001 /**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018 package org.apache.hadoop.security;
019
020 import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION;
021
022 import java.io.IOException;
023 import java.lang.reflect.UndeclaredThrowableException;
024 import java.security.AccessControlContext;
025 import java.security.AccessController;
026 import java.security.Principal;
027 import java.security.PrivilegedAction;
028 import java.security.PrivilegedActionException;
029 import java.security.PrivilegedExceptionAction;
030 import java.util.Arrays;
031 import java.util.Collection;
032 import java.util.Collections;
033 import java.util.HashMap;
034 import java.util.List;
035 import java.util.Map;
036 import java.util.Set;
037
038 import javax.security.auth.Subject;
039 import javax.security.auth.callback.CallbackHandler;
040 import javax.security.auth.kerberos.KerberosKey;
041 import javax.security.auth.kerberos.KerberosPrincipal;
042 import javax.security.auth.kerberos.KerberosTicket;
043 import javax.security.auth.login.AppConfigurationEntry;
044 import javax.security.auth.login.LoginContext;
045 import javax.security.auth.login.LoginException;
046 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
047 import javax.security.auth.spi.LoginModule;
048
049 import org.apache.commons.logging.Log;
050 import org.apache.commons.logging.LogFactory;
051 import org.apache.hadoop.classification.InterfaceAudience;
052 import org.apache.hadoop.classification.InterfaceStability;
053 import org.apache.hadoop.conf.Configuration;
054 import org.apache.hadoop.fs.Path;
055 import org.apache.hadoop.io.Text;
056 import org.apache.hadoop.metrics2.annotation.Metric;
057 import org.apache.hadoop.metrics2.annotation.Metrics;
058 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
059 import org.apache.hadoop.metrics2.lib.MutableRate;
060 import org.apache.hadoop.security.authentication.util.KerberosName;
061 import org.apache.hadoop.security.token.Token;
062 import org.apache.hadoop.security.token.TokenIdentifier;
063 import org.apache.hadoop.util.Shell;
064
065 import com.sun.security.auth.NTUserPrincipal;
066 import com.sun.security.auth.UnixPrincipal;
067 import com.sun.security.auth.module.Krb5LoginModule;
068
069 /**
070 * User and group information for Hadoop.
071 * This class wraps around a JAAS Subject and provides methods to determine the
072 * user's username and groups. It supports both the Windows, Unix and Kerberos
073 * login modules.
074 */
075 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
076 @InterfaceStability.Evolving
077 public class UserGroupInformation {
078 private static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
079 /**
080 * Percentage of the ticket window to use before we renew ticket.
081 */
082 private static final float TICKET_RENEW_WINDOW = 0.80f;
083 static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
084 static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
085
086 /**
087 * UgiMetrics maintains UGI activity statistics
088 * and publishes them through the metrics interfaces.
089 */
090 @Metrics(about="User and group related metrics", context="ugi")
091 static class UgiMetrics {
092 @Metric("Rate of successful kerberos logins and latency (milliseconds)")
093 MutableRate loginSuccess;
094 @Metric("Rate of failed kerberos logins and latency (milliseconds)")
095 MutableRate loginFailure;
096
097 static UgiMetrics create() {
098 return DefaultMetricsSystem.instance().register(new UgiMetrics());
099 }
100 }
101
102 /**
103 * A login module that looks at the Kerberos, Unix, or Windows principal and
104 * adds the corresponding UserName.
105 */
106 @InterfaceAudience.Private
107 public static class HadoopLoginModule implements LoginModule {
108 private Subject subject;
109
110 @Override
111 public boolean abort() throws LoginException {
112 return true;
113 }
114
115 private <T extends Principal> T getCanonicalUser(Class<T> cls) {
116 for(T user: subject.getPrincipals(cls)) {
117 return user;
118 }
119 return null;
120 }
121
122 @Override
123 public boolean commit() throws LoginException {
124 if (LOG.isDebugEnabled()) {
125 LOG.debug("hadoop login commit");
126 }
127 // if we already have a user, we are done.
