001 /**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018 package org.apache.hadoop.security;
019
020 import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION;
021
022 import java.io.IOException;
023 import java.lang.reflect.UndeclaredThrowableException;
024 import java.security.AccessControlContext;
025 import java.security.AccessController;
026 import java.security.Principal;
027 import java.security.PrivilegedAction;
028 import java.security.PrivilegedActionException;
029 import java.security.PrivilegedExceptionAction;
030 import java.util.Arrays;
031 import java.util.Collection;
032 import java.util.Collections;
033 import java.util.HashMap;
034 import java.util.List;
035 import java.util.Map;
036 import java.util.Set;
037
038 import javax.security.auth.Subject;
039 import javax.security.auth.callback.CallbackHandler;
040 import javax.security.auth.kerberos.KerberosKey;
041 import javax.security.auth.kerberos.KerberosPrincipal;
042 import javax.security.auth.kerberos.KerberosTicket;
043 import javax.security.auth.login.AppConfigurationEntry;
044 import javax.security.auth.login.LoginContext;
045 import javax.security.auth.login.LoginException;
046 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
047 import javax.security.auth.spi.LoginModule;
048
049 import org.apache.commons.logging.Log;
050 import org.apache.commons.logging.LogFactory;
051 import org.apache.hadoop.classification.InterfaceAudience;
052 import org.apache.hadoop.classification.InterfaceStability;
053 import org.apache.hadoop.conf.Configuration;
054 import org.apache.hadoop.fs.Path;
055 import org.apache.hadoop.io.Text;
056 import org.apache.hadoop.metrics2.annotation.Metric;
057 import org.apache.hadoop.metrics2.annotation.Metrics;
058 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
059 import org.apache.hadoop.metrics2.lib.MutableRate;
060 import org.apache.hadoop.security.authentication.util.KerberosName;
061 import org.apache.hadoop.security.token.Token;
062 import org.apache.hadoop.security.token.TokenIdentifier;
063 import org.apache.hadoop.util.Shell;
064
065 import com.sun.security.auth.NTUserPrincipal;
066 import com.sun.security.auth.UnixPrincipal;
067 import com.sun.security.auth.module.Krb5LoginModule;
068
069 /**
070 * User and group information for Hadoop.
071 * This class wraps around a JAAS Subject and provides methods to determine the
072 * user's username and groups. It supports both the Windows, Unix and Kerberos
073 * login modules.
074 */
075 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
076 @InterfaceStability.Evolving
077 public class UserGroupInformation {
078 private static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
079 /**
080 * Percentage of the ticket window to use before we renew ticket.
081 */
082 private static final float TICKET_RENEW_WINDOW = 0.80f;
083 static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
084
085 /**
086 * UgiMetrics maintains UGI activity statistics
087 * and publishes them through the metrics interfaces.
088 */
089 @Metrics(about="User and group related metrics", context="ugi")
090 static class UgiMetrics {
091 @Metric("Rate of successful kerberos logins and latency (milliseconds)")
092 MutableRate loginSuccess;
093 @Metric("Rate of failed kerberos logins and latency (milliseconds)")
094 MutableRate loginFailure;
095
096 static UgiMetrics create() {
097 return DefaultMetricsSystem.instance().register(new UgiMetrics());
098 }
099 }
100
101 /**
102 * A login module that looks at the Kerberos, Unix, or Windows principal and
103 * adds the corresponding UserName.
104 */
105 @InterfaceAudience.Private
106 public static class HadoopLoginModule implements LoginModule {
107 private Subject subject;
108
109 @Override
110 public boolean abort() throws LoginException {
111 return true;
112 }
113
114 private <T extends Principal> T getCanonicalUser(Class<T> cls) {
115 for(T user: subject.getPrincipals(cls)) {
116 return user;
117 }
118 return null;
119 }
120
121 @Override
122 public boolean commit() throws LoginException {
123 if (LOG.isDebugEnabled()) {
124 LOG.debug("hadoop login commit");
125 }
126 // if we already have a user, we are done.
