001 /**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018 package org.apache.hadoop.security;
019
020
021 import java.io.File;
022 import java.io.IOException;
023 import java.lang.reflect.UndeclaredThrowableException;
024 import java.security.AccessControlContext;
025 import java.security.AccessController;
026 import java.security.Principal;
027 import java.security.PrivilegedAction;
028 import java.security.PrivilegedActionException;
029 import java.security.PrivilegedExceptionAction;
030 import java.util.Arrays;
031 import java.util.Collection;
032 import java.util.Collections;
033 import java.util.HashMap;
034 import java.util.Iterator;
035 import java.util.List;
036 import java.util.Map;
037 import java.util.Set;
038
039 import javax.security.auth.Subject;
040 import javax.security.auth.callback.CallbackHandler;
041 import javax.security.auth.kerberos.KerberosKey;
042 import javax.security.auth.kerberos.KerberosPrincipal;
043 import javax.security.auth.kerberos.KerberosTicket;
044 import javax.security.auth.login.AppConfigurationEntry;
045 import javax.security.auth.login.LoginContext;
046 import javax.security.auth.login.LoginException;
047 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
048 import javax.security.auth.spi.LoginModule;
049
050 import org.apache.commons.logging.Log;
051 import org.apache.commons.logging.LogFactory;
052 import org.apache.hadoop.classification.InterfaceAudience;
053 import org.apache.hadoop.classification.InterfaceStability;
054 import org.apache.hadoop.conf.Configuration;
055 import org.apache.hadoop.io.Text;
056 import org.apache.hadoop.metrics2.annotation.Metric;
057 import org.apache.hadoop.metrics2.annotation.Metrics;
058 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
059 import org.apache.hadoop.metrics2.lib.MutableRate;
060 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
061 import org.apache.hadoop.security.authentication.util.KerberosUtil;
062 import org.apache.hadoop.security.token.Token;
063 import org.apache.hadoop.security.token.TokenIdentifier;
064 import org.apache.hadoop.util.Shell;
065 import org.apache.hadoop.util.Time;
066 import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
067
068 import com.google.common.annotations.VisibleForTesting;
069
070 /**
071 * User and group information for Hadoop.
072 * This class wraps around a JAAS Subject and provides methods to determine the
073 * user's username and groups. It supports both the Windows, Unix and Kerberos
074 * login modules.
075 */
076 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive", "Oozie"})
077 @InterfaceStability.Evolving
078 public class UserGroupInformation {
079 private static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
080 /**
081 * Percentage of the ticket window to use before we renew ticket.
082 */
083 private static final float TICKET_RENEW_WINDOW = 0.80f;
084 static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
085 static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
086
087 /**
088 * UgiMetrics maintains UGI activity statistics
089 * and publishes them through the metrics interfaces.
090 */
091 @Metrics(about="User and group related metrics", context="ugi")
092 static class UgiMetrics {
093 @Metric("Rate of successful kerberos logins and latency (milliseconds)")
094 MutableRate loginSuccess;
095 @Metric("Rate of failed kerberos logins and latency (milliseconds)")
096 MutableRate loginFailure;
097
098 static UgiMetrics create() {
099 return DefaultMetricsSystem.instance().register(new UgiMetrics());
100 }
101 }
102
103 /**
104 * A login module that looks at the Kerberos, Unix, or Windows principal and
105 * adds the corresponding UserName.
106 */
107 @InterfaceAudience.Private
108 public static class HadoopLoginModule implements LoginModule {
109 private Subject subject;
110
111 @Override
112 public boolean abort() throws LoginException {
113 return true;
114 }
115
116 private <T extends Principal> T getCanonicalUser(Class<T> cls) {
117 for(T user: subject.getPrincipals(cls)) {
118 return user;
119 }
120 return null;
121 }
122
123 @Override
124 public boolean commit() throws LoginException {
125 if (LOG.isDebugEnabled()) {
126 LOG.debug("hadoop login commit");
127 }
128 // if we already have a user, we are done.
