001 /**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018 package org.apache.hadoop.security;
019
020 import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION;
021
022 import java.io.File;
023 import java.io.IOException;
024 import java.lang.reflect.UndeclaredThrowableException;
025 import java.security.AccessControlContext;
026 import java.security.AccessController;
027 import java.security.Principal;
028 import java.security.PrivilegedAction;
029 import java.security.PrivilegedActionException;
030 import java.security.PrivilegedExceptionAction;
031 import java.util.Arrays;
032 import java.util.Collection;
033 import java.util.Collections;
034 import java.util.HashMap;
035 import java.util.List;
036 import java.util.Map;
037 import java.util.Set;
038
039 import javax.security.auth.Subject;
040 import javax.security.auth.callback.CallbackHandler;
041 import javax.security.auth.kerberos.KerberosKey;
042 import javax.security.auth.kerberos.KerberosPrincipal;
043 import javax.security.auth.kerberos.KerberosTicket;
044 import javax.security.auth.login.AppConfigurationEntry;
045 import javax.security.auth.login.LoginContext;
046 import javax.security.auth.login.LoginException;
047 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
048 import javax.security.auth.spi.LoginModule;
049
050 import org.apache.commons.logging.Log;
051 import org.apache.commons.logging.LogFactory;
052 import org.apache.hadoop.classification.InterfaceAudience;
053 import org.apache.hadoop.classification.InterfaceStability;
054 import org.apache.hadoop.conf.Configuration;
055 import org.apache.hadoop.fs.Path;
056 import org.apache.hadoop.io.Text;
057 import org.apache.hadoop.metrics2.annotation.Metric;
058 import org.apache.hadoop.metrics2.annotation.Metrics;
059 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
060 import org.apache.hadoop.metrics2.lib.MutableRate;
061 import org.apache.hadoop.security.authentication.util.KerberosName;
062 import org.apache.hadoop.security.authentication.util.KerberosUtil;
063 import org.apache.hadoop.security.token.Token;
064 import org.apache.hadoop.security.token.TokenIdentifier;
065 import org.apache.hadoop.util.Shell;
066
067 import com.google.common.annotations.VisibleForTesting;
068
069 /**
070 * User and group information for Hadoop.
071 * This class wraps around a JAAS Subject and provides methods to determine the
072 * user's username and groups. It supports both the Windows, Unix and Kerberos
073 * login modules.
074 */
075 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
076 @InterfaceStability.Evolving
077 public class UserGroupInformation {
078 private static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
079 /**
080 * Percentage of the ticket window to use before we renew ticket.
081 */
082 private static final float TICKET_RENEW_WINDOW = 0.80f;
083 static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
084 static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
085
086 /**
087 * UgiMetrics maintains UGI activity statistics
088 * and publishes them through the metrics interfaces.
089 */
090 @Metrics(about="User and group related metrics", context="ugi")
091 static class UgiMetrics {
092 @Metric("Rate of successful kerberos logins and latency (milliseconds)")
093 MutableRate loginSuccess;
094 @Metric("Rate of failed kerberos logins and latency (milliseconds)")
095 MutableRate loginFailure;
096
097 static UgiMetrics create() {
098 return DefaultMetricsSystem.instance().register(new UgiMetrics());
099 }
100 }
101
102 /**
103 * A login module that looks at the Kerberos, Unix, or Windows principal and
104 * adds the corresponding UserName.
105 */
106 @InterfaceAudience.Private
107 public static class HadoopLoginModule implements LoginModule {
108 private Subject subject;
109
110 @Override
111 public boolean abort() throws LoginException {
112 return true;
113 }
114
115 private <T extends Principal> T getCanonicalUser(Class<T> cls) {
116 for(T user: subject.getPrincipals(cls)) {
117 return user;
118 }
119 return null;
120 }
121
122 @Override
123 public boolean commit() throws LoginException {
124 if (LOG.isDebugEnabled()) {
125 LOG.debug("hadoop login commit");
126 }
127 // if we already have a user, we are done.