128 if (!subject.getPrincipals(User.class).isEmpty()) {
129 if (LOG.isDebugEnabled()) {
130 LOG.debug("using existing subject:"+subject.getPrincipals());
131 }
132 return true;
133 }
134 Principal user = null;
135 // if we are using kerberos, try it out
136 if (useKerberos) {
137 user = getCanonicalUser(KerberosPrincipal.class);
138 if (LOG.isDebugEnabled()) {
139 LOG.debug("using kerberos user:"+user);
140 }
141 }
142 //If we don't have a kerberos user and security is disabled, check
143 //if user is specified in the environment or properties
144 if (!isSecurityEnabled() && (user == null)) {
145 String envUser = System.getenv(HADOOP_USER_NAME);
146 if (envUser == null) {
147 envUser = System.getProperty(HADOOP_USER_NAME);
148 }
149 user = envUser == null ? null : new User(envUser);
150 }
151 // use the OS user
152 if (user == null) {
153 user = getCanonicalUser(OS_PRINCIPAL_CLASS);
154 if (LOG.isDebugEnabled()) {
155 LOG.debug("using local user:"+user);
156 }
157 }
158 // if we found the user, add our principal
159 if (user != null) {
160 subject.getPrincipals().add(new User(user.getName()));
161 return true;
162 }
163 LOG.error("Can't find user in " + subject);
164 throw new LoginException("Can't find user name");
165 }
166
167 @Override
168 public void initialize(Subject subject, CallbackHandler callbackHandler,
169 Map<String, ?> sharedState, Map<String, ?> options) {
170 this.subject = subject;
171 }
172
173 @Override
174 public boolean login() throws LoginException {
175 if (LOG.isDebugEnabled()) {
176 LOG.debug("hadoop login");
177 }
178 return true;
179 }
180
181 @Override
182 public boolean logout() throws LoginException {
183 if (LOG.isDebugEnabled()) {
184 LOG.debug("hadoop logout");
185 }
186 return true;
187 }
188 }
189
190 /** Metrics to track UGI activity */
191 static UgiMetrics metrics = UgiMetrics.create();
192 /** Are the static variables that depend on configuration initialized? */
193 private static boolean isInitialized = false;
194 /** Should we use Kerberos configuration? */
195 private static boolean useKerberos;
196 /** Server-side groups fetching service */
197 private static Groups groups;
198 /** The configuration to use */
199 private static Configuration conf;
200
201
202 /** Leave 10 minutes between relogin attempts. */
203 private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L;
204
205 /**Environment variable pointing to the token cache file*/
206 public static final String HADOOP_TOKEN_FILE_LOCATION =
207 "HADOOP_TOKEN_FILE_LOCATION";
208
209 /**
210 * A method to initialize the fields that depend on a configuration.
211 * Must be called before useKerberos or groups is used.
212 */
213 private static synchronized void ensureInitialized() {
214 if (!isInitialized) {
215 initialize(new Configuration(), KerberosName.hasRulesBeenSet());
216 }
217 }
218
219 /**
220 * Initialize UGI and related classes.
221 * @param conf the configuration to use
222 */
223 private static synchronized void initialize(Configuration conf, boolean skipRulesSetting) {
224 initUGI(conf);
225 // give the configuration on how to translate Kerberos names
226 try {
227 if (!skipRulesSetting) {
228 HadoopKerberosName.setConfiguration(conf);
229 }
230 } catch (IOException ioe) {
231 throw new RuntimeException("Problem with Kerberos auth_to_local name " +
232 "configuration", ioe);
233 }
234 }
235
236 /**
237 * Set the configuration values for UGI.
238 * @param conf the configuration to use
239 */
240 private static synchronized void initUGI(Configuration conf) {
241 String value = conf.get(HADOOP_SECURITY_AUTHENTICATION);
242 if (value == null || "simple".equals(value)) {
243 useKerberos = false;
244 } else if ("kerberos".equals(value)) {
245 useKerberos = true;
246 } else {
247 throw new IllegalArgumentException("Invalid attribute value for " +
248 HADOOP_SECURITY_AUTHENTICATION +
249 " of " + value);
250 }
251 // If we haven't set up testing groups, use the configuration to find it
252 if (!(groups instanceof TestingGroups)) {
253 groups = Groups.getUserToGroupsMappingService(conf);
254 }
255 isInitialized = true;
256 UserGroupInformation.conf = conf;
257 }
258
259 /**
260 * Set the static configuration for UGI.
261 * In particular, set the security authentication mechanism and the
262 * group look up service.
263 * @param conf the configuration to use
264 */
265 public static void setConfiguration(Configuration conf) {
266 initialize(conf, false);
267 }
268
269 /**
270 * Determine if UserGroupInformation is using Kerberos to determine
271 * user identities or is relying on simple authentication
272 *
273 * @return true if UGI is working in a secure environment
274 */
275 public static boolean isSecurityEnabled() {
276 ensureInitialized();
277 return useKerberos;
278 }
279
280 /**
281 * Information about the logged in user.
282 */
283 private static UserGroupInformation loginUser = null;
284 private static String keytabPrincipal = null;
285 private static String keytabFile = null;
286
287 private final Subject subject;
288 // All non-static fields must be read-only caches that come from the subject.
289 private final User user;
290 private final boolean isKeytab;
291 private final boolean isKrbTkt;
292
293 private static final String OS_LOGIN_MODULE_NAME;
294 private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
295 private static final boolean windows =
296 System.getProperty("os.name").startsWith("Windows");
297 static {
298 if (windows) {
299 OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.NTLoginModule";
300 OS_PRINCIPAL_CLASS = NTUserPrincipal.class;
301 } else {
302 OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.UnixLoginModule";
303 OS_PRINCIPAL_CLASS = UnixPrincipal.class;
304 }
305 }
306
307 private static class RealUser implements Principal {
308 private final UserGroupInformation realUser;
309
310 RealUser(UserGroupInformation realUser) {
311 this.realUser = realUser;
312 }
313
314 public String getName() {
315 return realUser.getUserName();
316 }
317
318 public UserGroupInformation getRealUser() {
319 return realUser;
320 }
321
322 @Override
323 public boolean equals(Object o) {
324 if (this == o) {
325 return true;
326 } else if (o == null || getClass() != o.getClass()) {
327 return false;
328 } else {
329 return realUser.equals(((RealUser) o).realUser);
330 }
331 }
332
333 @Override
334 public int hashCode() {
335 return realUser.hashCode();
336 }
337
338 @Override
339 public String toString() {
340 return realUser.toString();
341 }
342 }
343
344 /**
345 * A JAAS configuration that defines the login modules that we want
346 * to use for login.
