001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.security; 019 020import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION; 021 022import java.io.File; 023import java.io.IOException; 024import java.lang.reflect.UndeclaredThrowableException; 025import java.security.AccessControlContext; 026import java.security.AccessController; 027import java.security.Principal; 028import java.security.PrivilegedAction; 029import java.security.PrivilegedActionException; 030import java.security.PrivilegedExceptionAction; 031import java.util.Arrays; 032import java.util.Collection; 033import java.util.Collections; 034import java.util.HashMap; 035import java.util.List; 036import java.util.Map; 037import java.util.Set; 038 039import javax.security.auth.Subject; 040import javax.security.auth.callback.CallbackHandler; 041import javax.security.auth.kerberos.KerberosKey; 042import javax.security.auth.kerberos.KerberosPrincipal; 043import javax.security.auth.kerberos.KerberosTicket; 044import javax.security.auth.login.AppConfigurationEntry; 045import javax.security.auth.login.LoginContext; 046import javax.security.auth.login.LoginException; 047import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag; 048import javax.security.auth.spi.LoginModule; 049 050import org.apache.commons.logging.Log; 051import org.apache.commons.logging.LogFactory; 052import org.apache.hadoop.classification.InterfaceAudience; 053import org.apache.hadoop.classification.InterfaceStability; 054import org.apache.hadoop.conf.Configuration; 055import org.apache.hadoop.fs.Path; 056import org.apache.hadoop.io.Text; 057import org.apache.hadoop.metrics2.annotation.Metric; 058import org.apache.hadoop.metrics2.annotation.Metrics; 059import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem; 060import org.apache.hadoop.metrics2.lib.MutableRate; 061import org.apache.hadoop.security.authentication.util.KerberosName; 062import org.apache.hadoop.security.authentication.util.KerberosUtil; 063import org.apache.hadoop.security.token.Token; 064import org.apache.hadoop.security.token.TokenIdentifier; 065import org.apache.hadoop.util.Shell; 066 067import com.google.common.annotations.VisibleForTesting; 068 069/** 070 * User and group information for Hadoop. 071 * This class wraps around a JAAS Subject and provides methods to determine the 072 * user's username and groups. It supports both the Windows, Unix and Kerberos 073 * login modules. 074 */ 075@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) 076@InterfaceStability.Evolving 077public class UserGroupInformation { 078 private static final Log LOG = LogFactory.getLog(UserGroupInformation.class); 079 /** 080 * Percentage of the ticket window to use before we renew ticket. 081 */ 082 private static final float TICKET_RENEW_WINDOW = 0.80f; 083 static final String HADOOP_USER_NAME = "HADOOP_USER_NAME"; 084 static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER"; 085 086 /** 087 * UgiMetrics maintains UGI activity statistics 088 * and publishes them through the metrics interfaces. 089 */ 090 @Metrics(about="User and group related metrics", context="ugi") 091 static class UgiMetrics { 092 @Metric("Rate of successful kerberos logins and latency (milliseconds)") 093 MutableRate loginSuccess; 094 @Metric("Rate of failed kerberos logins and latency (milliseconds)") 095 MutableRate loginFailure; 096 097 static UgiMetrics create() { 098 return DefaultMetricsSystem.instance().register(new UgiMetrics()); 099 } 100 } 101 102 /** 103 * A login module that looks at the Kerberos, Unix, or Windows principal and 104 * adds the corresponding UserName. 105 */ 106 @InterfaceAudience.Private 107 public static class HadoopLoginModule implements LoginModule { 108 private Subject subject; 109 110 @Override 111 public boolean abort() throws LoginException { 112 return true; 113 } 114 115 private <T extends Principal> T getCanonicalUser(Class<T> cls) { 116 for(T user: subject.getPrincipals(cls)) { 117 return user; 118 } 119 return null; 120 } 121 122 @Override 123 public boolean commit() throws LoginException { 124 if (LOG.isDebugEnabled()) { 125 LOG.debug("hadoop login commit"); 126 } 127 // if we already have a user, we are done. 128 if (!subject.getPrincipals(User.class).isEmpty()) { 129 if (LOG.isDebugEnabled()) { 130 LOG.debug("using existing subject:"+subject.getPrincipals()); 131 } 132 return true; 133 } 134 Principal user = null; 135 // if we are using kerberos, try it out 136 if (useKerberos) { 137 user = getCanonicalUser(KerberosPrincipal.class); 138 if (LOG.isDebugEnabled()) { 139 LOG.debug("using kerberos user:"+user); 140 } 141 } 142 //If we don't have a kerberos user and security is disabled, check 143 //if user is specified in the environment or properties 144 if (!isSecurityEnabled() && (user == null)) { 145 String envUser = System.getenv(HADOOP_USER_NAME); 146 if (envUser == null) { 147 envUser = System.getProperty(HADOOP_USER_NAME); 148 } 149 user = envUser == null ? null : new User(envUser); 150 } 151 // use the OS user 152 if (user == null) { 153 user = getCanonicalUser(OS_PRINCIPAL_CLASS); 154 if (LOG.isDebugEnabled()) { 155 LOG.debug("using local user:"+user); 156 } 157 } 158 // if we found the user, add our principal 159 if (user != null) { 160 subject.getPrincipals().add(new User(user.getName())); 161 return true; 162 } 163 LOG.error("Can't find user in " + subject); 164 throw new LoginException("Can't find user name"); 165 } 166 167 @Override 168 public void initialize(Subject subject, CallbackHandler callbackHandler, 169 Map<String, ?