128 if (!subject.getPrincipals(User.class).isEmpty()) {
129 if (LOG.isDebugEnabled()) {
130 LOG.debug("using existing subject:"+subject.getPrincipals());
131 }
132 return true;
133 }
134 Principal user = null;
135 // if we are using kerberos, try it out
136 if (useKerberos) {
137 user = getCanonicalUser(KerberosPrincipal.class);
138 if (LOG.isDebugEnabled()) {
139 LOG.debug("using kerberos user:"+user);
140 }
141 }
142 //If we don't have a kerberos user and security is disabled, check
143 //if user is specified in the environment or properties
144 if (!isSecurityEnabled() && (user == null)) {
145 String envUser = System.getenv(HADOOP_USER_NAME);
146 if (envUser == null) {
147 envUser = System.getProperty(HADOOP_USER_NAME);
148 }
149 user = envUser == null ? null : new User(envUser);
150 }
151 // use the OS user
152 if (user == null) {
153 user = getCanonicalUser(OS_PRINCIPAL_CLASS);
154 if (LOG.isDebugEnabled()) {
155 LOG.debug("using local user:"+user);
156 }
157 }
158 // if we found the user, add our principal
159 if (user != null) {
160 subject.getPrincipals().add(new User(user.getName()));
161 return true;
162 }
163 LOG.error("Can't find user in " + subject);
164 throw new LoginException("Can't find user name");
165 }
166
167 @Override
168 public void initialize(Subject subject, CallbackHandler callbackHandler,
169 Map<String, ?> sharedState, Map<String, ?> options) {
170 this.subject = subject;
171 }
172
173 @Override
174 public boolean login() throws LoginException {
175 if (LOG.isDebugEnabled()) {
176 LOG.debug("hadoop login");
177 }
178 return true;
179 }
180
181 @Override
182 public boolean logout() throws LoginException {
183 if (LOG.isDebugEnabled()) {
184 LOG.debug("hadoop logout");
185 }
186 return true;
187 }
188 }
189
190 /** Metrics to track UGI activity */
191 static UgiMetrics metrics = UgiMetrics.create();
192 /** Are the static variables that depend on configuration initialized? */
193 private static boolean isInitialized = false;
194 /** Should we use Kerberos configuration? */
195 private static boolean useKerberos;
196 /** Server-side groups fetching service */
197 private static Groups groups;
198 /** The configuration to use */
199 private static Configuration conf;
200
201
202 /** Leave 10 minutes between relogin attempts. */
203 private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L;
204
205 /**Environment variable pointing to the token cache file*/
206 public static final String HADOOP_TOKEN_FILE_LOCATION =
207 "HADOOP_TOKEN_FILE_LOCATION";
208
209 /**
210 * A method to initialize the fields that depend on a configuration.
211 * Must be called before useKerberos or groups is used.
212 */
213 private static synchronized void ensureInitialized() {
214 if (!isInitialized) {
215 initialize(new Configuration(), KerberosName.hasRulesBeenSet());
216 }
217 }
218
219 /**
220 * Initialize UGI and related classes.
221 * @param conf the configuration to use
222 */
223 private static synchronized void initialize(Configuration conf, boolean skipRulesSetting) {
224 initUGI(conf);
225 // give the configuration on how to translate Kerberos names
226 try {
227 if (!skipRulesSetting) {
228 HadoopKerberosName.setConfiguration(conf);
229 }
230 } catch (IOException ioe) {
231 throw new RuntimeException("Problem with Kerberos auth_to_local name " +
232 "configuration", ioe);
233 }
234 }
235
236 /**
237 * Set the configuration values for UGI.
238 * @param conf the configuration to use
239 */
240 private static synchronized void initUGI(Configuration conf) {
241 String value = conf.get(HADOOP_SECURITY_AUTHENTICATION);
242 if (value == null || "simple".equals(value)) {
243 useKerberos = false;
244 } else if ("kerberos".equals(value)) {
245 useKerberos = true;
246 } else {
247 throw new IllegalArgumentException("Invalid attribute value for " +
248 HADOOP_SECURITY_AUTHENTICATION +
249 " of " + value);
250 }
251 // If we haven't set up testing groups, use the configuration to find it
252 if (!(groups instanceof TestingGroups)) {
253 groups = Groups.getUserToGroupsMappingService(conf);
254 }
255 isInitialized = true;
256 UserGroupInformation.conf = conf;
257 }
258
259 /**
260 * Set the static configuration for UGI.
261 * In particular, set the security authentication mechanism and the
262 * group look up service.
263 * @param conf the configuration to use
264 */
265 public static void setConfiguration(Configuration conf) {
266 initialize(conf, false);
267 }
268
269 /**
270 * Determine if UserGroupInformation is using Kerberos to determine
271 * user identities or is relying on simple authentication
272 *
273 * @return true if UGI is working in a secure environment
274 */
275 public static boolean isSecurityEnabled() {
276 ensureInitialized();
277 return useKerberos;
278 }
279
280 /**
281 * Information about the logged in user.
282 */
283 private static UserGroupInformation loginUser = null;
284 private static String keytabPrincipal = null;
285 private static String keytabFile = null;
286
287 private final Subject subject;
288 // All non-static fields must be read-only caches that come from the subject.