129 if (!subject.getPrincipals(User.class).isEmpty()) {
130 if (LOG.isDebugEnabled()) {
131 LOG.debug("using existing subject:"+subject.getPrincipals());
132 }
133 return true;
134 }
135 Principal user = null;
136 // if we are using kerberos, try it out
137 if (isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
138 user = getCanonicalUser(KerberosPrincipal.class);
139 if (LOG.isDebugEnabled()) {
140 LOG.debug("using kerberos user:"+user);
141 }
142 }
143 //If we don't have a kerberos user and security is disabled, check
144 //if user is specified in the environment or properties
145 if (!isSecurityEnabled() && (user == null)) {
146 String envUser = System.getenv(HADOOP_USER_NAME);
147 if (envUser == null) {
148 envUser = System.getProperty(HADOOP_USER_NAME);
149 }
150 user = envUser == null ? null : new User(envUser);
151 }
152 // use the OS user
153 if (user == null) {
154 user = getCanonicalUser(OS_PRINCIPAL_CLASS);
155 if (LOG.isDebugEnabled()) {
156 LOG.debug("using local user:"+user);
157 }
158 }
159 // if we found the user, add our principal
160 if (user != null) {
161 subject.getPrincipals().add(new User(user.getName()));
162 return true;
163 }
164 LOG.error("Can't find user in " + subject);
165 throw new LoginException("Can't find user name");
166 }
167
168 @Override
169 public void initialize(Subject subject, CallbackHandler callbackHandler,
170 Map<String, ?> sharedState, Map<String, ?> options) {
171 this.subject = subject;
172 }
173
174 @Override
175 public boolean login() throws LoginException {
176 if (LOG.isDebugEnabled()) {
177 LOG.debug("hadoop login");
178 }
179 return true;
180 }
181
182 @Override
183 public boolean logout() throws LoginException {
184 if (LOG.isDebugEnabled()) {
185 LOG.debug("hadoop logout");
186 }
187 return true;
188 }
189 }
190
191 /** Metrics to track UGI activity */
192 static UgiMetrics metrics = UgiMetrics.create();
193 /** The auth method to use */
194 private static AuthenticationMethod authenticationMethod;
195 /** Server-side groups fetching service */
196 private static Groups groups;
197 /** The configuration to use */
198 private static Configuration conf;
199
200
201 /** Leave 10 minutes between relogin attempts. */
202 private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L;
203
204 /**Environment variable pointing to the token cache file*/
205 public static final String HADOOP_TOKEN_FILE_LOCATION =
206 "HADOOP_TOKEN_FILE_LOCATION";
207
208 /**
209 * A method to initialize the fields that depend on a configuration.
210 * Must be called before useKerberos or groups is used.
211 */
212 private static synchronized void ensureInitialized() {
213 if (conf == null) {
214 initialize(new Configuration(), false);
215 }
216 }
217
218 /**
219 * Initialize UGI and related classes.
220 * @param conf the configuration to use
221 */
222 private static synchronized void initialize(Configuration conf,
223 boolean overrideNameRules) {
224 authenticationMethod = SecurityUtil.getAuthenticationMethod(conf);
225 if (overrideNameRules || !HadoopKerberosName.hasRulesBeenSet()) {
226 try {
227 HadoopKerberosName.setConfiguration(conf);
228 } catch (IOException ioe) {
229 throw new RuntimeException(
230 "Problem with Kerberos auth_to_local name configuration", ioe);
231 }
232 }
233 // If we haven't set up testing groups, use the configuration to find it
234 if (!(groups instanceof TestingGroups)) {
235 groups = Groups.getUserToGroupsMappingService(conf);
236 }
237 UserGroupInformation.conf = conf;
238 }
239
240 /**
241 * Set the static configuration for UGI.
242 * In particular, set the security authentication mechanism and the
243 * group look up service.