> sharedState, Map<String, ?> options) { 170 this.subject = subject; 171 } 172 173 @Override 174 public boolean login() throws LoginException { 175 if (LOG.isDebugEnabled()) { 176 LOG.debug("hadoop login"); 177 } 178 return true; 179 } 180 181 @Override 182 public boolean logout() throws LoginException { 183 if (LOG.isDebugEnabled()) { 184 LOG.debug("hadoop logout"); 185 } 186 return true; 187 } 188 } 189 190 /** Metrics to track UGI activity */ 191 static UgiMetrics metrics = UgiMetrics.create(); 192 /** Are the static variables that depend on configuration initialized? */ 193 /** Should we use Kerberos configuration? */ 194 private static boolean useKerberos; 195 /** Server-side groups fetching service */ 196 private static Groups groups; 197 /** The configuration to use */ 198 private static Configuration conf; 199 200 201 /** Leave 10 minutes between relogin attempts. */ 202 private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L; 203 204 /**Environment variable pointing to the token cache file*/ 205 public static final String HADOOP_TOKEN_FILE_LOCATION = 206 "HADOOP_TOKEN_FILE_LOCATION"; 207 208 /** 209 * A method to initialize the fields that depend on a configuration. 210 * Must be called before useKerberos or groups is used. 211 */ 212 private static void ensureInitialized() { 213 if (conf == null) { 214 synchronized(UserGroupInformation.class) { 215 if (conf == null) { // someone might have beat us 216 initialize(new Configuration(), KerberosName.hasRulesBeenSet()); 217 } 218 } 219 } 220 } 221 222 /** 223 * Initialize UGI and related classes. 224 * @param conf the configuration to use 225 */ 226 private static synchronized void initialize(Configuration conf, boolean skipRulesSetting) { 227 initUGI(conf); 228 // give the configuration on how to translate Kerberos names 229 try { 230 if (!skipRulesSetting) { 231 HadoopKerberosName.setConfiguration(conf); 232 } 233 } catch (IOException ioe) { 234 throw new RuntimeException("Problem with Kerberos auth_to_local name " + 235 "configuration", ioe); 236 } 237 } 238 239 /** 240 * Set the configuration values for UGI. 241 * @param conf the configuration to use 242 */ 243 private static synchronized void initUGI(Configuration conf) { 244 String value = conf.get(HADOOP_SECURITY_AUTHENTICATION); 245 if (value == null || "simple".equals(value)) { 246 useKerberos = false; 247 } else if ("kerberos".equals(value)) { 248 useKerberos = true; 249 } else { 250 throw new IllegalArgumentException("Invalid attribute value for " + 251 HADOOP_SECURITY_AUTHENTICATION + 252 " of " + value); 253 } 254 // If we haven't set up testing groups, use the configuration to find it 255 if (!(groups instanceof TestingGroups)) { 256 groups = Groups.getUserToGroupsMappingService(conf); 257 } 258 UserGroupInformation.conf = conf; 259 } 260 261 /** 262 * Set the static configuration for UGI. 263 * In particular, set the security authentication mechanism and the 264 * group look up service. 265 * @param conf the configuration to use 266 */ 267 public static void setConfiguration(Configuration conf) { 268 initialize(conf, false); 269 } 270 271 /** 272 * Determine if UserGroupInformation is using Kerberos to determine 273 * user identities or is relying on simple authentication 274 * 275 * @return true if UGI is working in a secure environment 276 */ 277 public static boolean isSecurityEnabled() { 278 ensureInitialized(); 279 return useKerberos; 280 } 281 282 /** 283 * Information about the logged in user. 284 */ 285 private static UserGroupInformation loginUser = null; 286 private static String keytabPrincipal = null; 287 private static String keytabFile = null; 288 289 private final Subject subject; 290 // All non-static fields must be read-only caches that come from the subject. 291 private final User user; 292 private final boolean isKeytab; 293 private final boolean isKrbTkt; 294 295 private static String OS_LOGIN_MODULE_NAME; 296 private static Class<? extends Principal> OS_PRINCIPAL_CLASS; 297 private static final boolean windows = 298 System.getProperty("os.name").startsWith("Windows"); 299 /* Return the OS login module class name */ 300 private static String getOSLoginModuleName() { 301 if (System.getProperty("java.vendor").contains("IBM")) { 302 return windows ? "com.ibm.security.auth.module.NTLoginModule" 303 : "com.ibm.security.auth.module.LinuxLoginModule"; 304 } else { 305 return windows ? "com.sun.security.auth.module.NTLoginModule" 306 : "com.sun.security.auth.module.UnixLoginModule"; 307 } 308 } 309 310 /* Return the OS principal class */ 311 @SuppressWarnings("unchecked") 312 private static Class<? extends Principal> getOsPrincipalClass() { 313 ClassLoader cl = ClassLoader.getSystemClassLoader(); 314 try { 315 if (System.getProperty("java.vendor").contains("IBM")) { 316 if (windows) { 317 return (Class<? extends Principal>) 318 cl.loadClass("com.ibm.security.auth.UsernamePrincipal"); 319 } else { 320 return (Class<? extends Principal>) 321 (System.getProperty("os.arch").contains("64") 322 ? cl.loadClass("com.ibm.security.auth.UsernamePrincipal") 323 : cl.loadClass("com.ibm.security.auth.LinuxPrincipal")); 324 } 325 } else { 326 return (Class<? extends Principal>) (windows 327 ? cl.loadClass("com.sun.security.auth.NTUserPrincipal") 328 : cl.loadClass("com.sun.security.auth.UnixPrincipal")); 