289 private final User user;
290 private final boolean isKeytab;
291 private final boolean isKrbTkt;
292
293 private static String OS_LOGIN_MODULE_NAME;
294 private static Class<? extends Principal> OS_PRINCIPAL_CLASS;
295 private static final boolean windows =
296 System.getProperty("os.name").startsWith("Windows");
297 /* Return the OS login module class name */
298 private static String getOSLoginModuleName() {
299 if (System.getProperty("java.vendor").contains("IBM")) {
300 return windows ? "com.ibm.security.auth.module.NTLoginModule"
301 : "com.ibm.security.auth.module.LinuxLoginModule";
302 } else {
303 return windows ? "com.sun.security.auth.module.NTLoginModule"
304 : "com.sun.security.auth.module.UnixLoginModule";
305 }
306 }
307
308 /* Return the OS principal class */
309 @SuppressWarnings("unchecked")
310 private static Class<? extends Principal> getOsPrincipalClass() {
311 ClassLoader cl = ClassLoader.getSystemClassLoader();
312 try {
313 if (System.getProperty("java.vendor").contains("IBM")) {
314 if (windows) {
315 return (Class<? extends Principal>)
316 cl.loadClass("com.ibm.security.auth.UsernamePrincipal");
317 } else {
318 return (Class<? extends Principal>)
319 (System.getProperty("os.arch").contains("64")
320 ? cl.loadClass("com.ibm.security.auth.UsernamePrincipal")
321 : cl.loadClass("com.ibm.security.auth.LinuxPrincipal"));
322 }
323 } else {
324 return (Class<? extends Principal>) (windows
325 ? cl.loadClass("com.sun.security.auth.NTUserPrincipal")
326 : cl.loadClass("com.sun.security.auth.UnixPrincipal"));
327 }
328 } catch (ClassNotFoundException e) {
329 LOG.error("Unable to find JAAS classes:" + e.getMessage());
330 }
331 return null;
332 }
333 static {
334 OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
335 OS_PRINCIPAL_CLASS = getOsPrincipalClass();
336 }
337
338 private static class RealUser implements Principal {
339 private final UserGroupInformation realUser;
340
341 RealUser(UserGroupInformation realUser) {
342 this.realUser = realUser;
343 }
344
345 public String getName() {
346 return realUser.getUserName();
347 }
348
349 public UserGroupInformation getRealUser() {
350 return realUser;
351 }
352
353 @Override
354 public boolean equals(Object o) {
355 if (this == o) {
356 return true;
357 } else if (o == null || getClass() != o.getClass()) {
358 return false;
359 } else {
360 return realUser.equals(((RealUser) o).realUser);
361 }
362 }
363
364 @Override
365 public int hashCode() {
366 return realUser.hashCode();
367 }
368
369 @Override
370 public String toString() {
371 return realUser.toString();
372 }
373 }
374
375 /**
376 * A JAAS configuration that defines the login modules that we want
377 * to use for login.
378 */
379 private static class HadoopConfiguration
380 extends javax.security.auth.login.Configuration {
381 private static final String SIMPLE_CONFIG_NAME = "hadoop-simple";
382 private static final String USER_KERBEROS_CONFIG_NAME =
383 "hadoop-user-kerberos";
384 private static final String KEYTAB_KERBEROS_CONFIG_NAME =
385 "hadoop-keytab-kerberos";
386
387 private static final Map<String, String> BASIC_JAAS_OPTIONS =
388 new HashMap<String,String>();
389 static {
390 String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG");
391 if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) {
392 BASIC_JAAS_OPTIONS.put("debug", "true");
393 }
394 }
395
396 private static final AppConfigurationEntry OS_SPECIFIC_LOGIN =
397 new AppConfigurationEntry(OS_LOGIN_MODULE_NAME,
398 LoginModuleControlFlag.REQUIRED,
399 BASIC_JAAS_OPTIONS);
400 private static final AppConfigurationEntry HADOOP_LOGIN =
401 new AppConfigurationEntry(HadoopLoginModule.class.getName(),
402 LoginModuleControlFlag.REQUIRED,
403 BASIC_JAAS_OPTIONS);
404 private static final Map<String,String> USER_KERBEROS_OPTIONS =
405 new HashMap<String,String>();
406 static {
407 USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
408 USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
409 USER_KERBEROS_OPTIONS.put("renewTGT", "true");
410 String ticketCache = System.getenv("KRB5CCNAME");
411 if (ticketCache != null) {
412 USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
413 }
414 USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
415 }
416 private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
417 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
418 LoginModuleControlFlag.OPTIONAL,
419 USER_KERBEROS_OPTIONS);
420 private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS =
421 new HashMap<String,String>();
422 static {
423 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
424 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
425 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
426 KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
427 KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
428 }
429 private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
430 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
431 LoginModuleControlFlag.REQUIRED,
432 KEYTAB_KERBEROS_OPTIONS);
433
434 private static final AppConfigurationEntry[] SIMPLE_CONF =
435 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN};
436
437 private static final AppConfigurationEntry[] USER_KERBEROS_CONF =
438 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN,
439 HADOOP_LOGIN};
440
441 private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
442 new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
443
444 @Override
445 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
446 if (SIMPLE_CONFIG_NAME.equals(appName)) {
447 return SIMPLE_CONF;
448 } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) {
449 return USER_KERBEROS_CONF;
450 } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) {
451 KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
452 KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
453 return KEYTAB_KERBEROS_CONF;
454 }
455 return null;
456 }
457 }
458
459 private static LoginContext
460 newLoginContext(String appName, Subject subject) throws LoginException {
461 // Temporarily switch the thread's ContextClassLoader to match this
462 // class's classloader, so that we can properly load HadoopLoginModule
463 // from the JAAS libraries.
464 Thread t = Thread.currentThread();
465 ClassLoader oldCCL = t.getContextClassLoader();
466 t.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
467 try {
468 return new LoginContext(appName, subject, null, new HadoopConfiguration());
469 } finally {
470 t.setContextClassLoader(oldCCL);
471 }
472 }
473
474 private LoginContext getLogin() {
475 return user.getLogin();
476 }
477
478 private void setLogin(LoginContext login) {
479 user.setLogin(login);
480 }
481
482 /**
483 * Create a UserGroupInformation for the given subject.
484 * This does not change the subject or acquire new credentials.
485 * @param subject the user's subject
486 */
487 UserGroupInformation(Subject subject) {
488 this.subject = subject;
489 this.user = subject.getPrincipals(User.class).iterator().next();
490 this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
491 this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
492 }
493
494 /**
495 * checks if logged in using kerberos
496 * @return true if the subject logged via keytab or has a Kerberos TGT
497 */
498 public boolean hasKerberosCredentials() {
499 return isKeytab || isKrbTkt;
500 }
501
502 /**
503 * Return the current user, including any doAs in the current stack.