347 */
348 private static class HadoopConfiguration
349 extends javax.security.auth.login.Configuration {
350 private static final String SIMPLE_CONFIG_NAME = "hadoop-simple";
351 private static final String USER_KERBEROS_CONFIG_NAME =
352 "hadoop-user-kerberos";
353 private static final String KEYTAB_KERBEROS_CONFIG_NAME =
354 "hadoop-keytab-kerberos";
355
356 private static final Map<String, String> BASIC_JAAS_OPTIONS =
357 new HashMap<String,String>();
358 static {
359 String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG");
360 if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) {
361 BASIC_JAAS_OPTIONS.put("debug", "true");
362 }
363 }
364
365 private static final AppConfigurationEntry OS_SPECIFIC_LOGIN =
366 new AppConfigurationEntry(OS_LOGIN_MODULE_NAME,
367 LoginModuleControlFlag.REQUIRED,
368 BASIC_JAAS_OPTIONS);
369 private static final AppConfigurationEntry HADOOP_LOGIN =
370 new AppConfigurationEntry(HadoopLoginModule.class.getName(),
371 LoginModuleControlFlag.REQUIRED,
372 BASIC_JAAS_OPTIONS);
373 private static final Map<String,String> USER_KERBEROS_OPTIONS =
374 new HashMap<String,String>();
375 static {
376 USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
377 USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
378 USER_KERBEROS_OPTIONS.put("renewTGT", "true");
379 String ticketCache = System.getenv("KRB5CCNAME");
380 if (ticketCache != null) {
381 USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
382 }
383 USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
384 }
385 private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
386 new AppConfigurationEntry(Krb5LoginModule.class.getName(),
387 LoginModuleControlFlag.OPTIONAL,
388 USER_KERBEROS_OPTIONS);
389 private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS =
390 new HashMap<String,String>();
391 static {
392 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
393 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
394 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
395 KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
396 KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
397 }
398 private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
399 new AppConfigurationEntry(Krb5LoginModule.class.getName(),
400 LoginModuleControlFlag.REQUIRED,
401 KEYTAB_KERBEROS_OPTIONS);
402
403 private static final AppConfigurationEntry[] SIMPLE_CONF =
404 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN};
405
406 private static final AppConfigurationEntry[] USER_KERBEROS_CONF =
407 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN,
408 HADOOP_LOGIN};
409
410 private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
411 new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
412
413 @Override
414 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
415 if (SIMPLE_CONFIG_NAME.equals(appName)) {
416 return SIMPLE_CONF;
417 } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) {
418 return USER_KERBEROS_CONF;
419 } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) {
420 KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
421 KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
422 return KEYTAB_KERBEROS_CONF;
423 }
424 return null;
425 }
426 }
427
428 private static LoginContext
429 newLoginContext(String appName, Subject subject) throws LoginException {
430 // Temporarily switch the thread's ContextClassLoader to match this
431 // class's classloader, so that we can properly load HadoopLoginModule
432 // from the JAAS libraries.
433 Thread t = Thread.currentThread();
434 ClassLoader oldCCL = t.getContextClassLoader();
435 t.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
436 try {
437 return new LoginContext(appName, subject, null, new HadoopConfiguration());
438 } finally {
439 t.setContextClassLoader(oldCCL);
440 }
441 }
442
443 private LoginContext getLogin() {
444 return user.getLogin();
445 }
446
447 private void setLogin(LoginContext login) {
448 user.setLogin(login);
449 }
450
451 /**
452 * Create a UserGroupInformation for the given subject.
453 * This does not change the subject or acquire new credentials.
454 * @param subject the user's subject
455 */
456 UserGroupInformation(Subject subject) {
457 this.subject = subject;
458 this.user = subject.getPrincipals(User.class).iterator().next();
459 this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
460 this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
461 }
462
463 /**
464 * checks if logged in using kerberos
465 * @return true if the subject logged via keytab or has a Kerberos TGT
466 */
467 public boolean hasKerberosCredentials() {
468 return isKeytab || isKrbTkt;
469 }
470
471 /**
472 * Return the current user, including any doAs in the current stack.
473 * @return the current user
474 * @throws IOException if login fails
475 */
476 public synchronized
477 static UserGroupInformation getCurrentUser() throws IOException {
478 AccessControlContext context = AccessController.getContext();
479 Subject subject = Subject.getSubject(context);
480 if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
481 return getLoginUser();
482 } else {
483 return new UserGroupInformation(subject);
484 }
485 }
486
487 /**
488 * Get the currently logged in user.