127 if (!subject.getPrincipals(User.class).isEmpty()) {
128 if (LOG.isDebugEnabled()) {
129 LOG.debug("using existing subject:"+subject.getPrincipals());
130 }
131 return true;
132 }
133 Principal user = null;
134 // if we are using kerberos, try it out
135 if (useKerberos) {
136 user = getCanonicalUser(KerberosPrincipal.class);
137 if (LOG.isDebugEnabled()) {
138 LOG.debug("using kerberos user:"+user);
139 }
140 }
141 //If we don't have a kerberos user and security is disabled, check
142 //if user is specified in the environment or properties
143 if (!isSecurityEnabled() && (user == null)) {
144 String envUser = System.getenv(HADOOP_USER_NAME);
145 if (envUser == null) {
146 envUser = System.getProperty(HADOOP_USER_NAME);
147 }
148 user = envUser == null ? null : new User(envUser);
149 }
150 // use the OS user
151 if (user == null) {
152 user = getCanonicalUser(OS_PRINCIPAL_CLASS);
153 if (LOG.isDebugEnabled()) {
154 LOG.debug("using local user:"+user);
155 }
156 }
157 // if we found the user, add our principal
158 if (user != null) {
159 subject.getPrincipals().add(new User(user.getName()));
160 return true;
161 }
162 LOG.error("Can't find user in " + subject);
163 throw new LoginException("Can't find user name");
164 }
165
166 @Override
167 public void initialize(Subject subject, CallbackHandler callbackHandler,
168 Map<String, ?> sharedState, Map<String, ?> options) {
169 this.subject = subject;
170 }
171
172 @Override
173 public boolean login() throws LoginException {
174 if (LOG.isDebugEnabled()) {
175 LOG.debug("hadoop login");
176 }
177 return true;
178 }
179
180 @Override
181 public boolean logout() throws LoginException {
182 if (LOG.isDebugEnabled()) {
183 LOG.debug("hadoop logout");
184 }
185 return true;
186 }
187 }
188
189 /** Metrics to track UGI activity */
190 static UgiMetrics metrics = UgiMetrics.create();
191 /** Are the static variables that depend on configuration initialized? */
192 private static boolean isInitialized = false;
193 /** Should we use Kerberos configuration? */
194 private static boolean useKerberos;
195 /** Server-side groups fetching service */
196 private static Groups groups;
197 /** The configuration to use */
198 private static Configuration conf;
199
200
201 /** Leave 10 minutes between relogin attempts. */
202 private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L;
203
204 /**Environment variable pointing to the token cache file*/
205 public static final String HADOOP_TOKEN_FILE_LOCATION =
206 "HADOOP_TOKEN_FILE_LOCATION";
207
208 /**
209 * A method to initialize the fields that depend on a configuration.
210 * Must be called before useKerberos or groups is used.
211 */
212 private static synchronized void ensureInitialized() {
213 if (!isInitialized) {
214 initialize(new Configuration(), KerberosName.hasRulesBeenSet());
215 }
216 }
217
218 /**
219 * Initialize UGI and related classes.
220 * @param conf the configuration to use
221 */
222 private static synchronized void initialize(Configuration conf, boolean skipRulesSetting) {
223 initUGI(conf);
224 // give the configuration on how to translate Kerberos names
225 try {
226 if (!skipRulesSetting) {
227 HadoopKerberosName.setConfiguration(conf);
228 }
229 } catch (IOException ioe) {
230 throw new RuntimeException("Problem with Kerberos auth_to_local name " +
231 "configuration", ioe);
232 }
233 }
234
235 /**
236 * Set the configuration values for UGI.
237 * @param conf the configuration to use
238 */
239 private static synchronized void initUGI(Configuration conf) {
240 String value = conf.get(HADOOP_SECURITY_AUTHENTICATION);
241 if (value == null || "simple".equals(value)) {
242 useKerberos = false;
243 } else if ("kerberos".equals(value)) {
244 useKerberos = true;
245 } else {
246 throw new IllegalArgumentException("Invalid attribute value for " +
247 HADOOP_SECURITY_AUTHENTICATION +
248 " of " + value);
249 }
250 // If we haven't set up testing groups, use the configuration to find it
251 if (!(groups instanceof TestingGroups)) {
252 groups = Groups.getUserToGroupsMappingService(conf);
253 }
254 isInitialized = true;
255 UserGroupInformation.conf = conf;
256 }
257
258 /**
259 * Set the static configuration for UGI.
260 * In particular, set the security authentication mechanism and the
261 * group look up service.
262 * @param conf the configuration to use
263 */
264 public static void setConfiguration(Configuration conf) {
265 initialize(conf, false);
266 }
267
268 /**
269 * Determine if UserGroupInformation is using Kerberos to determine
270 * user identities or is relying on simple authentication
271 *
272 * @return true if UGI is working in a secure environment
273 */
274 public static boolean isSecurityEnabled() {
275 ensureInitialized();
276 return useKerberos;
277 }
278
279 /**
280 * Information about the logged in user.
281 */
282 private static UserGroupInformation loginUser = null;
283 private static String keytabPrincipal = null;
284 private static String keytabFile = null;
285
286 private final Subject subject;
287 // All non-static fields must be read-only caches that come from the subject.
288 private final User user;
289 private final boolean isKeytab;
290 private final boolean isKrbTkt;
291
292 private static final String OS_LOGIN_MODULE_NAME;
293 private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
294 private static final boolean windows =
295 System.getProperty("os.name").startsWith("Windows");
296 static {
297 if (windows) {
298 OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.NTLoginModule";
299 OS_PRINCIPAL_CLASS = NTUserPrincipal.class;
300 } else {
301 OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.UnixLoginModule";
302 OS_PRINCIPAL_CLASS = UnixPrincipal.class;
303 }
304 }
305
306 private static class RealUser implements Principal {
307 private final UserGroupInformation realUser;
308
309 RealUser(UserGroupInformation realUser) {
310 this.realUser = realUser;
311 }
312
313 public String getName() {
314 return realUser.getUserName();
315 }
316
317 public UserGroupInformation getRealUser() {
318 return realUser;
319 }
320
321 @Override
322 public boolean equals(Object o) {
323 if (this == o) {
324 return true;
325 } else if (o == null || getClass() != o.getClass()) {
326 return false;
327 } else {
328 return realUser.equals(((RealUser) o).realUser);
329 }
330 }
331
332 @Override
333 public int hashCode() {
334 return realUser.hashCode();
335 }
336
337 @Override
338 public String toString() {
339 return realUser.toString();
340 }
341 }
342
343 /**
344 * A JAAS configuration that defines the login modules that we want
345 * to use for login.
