View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase;
20  
21  import java.io.IOException;
22  import java.net.UnknownHostException;
23  
24  import org.apache.commons.logging.Log;
25  import org.apache.commons.logging.LogFactory;
26  import org.apache.hadoop.conf.Configuration;
27  import org.apache.hadoop.hbase.classification.InterfaceAudience;
28  import org.apache.hadoop.hbase.classification.InterfaceStability;
29  import org.apache.hadoop.hbase.security.UserProvider;
30  import org.apache.hadoop.hbase.util.Strings;
31  import org.apache.hadoop.hbase.util.Threads;
32  import org.apache.hadoop.net.DNS;
33  import org.apache.hadoop.security.UserGroupInformation;
34  
35  /**
36   * Utility methods for helping with security tasks.
37   */
38  @InterfaceAudience.Public
39  @InterfaceStability.Evolving
40  public class AuthUtil {
41    private static final Log LOG = LogFactory.getLog(AuthUtil.class);
42  
43    private AuthUtil() {
44      super();
45    }
46  
47    /**
48     * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
49     */
50    public static void launchAuthChore(Configuration conf) throws IOException {
51      UserProvider userProvider = UserProvider.instantiate(conf);
52      // login the principal (if using secure Hadoop)
53      boolean securityEnabled =
54          userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled();
55      if (!securityEnabled) return;
56      String host = null;
57      try {
58        host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
59            conf.get("hbase.client.dns.interface", "default"),
60            conf.get("hbase.client.dns.nameserver", "default")));
61        userProvider.login("hbase.client.keytab.file", "hbase.client.kerberos.principal", host);
62      } catch (UnknownHostException e) {
63        LOG.error("Error resolving host name: " + e.getMessage(), e);
64        throw e;
65      } catch (IOException e) {
66        LOG.error("Error while trying to perform the initial login: " + e.getMessage(), e);
67        throw e;
68      }
69  
70      final UserGroupInformation ugi = userProvider.getCurrent().getUGI();
71      Stoppable stoppable = new Stoppable() {
72        private volatile boolean isStopped = false;
73  
74        @Override
75        public void stop(String why) {
76          isStopped = true;
77        }
78  
79        @Override
80        public boolean isStopped() {
81          return isStopped;
82        }
83      };
84  
85      // if you're in debug mode this is useful to avoid getting spammed by the getTGT()
86      // you can increase this, keeping in mind that the default refresh window is 0.8
87      // e.g. 5min tgt * 0.8 = 4min refresh so interval is better be way less than 1min
88      final int CHECK_TGT_INTERVAL = 30 * 1000; // 30sec
89  
90      Chore refreshCredentials = new Chore("RefreshCredentials", CHECK_TGT_INTERVAL, stoppable) {
91        @Override
92        protected void chore() {
93          try {
94            ugi.checkTGTAndReloginFromKeytab();
95          } catch (IOException e) {
96            LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e);
97          }
98        }
99      };
100     // Start the chore for refreshing credentials
101     Threads.setDaemonThreadRunning(refreshCredentials.getThread());
102   }
103 }