244 * @param conf the configuration to use
245 */
246 @InterfaceAudience.Public
247 @InterfaceStability.Evolving
248 public static void setConfiguration(Configuration conf) {
249 initialize(conf, true);
250 }
251
252 @InterfaceAudience.Private
253 @VisibleForTesting
254 static void reset() {
255 authenticationMethod = null;
256 conf = null;
257 groups = null;
258 setLoginUser(null);
259 HadoopKerberosName.setRules(null);
260 }
261
262 /**
263 * Determine if UserGroupInformation is using Kerberos to determine
264 * user identities or is relying on simple authentication
265 *
266 * @return true if UGI is working in a secure environment
267 */
268 public static boolean isSecurityEnabled() {
269 return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
270 }
271
272 @InterfaceAudience.Private
273 @InterfaceStability.Evolving
274 private static boolean isAuthenticationMethodEnabled(AuthenticationMethod method) {
275 ensureInitialized();
276 return (authenticationMethod == method);
277 }
278
279 /**
280 * Information about the logged in user.
281 */
282 private static UserGroupInformation loginUser = null;
283 private static String keytabPrincipal = null;
284 private static String keytabFile = null;
285
286 private final Subject subject;
287 // All non-static fields must be read-only caches that come from the subject.
288 private final User user;
289 private final boolean isKeytab;
290 private final boolean isKrbTkt;
291
292 private static String OS_LOGIN_MODULE_NAME;
293 private static Class<? extends Principal> OS_PRINCIPAL_CLASS;
294
295 private static final boolean windows =
296 System.getProperty("os.name").startsWith("Windows");
297 private static final boolean is64Bit =
298 System.getProperty("os.arch").contains("64");
299 private static final boolean aix = System.getProperty("os.name").equals("AIX");
300
301 /* Return the OS login module class name */
302 private static String getOSLoginModuleName() {
303 if (IBM_JAVA) {
304 if (windows) {
305 return is64Bit ? "com.ibm.security.auth.module.Win64LoginModule"
306 : "com.ibm.security.auth.module.NTLoginModule";
307 } else if (aix) {
308 return is64Bit ? "com.ibm.security.auth.module.AIX64LoginModule"
309 : "com.ibm.security.auth.module.AIXLoginModule";
310 } else {
311 return "com.ibm.security.auth.module.LinuxLoginModule";
312 }
313 } else {
314 return windows ? "com.sun.security.auth.module.NTLoginModule"
315 : "com.sun.security.auth.module.UnixLoginModule";
316 }
317 }
318
319 /* Return the OS principal class */
320 @SuppressWarnings("unchecked")
321 private static Class<? extends Principal> getOsPrincipalClass() {
322 ClassLoader cl = ClassLoader.getSystemClassLoader();
323 try {
324 String principalClass = null;
325 if (IBM_JAVA) {
326 if (is64Bit) {
327 principalClass = "com.ibm.security.auth.UsernamePrincipal";
328 } else {
329 if (windows) {
330 principalClass = "com.ibm.security.auth.NTUserPrincipal";
331 } else if (aix) {
332 principalClass = "com.ibm.security.auth.AIXPrincipal";
333 } else {
334 principalClass = "com.ibm.security.auth.LinuxPrincipal";
335 }
336 }
337 } else {
338 principalClass = windows ? "com.sun.security.auth.NTUserPrincipal"
339 : "com.sun.security.auth.UnixPrincipal";
340 }
341 return (Class<? extends Principal>) cl.loadClass(principalClass);
342 } catch (ClassNotFoundException e) {
343 LOG.error("Unable to find JAAS classes:" + e.getMessage());
344 }
345 return null;
346 }
347 static {
348 OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
349 OS_PRINCIPAL_CLASS = getOsPrincipalClass();
350 }
351
352 private static class RealUser implements Principal {
353 private final UserGroupInformation realUser;
354
355 RealUser(UserGroupInformation realUser) {
356 this.realUser = realUser;
357 }
358
359 @Override
360 public String getName() {
361 return realUser.getUserName();
362 }
363
364 public UserGroupInformation getRealUser() {
365 return realUser;
366 }
367
368 @Override
369 public boolean equals(Object o) {
370 if (this == o) {
371 return true;
372 } else if (o == null || getClass() != o.getClass()) {
373 return false;
374 } else {
375 return realUser.equals(((RealUser) o).realUser);
376 }
377 }
378
379 @Override
380 public int hashCode() {
381 return realUser.hashCode();
382 }
383
384 @Override
385 public String toString() {
386 return realUser.toString();
387 }
388 }
389
390 /**
391 * A JAAS configuration that defines the login modules that we want
392 * to use for login.