346 */
347 private static class HadoopConfiguration
348 extends javax.security.auth.login.Configuration {
349 private static final String SIMPLE_CONFIG_NAME = "hadoop-simple";
350 private static final String USER_KERBEROS_CONFIG_NAME =
351 "hadoop-user-kerberos";
352 private static final String KEYTAB_KERBEROS_CONFIG_NAME =
353 "hadoop-keytab-kerberos";
354
355 private static final Map<String, String> BASIC_JAAS_OPTIONS =
356 new HashMap<String,String>();
357 static {
358 String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG");
359 if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) {
360 BASIC_JAAS_OPTIONS.put("debug", "true");
361 }
362 }
363
364 private static final AppConfigurationEntry OS_SPECIFIC_LOGIN =
365 new AppConfigurationEntry(OS_LOGIN_MODULE_NAME,
366 LoginModuleControlFlag.REQUIRED,
367 BASIC_JAAS_OPTIONS);
368 private static final AppConfigurationEntry HADOOP_LOGIN =
369 new AppConfigurationEntry(HadoopLoginModule.class.getName(),
370 LoginModuleControlFlag.REQUIRED,
371 BASIC_JAAS_OPTIONS);
372 private static final Map<String,String> USER_KERBEROS_OPTIONS =
373 new HashMap<String,String>();
374 static {
375 USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
376 USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
377 USER_KERBEROS_OPTIONS.put("renewTGT", "true");
378 String ticketCache = System.getenv("KRB5CCNAME");
379 if (ticketCache != null) {
380 USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
381 }
382 USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
383 }
384 private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
385 new AppConfigurationEntry(Krb5LoginModule.class.getName(),
386 LoginModuleControlFlag.OPTIONAL,
387 USER_KERBEROS_OPTIONS);
388 private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS =
389 new HashMap<String,String>();
390 static {
391 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
392 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
393 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
394 KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
395 KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
396 }
397 private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
398 new AppConfigurationEntry(Krb5LoginModule.class.getName(),
399 LoginModuleControlFlag.REQUIRED,
400 KEYTAB_KERBEROS_OPTIONS);
401
402 private static final AppConfigurationEntry[] SIMPLE_CONF =
403 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN};
404
405 private static final AppConfigurationEntry[] USER_KERBEROS_CONF =
406 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN,
407 HADOOP_LOGIN};
408
409 private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
410 new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
411
412 @Override
413 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
414 if (SIMPLE_CONFIG_NAME.equals(appName)) {
415 return SIMPLE_CONF;
416 } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) {
417 return USER_KERBEROS_CONF;
418 } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) {
419 KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
420 KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
421 return KEYTAB_KERBEROS_CONF;
422 }
423 return null;
424 }
425 }
426
427 private static LoginContext
428 newLoginContext(String appName, Subject subject) throws LoginException {
429 // Temporarily switch the thread's ContextClassLoader to match this
430 // class's classloader, so that we can properly load HadoopLoginModule
431 // from the JAAS libraries.
432 Thread t = Thread.currentThread();
433 ClassLoader oldCCL = t.getContextClassLoader();
434 t.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
435 try {
436 return new LoginContext(appName, subject, null, new HadoopConfiguration());
437 } finally {
438 t.setContextClassLoader(oldCCL);
439 }
440 }
441
442 private LoginContext getLogin() {
443 return user.getLogin();
444 }
445
446 private void setLogin(LoginContext login) {
447 user.setLogin(login);
448 }
449
450 /**
451 * Create a UserGroupInformation for the given subject.
452 * This does not change the subject or acquire new credentials.
453 * @param subject the user's subject
454 */
455 UserGroupInformation(Subject subject) {
456 this.subject = subject;
457 this.user = subject.getPrincipals(User.class).iterator().next();
458 this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
459 this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
460 }
461
462 /**
463 * checks if logged in using kerberos
464 * @return true if the subject logged via keytab or has a Kerberos TGT
465 */
466 public boolean hasKerberosCredentials() {
467 return isKeytab || isKrbTkt;
468 }
469
470 /**
471 * Return the current user, including any doAs in the current stack.
472 * @return the current user
473 * @throws IOException if login fails
474 */
475 public synchronized
476 static UserGroupInformation getCurrentUser() throws IOException {
477 AccessControlContext context = AccessController.getContext();
478 Subject subject = Subject.getSubject(context);
479 if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
480 return getLoginUser();
481 } else {
482 return new UserGroupInformation(subject);
483 }
484 }
485
486 /**
487 * Get the currently logged in user.