504 * @return the current user
505 * @throws IOException if login fails
506 */
507 public synchronized
508 static UserGroupInformation getCurrentUser() throws IOException {
509 AccessControlContext context = AccessController.getContext();
510 Subject subject = Subject.getSubject(context);
511 if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
512 return getLoginUser();
513 } else {
514 return new UserGroupInformation(subject);
515 }
516 }
517
518 /**
519 * Get the currently logged in user.
520 * @return the logged in user
521 * @throws IOException if login fails
522 */
523 public synchronized
524 static UserGroupInformation getLoginUser() throws IOException {
525 if (loginUser == null) {
526 try {
527 Subject subject = new Subject();
528 LoginContext login;
529 if (isSecurityEnabled()) {
530 login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
531 subject);
532 } else {
533 login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME,
534 subject);
535 }
536 login.login();
537 UserGroupInformation realUser = new UserGroupInformation(subject);
538 realUser.setLogin(login);
539 realUser.setAuthenticationMethod(isSecurityEnabled() ?
540 AuthenticationMethod.KERBEROS :
541 AuthenticationMethod.SIMPLE);
542 realUser = new UserGroupInformation(login.getSubject());
543 // If the HADOOP_PROXY_USER environment variable or property
544 // is specified, create a proxy user as the logged in user.
545 String proxyUser = System.getenv(HADOOP_PROXY_USER);
546 if (proxyUser == null) {
547 proxyUser = System.getProperty(HADOOP_PROXY_USER);
548 }
549 setLoginUser(proxyUser == null ? realUser : createProxyUser(proxyUser, realUser));
550
551 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
552 if (fileLocation != null) {
553 // Load the token storage file and put all of the tokens into the
554 // user. Don't use the FileSystem API for reading since it has a lock
555 // cycle (HADOOP-9212).
556 Credentials cred = Credentials.readTokenStorageFile(
557 new File(fileLocation), conf);
558 loginUser.addCredentials(cred);
559 }
560 loginUser.spawnAutoRenewalThreadForUserCreds();
561 } catch (LoginException le) {
562 throw new IOException("failure to login", le);
563 }
564 if (LOG.isDebugEnabled()) {
565 LOG.debug("UGI loginUser:"+loginUser);
566 }
567 }
568 return loginUser;
569 }
570
571 @InterfaceAudience.Private
572 @InterfaceStability.Unstable
573 @VisibleForTesting
574 public synchronized static void setLoginUser(UserGroupInformation ugi) {
575 // if this is to become stable, should probably logout the currently
576 // logged in ugi if it's different
577 loginUser = ugi;
578 }
579
580 /**
581 * Is this user logged in from a keytab file?
582 * @return true if the credentials are from a keytab file.
583 */
584 public boolean isFromKeytab() {
585 return isKeytab;
586 }
587
588 /**
589 * Get the Kerberos TGT
590 * @return the user's TGT or null if none was found
591 */
592 private synchronized KerberosTicket getTGT() {
593 Set<KerberosTicket> tickets = subject
594 .getPrivateCredentials(KerberosTicket.class);
595 for (KerberosTicket ticket : tickets) {
596 if (SecurityUtil.isOriginalTGT(ticket)) {
597 if (LOG.isDebugEnabled()) {
598 LOG.debug("Found tgt " + ticket);
599 }
600 return ticket;
601 }
602 }
603 return null;
604 }
605
606 private long getRefreshTime(KerberosTicket tgt) {
607 long start = tgt.getStartTime().getTime();
608 long end = tgt.getEndTime().getTime();
609 return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
610 }
611
612 /**Spawn a thread to do periodic renewals of kerberos credentials*/
613 private void spawnAutoRenewalThreadForUserCreds() {
614 if (isSecurityEnabled()) {
615 //spawn thread only if we have kerb credentials
616 if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS &&
617 !isKeytab) {
618 Thread t = new Thread(new Runnable() {
619
620 public void run() {
621 String cmd = conf.get("hadoop.kerberos.kinit.command",
622 "kinit");
623 KerberosTicket tgt = getTGT();
624 if (tgt == null) {
625 return;
626 }
627 long nextRefresh = getRefreshTime(tgt);
628 while (true) {
629 try {
630 long now = System.currentTimeMillis();
631 if(LOG.isDebugEnabled()) {
632 LOG.debug("Current time is " + now);
633 LOG.debug("Next refresh is " + nextRefresh);
634 }
635 if (now < nextRefresh) {
636 Thread.sleep(nextRefresh - now);
637 }
638 Shell.execCommand(cmd, "-R");
639 if(LOG.isDebugEnabled()) {
640 LOG.debug("renewed ticket");
641 }
642 reloginFromTicketCache();
643 tgt = getTGT();
644 if (tgt == null) {
645 LOG.warn("No TGT after renewal. Aborting renew thread for " +
646 getUserName());
647 return;
648 }
649 nextRefresh = Math.max(getRefreshTime(tgt),
650 now + MIN_TIME_BEFORE_RELOGIN);
651 } catch (InterruptedException ie) {
652 LOG.warn("Terminating renewal thread");
653 return;
654 } catch (IOException ie) {
655 LOG.warn("Exception encountered while running the" +
656 " renewal command. Aborting renew thread. " + ie);
657 return;
658 }
659 }
660 }
661 });
662 t.setDaemon(true);
663 t.setName("TGT Renewer for " + getUserName());
664 t.start();
665 }
666 }
667 }
668 /**
669 * Log a user in from a keytab file. Loads a user identity from a keytab
670 * file and logs them in. They become the currently logged-in user.