393 */
394 private static class HadoopConfiguration
395 extends javax.security.auth.login.Configuration {
396 private static final String SIMPLE_CONFIG_NAME = "hadoop-simple";
397 private static final String USER_KERBEROS_CONFIG_NAME =
398 "hadoop-user-kerberos";
399 private static final String KEYTAB_KERBEROS_CONFIG_NAME =
400 "hadoop-keytab-kerberos";
401
402 private static final Map<String, String> BASIC_JAAS_OPTIONS =
403 new HashMap<String,String>();
404 static {
405 String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG");
406 if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) {
407 BASIC_JAAS_OPTIONS.put("debug", "true");
408 }
409 }
410
411 private static final AppConfigurationEntry OS_SPECIFIC_LOGIN =
412 new AppConfigurationEntry(OS_LOGIN_MODULE_NAME,
413 LoginModuleControlFlag.REQUIRED,
414 BASIC_JAAS_OPTIONS);
415 private static final AppConfigurationEntry HADOOP_LOGIN =
416 new AppConfigurationEntry(HadoopLoginModule.class.getName(),
417 LoginModuleControlFlag.REQUIRED,
418 BASIC_JAAS_OPTIONS);
419 private static final Map<String,String> USER_KERBEROS_OPTIONS =
420 new HashMap<String,String>();
421 static {
422 if (IBM_JAVA) {
423 USER_KERBEROS_OPTIONS.put("useDefaultCcache", "true");
424 } else {
425 USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
426 USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
427 }
428 String ticketCache = System.getenv("KRB5CCNAME");
429 if (ticketCache != null) {
430 if (IBM_JAVA) {
431 // The first value searched when "useDefaultCcache" is used.
432 System.setProperty("KRB5CCNAME", ticketCache);
433 } else {
434 USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
435 }
436 }
437 USER_KERBEROS_OPTIONS.put("renewTGT", "true");
438 USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
439 }
440 private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
441 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
442 LoginModuleControlFlag.OPTIONAL,
443 USER_KERBEROS_OPTIONS);
444 private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS =
445 new HashMap<String,String>();
446 static {
447 if (IBM_JAVA) {
448 KEYTAB_KERBEROS_OPTIONS.put("credsType", "both");
449 } else {
450 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
451 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
452 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
453 }
454 KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
455 KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
456 }
457 private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
458 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
459 LoginModuleControlFlag.REQUIRED,
460 KEYTAB_KERBEROS_OPTIONS);
461
462 private static final AppConfigurationEntry[] SIMPLE_CONF =
463 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN};
464
465 private static final AppConfigurationEntry[] USER_KERBEROS_CONF =
466 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN,
467 HADOOP_LOGIN};
468
469 private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
470 new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
471
472 @Override
473 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
474 if (SIMPLE_CONFIG_NAME.equals(appName)) {
475 return SIMPLE_CONF;
476 } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) {
477 return USER_KERBEROS_CONF;
478 } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) {
479 if (IBM_JAVA) {
480 KEYTAB_KERBEROS_OPTIONS.put("useKeytab",
481 prependFileAuthority(keytabFile));
482 } else {
483 KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
484 }
485 KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
486 return KEYTAB_KERBEROS_CONF;
487 }
488 return null;
489 }
490 }
491
492 private static String prependFileAuthority(String keytabPath) {
493 return keytabPath.startsWith("file://") ? keytabPath
494 : "file://" + keytabPath;
495 }
496
497 /**
498 * Represents a javax.security configuration that is created at runtime.