489 * @return the logged in user
490 * @throws IOException if login fails
491 */
492 public synchronized
493 static UserGroupInformation getLoginUser() throws IOException {
494 if (loginUser == null) {
495 try {
496 Subject subject = new Subject();
497 LoginContext login;
498 if (isSecurityEnabled()) {
499 login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
500 subject);
501 } else {
502 login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME,
503 subject);
504 }
505 login.login();
506 UserGroupInformation realUser = new UserGroupInformation(subject);
507 realUser.setLogin(login);
508 realUser.setAuthenticationMethod(isSecurityEnabled() ?
509 AuthenticationMethod.KERBEROS :
510 AuthenticationMethod.SIMPLE);
511 realUser = new UserGroupInformation(login.getSubject());
512 // If the HADOOP_PROXY_USER environment variable or property
513 // is specified, create a proxy user as the logged in user.
514 String proxyUser = System.getenv(HADOOP_PROXY_USER);
515 if (proxyUser == null) {
516 proxyUser = System.getProperty(HADOOP_PROXY_USER);
517 }
518 loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);
519
520 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
521 if (fileLocation != null) {
522 // load the token storage file and put all of the tokens into the
523 // user.
524 Credentials cred = Credentials.readTokenStorageFile(
525 new Path("file:///" + fileLocation), conf);
526 loginUser.addCredentials(cred);
527 }
528 loginUser.spawnAutoRenewalThreadForUserCreds();
529 } catch (LoginException le) {
530 throw new IOException("failure to login", le);
531 }
532 if (LOG.isDebugEnabled()) {
533 LOG.debug("UGI loginUser:"+loginUser);
534 }
535 }
536 return loginUser;
537 }
538
539 /**
540 * Is this user logged in from a keytab file?
541 * @return true if the credentials are from a keytab file.
542 */
543 public boolean isFromKeytab() {
544 return isKeytab;
545 }
546
547 /**
548 * Get the Kerberos TGT
549 * @return the user's TGT or null if none was found
550 */
551 private synchronized KerberosTicket getTGT() {
552 Set<KerberosTicket> tickets = subject
553 .getPrivateCredentials(KerberosTicket.class);
554 for (KerberosTicket ticket : tickets) {
555 if (SecurityUtil.isOriginalTGT(ticket)) {
556 if (LOG.isDebugEnabled()) {
557 LOG.debug("Found tgt " + ticket);
558 }
559 return ticket;
560 }
561 }
562 return null;
563 }
564
565 private long getRefreshTime(KerberosTicket tgt) {
566 long start = tgt.getStartTime().getTime();
567 long end = tgt.getEndTime().getTime();
568 return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
569 }
570
571 /**Spawn a thread to do periodic renewals of kerberos credentials*/
572 private void spawnAutoRenewalThreadForUserCreds() {
573 if (isSecurityEnabled()) {
574 //spawn thread only if we have kerb credentials
575 if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS &&
576 !isKeytab) {
577 Thread t = new Thread(new Runnable() {
578
579 public void run() {
580 String cmd = conf.get("hadoop.kerberos.kinit.command",
581 "kinit");
582 KerberosTicket tgt = getTGT();
583 if (tgt == null) {
584 return;
585 }
586 long nextRefresh = getRefreshTime(tgt);
587 while (true) {
588 try {
589 long now = System.currentTimeMillis();
590 if(LOG.isDebugEnabled()) {
591 LOG.debug("Current time is " + now);
592 LOG.debug("Next refresh is " + nextRefresh);
593 }
594 if (now < nextRefresh) {
595 Thread.sleep(nextRefresh - now);
596 }
597 Shell.execCommand(cmd, "-R");
598 if(LOG.isDebugEnabled()) {
599 LOG.debug("renewed ticket");
600 }
601 reloginFromTicketCache();
602 tgt = getTGT();
603 if (tgt == null) {
604 LOG.warn("No TGT after renewal. Aborting renew thread for " +
605 getUserName());
606 return;
607 }
608 nextRefresh = Math.max(getRefreshTime(tgt),
609 now + MIN_TIME_BEFORE_RELOGIN);
610 } catch (InterruptedException ie) {
611 LOG.warn("Terminating renewal thread");
612 return;
613 } catch (IOException ie) {
614 LOG.warn("Exception encountered while running the" +
615 " renewal command. Aborting renew thread. " + ie);
616 return;
617 }
618 }
619 }
620 });
621 t.setDaemon(true);
622 t.setName("TGT Renewer for " + getUserName());
623 t.start();
624 }
625 }
626 }
627 /**
628 * Log a user in from a keytab file. Loads a user identity from a keytab
629 * file and logs them in. They become the currently logged-in user.