671 * @param user the principal name to load from the keytab
672 * @param path the path to the keytab file
673 * @throws IOException if the keytab file can't be read
674 */
675 public synchronized
676 static void loginUserFromKeytab(String user,
677 String path
678 ) throws IOException {
679 if (!isSecurityEnabled())
680 return;
681
682 keytabFile = path;
683 keytabPrincipal = user;
684 Subject subject = new Subject();
685 LoginContext login;
686 long start = 0;
687 try {
688 login =
689 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
690 start = System.currentTimeMillis();
691 login.login();
692 metrics.loginSuccess.add(System.currentTimeMillis() - start);
693 setLoginUser(new UserGroupInformation(subject));
694 loginUser.setLogin(login);
695 loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
696 } catch (LoginException le) {
697 if (start > 0) {
698 metrics.loginFailure.add(System.currentTimeMillis() - start);
699 }
700 throw new IOException("Login failure for " + user + " from keytab " +
701 path, le);
702 }
703 LOG.info("Login successful for user " + keytabPrincipal
704 + " using keytab file " + keytabFile);
705 }
706
707 /**
708 * Re-login a user from keytab if TGT is expired or is close to expiry.
709 *
710 * @throws IOException
711 */
712 public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
713 if (!isSecurityEnabled()
714 || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
715 || !isKeytab)
716 return;
717 KerberosTicket tgt = getTGT();
718 if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
719 return;
720 }
721 reloginFromKeytab();
722 }
723
724 /**
725 * Re-Login a user in from a keytab file. Loads a user identity from a keytab
726 * file and logs them in. They become the currently logged-in user. This
727 * method assumes that {@link #loginUserFromKeytab(String, String)} had
728 * happened already.
729 * The Subject field of this UserGroupInformation object is updated to have
730 * the new credentials.
731 * @throws IOException on a failure
732 */
733 public synchronized void reloginFromKeytab()
734 throws IOException {
735 if (!isSecurityEnabled() ||
736 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
737 !isKeytab)
738 return;
739
740 long now = System.currentTimeMillis();
741 if (!hasSufficientTimeElapsed(now)) {
742 return;
743 }
744
745 KerberosTicket tgt = getTGT();
746 //Return if TGT is valid and is not going to expire soon.
747 if (tgt != null && now < getRefreshTime(tgt)) {
748 return;
749 }
750
751 LoginContext login = getLogin();
752 if (login == null || keytabFile == null) {
753 throw new IOException("loginUserFromKeyTab must be done first");
754 }
755
756 long start = 0;
757 // register most recent relogin attempt
758 user.setLastLogin(now);
759 try {
760 LOG.info("Initiating logout for " + getUserName());
761 synchronized (UserGroupInformation.class) {
762 // clear up the kerberos state. But the tokens are not cleared! As per
763 // the Java kerberos login module code, only the kerberos credentials
764 // are cleared
765 login.logout();
766 // login and also update the subject field of this instance to
767 // have the new credentials (pass it to the LoginContext constructor)
768 login = newLoginContext(
769 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject());
770 LOG.info("Initiating re-login for " + keytabPrincipal);
771 start = System.currentTimeMillis();
772 login.login();
773 metrics.loginSuccess.add(System.currentTimeMillis() - start);
774 setLogin(login);
775 }
776 } catch (LoginException le) {
777 if (start > 0) {
778 metrics.loginFailure.add(System.currentTimeMillis() - start);
779 }
780 throw new IOException("Login failure for " + keytabPrincipal +
781 " from keytab " + keytabFile, le);
782 }
783 }
784
785 /**
786 * Re-Login a user in from the ticket cache. This
787 * method assumes that login had happened already.
788 * The Subject field of this UserGroupInformation object is updated to have
789 * the new credentials.
790 * @throws IOException on a failure
791 */
792 public synchronized void reloginFromTicketCache()
793 throws IOException {
794 if (!isSecurityEnabled() ||
795 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
796 !isKrbTkt)
797 return;
798 LoginContext login = getLogin();
799 if (login == null) {
800 throw new IOException("login must be done first");
801 }
802 long now = System.currentTimeMillis();
803 if (!hasSufficientTimeElapsed(now)) {
804 return;
805 }
806 // register most recent relogin attempt
807 user.setLastLogin(now);
808 try {
809 LOG.info("Initiating logout for " + getUserName());
810 //clear up the kerberos state. But the tokens are not cleared! As per
811 //the Java kerberos login module code, only the kerberos credentials
812 //are cleared
813 login.logout();
814 //login and also update the subject field of this instance to
815 //have the new credentials (pass it to the LoginContext constructor)
816 login =
817 newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
818 getSubject());
819 LOG.info("Initiating re-login for " + getUserName());
820 login.login();
821 setLogin(login);
822 } catch (LoginException le) {
823 throw new IOException("Login failure for " + getUserName(), le);
824 }
825 }
826
827
828 /**
829 * Log a user in from a keytab file. Loads a user identity from a keytab
830 * file and login them in. This new user does not affect the currently
831 * logged-in user.