499 */
500 private static class DynamicConfiguration
501 extends javax.security.auth.login.Configuration {
502 private AppConfigurationEntry[] ace;
503
504 DynamicConfiguration(AppConfigurationEntry[] ace) {
505 this.ace = ace;
506 }
507
508 @Override
509 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
510 return ace;
511 }
512 }
513
514 private static LoginContext
515 newLoginContext(String appName, Subject subject,
516 javax.security.auth.login.Configuration loginConf)
517 throws LoginException {
518 // Temporarily switch the thread's ContextClassLoader to match this
519 // class's classloader, so that we can properly load HadoopLoginModule
520 // from the JAAS libraries.
521 Thread t = Thread.currentThread();
522 ClassLoader oldCCL = t.getContextClassLoader();
523 t.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
524 try {
525 return new LoginContext(appName, subject, null, loginConf);
526 } finally {
527 t.setContextClassLoader(oldCCL);
528 }
529 }
530
531 private LoginContext getLogin() {
532 return user.getLogin();
533 }
534
535 private void setLogin(LoginContext login) {
536 user.setLogin(login);
537 }
538
539 /**
540 * Create a UserGroupInformation for the given subject.
541 * This does not change the subject or acquire new credentials.
542 * @param subject the user's subject
543 */
544 UserGroupInformation(Subject subject) {
545 this.subject = subject;
546 this.user = subject.getPrincipals(User.class).iterator().next();
547 this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
548 this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
549 }
550
551 /**
552 * checks if logged in using kerberos
553 * @return true if the subject logged via keytab or has a Kerberos TGT
554 */
555 public boolean hasKerberosCredentials() {
556 return isKeytab || isKrbTkt;
557 }
558
559 /**
560 * Return the current user, including any doAs in the current stack.
561 * @return the current user
562 * @throws IOException if login fails
563 */
564 @InterfaceAudience.Public
565 @InterfaceStability.Evolving
566 public synchronized
567 static UserGroupInformation getCurrentUser() throws IOException {
568 AccessControlContext context = AccessController.getContext();
569 Subject subject = Subject.getSubject(context);
570 if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
571 return getLoginUser();
572 } else {
573 return new UserGroupInformation(subject);
574 }
575 }
576
577 /**
578 * Find the most appropriate UserGroupInformation to use
579 *
580 * @param ticketCachePath The Kerberos ticket cache path, or NULL
581 * if none is specfied
582 * @param user The user name, or NULL if none is specified.
583 *
584 * @return The most appropriate UserGroupInformation
585 */
586 public static UserGroupInformation getBestUGI(
587 String ticketCachePath, String user) throws IOException {
588 if (ticketCachePath != null) {
589 return getUGIFromTicketCache(ticketCachePath, user);
590 } else if (user == null) {
591 return getCurrentUser();
592 } else {
593 return createRemoteUser(user);
594 }
595 }
596
597 /**
598 * Create a UserGroupInformation from a Kerberos ticket cache.
599 *
600 * @param user The principal name to load from the ticket
601 * cache
602 * @param ticketCachePath the path to the ticket cache file
603 *
604 * @throws IOException if the kerberos login fails
605 */
606 @InterfaceAudience.Public
607 @InterfaceStability.Evolving
608 public static UserGroupInformation getUGIFromTicketCache(
609 String ticketCache, String user) throws IOException {
610 if (!isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
611 return getBestUGI(null, user);
612 }
613 try {
614 Map<String,String> krbOptions = new HashMap<String,String>();
615 if (IBM_JAVA) {
616 krbOptions.put("useDefaultCcache", "true");
617 // The first value searched when "useDefaultCcache" is used.