329 } 330 } catch (ClassNotFoundException e) { 331 LOG.error("Unable to find JAAS classes:" + e.getMessage()); 332 } 333 return null; 334 } 335 static { 336 OS_LOGIN_MODULE_NAME = getOSLoginModuleName(); 337 OS_PRINCIPAL_CLASS = getOsPrincipalClass(); 338 } 339 340 private static class RealUser implements Principal { 341 private final UserGroupInformation realUser; 342 343 RealUser(UserGroupInformation realUser) { 344 this.realUser = realUser; 345 } 346 347 public String getName() { 348 return realUser.getUserName(); 349 } 350 351 public UserGroupInformation getRealUser() { 352 return realUser; 353 } 354 355 @Override 356 public boolean equals(Object o) { 357 if (this == o) { 358 return true; 359 } else if (o == null || getClass() != o.getClass()) { 360 return false; 361 } else { 362 return realUser.equals(((RealUser) o).realUser); 363 } 364 } 365 366 @Override 367 public int hashCode() { 368 return realUser.hashCode(); 369 } 370 371 @Override 372 public String toString() { 373 return realUser.toString(); 374 } 375 } 376 377 /** 378 * A JAAS configuration that defines the login modules that we want 379 * to use for login. 380 */ 381 private static class HadoopConfiguration 382 extends javax.security.auth.login.Configuration { 383 private static final String SIMPLE_CONFIG_NAME = "hadoop-simple"; 384 private static final String USER_KERBEROS_CONFIG_NAME = 385 "hadoop-user-kerberos"; 386 private static final String KEYTAB_KERBEROS_CONFIG_NAME = 387 "hadoop-keytab-kerberos"; 388 389 private static final Map<String, String> BASIC_JAAS_OPTIONS = 390 new HashMap<String,String>(); 391 static { 392 String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG"); 393 if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) { 394 BASIC_JAAS_OPTIONS.put("debug", "true"); 395 } 396 } 397 398 private static final AppConfigurationEntry OS_SPECIFIC_LOGIN = 399 new AppConfigurationEntry(OS_LOGIN_MODULE_NAME, 400 LoginModuleControlFlag.REQUIRED, 401 BASIC_JAAS_OPTIONS); 402 private static final AppConfigurationEntry HADOOP_LOGIN = 403 new AppConfigurationEntry(HadoopLoginModule.class.getName(), 404 LoginModuleControlFlag.REQUIRED, 405 BASIC_JAAS_OPTIONS); 406 private static final Map<String,String> USER_KERBEROS_OPTIONS = 407 new HashMap<String,String>(); 408 static { 409 USER_KERBEROS_OPTIONS.put("doNotPrompt", "true"); 410 USER_KERBEROS_OPTIONS.put("useTicketCache", "true"); 411 USER_KERBEROS_OPTIONS.put("renewTGT", "true"); 412 String ticketCache = System.getenv("KRB5CCNAME"); 413 if (ticketCache != null) { 414 USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache); 415 } 416 USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); 417 } 418 private static final AppConfigurationEntry USER_KERBEROS_LOGIN = 419 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), 420 LoginModuleControlFlag.OPTIONAL, 421 USER_KERBEROS_OPTIONS); 422 private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS = 423 new HashMap<String,String>(); 424 static { 425 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); 426 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); 427 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); 428 KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); 429 KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); 430 } 431 private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = 432 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), 433 LoginModuleControlFlag.REQUIRED, 434 KEYTAB_KERBEROS_OPTIONS); 435 436 private static final AppConfigurationEntry[] SIMPLE_CONF = 437 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN}; 438 439 private static final AppConfigurationEntry[] USER_KERBEROS_CONF = 440 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN, 441 HADOOP_LOGIN}; 442 443 private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = 444 new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN}; 445 446 @Override 447 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { 448 if (SIMPLE_CONFIG_NAME.equals(appName)) { 449 return SIMPLE_CONF; 450 } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) { 451 return USER_KERBEROS_CONF; 452 } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) { 453 KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); 454 KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); 455 return KEYTAB_KERBEROS_CONF; 456 } 457 return null; 458 } 459 } 460 461 private static LoginContext 462 newLoginContext(String appName, Subject subject) throws LoginException { 463 // Temporarily switch the thread's ContextClassLoader to match this 464 // class's classloader, so that we can properly load HadoopLoginModule 465 // from the JAAS libraries. 466 Thread t = Thread.currentThread(); 467 ClassLoader oldCCL = t.getContextClassLoader(); 468 t.setContextClassLoader(HadoopLoginModule.class.getClassLoader()); 469 try { 470 return new LoginContext(appName, subject, null, new HadoopConfiguration()); 471 } finally { 472 t.setContextClassLoader(oldCCL); 473 } 474 } 475 476 private LoginContext getLogin() { 477 return user.getLogin(); 478 } 479 480 private void setLogin(LoginContext login) { 481 user.setLogin(login); 482 } 483 484 /** 485 * Create a UserGroupInformation for the given subject. 486 * This does not change the subject or acquire new credentials. 