832 * @param user the principal name to load from the keytab
833 * @param path the path to the keytab file
834 * @throws IOException if the keytab file can't be read
835 */
836 public synchronized
837 static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
838 String path
839 ) throws IOException {
840 if (!isSecurityEnabled())
841 return UserGroupInformation.getCurrentUser();
842 String oldKeytabFile = null;
843 String oldKeytabPrincipal = null;
844
845 long start = 0;
846 try {
847 oldKeytabFile = keytabFile;
848 oldKeytabPrincipal = keytabPrincipal;
849 keytabFile = path;
850 keytabPrincipal = user;
851 Subject subject = new Subject();
852
853 LoginContext login =
854 newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
855
856 start = System.currentTimeMillis();
857 login.login();
858 metrics.loginSuccess.add(System.currentTimeMillis() - start);
859 UserGroupInformation newLoginUser = new UserGroupInformation(subject);
860 newLoginUser.setLogin(login);
861 newLoginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
862
863 return newLoginUser;
864 } catch (LoginException le) {
865 if (start > 0) {
866 metrics.loginFailure.add(System.currentTimeMillis() - start);
867 }
868 throw new IOException("Login failure for " + user + " from keytab " +
869 path, le);
870 } finally {
871 if(oldKeytabFile != null) keytabFile = oldKeytabFile;
872 if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal;
873 }
874 }
875
876 private boolean hasSufficientTimeElapsed(long now) {
877 if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) {
878 LOG.warn("Not attempting to re-login since the last re-login was " +
879 "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+
880 " before.");
881 return false;
882 }
883 return true;
884 }
885
886 /**
887 * Did the login happen via keytab
888 * @return true or false
889 */
890 public synchronized static boolean isLoginKeytabBased() throws IOException {
891 return getLoginUser().isKeytab;
892 }
893
894 /**
895 * Create a user from a login name. It is intended to be used for remote
896 * users in RPC, since it won't have any credentials.
897 * @param user the full user principal name, must not be empty or null
898 * @return the UserGroupInformation for the remote user.
899 */
900 public static UserGroupInformation createRemoteUser(String user) {
901 if (user == null || "".equals(user)) {
902 throw new IllegalArgumentException("Null user");
903 }
904 Subject subject = new Subject();
905 subject.getPrincipals().add(new User(user));
906 UserGroupInformation result = new UserGroupInformation(subject);
907 result.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
908 return result;
909 }
910
911 /**
912 * existing types of authentications' methods
913 */
914 @InterfaceStability.Evolving
915 public static enum AuthenticationMethod {
916 SIMPLE,
917 KERBEROS,
918 TOKEN,
919 CERTIFICATE,
920 KERBEROS_SSL,
921 PROXY;
922 }
923
924 /**
925 * Create a proxy user using username of the effective user and the ugi of the
926 * real user.
927 * @param user
928 * @param realUser
929 * @return proxyUser ugi
930 */
931 public static UserGroupInformation createProxyUser(String user,
932 UserGroupInformation realUser) {
933 if (user == null || "".equals(user)) {
934 throw new IllegalArgumentException("Null user");
935 }
936 if (realUser == null) {
937 throw new IllegalArgumentException("Null real user");
938 }
939 Subject subject = new Subject();
940 Set<Principal> principals = subject.getPrincipals();
941 principals.add(new User(user));
942 principals.add(new RealUser(realUser));
943 UserGroupInformation result =new UserGroupInformation(subject);
944 result.setAuthenticationMethod(AuthenticationMethod.PROXY);
945 return result;
946 }
947
948 /**
949 * get RealUser (vs. EffectiveUser)
950 * @return realUser running over proxy user
951 */
952 public UserGroupInformation getRealUser() {
953 for (RealUser p: subject.getPrincipals(RealUser.class)) {
954 return p.getRealUser();
955 }
956 return null;
957 }
958
959
960
961 /**
962 * This class is used for storing the groups for testing. It stores a local
963 * map that has the translation of usernames to groups.
964 */
965 private static class TestingGroups extends Groups {
966 private final Map<String, List<String>> userToGroupsMapping =
967 new HashMap<String,List<String>>();
968 private Groups underlyingImplementation;
969
970 private TestingGroups(Groups underlyingImplementation) {
971 super(new org.apache.hadoop.conf.Configuration());
972 this.underlyingImplementation = underlyingImplementation;
973 }
974
975 @Override
976 public List<String> getGroups(String user) throws IOException {
977 List<String> result = userToGroupsMapping.get(user);
978
979 if (result == null) {
980 result = underlyingImplementation.getGroups(user);
981 }
982
983 return result;
984 }
985
986 private void setUserGroups(String user, String[] groups) {
987 userToGroupsMapping.put(user, Arrays.asList(groups));
988 }
989 }
990
991 /**
992 * Create a UGI for testing HDFS and MapReduce
993 * @param user the full user principal name
994 * @param userGroups the names of the groups that the user belongs to
995 * @return a fake user for running unit tests
996 */
997 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
998 public static UserGroupInformation createUserForTesting(String user,
999 String[] userGroups) {
1000 ensureInitialized();
1001 UserGroupInformation ugi = createRemoteUser(user);
1002 // make sure that the testing object is setup
1003 if (!(groups instanceof TestingGroups)) {
1004 groups = new TestingGroups(groups);
1005 }
1006 // add the user groups
1007 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
1008 return ugi;
1009 }
1010
1011
1012 /**
1013 * Create a proxy user UGI for testing HDFS and MapReduce
1014 *
1015 * @param user
1016 * the full user principal name for effective user
1017 * @param realUser
1018 * UGI of the real user
1019 * @param userGroups
1020 * the names of the groups that the user belongs to
1021 * @return a fake user for running unit tests
1022 */
1023 @InterfaceAudience.LimitedPrivate( { "HDFS", "MapReduce" })
1024 public static UserGroupInformation createProxyUserForTesting(String user,
1025 UserGroupInformation realUser, String[] userGroups) {
1026 ensureInitialized();
1027 UserGroupInformation ugi = createProxyUser(user, realUser);
1028 // make sure that the testing object is setup
1029 if (!(groups instanceof TestingGroups)) {
1030 groups = new TestingGroups(groups);
1031 }
1032 // add the user groups
1033 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
1034 return ugi;
1035 }
1036
1037 /**
1038 * Get the user's login name.
