View Javadoc

1   /*
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  
20  package org.apache.hadoop.hbase.security;
21  
22  import java.io.IOException;
23  import java.lang.reflect.UndeclaredThrowableException;
24  import java.security.PrivilegedAction;
25  import java.security.PrivilegedExceptionAction;
26  import java.util.Collection;
27  
28  import org.apache.commons.logging.Log;
29  import org.apache.commons.logging.LogFactory;
30  import org.apache.hadoop.conf.Configuration;
31  import org.apache.hadoop.hbase.classification.InterfaceAudience;
32  import org.apache.hadoop.hbase.classification.InterfaceStability;
33  import org.apache.hadoop.hbase.util.Methods;
34  import org.apache.hadoop.mapred.JobConf;
35  import org.apache.hadoop.mapreduce.Job;
36  import org.apache.hadoop.security.SecurityUtil;
37  import org.apache.hadoop.security.UserGroupInformation;
38  import org.apache.hadoop.security.token.Token;
39  import org.apache.hadoop.security.token.TokenIdentifier;
40  
41  /**
42   * Wrapper to abstract out usage of user and group information in HBase.
43   *
44   * <p>
45   * This class provides a common interface for interacting with user and group
46   * information across changing APIs in different versions of Hadoop.  It only
47   * provides access to the common set of functionality in
48   * {@link org.apache.hadoop.security.UserGroupInformation} currently needed by
49   * HBase, but can be extended as needs change.
50   * </p>
51   */
52  @InterfaceAudience.Public
53  @InterfaceStability.Stable
54  public abstract class User {
55    public static final String HBASE_SECURITY_CONF_KEY =
56        "hbase.security.authentication";
57    public static final String HBASE_SECURITY_AUTHORIZATION_CONF_KEY =
58        "hbase.security.authorization";
59  
60    private static Log LOG = LogFactory.getLog(User.class);
61  
62    protected UserGroupInformation ugi;
63  
64    public UserGroupInformation getUGI() {
65      return ugi;
66    }
67  
68    /**
69     * Returns the full user name.  For Kerberos principals this will include
70     * the host and realm portions of the principal name.
71     *
72     * @return User full name.
73     */
74    public String getName() {
75      return ugi.getUserName();
76    }
77  
78    /**
79     * Returns the list of groups of which this user is a member.  On secure
80     * Hadoop this returns the group information for the user as resolved on the
81     * server.  For 0.20 based Hadoop, the group names are passed from the client.
82     */
83    public String[] getGroupNames() {
84      return ugi.getGroupNames();
85    }
86  
87    /**
88     * Returns the shortened version of the user name -- the portion that maps
89     * to an operating system user name.
90     *
91     * @return Short name
92     */
93    public abstract String getShortName();
94  
95    /**
96     * Executes the given action within the context of this user.
97     */
98    public abstract <T> T runAs(PrivilegedAction<T> action);
99  
100   /**
101    * Executes the given action within the context of this user.
102    */
103   public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
104       throws IOException, InterruptedException;
105 
106   /**
107    * Requests an authentication token for this user and stores it in the
108    * user's credentials.
109    *
110    * @throws IOException
111    * @deprecated Use {@code TokenUtil.obtainAuthTokenForJob(HConnection,User,Job)}
112    *     instead.
113    */
114   @Deprecated
115   public abstract void obtainAuthTokenForJob(Configuration conf, Job job)
116       throws IOException, InterruptedException;
117 
118   /**
119    * Requests an authentication token for this user and stores it in the
120    * user's credentials.
121    *
122    * @throws IOException
123    * @deprecated Use {@code TokenUtil.obtainAuthTokenForJob(HConnection,JobConf,User)}
124    *     instead.
125    */
126   @Deprecated
127   public abstract void obtainAuthTokenForJob(JobConf job)
128       throws IOException, InterruptedException;
129 
130   /**
131    * Returns the Token of the specified kind associated with this user,
132    * or null if the Token is not present.
133    *
134    * @param kind the kind of token
135    * @param service service on which the token is supposed to be used
136    * @return the token of the specified kind.
137    */
138   public Token<?> getToken(String kind, String service) throws IOException {
139     for (Token<?> token : ugi.getTokens()) {
140       if (token.getKind().toString().equals(kind) &&
141           (service != null && token.getService().toString().equals(service))) {
142         return token;
143       }
144     }
145     return null;
146   }
147 
148   /**
149    * Returns all the tokens stored in the user's credentials.