487 * @param subject the user's subject 488 */ 489 UserGroupInformation(Subject subject) { 490 this.subject = subject; 491 this.user = subject.getPrincipals(User.class).iterator().next(); 492 this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty(); 493 this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty(); 494 } 495 496 /** 497 * checks if logged in using kerberos 498 * @return true if the subject logged via keytab or has a Kerberos TGT 499 */ 500 public boolean hasKerberosCredentials() { 501 return isKeytab || isKrbTkt; 502 } 503 504 /** 505 * Return the current user, including any doAs in the current stack. 506 * @return the current user 507 * @throws IOException if login fails 508 */ 509 public synchronized 510 static UserGroupInformation getCurrentUser() throws IOException { 511 AccessControlContext context = AccessController.getContext(); 512 Subject subject = Subject.getSubject(context); 513 if (subject == null || subject.getPrincipals(User.class).isEmpty()) { 514 return getLoginUser(); 515 } else { 516 return new UserGroupInformation(subject); 517 } 518 } 519 520 /** 521 * Get the currently logged in user. 522 * @return the logged in user 523 * @throws IOException if login fails 524 */ 525 public synchronized 526 static UserGroupInformation getLoginUser() throws IOException { 527 if (loginUser == null) { 528 try { 529 Subject subject = new Subject(); 530 LoginContext login; 531 if (isSecurityEnabled()) { 532 login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, 533 subject); 534 } else { 535 login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME, 536 subject); 537 } 538 login.login(); 539 UserGroupInformation realUser = new UserGroupInformation(subject); 540 realUser.setLogin(login); 541 realUser.setAuthenticationMethod(isSecurityEnabled() ? 542 AuthenticationMethod.KERBEROS : 543 AuthenticationMethod.SIMPLE); 544 realUser = new UserGroupInformation(login.getSubject()); 545 // If the HADOOP_PROXY_USER environment variable or property 546 // is specified, create a proxy user as the logged in user. 547 String proxyUser = System.getenv(HADOOP_PROXY_USER); 548 if (proxyUser == null) { 549 proxyUser = System.getProperty(HADOOP_PROXY_USER); 550 } 551 setLoginUser(proxyUser == null ? realUser : createProxyUser(proxyUser, realUser)); 552 553 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION); 554 if (fileLocation != null) { 555 // Load the token storage file and put all of the tokens into the 556 // user. Don't use the FileSystem API for reading since it has a lock 557 // cycle (HADOOP-9212). 558 Credentials cred = Credentials.readTokenStorageFile( 559 new File(fileLocation), conf); 560 loginUser.addCredentials(cred); 561 } 562 loginUser.spawnAutoRenewalThreadForUserCreds(); 563 } catch (LoginException le) { 564 throw new IOException("failure to login", le); 565 } 566 if (LOG.isDebugEnabled()) { 567 LOG.debug("UGI loginUser:"+loginUser); 568 } 569 } 570 return loginUser; 571 } 572 573 @InterfaceAudience.Private 574 @InterfaceStability.Unstable 575 @VisibleForTesting 576 public synchronized static void setLoginUser(UserGroupInformation ugi) { 577 // if this is to become stable, should probably logout the currently 578 // logged in ugi if it's different 579 loginUser = ugi; 580 } 581 582 /** 583 * Is this user logged in from a keytab file? 584 * @return true if the credentials are from a keytab file. 585 */ 586 public boolean isFromKeytab() { 587 return isKeytab; 588 } 589 590 /** 591 * Get the Kerberos TGT 592 * @return the user's TGT or null if none was found 593 */ 594 private synchronized KerberosTicket getTGT() { 595 Set<KerberosTicket> tickets = subject 596 .getPrivateCredentials(KerberosTicket.class); 597 for (KerberosTicket ticket : tickets) { 598 if (SecurityUtil.isOriginalTGT(ticket)) { 599 if (LOG.isDebugEnabled()) { 600 LOG.debug("Found tgt " + ticket); 601 } 602 return ticket; 603 } 604 } 605 return null; 606 } 607 608 private long getRefreshTime(KerberosTicket tgt) { 609 long start = tgt.getStartTime().getTime(); 610 long end = tgt.getEndTime().getTime(); 611 return start + (long) ((end - start) * TICKET_RENEW_WINDOW); 612 } 613 614 /**Spawn a thread to do periodic renewals of kerberos credentials*/ 615 private void spawnAutoRenewalThreadForUserCreds() { 616 if (isSecurityEnabled()) { 617 //spawn thread only if we have kerb credentials 618 if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS && 619 !isKeytab) { 620 Thread t = new Thread(new Runnable() { 621 622 public void run() { 623 String cmd = conf.get("hadoop.kerberos.kinit.command", 624 "kinit"); 625 KerberosTicket tgt = getTGT(); 626 if (tgt == null) { 627 return; 628 } 629 long nextRefresh = getRefreshTime(tgt); 630 while (true) { 631 try { 632 long now = System.currentTimeMillis(); 633 if(LOG.isDebugEnabled()) { 634 LOG.debug("Current time is " + now); 635 LOG.debug("Next refresh is " + nextRefresh); 636 } 637 if (now < nextRefresh) { 638 Thread.sleep(nextRefresh - now); 639 } 640 Shell.execCommand(cmd, "-R"); 641 if(LOG.isDebugEnabled()) { 642 LOG.debug("renewed ticket"); 643 } 644 reloginFromTicketCache(); 645 tgt = getTGT(); 646 if (tgt == null) { 647 LOG.warn("No TGT after renewal. Aborting renew thread for " + 648 getUserName()); 649 return; 650 } 651 nextRefresh = Math.max(getRefreshTime(tgt), 652 now + MIN_TIME_BEFORE_RELOGIN); 653 } catch (InterruptedException ie) { 654 LOG.warn("Terminating renewal thread"); 655 return; 656 } catch (IOException ie) { 657 LOG.warn("Exception encountered while running the" + 658 " renewal command. Aborting renew thread. " + ie); 659 return; 660 } 661 } 662 } 663 }); 664 t.setDaemon(true); 665 t.setName("TGT Renewer for " + getUserName()); 666 t.start(); 667 } 668 } 669 } 670 /** 671 * Log a user in from a keytab file. Loads a user identity from a keytab 672 * file and logs them in. They become the currently logged-in user. 673 * @param user the principal name to load from the keytab 674 * @param path the path to the keytab file 675 * @throws IOException if the keytab file can't be read 676 */ 677 public synchronized 678 static void loginUserFromKeytab(String user, 679 String path 680 ) throws IOException { 681 if (!isSecurityEnabled()) 682 return; 683 684 keytabFile = path; 685 keytabPrincipal = user; 686 Subject subject = new Subject(); 687 LoginContext login; 688 long start = 0; 689 try { 690 login = 691 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); 692 start = System.currentTimeMillis(); 693 login.login(); 694 metrics.loginSuccess.add(System.currentTimeMillis() - start); 695 setLoginUser(new UserGroupInformation(subject)); 696 loginUser.setLogin(login); 697 loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS); 698 } catch (LoginException le) { 699 if (start > 0) { 700 metrics.loginFailure.add(System.currentTimeMillis() - start); 701 } 702 throw new IOException("Login failure for " + user + " from keytab " + 703 path, le); 704 } 705 LOG.info("Login successful for user " + keytabPrincipal 706 + " using keytab file " + keytabFile); 707 } 708 709 /** 710 * Re-login a user from keytab if TGT is expired or is close to expiry. 711 * 712 * @throws IOException 713 */ 714 public synchronized void checkTGTAndReloginFromKeytab() throws IOException { 715 if (!isSecurityEnabled() 716 || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS 717 || !isKeytab) 718 return; 719 KerberosTicket tgt = getTGT(); 720 if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) { 721 return; 722 } 723 reloginFromKeytab(); 724 } 725 726 /** 727 * Re-Login a user in from a keytab file. Loads a user identity from a keytab 728 * file and logs them in. They become the currently logged-in user. This 729 * method assumes that {@link #loginUserFromKeytab(String, String)} had 730 * happened already. 731 * The Subject field of this UserGroupInformation object is updated to have 732 * the new credentials. 733 * @throws IOException on a failure 734 */ 735 public synchronized void reloginFromKeytab() 736 throws IOException { 737 if (!isSecurityEnabled() || 738 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || 739 !isKeytab) 740 return; 741 742 long now = System.currentTimeMillis(); 743 if (!hasSufficientTimeElapsed(now)) { 744 return; 745 } 746 747 KerberosTicket tgt = getTGT(); 748 //Return if TGT is valid and is not going to expire soon. 749 if (tgt != null && now < getRefreshTime(tgt)) { 750 return; 751 } 752 753 LoginContext login = getLogin(); 754 if (login == null || keytabFile == null) { 755 throw new IOException("loginUserFromKeyTab must be done first"); 756 } 757 758 long start = 0; 759 // register most recent relogin attempt 760 user.setLastLogin(now); 761 try { 762 LOG.info("Initiating logout for " + getUserName()); 763 synchronized (UserGroupInformation.class) { 764 // clear up the kerberos state. But the tokens are not cleared! As per 765 // the Java kerberos login module code, only the kerberos credentials 766 // are cleared 767 login.logout(); 768 // login and also update the subject field of this instance to 769 // have the new credentials (pass it to the LoginContext constructor) 770 login = newLoginContext( 771 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject()); 772 LOG.info("Initiating re-login for " + keytabPrincipal); 773 start = System.currentTimeMillis(); 774 login.login(); 775 metrics.loginSuccess.add(System.currentTimeMillis() - start); 776 setLogin(login); 777 } 778 } catch (LoginException le) { 779 if (start > 0) { 780 metrics.loginFailure.add(System.currentTimeMillis() - start); 781 } 782 throw new IOException("Login failure for " + keytabPrincipal + 783 " from keytab " + keytabFile, le); 784 } 785 } 786 787 /** 788 * Re-Login a user in from the ticket cache. This 789 * method assumes that login had happened already. 790 * The Subject field of this UserGroupInformation object is updated to have 791 * the new credentials. 792 * @throws IOException on a failure 793 */ 794 public synchronized void reloginFromTicketCache() 795 throws IOException { 796 if (!isSecurityEnabled() || 797 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || 798 !isKrbTkt) 799 return; 800 LoginContext login = getLogin(); 801 if (login == null) { 802 throw new IOException("login must be done first"); 803 } 804 long now = System.currentTimeMillis(); 805 if (!hasSufficientTimeElapsed(now)) { 806 return; 807 } 808 // register most recent relogin attempt 809 user.setLastLogin(now); 810 try { 811 LOG.info("Initiating logout for " + getUserName()); 812 //clear up the kerberos state. But the tokens are not cleared! As per 813 //the Java kerberos login module code, only the kerberos credentials 814 //are cleared 815 login.logout(); 816 //login and also update the subject field of this instance to 817 //have the new credentials (pass it to the LoginContext constructor) 818 login = 819 newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, 820 getSubject()); 821 LOG.info("Initiating re-login for " + getUserName()); 822 