630 * @param user the principal name to load from the keytab
631 * @param path the path to the keytab file
632 * @throws IOException if the keytab file can't be read
633 */
634 public synchronized
635 static void loginUserFromKeytab(String user,
636 String path
637 ) throws IOException {
638 if (!isSecurityEnabled())
639 return;
640
641 keytabFile = path;
642 keytabPrincipal = user;
643 Subject subject = new Subject();
644 LoginContext login;
645 long start = 0;
646 try {
647 login =
648 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
649 start = System.currentTimeMillis();
650 login.login();
651 metrics.loginSuccess.add(System.currentTimeMillis() - start);
652 loginUser = new UserGroupInformation(subject);
653 loginUser.setLogin(login);
654 loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
655 } catch (LoginException le) {
656 if (start > 0) {
657 metrics.loginFailure.add(System.currentTimeMillis() - start);
658 }
659 throw new IOException("Login failure for " + user + " from keytab " +
660 path, le);
661 }
662 LOG.info("Login successful for user " + keytabPrincipal
663 + " using keytab file " + keytabFile);
664 }
665
666 /**
667 * Re-login a user from keytab if TGT is expired or is close to expiry.
668 *
669 * @throws IOException
670 */
671 public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
672 if (!isSecurityEnabled()
673 || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
674 || !isKeytab)
675 return;
676 KerberosTicket tgt = getTGT();
677 if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
678 return;
679 }
680 reloginFromKeytab();
681 }
682
683 /**
684 * Re-Login a user in from a keytab file. Loads a user identity from a keytab
685 * file and logs them in. They become the currently logged-in user. This
686 * method assumes that {@link #loginUserFromKeytab(String, String)} had
687 * happened already.
688 * The Subject field of this UserGroupInformation object is updated to have
689 * the new credentials.
690 * @throws IOException on a failure
691 */
692 public synchronized void reloginFromKeytab()
693 throws IOException {
694 if (!isSecurityEnabled() ||
695 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
696 !isKeytab)
697 return;
698
699 long now = System.currentTimeMillis();
700 if (!hasSufficientTimeElapsed(now)) {
701 return;
702 }
703
704 KerberosTicket tgt = getTGT();
705 //Return if TGT is valid and is not going to expire soon.
706 if (tgt != null && now < getRefreshTime(tgt)) {
707 return;
708 }
709
710 LoginContext login = getLogin();
711 if (login == null || keytabFile == null) {
712 throw new IOException("loginUserFromKeyTab must be done first");
713 }
714
715 long start = 0;
716 // register most recent relogin attempt
717 user.setLastLogin(now);
718 try {
719 LOG.info("Initiating logout for " + getUserName());
720 synchronized (UserGroupInformation.class) {
721 // clear up the kerberos state. But the tokens are not cleared! As per
722 // the Java kerberos login module code, only the kerberos credentials
723 // are cleared
724 login.logout();
725 // login and also update the subject field of this instance to
726 // have the new credentials (pass it to the LoginContext constructor)
727 login = newLoginContext(
728 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject());
729 LOG.info("Initiating re-login for " + keytabPrincipal);
730 start = System.currentTimeMillis();
731 login.login();
732 metrics.loginSuccess.add(System.currentTimeMillis() - start);
733 setLogin(login);
734 }
735 } catch (LoginException le) {
736 if (start > 0) {
737 metrics.loginFailure.add(System.currentTimeMillis() - start);
738 }
739 throw new IOException("Login failure for " + keytabPrincipal +
740 " from keytab " + keytabFile, le);
741 }
742 }
743
744 /**
745 * Re-Login a user in from the ticket cache. This
746 * method assumes that login had happened already.
747 * The Subject field of this UserGroupInformation object is updated to have
748 * the new credentials.
749 * @throws IOException on a failure
750 */
751 public synchronized void reloginFromTicketCache()
752 throws IOException {
753 if (!isSecurityEnabled() ||
754 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
755 !isKrbTkt)
756 return;
757 LoginContext login = getLogin();
758 if (login == null) {
759 throw new IOException("login must be done first");
760 }
761 long now = System.currentTimeMillis();
762 if (!hasSufficientTimeElapsed(now)) {
763 return;
764 }
765 // register most recent relogin attempt
766 user.setLastLogin(now);
767 try {
768 LOG.info("Initiating logout for " + getUserName());
769 //clear up the kerberos state. But the tokens are not cleared! As per
770 //the Java kerberos login module code, only the kerberos credentials
771 //are cleared
772 login.logout();
773 //login and also update the subject field of this instance to
774 //have the new credentials (pass it to the LoginContext constructor)
775 login =
776 newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
777 getSubject());
778 LOG.info("Initiating re-login for " + getUserName());
779 login.login();
780 setLogin(login);
781 } catch (LoginException le) {
782 throw new IOException("Login failure for " + getUserName(), le);
783 }
784 }
785
786
787 /**
788 * Log a user in from a keytab file. Loads a user identity from a keytab
789 * file and login them in. This new user does not affect the currently
790 * logged-in user.