1039 * @return the user's name up to the first '/' or '@'.
1040 */
1041 public String getShortUserName() {
1042 for (User p: subject.getPrincipals(User.class)) {
1043 return p.getShortName();
1044 }
1045 return null;
1046 }
1047
1048 /**
1049 * Get the user's full principal name.
1050 * @return the user's full principal name.
1051 */
1052 public String getUserName() {
1053 return user.getName();
1054 }
1055
1056 /**
1057 * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been
1058 * authenticated by the RPC layer as belonging to the user represented by this
1059 * UGI.
1060 *
1061 * @param tokenId
1062 * tokenIdentifier to be added
1063 * @return true on successful add of new tokenIdentifier
1064 */
1065 public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) {
1066 return subject.getPublicCredentials().add(tokenId);
1067 }
1068
1069 /**
1070 * Get the set of TokenIdentifiers belonging to this UGI
1071 *
1072 * @return the set of TokenIdentifiers belonging to this UGI
1073 */
1074 public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
1075 return subject.getPublicCredentials(TokenIdentifier.class);
1076 }
1077
1078 /**
1079 * Add a token to this UGI
1080 *
1081 * @param token Token to be added
1082 * @return true on successful add of new token
1083 */
1084 public synchronized boolean addToken(Token<? extends TokenIdentifier> token) {
1085 return (token != null) ? addToken(token.getService(), token) : false;
1086 }
1087
1088 /**
1089 * Add a named token to this UGI
1090 *
1091 * @param alias Name of the token
1092 * @param token Token to be added
1093 * @return true on successful add of new token
1094 */
1095 public synchronized boolean addToken(Text alias,
1096 Token<? extends TokenIdentifier> token) {
1097 getCredentialsInternal().addToken(alias, token);
1098 return true;
1099 }
1100
1101 /**
1102 * Obtain the collection of tokens associated with this user.
1103 *
1104 * @return an unmodifiable collection of tokens associated with user
1105 */
1106 public synchronized
1107 Collection<Token<? extends TokenIdentifier>> getTokens() {
1108 return Collections.unmodifiableCollection(
1109 getCredentialsInternal().getAllTokens());
1110 }
1111
1112 /**
1113 * Obtain the tokens in credentials form associated with this user.
1114 *
1115 * @return Credentials of tokens associated with this user
1116 */
1117 public synchronized Credentials getCredentials() {
1118 return new Credentials(getCredentialsInternal());
1119 }
1120
1121 /**
1122 * Add the given Credentials to this user.
1123 * @param credentials of tokens and secrets
1124 */
1125 public synchronized void addCredentials(Credentials credentials) {
1126 getCredentialsInternal().addAll(credentials);
1127 }
1128
1129 private synchronized Credentials getCredentialsInternal() {
1130 final Credentials credentials;
1131 final Set<Credentials> credentialsSet =
1132 subject.getPrivateCredentials(Credentials.class);
1133 if (!credentialsSet.isEmpty()){
1134 credentials = credentialsSet.iterator().next();
1135 } else {
1136 credentials = new Credentials();
1137 subject.getPrivateCredentials().add(credentials);
1138 }
1139 return credentials;
1140 }
1141
1142 /**
1143 * Get the group names for this user.
1144 * @return the list of users with the primary group first. If the command
1145 * fails, it returns an empty list.
1146 */
1147 public synchronized String[] getGroupNames() {
1148 ensureInitialized();
1149 try {
1150 List<String> result = groups.getGroups(getShortUserName());
1151 return result.toArray(new String[result.size()]);
1152 } catch (IOException ie) {
1153 LOG.warn("No groups available for user " + getShortUserName());
1154 return new String[0];
1155 }
1156 }
1157
1158 /**
1159 * Return the username.
1160 */
1161 @Override
1162 public String toString() {
1163 StringBuilder sb = new StringBuilder(getUserName());
1164 sb.append(" (auth:"+getAuthenticationMethod()+")");
1165 if (getRealUser() != null) {
1166 sb.append(" via ").append(getRealUser().toString());
1167 }
1168 return sb.toString();
1169 }
1170
1171 /**
1172 * Sets the authentication method in the subject
1173 *
1174 * @param authMethod
1175 */
1176 public synchronized
1177 void setAuthenticationMethod(AuthenticationMethod authMethod) {
1178 user.setAuthenticationMethod(authMethod);
1179 }
1180
1181 /**
1182 * Get the authentication method from the subject
1183 *
1184 * @return AuthenticationMethod in the subject, null if not present.