login.login(); 823 setLogin(login); 824 } catch (LoginException le) { 825 throw new IOException("Login failure for " + getUserName(), le); 826 } 827 } 828 829 830 /** 831 * Log a user in from a keytab file. Loads a user identity from a keytab 832 * file and login them in. This new user does not affect the currently 833 * logged-in user. 834 * @param user the principal name to load from the keytab 835 * @param path the path to the keytab file 836 * @throws IOException if the keytab file can't be read 837 */ 838 public synchronized 839 static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user, 840 String path 841 ) throws IOException { 842 if (!isSecurityEnabled()) 843 return UserGroupInformation.getCurrentUser(); 844 String oldKeytabFile = null; 845 String oldKeytabPrincipal = null; 846 847 long start = 0; 848 try { 849 oldKeytabFile = keytabFile; 850 oldKeytabPrincipal = keytabPrincipal; 851 keytabFile = path; 852 keytabPrincipal = user; 853 Subject subject = new Subject(); 854 855 LoginContext login = 856 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); 857 858 start = System.currentTimeMillis(); 859 login.login(); 860 metrics.loginSuccess.add(System.currentTimeMillis() - start); 861 UserGroupInformation newLoginUser = new UserGroupInformation(subject); 862 newLoginUser.setLogin(login); 863 newLoginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS); 864 865 return newLoginUser; 866 } catch (LoginException le) { 867 if (start > 0) { 868 metrics.loginFailure.add(System.currentTimeMillis() - start); 869 } 870 throw new IOException("Login failure for " + user + " from keytab " + 871 path, le); 872 } finally { 873 if(oldKeytabFile != null) keytabFile = oldKeytabFile; 874 if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal; 875 } 876 } 877 878 private boolean hasSufficientTimeElapsed(long now) { 879 if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) { 880 LOG.warn("Not attempting to re-login since the last re-login was " + 881 "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+ 882 " before."); 883 return false; 884 } 885 return true; 886 } 887 888 /** 889 * Did the login happen via keytab 890 * @return true or false 891 */ 892 public synchronized static boolean isLoginKeytabBased() throws IOException { 893 return getLoginUser().isKeytab; 894 } 895 896 /** 897 * Create a user from a login name. It is intended to be used for remote 898 * users in RPC, since it won't have any credentials. 899 * @param user the full user principal name, must not be empty or null 900 * @return the UserGroupInformation for the remote user. 901 */ 902 public static UserGroupInformation createRemoteUser(String user) { 903 if (user == null || "".equals(user)) { 904 throw new IllegalArgumentException("Null user"); 905 } 906 Subject subject = new Subject(); 907 subject.getPrincipals().add(new User(user)); 908 UserGroupInformation result = new UserGroupInformation(subject); 909 result.setAuthenticationMethod(AuthenticationMethod.SIMPLE); 910 return result; 911 } 912 913 /** 914 * existing types of authentications' methods 915 */ 916 @InterfaceStability.Evolving 917 public static enum AuthenticationMethod { 918 SIMPLE, 919 KERBEROS, 920 TOKEN, 921 CERTIFICATE, 922 KERBEROS_SSL, 923 PROXY; 924 } 925 926 /** 927 * Create a proxy user using username of the effective user and the ugi of the 928 * real user. 929 * @param user 930 * @param realUser 931 * @return proxyUser ugi 932 */ 933 public static UserGroupInformation createProxyUser(String user, 934 UserGroupInformation realUser) { 935 if (user == null || "".equals(user)) { 936 throw new IllegalArgumentException("Null user"); 937 } 938 if (realUser == null) { 939 throw new IllegalArgumentException("Null real user"); 940 } 941 Subject subject = new Subject(); 942 Set<Principal> principals = subject.getPrincipals(); 943 principals.add(new User(user)); 944 principals.add(new RealUser(realUser)); 945 UserGroupInformation result =new UserGroupInformation(subject); 946 result.setAuthenticationMethod(AuthenticationMethod.PROXY); 947 return result; 948 } 949 950 /** 951 * get RealUser (vs. EffectiveUser) 952 * @return realUser running over proxy user 953 */ 954 public UserGroupInformation getRealUser() { 955 for (RealUser p: subject.getPrincipals(RealUser.class)) { 956 return p.getRealUser(); 957 } 958 return null; 959 } 960 961 962 963 /** 964 * This class is used for storing the groups for testing. It stores a local 965 * map that has the translation of usernames to groups. 966 */ 967 private static class TestingGroups extends Groups { 968 private final Map<String, List<String>> userToGroupsMapping = 969 new HashMap<String,List<String>>(); 970 private Groups underlyingImplementation; 971 972 private TestingGroups(Groups underlyingImplementation) { 973 super(new org.apache.hadoop.conf.Configuration()); 974 this.underlyingImplementation = underlyingImplementation; 975 } 976 977 @Override 978 public List<String> getGroups(String user) throws IOException { 979 List<String> result = userToGroupsMapping.get(user); 980 981 if (result == null) { 982 result = underlyingImplementation.getGroups(user); 983 } 984 985 return result; 986 } 987 988 private void setUserGroups(String user, String[] groups) { 989 userToGroupsMapping.put(user, Arrays.asList(groups)); 990 } 991 } 992 993 /** 994 * Create a UGI for testing HDFS and MapReduce 995 * @param user the full user principal name 996 * @param userGroups the names of the groups that the user belongs to 997 * @return a fake user for running unit tests 998 */ 999 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) 1000 public static UserGroupInformation createUserForTesting(String user, 1001 String[] userGroups) { 1002 ensureInitialized(); 1003 UserGroupInformation ugi = createRemoteUser(user); 1004 // make sure that the testing object is setup 1005 if (!