegates to UGI. 087 .build(new CacheLoader<String, String[]>() { 088 089 // Since UGI's don't hash based on the user id 090 // The cache needs to be keyed on the same thing that Hadoop's Groups class 091 // uses. So this cache uses shortname. 092 @Override 093 public String[] load(String ugi) throws Exception { 094 return getGroupStrings(ugi); 095 } 096 097 private String[] getGroupStrings(String ugi) { 098 try { 099 Set<String> result = new LinkedHashSet<>(groups.getGroups(ugi)); 100 return result.toArray(new String[result.size()]); 101 } catch (Exception e) { 102 return new String[0]; 103 } 104 } 105 106 // Provide the reload function that uses the executor thread. 107 @Override 108 public ListenableFuture<String[]> reload(final String k, String[] oldValue) 109 throws Exception { 110 111 return executor.submit(new Callable<String[]>() { 112 @Override 113 public String[] call() throws Exception { 114 return getGroupStrings(k); 115 } 116 }); 117 } 118 }); 119 } 120 121 /** 122 * Instantiate the {@link UserProvider} specified in the configuration and set the passed 123 * configuration via {@link UserProvider#setConf(Configuration)} 124 * @param conf to read and set on the created {@link UserProvider} 125 * @return a {@link UserProvider} ready for use. 126 */ 127 public static UserProvider instantiate(Configuration conf) { 128 Class<? extends UserProvider> clazz = 129 conf.getClass(USER_PROVIDER_CONF_KEY, UserProvider.class, UserProvider.class); 130 return ReflectionUtils.newInstance(clazz, conf); 131 } 132 133 /** 134 * Set the {@link UserProvider} in the given configuration that should be instantiated 135 * @param conf to update 136 * @param provider class of the provider to set 137 */ 138 public static void setUserProviderForTesting(Configuration conf, 139 Class<? extends UserProvider> provider) { 140 conf.set(USER_PROVIDER_CONF_KEY, provider.getName()); 141 } 142 143 /** 144 * Returns the userName for the current logged-in user. 145 * @throws IOException if the underlying user cannot be obtained 146 */ 147 public String getCurrentUserName() throws IOException { 148 User user = getCurrent(); 149 return user == null ? null : user.getName(); 150 } 151 152 /** Returns <tt>true</tt> if security is enabled, <tt>false</tt> otherwise */ 153 public boolean isHBaseSecurityEnabled() { 154 return User.isHBaseSecurityEnabled(this.getConf()); 155 } 156 157 /** 158 * Return whether or not Kerberos authentication is configured for Hadoop. For non-secure Hadoop, 159 * this always returns <code>false</code>. For secure Hadoop, it will return the value from 160 * {@code UserGroupInformation.isSecurityEnabled()}. 161 */ 162 public boolean isHadoopSecurityEnabled() { 163 return User.isSecurityEnabled(); 164 } 165 166 /** 167 * In secure environment, if a user specified his keytab and principal, a hbase client will try to 168 * login with them. Otherwise, hbase client will try to obtain ticket(through kinit) from system. 169 */ 170 public boolean shouldLoginFromKeytab() { 171 return User.shouldLoginFromKeytab(this.getConf()); 172 } 173 174 /** 175 * Return the current user within the current execution context 176 * @throws IOException if the user cannot be loaded 177 */ 178 public User getCurrent() throws IOException { 179 return User.getCurrent(); 180 } 181 182 /** 183 * Wraps an underlying {@code UserGroupInformation} instance. 184 * @param ugi The base Hadoop user n 185 */ 186 public User create(UserGroupInformation ugi) { 187 if (ugi == null) { 188 return null; 189 } 190 return new User.SecureHadoopUser(ugi, groupCache); 191 } 192 193 /** 194 * Log in the current process using the given configuration keys for the credential file and login 195 * principal. It is for SPN(Service Principal Name) login. SPN should be this format, 196 * servicename/fully.qualified.domain.name@REALM. 197 * <p> 198 * <strong>This is only applicable when running on secure Hadoop</strong> -- see 199 * org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String). On regular 200 * Hadoop (without security features), this will safely be ignored. 201 * </p> 202 * @param fileConfKey Property key used to configure path to the credential file 203 * @param principalConfKey Property key used to configure login principal 204 * @param localhost Current hostname to use in any credentials 205 * @throws IOException underlying exception from SecurityUtil.login() call 206 */ 207 public void login(String fileConfKey, String principalConfKey, String localhost) 208 throws IOException { 209 User.login(getConf(), fileConfKey, principalConfKey, localhost); 210 } 211 212 /** 213 * Login with given keytab and principal. This can be used for both SPN(Service Principal Name) 214 * and UPN(User Principal Name) which format should be clientname@REALM. 215 * @param fileConfKey config name for client keytab 216 * @param principalConfKey config name for client principal 217 * @throws IOException underlying exception from UserGroupInformation.loginUserFromKeytab 218 */ 219 public void login(String fileConfKey, String principalConfKey) throws IOException { 220 User.login(getConf().get(fileConfKey), getConf().get(principalConfKey)); 221 } 222}