Class AuthUtil

java.lang.Object
org.apache.hadoop.hbase.AuthUtil

@Deprecated @Public public final class AuthUtil extends Object
Deprecated.
since 2.2.0, to be marked as InterfaceAudience.Private in 4.0.0.
Utility methods for helping with security tasks. Downstream users may rely on this class to handle authenticating via keytab where long-running services need access to a secure HBase cluster. Callers must ensure:
  • HBase configuration files are on the classpath
  • hbase.client.keytab.file points to a valid keytab on the local filesystem
  • hbase.client.kerberos.principal gives the Kerberos principal to use
   ChoreService choreService = null;
   // Presumes HBase configuration files are on the classpath
   final Configuration conf = HBaseConfiguration.create();
   final ScheduledChore authChore = AuthUtil.getAuthChore(conf);
   if (authChore != null) {
     choreService = new ChoreService("MY_APPLICATION");
     choreService.scheduleChore(authChore);
   }
   try {
     // do application work
   } finally {
     if (choreService != null) {
       choreService.shutdown();
     }
   }
 
See the "Running Canary in a Kerberos-enabled Cluster" section of the HBase Reference Guide for an example of configuring a user of this Auth Chore to run on a secure cluster.
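
A pre-flight check for the three caller requirements listed above, as an added example that is not part of HBase or of this Javadoc. `KeytabPreflight` is a hypothetical class name, and the leading-byte and file-permission checks are additions beyond what the page requires.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
// Added example: KeytabPreflight is a hypothetical helper, not part of HBase.
public final class KeytabPreflight {
  // Returns the problems found; an empty list means the prerequisites hold.
  static List<String> check(Configuration conf) throws IOException {
    List<String> problems = new ArrayList<>();
    String principal = conf.get("hbase.client.kerberos.principal");
    if (principal == null || principal.isEmpty()) {
      problems.add("hbase.client.kerberos.principal is not set");
    }
    String keytab = conf.get("hbase.client.keytab.file");
    if (keytab == null || keytab.isEmpty()) {
      problems.add("hbase.client.keytab.file is not set");
      return problems;
    }
    Path path = Paths.get(keytab);
    if (!Files.isRegularFile(path) || !Files.isReadable(path)) {
      problems.add("keytab is missing or unreadable: " + path);
      return problems;
    }
    try (InputStream in = Files.newInputStream(path)) {
      // Keytab files begin with byte 0x05, then the format version (0x01 or 0x02).
      int magic = in.read();
      int version = in.read();
      if (magic != 0x05 || (version != 0x01 && version != 0x02)) {
        problems.add("file does not look like a keytab: " + path);
      }
    }
    // A keytab holds long-term keys: only the owning account should read it.
    if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
      Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
      if (perms.contains(PosixFilePermission.GROUP_READ)
          || perms.contains(PosixFilePermission.OTHERS_READ)) {
        problems.add("keytab is readable by group or others: " + path);
      }
    }
    return problems;
  }
  public static void main(String[] args) throws IOException {
    List<String> problems = check(HBaseConfiguration.create());
    problems.forEach(System.err::println);
    System.exit(problems.isEmpty() ? 0 : 1);
  }
}
```

If the HBase configuration files are not on the classpath, both properties come back unset, so the first requirement surfaces as the two "is not set" findings.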
 
This class will be for internal use only from version 2.2.0, and will work transparently for kerberized applications. For more information, please refer to "Client-side Configuration for Secure Operation".
  • Field Details

  • Constructor Details

    • AuthUtil

      private AuthUtil()
      Deprecated.
  • Method Details

    • loginClient

      @Private public static User loginClient(org.apache.hadoop.conf.Configuration conf) throws IOException
      Deprecated.
      For a kerberized cluster, returns the login user (from kinit, or from keytab if specified). For a non-kerberized cluster, returns the system user.
      Parameters:
      conf - configuration file
      Throws:
      IOException - login exception
    • checkPrincipalMatch

      private static boolean checkPrincipalMatch(org.apache.hadoop.conf.Configuration conf, String loginUserName)
      Deprecated.
    • loginFromKeytabAndReturnUser

      private static User loginFromKeytabAndReturnUser(UserProvider provider) throws IOException
      Deprecated.
      Throws:
      IOException
    • loginClientAsService

      private static User loginClientAsService(org.apache.hadoop.conf.Configuration conf) throws IOException
      Deprecated.
      For a kerberized cluster, returns the login user (from kinit or from keytab). The principal should be in the following format: name/fully.qualified.domain.name@REALM. For a non-kerberized cluster, returns the system user.

      Using this method is NOT recommended unless you are sure of what you are doing; it is for the canary only. Please use User#loginClient.

      Parameters:
      conf - configuration file
      Throws:
      IOException - login exception
    • getAuthRenewalChore

      @Private public static ScheduledChore getAuthRenewalChore(org.apache.hadoop.security.UserGroupInformation user, org.apache.hadoop.conf.Configuration conf)
      Deprecated.
      Checks if security is enabled and, if so, launches a chore for refreshing the Kerberos ticket.
      Returns:
      a ScheduledChore for renewals.
    • getAuthChore

      @Deprecated public static ScheduledChore getAuthChore(org.apache.hadoop.conf.Configuration conf) throws IOException
      Deprecated.
      Deprecated since 2.2.0; this method will be for InterfaceAudience.Private use only after 4.0.0.
      Checks if security is enabled and, if so, launches a chore for refreshing the Kerberos ticket.
      Parameters:
      conf - the hbase service configuration
      Returns:
      a ScheduledChore for renewals, if needed, and null otherwise.
      Throws:
      IOException
    • createDummyStoppable

      private static Stoppable createDummyStoppable()
      Deprecated.
    • isGroupPrincipal

      @Private public static boolean isGroupPrincipal(String name)
      Deprecated.
      Returns whether or not the given name should be interpreted as a group principal. Currently this simply checks if the name starts with the special group prefix character ("@").
    • getGroupName

      @Private public static String getGroupName(String aclKey)
      Deprecated.
      Returns the actual name for a group principal (stripped of the group prefix).
    • toGroupEntry

      @Private public static String toGroupEntry(String name)
      Deprecated.
      Returns the group entry with the group prefix for a group principal.
    • isAuthRenewalChoreEnabled

      static boolean isAuthRenewalChoreEnabled(org.apache.hadoop.conf.Configuration conf)
      Deprecated.
      Returns true if the chore to automatically renew Kerberos tickets (from keytabs) should be started. The default is true.