(groups instanceof TestingGroups)) { 1006 groups = new TestingGroups(groups); 1007 } 1008 // add the user groups 1009 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups); 1010 return ugi; 1011 } 1012 1013 1014 /** 1015 * Create a proxy user UGI for testing HDFS and MapReduce 1016 * 1017 * @param user 1018 * the full user principal name for effective user 1019 * @param realUser 1020 * UGI of the real user 1021 * @param userGroups 1022 * the names of the groups that the user belongs to 1023 * @return a fake user for running unit tests 1024 */ 1025 @InterfaceAudience.LimitedPrivate( { "HDFS", "MapReduce" }) 1026 public static UserGroupInformation createProxyUserForTesting(String user, 1027 UserGroupInformation realUser, String[] userGroups) { 1028 ensureInitialized(); 1029 UserGroupInformation ugi = createProxyUser(user, realUser); 1030 // make sure that the testing object is setup 1031 if (!(groups instanceof TestingGroups)) { 1032 groups = new TestingGroups(groups); 1033 } 1034 // add the user groups 1035 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups); 1036 return ugi; 1037 } 1038 1039 /** 1040 * Get the user's login name. 1041 * @return the user's name up to the first '/' or '@'. 1042 */ 1043 public String getShortUserName() { 1044 for (User p: subject.getPrincipals(User.class)) { 1045 return p.getShortName(); 1046 } 1047 return null; 1048 } 1049 1050 /** 1051 * Get the user's full principal name. 1052 * @return the user's full principal name. 1053 */ 1054 public String getUserName() { 1055 return user.getName(); 1056 } 1057 1058 /** 1059 * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been 1060 * authenticated by the RPC layer as belonging to the user represented by this 1061 * UGI. 1062 * 1063 * @param tokenId 1064 * tokenIdentifier to be added 1065 * @return true on successful add of new tokenIdentifier 1066 */ 1067 public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) { 1068 return subject.getPublicCredentials().add(tokenId); 1069 } 1070 1071 /** 1072 * Get the set of TokenIdentifiers belonging to this UGI 1073 * 1074 * @return the set of TokenIdentifiers belonging to this UGI 1075 */ 1076 public synchronized Set<TokenIdentifier> getTokenIdentifiers() { 1077 return subject.getPublicCredentials(TokenIdentifier.class); 1078 } 1079 1080 /** 1081 * Add a token to this UGI 1082 * 1083 * @param token Token to be added 1084 * @return true on successful add of new token 1085 */ 1086 public synchronized boolean addToken(Token<? extends TokenIdentifier> token) { 1087 return (token != null) ? addToken(token.getService(), token) : false; 1088 } 1089 1090 /** 1091 * Add a named token to this UGI 1092 * 1093 * @param alias Name of the token 1094 * @param token Token to be added 1095 * @return true on successful add of new token 1096 */ 1097 public synchronized boolean addToken(Text alias, 1098 Token<? extends TokenIdentifier> token) { 1099 getCredentialsInternal().addToken(alias, token); 1100 return true; 1101 } 1102 1103 /** 1104 * Obtain the collection of tokens associated with this user. 1105 * 1106 * @return an unmodifiable collection of tokens associated with user 1107 */ 1108 public synchronized 1109 Collection<Token<? extends TokenIdentifier>> getTokens() { 1110 return Collections.unmodifiableCollection( 1111 getCredentialsInternal().getAllTokens()); 1112 } 1113 1114 /** 1115 * Obtain the tokens in credentials form associated with this user. 1116 * 1117 * @return Credentials of tokens associated with this user 1118 */ 1119 public synchronized Credentials getCredentials() { 1120 return new Credentials(getCredentialsInternal()); 1121 } 1122 1123 /** 1124 * Add the given Credentials to this user. 1125 * @param credentials of tokens and secrets 1126 */ 1127 public synchronized void addCredentials(Credentials credentials) { 1128 getCredentialsInternal().addAll(credentials); 1129 } 1130 1131 private synchronized Credentials getCredentialsInternal() { 1132 final Credentials credentials; 1133 final Set<Credentials> credentialsSet = 1134 subject.getPrivateCredentials(Credentials.class); 1135 if (!credentialsSet.isEmpty()){ 1136 credentials = credentialsSet.iterator().next(); 1137 } else { 1138 credentials = new Credentials(); 1139 subject.getPrivateCredentials().add(credentials); 1140 } 1141 return credentials; 1142 } 1143 1144 /** 1145 * Get the group names for this user. 1146 * @return the list of users with the primary group first. If the command 1147 * fails, it returns an empty list. 1148 */ 1149 public synchronized String[] getGroupNames() { 1150 ensureInitialized(); 1151 try { 1152 List<String> result = groups.getGroups(getShortUserName()); 1153 return result.toArray(new String[result.size()]); 1154 } catch (IOException ie) { 1155 LOG.warn("No groups available for user " + getShortUserName()); 1156 return new String[0]; 1157 } 1158 } 1159 1160 /** 1161 * Return the username. 