150    */
151   public Collection<Token<? extends TokenIdentifier>> getTokens() {
152     return ugi.getTokens();
153   }
154 
155   /**
156    * Adds the given Token to the user's credentials.
157    *
158    * @param token the token to add
159    */
160   public void addToken(Token<? extends TokenIdentifier> token) {
161     ugi.addToken(token);
162   }
163 
164   @Override
165   public boolean equals(Object o) {
166     if (this == o) {
167       return true;
168     }
169     if (o == null || getClass() != o.getClass()) {
170       return false;
171     }
172     return ugi.equals(((User) o).ugi);
173   }
174 
175   @Override
176   public int hashCode() {
177     return ugi.hashCode();
178   }
179 
180   @Override
181   public String toString() {
182     return ugi.toString();
183   }
184 
185   /**
186    * Returns the {@code User} instance within current execution context.
187    */
188   public static User getCurrent() throws IOException {
189     User user = new SecureHadoopUser();
190     if (user.getUGI() == null) {
191       return null;
192     }
193     return user;
194   }
195 
196   /**
197    * Executes the given action as the login user
198    * @param action
199    * @return
200    * @throws IOException
201    * @throws InterruptedException
202    */
203   @SuppressWarnings({ "rawtypes", "unchecked" })
204   public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException {
205     return doAsUser(UserGroupInformation.getLoginUser(), action);
206   }
207 
208   private static <T> T doAsUser(UserGroupInformation ugi,
209       PrivilegedExceptionAction<T> action) throws IOException {
210     try {
211       return ugi.doAs(action);
212     } catch (InterruptedException ie) {
213       throw new IOException(ie);
214     }
215   }
216 
217   /**
218    * Wraps an underlying {@code UserGroupInformation} instance.
219    * @param ugi The base Hadoop user
220    * @return User
221    */
222   public static User create(UserGroupInformation ugi) {
223     if (ugi == null) {
224       return null;
225     }
226     return new SecureHadoopUser(ugi);
227   }
228 
229   /**
230    * Generates a new {@code User} instance specifically for use in test code.
231    * @param name the full username
232    * @param groups the group names to which the test user will belong
233    * @return a new <code>User</code> instance
234    */
235   public static User createUserForTesting(Configuration conf,
236       String name, String[] groups) {
237     User userForTesting = SecureHadoopUser.createUserForTesting(conf, name, groups);
238     return userForTesting;
239   }
240 
241   /**
242    * Log in the current process using the given configuration keys for the
243    * credential file and login principal.
244    *
245    * <p><strong>This is only applicable when
246    * running on secure Hadoop</strong> -- see
247    * org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String).
248    * On regular Hadoop (without security features), this will safely be ignored.
249    * </p>
250    *
251    * @param conf The configuration data to use
252    * @param fileConfKey Property key used to configure path to the credential file
253    * @param principalConfKey Property key used to configure login principal
254    * @param localhost Current hostname to use in any credentials
255    * @throws IOException underlying exception from SecurityUtil.login() call
256    */
257   public static void login(Configuration conf, String fileConfKey,
258       String principalConfKey, String localhost) throws IOException {
259     SecureHadoopUser.login(conf, fileConfKey, principalConfKey, localhost);
260   }
261 
262   /**
263    * Returns whether or not Kerberos authentication is configured for Hadoop.
264    * For non-secure Hadoop, this always returns <code>false</code>.
265    * For secure Hadoop, it will return the value from
266    * {@code UserGroupInformation.isSecurityEnabled()}.
267    */
268   public static boolean isSecurityEnabled() {
269     return SecureHadoopUser.isSecurityEnabled();
270   }
271 
272   /**
273    * Returns whether or not secure authentication is enabled for HBase. Note that
274    * HBase security requires HDFS security to provide any guarantees, so it is
275    * recommended that secure HBase should run on secure HDFS.
276    */
277   public static boolean isHBaseSecurityEnabled(Configuration conf) {
278     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));
279   }
280 
281   /* Concrete implementations */
282 
283   /**
284    * Bridges {@code User} invocations to underlying calls to
285    * {@link org.apache.hadoop.security.UserGroupInformation} for secure Hadoop
286    * 0.20 and versions 0.21 and above.