791 * @param user the principal name to load from the keytab
792 * @param path the path to the keytab file
793 * @throws IOException if the keytab file can't be read
794 */
795 public synchronized
796 static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
797 String path
798 ) throws IOException {
799 if (!isSecurityEnabled())
800 return UserGroupInformation.getCurrentUser();
801 String oldKeytabFile = null;
802 String oldKeytabPrincipal = null;
803
804 long start = 0;
805 try {
806 oldKeytabFile = keytabFile;
807 oldKeytabPrincipal = keytabPrincipal;
808 keytabFile = path;
809 keytabPrincipal = user;
810 Subject subject = new Subject();
811
812 LoginContext login =
813 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
814
815 start = System.currentTimeMillis();
816 login.login();
817 metrics.loginSuccess.add(System.currentTimeMillis() - start);
818 UserGroupInformation newLoginUser = new UserGroupInformation(subject);
819 newLoginUser.setLogin(login);
820 newLoginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
821
822 return newLoginUser;
823 } catch (LoginException le) {
824 if (start > 0) {
825 metrics.loginFailure.add(System.currentTimeMillis() - start);
826 }
827 throw new IOException("Login failure for " + user + " from keytab " +
828 path, le);
829 } finally {
830 if(oldKeytabFile != null) keytabFile = oldKeytabFile;
831 if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal;
832 }
833 }
834
835 private boolean hasSufficientTimeElapsed(long now) {
836 if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) {
837 LOG.warn("Not attempting to re-login since the last re-login was " +
838 "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+
839 " before.");
840 return false;
841 }
842 return true;
843 }
844
845 /**
846 * Did the login happen via keytab
847 * @return true or false
848 */
849 public synchronized static boolean isLoginKeytabBased() throws IOException {
850 return getLoginUser().isKeytab;
851 }
852
853 /**
854 * Create a user from a login name. It is intended to be used for remote
855 * users in RPC, since it won't have any credentials.
856 * @param user the full user principal name, must not be empty or null
857 * @return the UserGroupInformation for the remote user.
858 */
859 public static UserGroupInformation createRemoteUser(String user) {
860 if (user == null || "".equals(user)) {
861 throw new IllegalArgumentException("Null user");
862 }
863 Subject subject = new Subject();
864 subject.getPrincipals().add(new User(user));
865 UserGroupInformation result = new UserGroupInformation(subject);
866 result.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
867 return result;
868 }
869
870 /**
871 * existing types of authentications' methods
872 */
873 @InterfaceStability.Evolving
874 public static enum AuthenticationMethod {
875 SIMPLE,
876 KERBEROS,
877 TOKEN,
878 CERTIFICATE,
879 KERBEROS_SSL,
880 PROXY;
881 }
882
883 /**
884 * Create a proxy user using username of the effective user and the ugi of the
885 * real user.
886 * @param user
887 * @param realUser
888 * @return proxyUser ugi
889 */
890 public static UserGroupInformation createProxyUser(String user,
891 UserGroupInformation realUser) {
892 if (user == null || "".equals(user)) {
893 throw new IllegalArgumentException("Null user");
894 }
895 if (realUser == null) {
896 throw new IllegalArgumentException("Null real user");
897 }
898 Subject subject = new Subject();
899 Set<Principal> principals = subject.getPrincipals();
900 principals.add(new User(user));
901 principals.add(new RealUser(realUser));
902 UserGroupInformation result =new UserGroupInformation(subject);
903 result.setAuthenticationMethod(AuthenticationMethod.PROXY);
904 return result;
905 }
906
907 /**
908 * get RealUser (vs. EffectiveUser)
909 * @return realUser running over proxy user
910 */
911 public UserGroupInformation getRealUser() {
912 for (RealUser p: subject.getPrincipals(RealUser.class)) {
913 return p.getRealUser();
914 }
915 return null;
916 }
917
918
919
920 /**
921 * This class is used for storing the groups for testing. It stores a local
922 * map that has the translation of usernames to groups.
923 */
924 private static class TestingGroups extends Groups {
925 private final Map<String, List<String>> userToGroupsMapping =
926 new HashMap<String,List<String>>();
927 private Groups underlyingImplementation;
928
929 private TestingGroups(Groups underlyingImplementation) {
930 super(new org.apache.hadoop.conf.Configuration());
931 this.underlyingImplementation = underlyingImplementation;
932 }
933
934 @Override
935 public List<String> getGroups(String user) throws IOException {
936 List<String> result = userToGroupsMapping.get(user);
937
938 if (result == null) {
939 result = underlyingImplementation.getGroups(user);
940 }
941
942 return result;
943 }
944
945 private void setUserGroups(String user, String[] groups) {
946 userToGroupsMapping.put(user, Arrays.asList(groups));
947 }
948 }
949
950 /**
951 * Create a UGI for testing HDFS and MapReduce
952 * @param user the full user principal name
953 * @param userGroups the names of the groups that the user belongs to
954 * @return a fake user for running unit tests
955 */
956 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
957 public static UserGroupInformation createUserForTesting(String user,
958 String[] userGroups) {
959 ensureInitialized();
960 UserGroupInformation ugi = createRemoteUser(user);
961 // make sure that the testing object is setup
962 if (!(groups instanceof TestingGroups)) {
963 groups = new TestingGroups(groups);
964 }
965 // add the user groups
966 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
967 return ugi;
968 }
969
970
971 /**
972 * Create a proxy user UGI for testing HDFS and MapReduce
973 *
974 * @param user
975 * the full user principal name for effective user
976 * @param realUser
977 * UGI of the real user
978 * @param userGroups
979 * the names of the groups that the user belongs to
980 * @return a fake user for running unit tests
981 */
982 @InterfaceAudience.LimitedPrivate( { "HDFS", "MapReduce" })
983 public static UserGroupInformation createProxyUserForTesting(String user,
984 UserGroupInformation realUser, String[] userGroups) {
985 ensureInitialized();
986 UserGroupInformation ugi = createProxyUser(user, realUser);
987 // make sure that the testing object is setup
988 if (!(groups instanceof TestingGroups)) {
989 groups = new TestingGroups(groups);
990 }
991 // add the user groups
992 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
993 return ugi;
994 }
995
996 /**
997 * Get the user's login name.