488 * @return the logged in user
489 * @throws IOException if login fails
490 */
491 public synchronized
492 static UserGroupInformation getLoginUser() throws IOException {
493 if (loginUser == null) {
494 try {
495 Subject subject = new Subject();
496 LoginContext login;
497 if (isSecurityEnabled()) {
498 login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
499 subject);
500 } else {
501 login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME,
502 subject);
503 }
504 login.login();
505 loginUser = new UserGroupInformation(subject);
506 loginUser.setLogin(login);
507 loginUser.setAuthenticationMethod(isSecurityEnabled() ?
508 AuthenticationMethod.KERBEROS :
509 AuthenticationMethod.SIMPLE);
510 loginUser = new UserGroupInformation(login.getSubject());
511 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
512 if (fileLocation != null) {
513 // load the token storage file and put all of the tokens into the
514 // user.
515 Credentials cred = Credentials.readTokenStorageFile(
516 new Path("file:///" + fileLocation), conf);
517 loginUser.addCredentials(cred);
518 }
519 loginUser.spawnAutoRenewalThreadForUserCreds();
520 } catch (LoginException le) {
521 throw new IOException("failure to login", le);
522 }
523 if (LOG.isDebugEnabled()) {
524 LOG.debug("UGI loginUser:"+loginUser);
525 }
526 }
527 return loginUser;
528 }
529
530 /**
531 * Is this user logged in from a keytab file?
532 * @return true if the credentials are from a keytab file.
533 */
534 public boolean isFromKeytab() {
535 return isKeytab;
536 }
537
538 /**
539 * Get the Kerberos TGT
540 * @return the user's TGT or null if none was found
541 */
542 private synchronized KerberosTicket getTGT() {
543 Set<KerberosTicket> tickets = subject
544 .getPrivateCredentials(KerberosTicket.class);
545 for (KerberosTicket ticket : tickets) {
546 if (SecurityUtil.isOriginalTGT(ticket)) {
547 if (LOG.isDebugEnabled()) {
548 LOG.debug("Found tgt " + ticket);
549 }
550 return ticket;
551 }
552 }
553 return null;
554 }
555
556 private long getRefreshTime(KerberosTicket tgt) {
557 long start = tgt.getStartTime().getTime();
558 long end = tgt.getEndTime().getTime();
559 return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
560 }
561
562 /**Spawn a thread to do periodic renewals of kerberos credentials*/
563 private void spawnAutoRenewalThreadForUserCreds() {
564 if (isSecurityEnabled()) {
565 //spawn thread only if we have kerb credentials
566 if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS &&
567 !isKeytab) {
568 Thread t = new Thread(new Runnable() {
569
570 public void run() {
571 String cmd = conf.get("hadoop.kerberos.kinit.command",
572 "kinit");
573 KerberosTicket tgt = getTGT();
574 if (tgt == null) {
575 return;
576 }
577 long nextRefresh = getRefreshTime(tgt);
578 while (true) {
579 try {
580 long now = System.currentTimeMillis();
581 if(LOG.isDebugEnabled()) {
582 LOG.debug("Current time is " + now);
583 LOG.debug("Next refresh is " + nextRefresh);
584 }
585 if (now < nextRefresh) {
586 Thread.sleep(nextRefresh - now);
587 }
588 Shell.execCommand(cmd, "-R");
589 if(LOG.isDebugEnabled()) {
590 LOG.debug("renewed ticket");
591 }
592 reloginFromTicketCache();
593 tgt = getTGT();
594 if (tgt == null) {
595 LOG.warn("No TGT after renewal. Aborting renew thread for " +
596 getUserName());
597 return;
598 }
599 nextRefresh = Math.max(getRefreshTime(tgt),
600 now + MIN_TIME_BEFORE_RELOGIN);
601 } catch (InterruptedException ie) {
602 LOG.warn("Terminating renewal thread");
603 return;
604 } catch (IOException ie) {
605 LOG.warn("Exception encountered while running the" +
606 " renewal command. Aborting renew thread. " + ie);
607 return;
608 }
609 }
610 }
611 });
612 t.setDaemon(true);
613 t.setName("TGT Renewer for " + getUserName());
614 t.start();
615 }
616 }
617 }
618 /**
619 * Log a user in from a keytab file. Loads a user identity from a keytab
620 * file and logs them in. They become the currently logged-in user.
621 * @param user the principal name to load from the keytab
622 * @param path the path to the keytab file
623 * @throws IOException if the keytab file can't be read
624 */
625 public synchronized
626 static void loginUserFromKeytab(String user,
627 String path
628 ) throws IOException {
629 if (!isSecurityEnabled())
630 return;
631
632 keytabFile = path;
633 keytabPrincipal = user;
634 Subject subject = new Subject();
635 LoginContext login;
636 long start = 0;
637 try {
638 login =
639 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
640 start = System.currentTimeMillis();
641 login.login();
642 metrics.loginSuccess.add(System.currentTimeMillis() - start);
643 loginUser = new UserGroupInformation(subject);
644 loginUser.setLogin(login);
645 loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
646 } catch (LoginException le) {
647 if (start > 0) {
648 metrics.loginFailure.add(System.currentTimeMillis() - start);
649 }
650 throw new IOException("Login failure for " + user + " from keytab " +
651 path, le);
652 }
653 LOG.info("Login successful for user " + keytabPrincipal
654 + " using keytab file " + keytabFile);
655 }
656
657 /**
658 * Re-login a user from keytab if TGT is expired or is close to expiry.