287    */
288   private static class SecureHadoopUser extends User {
289     private String shortName;
290 
291     private SecureHadoopUser() throws IOException {
292       ugi = UserGroupInformation.getCurrentUser();
293     }
294 
295     private SecureHadoopUser(UserGroupInformation ugi) {
296       this.ugi = ugi;
297     }
298 
299     @Override
300     public String getShortName() {
301       if (shortName != null) return shortName;
302       try {
303         shortName = ugi.getShortUserName();
304         return shortName;
305       } catch (Exception e) {
306         throw new RuntimeException("Unexpected error getting user short name",
307           e);
308       }
309     }
310 
311     @Override
312     public <T> T runAs(PrivilegedAction<T> action) {
313       return ugi.doAs(action);
314     }
315 
316     @Override
317     public <T> T runAs(PrivilegedExceptionAction<T> action)
318         throws IOException, InterruptedException {
319       return ugi.doAs(action);
320     }
321 
322     @Override
323     public void obtainAuthTokenForJob(Configuration conf, Job job)
324         throws IOException, InterruptedException {
325       try {
326         Class<?> c = Class.forName(
327             "org.apache.hadoop.hbase.security.token.TokenUtil");
328         Methods.call(c, null, "obtainTokenForJob",
329             new Class[]{Configuration.class, UserGroupInformation.class,
330                 Job.class},
331             new Object[]{conf, ugi, job});
332       } catch (ClassNotFoundException cnfe) {
333         throw new RuntimeException("Failure loading TokenUtil class, "
334             +"is secure RPC available?", cnfe);
335       } catch (IOException ioe) {
336         throw ioe;
337       } catch (InterruptedException ie) {
338         throw ie;
339       } catch (RuntimeException re) {
340         throw re;
341       } catch (Exception e) {
342         throw new UndeclaredThrowableException(e,
343             "Unexpected error calling TokenUtil.obtainAndCacheToken()");
344       }
345     }
346 
347     @Override
348     public void obtainAuthTokenForJob(JobConf job)
349         throws IOException, InterruptedException {
350       try {
351         Class<?> c = Class.forName(
352             "org.apache.hadoop.hbase.security.token.TokenUtil");
353         Methods.call(c, null, "obtainTokenForJob",
354             new Class[]{JobConf.class, UserGroupInformation.class},
355             new Object[]{job, ugi});
356       } catch (ClassNotFoundException cnfe) {
357         throw new RuntimeException("Failure loading TokenUtil class, "
358             +"is secure RPC available?", cnfe);
359       } catch (IOException ioe) {
360         throw ioe;
361       } catch (InterruptedException ie) {
362         throw ie;
363       } catch (RuntimeException re) {
364         throw re;
365       } catch (Exception e) {
366         throw new UndeclaredThrowableException(e,
367             "Unexpected error calling TokenUtil.obtainAndCacheToken()");
368       }
369     }
370 
371     /** @see User#createUserForTesting(org.apache.hadoop.conf.Configuration, String, String[]) */
372     public static User createUserForTesting(Configuration conf,
373         String name, String[] groups) {
374       return new SecureHadoopUser(UserGroupInformation.createUserForTesting(name, groups));
375     }
376 
377     /**
378      * Obtain credentials for the current process using the configured
379      * Kerberos keytab file and principal.
380      * @see User#login(org.apache.hadoop.conf.Configuration, String, String, String)
381      *
382      * @param conf the Configuration to use
383      * @param fileConfKey Configuration property key used to store the path
384      * to the keytab file
385      * @param principalConfKey Configuration property key used to store the
386      * principal name to login as
387      * @param localhost the local hostname
388      */
389     public static void login(Configuration conf, String fileConfKey,
390         String principalConfKey, String localhost) throws IOException {
391       if (isSecurityEnabled()) {
392         SecurityUtil.login(conf, fileConfKey, principalConfKey, localhost);
393       }
394     }
395 
396     /**
397      * Returns the result of {@code UserGroupInformation.isSecurityEnabled()}.
398      */
399     public static boolean isSecurityEnabled() {
400       return UserGroupInformation.isSecurityEnabled();
401     }
402   }
403 }