998 * @return the user's name up to the first '/' or '@'.
999 */
1000 public String getShortUserName() {
1001 for (User p: subject.getPrincipals(User.class)) {
1002 return p.getShortName();
1003 }
1004 return null;
1005 }
1006
1007 /**
1008 * Get the user's full principal name.
1009 * @return the user's full principal name.
1010 */
1011 public String getUserName() {
1012 return user.getName();
1013 }
1014
1015 /**
1016 * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been
1017 * authenticated by the RPC layer as belonging to the user represented by this
1018 * UGI.
1019 *
1020 * @param tokenId
1021 * tokenIdentifier to be added
1022 * @return true on successful add of new tokenIdentifier
1023 */
1024 public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) {
1025 return subject.getPublicCredentials().add(tokenId);
1026 }
1027
1028 /**
1029 * Get the set of TokenIdentifiers belonging to this UGI
1030 *
1031 * @return the set of TokenIdentifiers belonging to this UGI
1032 */
1033 public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
1034 return subject.getPublicCredentials(TokenIdentifier.class);
1035 }
1036
1037 /**
1038 * Add a token to this UGI
1039 *
1040 * @param token Token to be added
1041 * @return true on successful add of new token
1042 */
1043 public synchronized boolean addToken(Token<? extends TokenIdentifier> token) {
1044 return (token != null) ? addToken(token.getService(), token) : false;
1045 }
1046
1047 /**
1048 * Add a named token to this UGI
1049 *
1050 * @param alias Name of the token
1051 * @param token Token to be added
1052 * @return true on successful add of new token
1053 */
1054 public synchronized boolean addToken(Text alias,
1055 Token<? extends TokenIdentifier> token) {
1056 getCredentialsInternal().addToken(alias, token);
1057 return true;
1058 }
1059
1060 /**
1061 * Obtain the collection of tokens associated with this user.
1062 *
1063 * @return an unmodifiable collection of tokens associated with user
1064 */
1065 public synchronized
1066 Collection<Token<? extends TokenIdentifier>> getTokens() {
1067 return Collections.unmodifiableCollection(
1068 getCredentialsInternal().getAllTokens());
1069 }
1070
1071 /**
1072 * Obtain the tokens in credentials form associated with this user.
1073 *
1074 * @return Credentials of tokens associated with this user
1075 */
1076 public synchronized Credentials getCredentials() {
1077 return new Credentials(getCredentialsInternal());
1078 }
1079
1080 /**
1081 * Add the given Credentials to this user.
1082 * @param credentials of tokens and secrets
1083 */
1084 public synchronized void addCredentials(Credentials credentials) {
1085 getCredentialsInternal().addAll(credentials);
1086 }
1087
1088 private synchronized Credentials getCredentialsInternal() {
1089 final Credentials credentials;
1090 final Set<Credentials> credentialsSet =
1091 subject.getPrivateCredentials(Credentials.class);
1092 if (!credentialsSet.isEmpty()){
1093 credentials = credentialsSet.iterator().next();
1094 } else {
1095 credentials = new Credentials();
1096 subject.getPrivateCredentials().add(credentials);
1097 }
1098 return credentials;
1099 }
1100
1101 /**
1102 * Get the group names for this user.
1103 * @return the list of users with the primary group first. If the command
1104 * fails, it returns an empty list.
1105 */
1106 public synchronized String[] getGroupNames() {
1107 ensureInitialized();
1108 try {
1109 List<String> result = groups.getGroups(getShortUserName());
1110 return result.toArray(new String[result.size()]);
1111 } catch (IOException ie) {
1112 LOG.warn("No groups available for user " + getShortUserName());
1113 return new String[0];
1114 }
1115 }
1116
1117 /**
1118 * Return the username.
1119 */
1120 @Override
1121 public String toString() {
1122 StringBuilder sb = new StringBuilder(getUserName());
1123 sb.append(" (auth:"+getAuthenticationMethod()+")");
1124 if (getRealUser() != null) {
1125 sb.append(" via ").append(getRealUser().toString());
1126 }
1127 return sb.toString();
1128 }
1129
1130 /**
1131 * Sets the authentication method in the subject
1132 *
1133 * @param authMethod
1134 */
1135 public synchronized
1136 void setAuthenticationMethod(AuthenticationMethod authMethod) {
1137 user.setAuthenticationMethod(authMethod);
1138 }
1139
1140 /**
1141 * Get the authentication method from the subject
1142 *
1143 * @return AuthenticationMethod in the subject, null if not present.