1185 */
1186 public synchronized AuthenticationMethod getAuthenticationMethod() {
1187 return user.getAuthenticationMethod();
1188 }
1189
1190 /**
1191 * Returns the authentication method of a ugi. If the authentication method is
1192 * PROXY, returns the authentication method of the real user.
1193 *
1194 * @param ugi
1195 * @return AuthenticationMethod
1196 */
1197 public static AuthenticationMethod getRealAuthenticationMethod(
1198 UserGroupInformation ugi) {
1199 AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
1200 if (authMethod == AuthenticationMethod.PROXY) {
1201 authMethod = ugi.getRealUser().getAuthenticationMethod();
1202 }
1203 return authMethod;
1204 }
1205
1206 /**
1207 * Compare the subjects to see if they are equal to each other.
1208 */
1209 @Override
1210 public boolean equals(Object o) {
1211 if (o == this) {
1212 return true;
1213 } else if (o == null || getClass() != o.getClass()) {
1214 return false;
1215 } else {
1216 return subject == ((UserGroupInformation) o).subject;
1217 }
1218 }
1219
1220 /**
1221 * Return the hash of the subject.
1222 */
1223 @Override
1224 public int hashCode() {
1225 return System.identityHashCode(subject);
1226 }
1227
1228 /**
1229 * Get the underlying subject from this ugi.
1230 * @return the subject that represents this user.
1231 */
1232 protected Subject getSubject() {
1233 return subject;
1234 }
1235
1236 /**
1237 * Run the given action as the user.
1238 * @param <T> the return type of the run method
1239 * @param action the method to execute
1240 * @return the value from the run method
1241 */
1242 public <T> T doAs(PrivilegedAction<T> action) {
1243 logPrivilegedAction(subject, action);
1244 return Subject.doAs(subject, action);
1245 }
1246
1247 /**
1248 * Run the given action as the user, potentially throwing an exception.
1249 * @param <T> the return type of the run method
1250 * @param action the method to execute
1251 * @return the value from the run method
1252 * @throws IOException if the action throws an IOException
1253 * @throws Error if the action throws an Error
1254 * @throws RuntimeException if the action throws a RuntimeException
1255 * @throws InterruptedException if the action throws an InterruptedException
1256 * @throws UndeclaredThrowableException if the action throws something else
1257 */
1258 public <T> T doAs(PrivilegedExceptionAction<T> action
1259 ) throws IOException, InterruptedException {
1260 try {
1261 logPrivilegedAction(subject, action);
1262 return Subject.doAs(subject, action);
1263 } catch (PrivilegedActionException pae) {
1264 Throwable cause = pae.getCause();
1265 LOG.error("PriviledgedActionException as:"+this+" cause:"+cause);
1266 if (cause instanceof IOException) {
1267 throw (IOException) cause;
1268 } else if (cause instanceof Error) {
1269 throw (Error) cause;
1270 } else if (cause instanceof RuntimeException) {
1271 throw (RuntimeException) cause;
1272 } else if (cause instanceof InterruptedException) {
1273 throw (InterruptedException) cause;
1274 } else {
1275 throw new UndeclaredThrowableException(pae,"Unknown exception in doAs");
1276 }
1277 }
1278 }
1279
1280 private void logPrivilegedAction(Subject subject, Object action) {
1281 if (LOG.isDebugEnabled()) {
1282 // would be nice if action included a descriptive toString()
1283 String where = new Throwable().getStackTrace()[2].toString();
1284 LOG.debug("PrivilegedAction as:"+this+" from:"+where);
1285 }
1286 }
1287
1288 private void print() throws IOException {
1289 System.out.println("User: " + getUserName());
1290 System.out.print("Group Ids: ");
1291 System.out.println();
1292 String[] groups = getGroupNames();
1293 System.out.print("Groups: ");
1294 for(int i=0; i < groups.length; i++) {
1295 System.out.print(groups[i] + " ");
1296 }
1297 System.out.println();
1298 }
1299
1300 /**
1301 * A test method to print out the current user's UGI.
1302 * @param args if there are two arguments, read the user from the keytab
1303 * and print it out.
1304 * @throws Exception
1305 */
1306 public static void main(String [] args) throws Exception {
1307 System.out.println("Getting UGI for current user");
1308 UserGroupInformation ugi = getCurrentUser();
1309 ugi.print();
1310 System.out.println("UGI: " + ugi);
1311 System.out.println("Auth method " + ugi.user.getAuthenticationMethod());
1312 System.out.println("Keytab " + ugi.isKeytab);
1313 System.out.println("============================================================");
1314
1315 if (args.length == 2) {
1316 System.out.println("Getting UGI from keytab....");
1317 loginUserFromKeytab(args[0], args[1]);
1318 getCurrentUser().print();
1319 System.out.println("Keytab: " + ugi);
1320 System.out.println("Auth method " + loginUser.user.getAuthenticationMethod());
1321 System.out.println("Keytab " + loginUser.isKeytab);
1322 }
1323 }
1324
1325 }