
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase;
20  
import java.io.IOException;
import java.net.UnknownHostException;
import java.util.Objects;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.classification.InterfaceStability;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.util.DNS;
import org.apache.hadoop.hbase.util.Strings;
import org.apache.hadoop.hbase.util.Threads;
import org.apache.hadoop.security.UserGroupInformation;
34  
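/**
 * Utility methods for helping with security tasks.
 * <p>
 * Two unrelated concerns live here:
 * <ul>
 *   <li>{@link #launchAuthChore(Configuration)}: keytab login for a secure client plus a
 *       background daemon thread that keeps the Kerberos TGT fresh.</li>
 *   <li>The {@code "@"}-prefix convention that distinguishes group principals from user
 *       principals in ACL entries ({@link #isGroupPrincipal(String)},
 *       {@link #getGroupName(String)}, {@link #toGroupEntry(String)}).</li>
 * </ul>
 * All methods are static and the class cannot be instantiated.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public class AuthUtil {
  private static final Log LOG = LogFactory.getLog(AuthUtil.class);

  /** Prefix character to denote group names */
  public static final String GROUP_PREFIX = "@";

  /**
   * How often the refresh chore checks whether the TGT needs renewing, in milliseconds.
   * If you're in debug mode this is useful to avoid getting spammed by the getTGT() call.
   * You can increase this, keeping in mind that the default refresh window is 0.8 of the
   * ticket lifetime, e.g. 5min tgt * 0.8 = 4min refresh, so the interval had better be
   * well under 1min or a short-lived ticket can expire between checks.
   */
  private static final int CHECK_TGT_INTERVAL_MS = 30 * 1000; // 30sec

  private AuthUtil() {
    super();
  }

  /**
   * Checks if security is enabled and if so, logs in from the configured keytab and launches
   * a chore for refreshing the Kerberos ticket.
   * <p>
   * Security is considered enabled only when both Hadoop security and HBase security are on;
   * otherwise this is a no-op. The login principal is built from the host name resolved via
   * {@code hbase.client.dns.interface} / {@code hbase.client.dns.nameserver}, using the keytab
   * and principal under {@code hbase.client.keytab.file} / {@code hbase.client.kerberos.principal}.
   * <p>
   * The refresh thread is a daemon and is never handed a handle to stop it, so it runs for the
   * remainder of the process. A failed renewal inside the chore is logged and retried on the
   * next tick; it is not surfaced to the caller, so operators should watch the log for
   * repeated "Got exception while trying to refresh credentials" errors.
   *
   * @param conf configuration holding the security flags, DNS and keytab settings
   * @throws UnknownHostException if the local host name cannot be resolved
   * @throws IOException if the initial keytab login fails
   */
  public static void launchAuthChore(Configuration conf) throws IOException {
    UserProvider userProvider = UserProvider.instantiate(conf);
    // login the principal (if using secure Hadoop)
    boolean securityEnabled =
        userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled();
    if (!securityEnabled) return;
    String host = null;
    try {
      host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
          conf.get("hbase.client.dns.interface", "default"),
          conf.get("hbase.client.dns.nameserver", "default")));
      userProvider.login("hbase.client.keytab.file", "hbase.client.kerberos.principal", host);
    } catch (UnknownHostException e) {
      // Logged here for context, then rethrown: without a host name there is no principal to
      // log in as, so the caller must not proceed as if it were authenticated.
      LOG.error("Error resolving host name: " + e.getMessage(), e);
      throw e;
    } catch (IOException e) {
      LOG.error("Error while trying to perform the initial login: " + e.getMessage(), e);
      throw e;
    }

    // Capture the UGI that the login above produced; the chore renews this identity only.
    final UserGroupInformation ugi = userProvider.getCurrent().getUGI();
    Stoppable stoppable = new Stoppable() {
      private volatile boolean isStopped = false;

      @Override
      public void stop(String why) {
        isStopped = true;
      }

      @Override
      public boolean isStopped() {
        return isStopped;
      }
    };

    Chore refreshCredentials = new Chore("RefreshCredentials", CHECK_TGT_INTERVAL_MS, stoppable) {
      @Override
      protected void chore() {
        try {
          // No-op unless the TGT is inside its refresh window; relogin uses the keytab.
          ugi.checkTGTAndReloginFromKeytab();
        } catch (IOException e) {
          // Best effort: log and let the next tick retry rather than kill the chore.
          LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e);
        }
      }
    };
    // Start the chore for refreshing credentials
    Threads.setDaemonThreadRunning(refreshCredentials.getThread());
  }

  /**
   * Returns whether or not the given name should be interpreted as a group
   * principal.  Currently this simply checks if the name starts with the
   * special group prefix character ("@").
   *
   * @param name the principal name to inspect; may be {@code null}
   * @return {@code true} if {@code name} is non-null and starts with {@link #GROUP_PREFIX}
   */
  public static boolean isGroupPrincipal(String name) {
    return name != null && name.startsWith(GROUP_PREFIX);
  }

  /**
   * Returns the actual name for a group principal (stripped of the
   * group prefix).
   * <p>
   * Only one leading prefix is removed, so {@code "@@x"} yields {@code "@x"}. Names that are
   * not group principals (including {@code null}) are returned unchanged.
   *
   * @param aclKey the ACL entry key, e.g. {@code "@admins"}; may be {@code null}
   * @return the bare group name, or {@code aclKey} itself if it is not a group principal
   */
  public static String getGroupName(String aclKey) {
    if (!isGroupPrincipal(aclKey)) {
      return aclKey;
    }

    return aclKey.substring(GROUP_PREFIX.length());
  }

  /**
   * Returns the group entry with the group prefix for a group principal.
   * <p>
   * The caller is expected to pass the bare group name; no check is made for an existing
   * prefix, so {@code "@x"} becomes {@code "@@x"}. A {@code null} name is rejected rather
   * than silently turned into the entry {@code "@null"}, which would otherwise grant the
   * permission to a group literally named "null".
   *
   * @param name the bare group name; must not be {@code null}
   * @return {@code name} prefixed with {@link #GROUP_PREFIX}
   * @throws NullPointerException if {@code name} is {@code null}
   */
  public static String toGroupEntry(String name) {
    Objects.requireNonNull(name, "group name");
    return GROUP_PREFIX + name;
  }
}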