1144 */
1145 public synchronized AuthenticationMethod getAuthenticationMethod() {
1146 return user.getAuthenticationMethod();
1147 }
1148
1149 /**
1150 * Returns the authentication method of a ugi. If the authentication method is
1151 * PROXY, returns the authentication method of the real user.
1152 *
1153 * @param ugi
1154 * @return AuthenticationMethod
1155 */
1156 public static AuthenticationMethod getRealAuthenticationMethod(
1157 UserGroupInformation ugi) {
1158 AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
1159 if (authMethod == AuthenticationMethod.PROXY) {
1160 authMethod = ugi.getRealUser().getAuthenticationMethod();
1161 }
1162 return authMethod;
1163 }
1164
1165 /**
1166 * Compare the subjects to see if they are equal to each other.
1167 */
1168 @Override
1169 public boolean equals(Object o) {
1170 if (o == this) {
1171 return true;
1172 } else if (o == null || getClass() != o.getClass()) {
1173 return false;
1174 } else {
1175 return subject == ((UserGroupInformation) o).subject;
1176 }
1177 }
1178
1179 /**
1180 * Return the hash of the subject.
1181 */
1182 @Override
1183 public int hashCode() {
1184 return System.identityHashCode(subject);
1185 }
1186
1187 /**
1188 * Get the underlying subject from this ugi.
1189 * @return the subject that represents this user.
1190 */
1191 protected Subject getSubject() {
1192 return subject;
1193 }
1194
1195 /**
1196 * Run the given action as the user.
1197 * @param <T> the return type of the run method
1198 * @param action the method to execute
1199 * @return the value from the run method
1200 */
1201 public <T> T doAs(PrivilegedAction<T> action) {
1202 logPrivilegedAction(subject, action);
1203 return Subject.doAs(subject, action);
1204 }
1205
1206 /**
1207 * Run the given action as the user, potentially throwing an exception.
1208 * @param <T> the return type of the run method
1209 * @param action the method to execute
1210 * @return the value from the run method
1211 * @throws IOException if the action throws an IOException
1212 * @throws Error if the action throws an Error
1213 * @throws RuntimeException if the action throws a RuntimeException
1214 * @throws InterruptedException if the action throws an InterruptedException
1215 * @throws UndeclaredThrowableException if the action throws something else
1216 */
1217 public <T> T doAs(PrivilegedExceptionAction<T> action
1218 ) throws IOException, InterruptedException {
1219 try {
1220 logPrivilegedAction(subject, action);
1221 return Subject.doAs(subject, action);
1222 } catch (PrivilegedActionException pae) {
1223 Throwable cause = pae.getCause();
1224 LOG.error("PriviledgedActionException as:"+this+" cause:"+cause);
1225 if (cause instanceof IOException) {
1226 throw (IOException) cause;
1227 } else if (cause instanceof Error) {
1228 throw (Error) cause;
1229 } else if (cause instanceof RuntimeException) {
1230 throw (RuntimeException) cause;
1231 } else if (cause instanceof InterruptedException) {
1232 throw (InterruptedException) cause;
1233 } else {
1234 throw new UndeclaredThrowableException(pae,"Unknown exception in doAs");
1235 }
1236 }
1237 }
1238
1239 private void logPrivilegedAction(Subject subject, Object action) {
1240 if (LOG.isDebugEnabled()) {
1241 // would be nice if action included a descriptive toString()
1242 String where = new Throwable().getStackTrace()[2].toString();
1243 LOG.debug("PrivilegedAction as:"+this+" from:"+where);
1244 }
1245 }
1246
1247 private void print() throws IOException {
1248 System.out.println("User: " + getUserName());
1249 System.out.print("Group Ids: ");
1250 System.out.println();
1251 String[] groups = getGroupNames();
1252 System.out.print("Groups: ");
1253 for(int i=0; i < groups.length; i++) {
1254 System.out.print(groups[i] + " ");
1255 }
1256 System.out.println();
1257 }
1258
1259 /**
1260 * A test method to print out the current user's UGI.
1261 * @param args if there are two arguments, read the user from the keytab
1262 * and print it out.
1263 * @throws Exception
1264 */
1265 public static void main(String [] args) throws Exception {
1266 System.out.println("Getting UGI for current user");
1267 UserGroupInformation ugi = getCurrentUser();
1268 ugi.print();
1269 System.out.println("UGI: " + ugi);
1270 System.out.println("Auth method " + ugi.user.getAuthenticationMethod());
1271 System.out.println("Keytab " + ugi.isKeytab);
1272 System.out.println("============================================================");
1273
1274 if (args.length == 2) {
1275 System.out.println("Getting UGI from keytab....");
1276 loginUserFromKeytab(args[0], args[1]);
1277 getCurrentUser().print();
1278 System.out.println("Keytab: " + ugi);
1279 System.out.println("Auth method " + loginUser.user.getAuthenticationMethod());
1280 System.out.println("Keytab " + loginUser.isKeytab);
1281 }
1282 }
1283
1284 }