659 *
660 * @throws IOException
661 */
662 public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
663 if (!isSecurityEnabled()
664 || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
665 || !isKeytab)
666 return;
667 KerberosTicket tgt = getTGT();
668 if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
669 return;
670 }
671 reloginFromKeytab();
672 }
673
674 /**
675 * Re-Login a user in from a keytab file. Loads a user identity from a keytab
676 * file and logs them in. They become the currently logged-in user. This
677 * method assumes that {@link #loginUserFromKeytab(String, String)} had
678 * happened already.
679 * The Subject field of this UserGroupInformation object is updated to have
680 * the new credentials.
681 * @throws IOException on a failure
682 */
683 public synchronized void reloginFromKeytab()
684 throws IOException {
685 if (!isSecurityEnabled() ||
686 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
687 !isKeytab)
688 return;
689
690 long now = System.currentTimeMillis();
691 if (!hasSufficientTimeElapsed(now)) {
692 return;
693 }
694
695 KerberosTicket tgt = getTGT();
696 //Return if TGT is valid and is not going to expire soon.
697 if (tgt != null && now < getRefreshTime(tgt)) {
698 return;
699 }
700
701 LoginContext login = getLogin();
702 if (login == null || keytabFile == null) {
703 throw new IOException("loginUserFromKeyTab must be done first");
704 }
705
706 long start = 0;
707 // register most recent relogin attempt
708 user.setLastLogin(now);
709 try {
710 LOG.info("Initiating logout for " + getUserName());
711 synchronized (UserGroupInformation.class) {
712 // clear up the kerberos state. But the tokens are not cleared! As per
713 // the Java kerberos login module code, only the kerberos credentials
714 // are cleared
715 login.logout();
716 // login and also update the subject field of this instance to
717 // have the new credentials (pass it to the LoginContext constructor)
718 login = newLoginContext(
719 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject());
720 LOG.info("Initiating re-login for " + keytabPrincipal);
721 start = System.currentTimeMillis();
722 login.login();
723 metrics.loginSuccess.add(System.currentTimeMillis() - start);
724 setLogin(login);
725 }
726 } catch (LoginException le) {
727 if (start > 0) {
728 metrics.loginFailure.add(System.currentTimeMillis() - start);
729 }
730 throw new IOException("Login failure for " + keytabPrincipal +
731 " from keytab " + keytabFile, le);
732 }
733 }
734
735 /**
736 * Re-Login a user in from the ticket cache. This
737 * method assumes that login had happened already.
738 * The Subject field of this UserGroupInformation object is updated to have
739 * the new credentials.
740 * @throws IOException on a failure
741 */
742 public synchronized void reloginFromTicketCache()
743 throws IOException {
744 if (!isSecurityEnabled() ||
745 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
746 !isKrbTkt)
747 return;
748 LoginContext login = getLogin();
749 if (login == null) {
750 throw new IOException("login must be done first");
751 }
752 long now = System.currentTimeMillis();
753 if (!hasSufficientTimeElapsed(now)) {
754 return;
755 }
756 // register most recent relogin attempt
757 user.setLastLogin(now);
758 try {
759 LOG.info("Initiating logout for " + getUserName());
760 //clear up the kerberos state. But the tokens are not cleared! As per
761 //the Java kerberos login module code, only the kerberos credentials
762 //are cleared
763 login.logout();
764 //login and also update the subject field of this instance to
765 //have the new credentials (pass it to the LoginContext constructor)
766 login =
767 newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
768 getSubject());
769 LOG.info("Initiating re-login for " + getUserName());
770 login.login();
771 setLogin(login);
772 } catch (LoginException le) {
773 throw new IOException("Login failure for " + getUserName(), le);
774 }
775 }
776
777
778 /**
779 * Log a user in from a keytab file. Loads a user identity from a keytab
780 * file and login them in. This new user does not affect the currently
781 * logged-in user.