1162 */ 1163 @Override 1164 public String toString() { 1165 StringBuilder sb = new StringBuilder(getUserName()); 1166 sb.append(" (auth:"+getAuthenticationMethod()+")"); 1167 if (getRealUser() != null) { 1168 sb.append(" via ").append(getRealUser().toString()); 1169 } 1170 return sb.toString(); 1171 } 1172 1173 /** 1174 * Sets the authentication method in the subject 1175 * 1176 * @param authMethod 1177 */ 1178 public synchronized 1179 void setAuthenticationMethod(AuthenticationMethod authMethod) { 1180 user.setAuthenticationMethod(authMethod); 1181 } 1182 1183 /** 1184 * Get the authentication method from the subject 1185 * 1186 * @return AuthenticationMethod in the subject, null if not present. 1187 */ 1188 public synchronized AuthenticationMethod getAuthenticationMethod() { 1189 return user.getAuthenticationMethod(); 1190 } 1191 1192 /** 1193 * Returns the authentication method of a ugi. If the authentication method is 1194 * PROXY, returns the authentication method of the real user. 1195 * 1196 * @param ugi 1197 * @return AuthenticationMethod 1198 */ 1199 public static AuthenticationMethod getRealAuthenticationMethod( 1200 UserGroupInformation ugi) { 1201 AuthenticationMethod authMethod = ugi.getAuthenticationMethod(); 1202 if (authMethod == AuthenticationMethod.PROXY) { 1203 authMethod = ugi.getRealUser().getAuthenticationMethod(); 1204 } 1205 return authMethod; 1206 } 1207 1208 /** 1209 * Compare the subjects to see if they are equal to each other. 1210 */ 1211 @Override 1212 public boolean equals(Object o) { 1213 if (o == this) { 1214 return true; 1215 } else if (o == null || getClass() != o.getClass()) { 1216 return false; 1217 } else { 1218 return subject == ((UserGroupInformation) o).subject; 1219 } 1220 } 1221 1222 /** 1223 * Return the hash of the subject. 1224 */ 1225 @Override 1226 public int hashCode() { 1227 return System.identityHashCode(subject); 1228 } 1229 1230 /** 1231 * Get the underlying subject from this ugi. 1232 * @return the subject that represents this user. 1233 */ 1234 protected Subject getSubject() { 1235 return subject; 1236 } 1237 1238 /** 1239 * Run the given action as the user. 1240 * @param <T> the return type of the run method 1241 * @param action the method to execute 1242 * @return the value from the run method 1243 */ 1244 public <T> T doAs(PrivilegedAction<T> action) { 1245 logPrivilegedAction(subject, action); 1246 return Subject.doAs(subject, action); 1247 } 1248 1249 /** 1250 * Run the given action as the user, potentially throwing an exception. 1251 * @param <T> the return type of the run method 1252 * @param action the method to execute 1253 * @return the value from the run method 1254 * @throws IOException if the action throws an IOException 1255 * @throws Error if the action throws an Error 1256 * @throws RuntimeException if the action throws a RuntimeException 1257 * @throws InterruptedException if the action throws an InterruptedException 1258 * @throws UndeclaredThrowableException if the action throws something else 1259 */ 1260 public <T> T doAs(PrivilegedExceptionAction<T> action 1261 ) throws IOException, InterruptedException { 1262 try { 1263 logPrivilegedAction(subject, action); 1264 return Subject.doAs(subject, action); 1265 } catch (PrivilegedActionException pae) { 1266 Throwable cause = pae.getCause(); 1267 LOG.error("PriviledgedActionException as:"+this+" cause:"+cause); 1268 if (cause instanceof IOException) { 1269 throw (IOException) cause; 1270 } else if (cause instanceof Error) { 1271 throw (Error) cause; 1272 } else if (cause instanceof RuntimeException) { 1273 throw (RuntimeException) cause; 1274 } else if (cause instanceof InterruptedException) { 1275 throw (InterruptedException) cause; 1276 } else { 1277 throw new UndeclaredThrowableException(pae,"Unknown exception in doAs"); 1278 } 1279 } 1280 } 1281 1282 private void logPrivilegedAction(Subject subject, Object action) { 1283 if (LOG.isDebugEnabled()) { 1284 // would be nice if action included a descriptive toString() 1285 String where = new Throwable().getStackTrace()[2].toString(); 1286 LOG.debug("PrivilegedAction as:"+this+" from:"+where); 1287 } 1288 } 1289 1290 private void print() throws IOException { 1291 System.out.println("User: " + getUserName()); 1292 System.out.print("Group Ids: "); 1293 System.out.println(); 1294 String[] groups = getGroupNames(); 1295 System.out.print("Groups: "); 1296 for(int i=0; i < groups.length; i++) { 1297 System.out.print(groups[i] + " "); 1298 } 1299 System.out.println(); 1300 } 1301 1302 /** 1303 * A test method to print out the current user's UGI. 1304 * @param args if there are two arguments, read the user from the keytab 1305 * and print it out. 1306 * @throws Exception 1307 */ 1308 public static void main(String [] args) throws Exception { 1309 System.out.println("Getting UGI for current user"); 1310 UserGroupInformation ugi = getCurrentUser(); 1311 ugi.print(); 1312 System.out.println("UGI: " + ugi); 1313 System.out.println("Auth method " + ugi.user.getAuthenticationMethod()); 1314 System.out.println("Keytab " + ugi.isKeytab); 1315 System.out.println("============================================================"); 1316 1317 if (args.length == 2) { 1318 System.out.println("Getting UGI from keytab...."); 1319 loginUserFromKeytab(args[0], args[1]); 1320 getCurrentUser().print(); 1321 System.out.println("Keytab: " + ugi); 1322 System.out.println("Auth method " + loginUser.user.getAuthenticationMethod()); 1323 System.out.println("Keytab " + loginUser.isKeytab); 1324 } 1325 } 1326 1327}