782 * @param user the principal name to load from the keytab
783 * @param path the path to the keytab file
784 * @throws IOException if the keytab file can't be read
785 */
786 public synchronized
787 static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
788 String path
789 ) throws IOException {
790 if (!isSecurityEnabled())
791 return UserGroupInformation.getCurrentUser();
792 String oldKeytabFile = null;
793 String oldKeytabPrincipal = null;
794
795 long start = 0;
796 try {
797 oldKeytabFile = keytabFile;
798 oldKeytabPrincipal = keytabPrincipal;
799 keytabFile = path;
800 keytabPrincipal = user;
801 Subject subject = new Subject();
802
803 LoginContext login =
804 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
805
806 start = System.currentTimeMillis();
807 login.login();
808 metrics.loginSuccess.add(System.currentTimeMillis() - start);
809 UserGroupInformation newLoginUser = new UserGroupInformation(subject);
810 newLoginUser.setLogin(login);
811 newLoginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
812
813 return newLoginUser;
814 } catch (LoginException le) {
815 if (start > 0) {
816 metrics.loginFailure.add(System.currentTimeMillis() - start);
817 }
818 throw new IOException("Login failure for " + user + " from keytab " +
819 path, le);
820 } finally {
821 if(oldKeytabFile != null) keytabFile = oldKeytabFile;
822 if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal;
823 }
824 }
825
826 private boolean hasSufficientTimeElapsed(long now) {
827 if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) {
828 LOG.warn("Not attempting to re-login since the last re-login was " +
829 "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+
830 " before.");
831 return false;
832 }
833 return true;
834 }
835
836 /**
837 * Did the login happen via keytab
838 * @return true or false
839 */
840 public synchronized static boolean isLoginKeytabBased() throws IOException {
841 return getLoginUser().isKeytab;
842 }
843
844 /**
845 * Create a user from a login name. It is intended to be used for remote
846 * users in RPC, since it won't have any credentials.
847 * @param user the full user principal name, must not be empty or null
848 * @return the UserGroupInformation for the remote user.
849 */
850 public static UserGroupInformation createRemoteUser(String user) {
851 if (user == null || "".equals(user)) {
852 throw new IllegalArgumentException("Null user");
853 }
854 Subject subject = new Subject();
855 subject.getPrincipals().add(new User(user));
856 UserGroupInformation result = new UserGroupInformation(subject);
857 result.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
858 return result;
859 }
860
861 /**
862 * existing types of authentications' methods
863 */
864 @InterfaceStability.Evolving
865 public static enum AuthenticationMethod {
866 SIMPLE,
867 KERBEROS,
868 TOKEN,
869 CERTIFICATE,
870 KERBEROS_SSL,
871 PROXY;
872 }
873
874 /**
875 * Create a proxy user using username of the effective user and the ugi of the
876 * real user.
877 * @param user
878 * @param realUser
879 * @return proxyUser ugi
880 */
881 public static UserGroupInformation createProxyUser(String user,
882 UserGroupInformation realUser) {
883 if (user == null || "".equals(user)) {
884 throw new IllegalArgumentException("Null user");
885 }
886 if (realUser == null) {
887 throw new IllegalArgumentException("Null real user");
888 }
889 Subject subject = new Subject();
890 Set<Principal> principals = subject.getPrincipals();
891 principals.add(new User(user));
892 principals.add(new RealUser(realUser));
893 UserGroupInformation result =new UserGroupInformation(subject);
894 result.setAuthenticationMethod(AuthenticationMethod.PROXY);
895 return result;
896 }
897
898 /**
899 * get RealUser (vs. EffectiveUser)
900 * @return realUser running over proxy user
901 */
902 public UserGroupInformation getRealUser() {
903 for (RealUser p: subject.getPrincipals(RealUser.class)) {
904 return p.getRealUser();
905 }
906 return null;
907 }
908
909
910
911 /**
912 * This class is used for storing the groups for testing. It stores a local
913 * map that has the translation of usernames to groups.
914 */
915 private static class TestingGroups extends Groups {
916 private final Map<String, List<String>> userToGroupsMapping =
917 new HashMap<String,List<String>>();
918 private Groups underlyingImplementation;
919
920 private TestingGroups(Groups underlyingImplementation) {
921 super(new org.apache.hadoop.conf.Configuration());
922 this.underlyingImplementation = underlyingImplementation;
923 }
924
925 @Override
926 public List<String> getGroups(String user) throws IOException {
927 List<String> result = userToGroupsMapping.get(user);
928
929 if (result == null) {
930 result = underlyingImplementation.getGroups(user);
931 }
932
933 return result;
934 }
935
936 private void setUserGroups(String user, String[] groups) {
937 userToGroupsMapping.put(user, Arrays.asList(groups));
938 }
939 }
940
941 /**
942 * Create a UGI for testing HDFS and MapReduce
943 * @param user the full user principal name
944 * @param userGroups the names of the groups that the user belongs to
945 * @return a fake user for running unit tests
946 */
947 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
948 public static UserGroupInformation createUserForTesting(String user,
949 String[] userGroups) {
950 ensureInitialized();
951 UserGroupInformation ugi = createRemoteUser(user);
952 // make sure that the testing object is setup
953 if (!(groups instanceof TestingGroups)) {
954 groups = new TestingGroups(groups);
955 }
956 // add the user groups
957 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
958 return ugi;
959 }
960
961
962 /**
963 * Create a proxy user UGI for testing HDFS and MapReduce
964 *
965 * @param user
966 * the full user principal name for effective user
967 * @param realUser
968 * UGI of the real user
969 * @param userGroups
970 * the names of the groups that the user belongs to
971 * @return a fake user for running unit tests
972 */
973 @InterfaceAudience.LimitedPrivate( { "HDFS", "MapReduce" })
974 public static UserGroupInformation createProxyUserForTesting(String user,
975 UserGroupInformation realUser, String[] userGroups) {
976 ensureInitialized();
977 UserGroupInformation ugi = createProxyUser(user, realUser);
978 // make sure that the testing object is setup
979 if (!(groups instanceof TestingGroups)) {
980 groups = new TestingGroups(groups);
981 }
982 // add the user groups
983 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
984 return ugi;
985 }
986
987 /**
988 * Get the user's login name.
989 * @return the user's name up to the first '/' or '@'.
990 */
991 public String getShortUserName() {
992 for (User p: subject.getPrincipals(User.class)) {
993 return p.getShortName();
994 }
995 return null;
996 }
997
998 /**
999 * Get the user's full principal name.
1000 * @return the user's full principal name.
1001 */
1002 public String getUserName() {
1003 return user.getName();
1004 }
1005
1006 /**
1007 * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been
1008 * authenticated by the RPC layer as belonging to the user represented by this
1009 * UGI.
1010 *
1011 * @param tokenId
1012 * tokenIdentifier to be added
1013 * @return true on successful add of new tokenIdentifier
1014 */
1015 public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) {
1016 return subject.getPublicCredentials().add(tokenId);
1017 }
1018
1019 /**
1020 * Get the set of TokenIdentifiers belonging to this UGI
1021 *
1022 * @return the set of TokenIdentifiers belonging to this UGI
1023 */
1024 public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
1025 return subject.getPublicCredentials(TokenIdentifier.class);
1026 }
1027
1028 /**
1029 * Add a token to this UGI
1030 *
1031 * @param token Token to be added
1032 * @return true on successful add of new token
1033 */
1034 public synchronized boolean addToken(Token<? extends TokenIdentifier> token) {
1035 return (token != null) ? addToken(token.getService(), token) : false;
1036 }
1037
1038 /**
1039 * Add a named token to this UGI
1040 *
1041 * @param alias Name of the token
1042 * @param token Token to be added
1043 * @return true on successful add of new token
1044 */
1045 public synchronized boolean addToken(Text alias,
1046 Token<? extends TokenIdentifier> token) {
1047 getCredentialsInternal().addToken(alias, token);
1048 return true;
1049 }
1050
1051 /**
1052 * Obtain the collection of tokens associated with this user.
1053 *
1054 * @return an unmodifiable collection of tokens associated with user
1055 */
1056 public synchronized
1057 Collection<Token<? extends TokenIdentifier>> getTokens() {
1058 return Collections.unmodifiableCollection(
1059 getCredentialsInternal().getAllTokens());
1060 }
1061
1062 /**
1063 * Obtain the tokens in credentials form associated with this user.
1064 *
1065 * @return Credentials of tokens associated with this user
1066 */
1067 public synchronized Credentials getCredentials() {
1068 return new Credentials(getCredentialsInternal());
1069 }
1070
1071 /**
1072 * Add the given Credentials to this user.
1073 * @param credentials of tokens and secrets
1074 */
1075 public synchronized void addCredentials(Credentials credentials) {
1076 getCredentialsInternal().addAll(credentials);
1077 }
1078
1079 private synchronized Credentials getCredentialsInternal() {
1080 final Credentials credentials;
1081 final Set<Credentials> credentialsSet =
1082 subject.getPrivateCredentials(Credentials.class);
1083 if (!credentialsSet.isEmpty()){
1084 credentials = credentialsSet.iterator().next();
1085 } else {
1086 credentials = new Credentials();
1087 subject.getPrivateCredentials().add(credentials);
1088 }
1089 return credentials;
1090 }
1091
1092 /**
1093 * Get the group names for this user.
1094 * @return the list of users with the primary group first. If the command
1095 * fails, it returns an empty list.
1096 */
1097 public synchronized String[] getGroupNames() {
1098 ensureInitialized();
1099 try {
1100 List<String> result = groups.getGroups(getShortUserName());
1101 return result.toArray(new String[result.size()]);
1102 } catch (IOException ie) {
1103 LOG.warn("No groups available for user " + getShortUserName());
1104 return new String[0];
1105 }
1106 }
1107
1108 /**
1109 * Return the username.
1110 */
1111 @Override
1112 public String toString() {
1113 StringBuilder sb = new StringBuilder(getUserName());
1114 sb.append(" (auth:"+getAuthenticationMethod()+")");
1115 if (getRealUser() != null) {
1116 sb.append(" via ").append(getRealUser().toString());
1117 }
1118 return sb.toString();
1119 }
1120
1121 /**
1122 * Sets the authentication method in the subject
1123 *
1124 * @param authMethod
1125 */
1126 public synchronized
1127 void setAuthenticationMethod(AuthenticationMethod authMethod) {
1128 user.setAuthenticationMethod(authMethod);
1129 }
1130
1131 /**
1132 * Get the authentication method from the subject
1133 *
1134 * @return AuthenticationMethod in the subject, null if not present.
1135 */
1136 public synchronized AuthenticationMethod getAuthenticationMethod() {
1137 return user.getAuthenticationMethod();
1138 }
1139
1140 /**
1141 * Returns the authentication method of a ugi. If the authentication method is
1142 * PROXY, returns the authentication method of the real user.
1143 *
1144 * @param ugi
1145 * @return AuthenticationMethod
1146 */
1147 public static AuthenticationMethod getRealAuthenticationMethod(
1148 UserGroupInformation ugi) {
1149 AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
1150 if (authMethod == AuthenticationMethod.PROXY) {
1151 authMethod = ugi.getRealUser().getAuthenticationMethod();
1152 }
1153 return authMethod;
1154 }
1155
1156 /**
1157 * Compare the subjects to see if they are equal to each other.
1158 */
1159 @Override
1160 public boolean equals(Object o) {
1161 if (o == this) {
1162 return true;
1163 } else if (o == null || getClass() != o.getClass()) {
1164 return false;
1165 } else {
1166 return subject == ((UserGroupInformation) o).subject;
1167 }
1168 }
1169
1170 /**
1171 * Return the hash of the subject.
1172 */
1173 @Override
1174 public int hashCode() {
1175 return System.identityHashCode(subject);
1176 }
1177
1178 /**
1179 * Get the underlying subject from this ugi.
1180 * @return the subject that represents this user.
1181 */
1182 protected Subject getSubject() {
1183 return subject;
1184 }
1185
1186 /**
1187 * Run the given action as the user.
1188 * @param <T> the return type of the run method
1189 * @param action the method to execute
1190 * @return the value from the run method
1191 */
1192 public <T> T doAs(PrivilegedAction<T> action) {
1193 logPrivilegedAction(subject, action);
1194 return Subject.doAs(subject, action);
1195 }
1196
1197 /**
1198 * Run the given action as the user, potentially throwing an exception.
1199 * @param <T> the return type of the run method
1200 * @param action the method to execute
1201 * @return the value from the run method
1202 * @throws IOException if the action throws an IOException
1203 * @throws Error if the action throws an Error
1204 * @throws RuntimeException if the action throws a RuntimeException
1205 * @throws InterruptedException if the action throws an InterruptedException
1206 * @throws UndeclaredThrowableException if the action throws something else
1207 */
1208 public <T> T doAs(PrivilegedExceptionAction<T> action
1209 ) throws IOException, InterruptedException {
1210 try {
1211 logPrivilegedAction(subject, action);
1212 return Subject.doAs(subject, action);
1213 } catch (PrivilegedActionException pae) {
1214 Throwable cause = pae.getCause();
1215 LOG.error("PriviledgedActionException as:"+this+" cause:"+cause);
1216 if (cause instanceof IOException) {
1217 throw (IOException) cause;
1218 } else if (cause instanceof Error) {
1219 throw (Error) cause;
1220 } else if (cause instanceof RuntimeException) {
1221 throw (RuntimeException) cause;
1222 } else if (cause instanceof InterruptedException) {
1223 throw (InterruptedException) cause;
1224 } else {
1225 throw new UndeclaredThrowableException(pae,"Unknown exception in doAs");
1226 }
1227 }
1228 }
1229
1230 private void logPrivilegedAction(Subject subject, Object action) {
1231 if (LOG.isDebugEnabled()) {
1232 // would be nice if action included a descriptive toString()
1233 String where = new Throwable().getStackTrace()[2].toString();
1234 LOG.debug("PrivilegedAction as:"+this+" from:"+where);
1235 }
1236 }
1237
1238 private void print() throws IOException {
1239 System.out.println("User: " + getUserName());
1240 System.out.print("Group Ids: ");
1241 System.out.println();
1242 String[] groups = getGroupNames();
1243 System.out.print("Groups: ");
1244 for(int i=0; i < groups.length; i++) {
1245 System.out.print(groups[i] + " ");
1246 }
1247 System.out.println();
1248 }
1249
1250 /**
1251 * A test method to print out the current user's UGI.
1252 * @param args if there are two arguments, read the user from the keytab
1253 * and print it out.
1254 * @throws Exception
1255 */
1256 public static void main(String [] args) throws Exception {
1257 System.out.println("Getting UGI for current user");
1258 UserGroupInformation ugi = getCurrentUser();
1259 ugi.print();
1260 System.out.println("UGI: " + ugi);
1261 System.out.println("Auth method " + ugi.user.getAuthenticationMethod());
1262 System.out.println("Keytab " + ugi.isKeytab);
1263 System.out.println("============================================================");
1264
1265 if (args.length == 2) {
1266 System.out.println("Getting UGI from keytab....");
1267 loginUserFromKeytab(args[0], args[1]);
1268 getCurrentUser().print();
1269 System.out.println("Keytab: " + ugi);
1270 System.out.println("Auth method " + loginUser.user.getAuthenticationMethod());
1271 System.out.println("Keytab " + loginUser.isKeytab);
1272 }
1273 }
1274
1275 }