618 System.setProperty("KRB5CCNAME", ticketCache);
619 } else {
620 krbOptions.put("doNotPrompt", "true");
621 krbOptions.put("useTicketCache", "true");
622 krbOptions.put("useKeyTab", "false");
623 krbOptions.put("ticketCache", ticketCache);
624 }
625 krbOptions.put("renewTGT", "false");
626 krbOptions.putAll(HadoopConfiguration.BASIC_JAAS_OPTIONS);
627 AppConfigurationEntry ace = new AppConfigurationEntry(
628 KerberosUtil.getKrb5LoginModuleName(),
629 LoginModuleControlFlag.REQUIRED,
630 krbOptions);
631 DynamicConfiguration dynConf =
632 new DynamicConfiguration(new AppConfigurationEntry[]{ ace });
633 LoginContext login = newLoginContext(
634 HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, null, dynConf);
635 login.login();
636
637 Subject loginSubject = login.getSubject();
638 Set<Principal> loginPrincipals = loginSubject.getPrincipals();
639 if (loginPrincipals.isEmpty()) {
640 throw new RuntimeException("No login principals found!");
641 }
642 if (loginPrincipals.size() != 1) {
643 LOG.warn("found more than one principal in the ticket cache file " +
644 ticketCache);
645 }
646 User ugiUser = new User(loginPrincipals.iterator().next().getName(),
647 AuthenticationMethod.KERBEROS, login);
648 loginSubject.getPrincipals().add(ugiUser);
649 UserGroupInformation ugi = new UserGroupInformation(loginSubject);
650 ugi.setLogin(login);
651 ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
652 return ugi;
653 } catch (LoginException le) {
654 throw new IOException("failure to login using ticket cache file " +
655 ticketCache, le);
656 }
657 }
658
659 /**
660 * Get the currently logged in user.
661 * @return the logged in user
662 * @throws IOException if login fails
663 */
664 @InterfaceAudience.Public
665 @InterfaceStability.Evolving
666 public synchronized
667 static UserGroupInformation getLoginUser() throws IOException {
668 if (loginUser == null) {
669 ensureInitialized();
670 try {
671 Subject subject = new Subject();
672 LoginContext login =
673 newLoginContext(authenticationMethod.getLoginAppName(),
674 subject, new HadoopConfiguration());
675 login.login();
676 UserGroupInformation realUser = new UserGroupInformation(subject);
677 realUser.setLogin(login);
678 realUser.setAuthenticationMethod(authenticationMethod);
679 realUser = new UserGroupInformation(login.getSubject());
680 // If the HADOOP_PROXY_USER environment variable or property
681 // is specified, create a proxy user as the logged in user.
682 String proxyUser = System.getenv(HADOOP_PROXY_USER);
683 if (proxyUser == null) {
684 proxyUser = System.getProperty(HADOOP_PROXY_USER);
685 }
686 loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);
687
688 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
689 if (fileLocation != null) {
690 // Load the token storage file and put all of the tokens into the
691 // user. Don't use the FileSystem API for reading since it has a lock
692 // cycle (HADOOP-9212).
693 Credentials cred = Credentials.readTokenStorageFile(
694 new File(fileLocation), conf);
695 loginUser.addCredentials(cred);
696 }
697 loginUser.spawnAutoRenewalThreadForUserCreds();
698 } catch (LoginException le) {
699 LOG.debug("failure to login", le);
700 throw new IOException("failure to login", le);
701 }
702 if (LOG.isDebugEnabled()) {
703 LOG.debug("UGI loginUser:"+loginUser);
704 }
705 }
706 return loginUser;
707 }
708
709 @InterfaceAudience.Private
710 @InterfaceStability.Unstable
711 @VisibleForTesting
712 public synchronized static void setLoginUser(UserGroupInformation ugi) {
713 // if this is to become stable, should probably logout the currently
714 // logged in ugi if it's different
715 loginUser = ugi;
716 }
717
718 /**
719 * Is this user logged in from a keytab file?
720 * @return true if the credentials are from a keytab file.
721 */
722 public boolean isFromKeytab() {
723 return isKeytab;
724 }
725
726 /**
727 * Get the Kerberos TGT
728 * @return the user's TGT or null if none was found
729 */
730 private synchronized KerberosTicket getTGT() {
731 Set<KerberosTicket> tickets = subject
732 .getPrivateCredentials(KerberosTicket.class);
733 for (KerberosTicket ticket : tickets) {
734 if (SecurityUtil.isOriginalTGT(ticket)) {
735 if (LOG.isDebugEnabled()) {
736 LOG.debug("Found tgt " + ticket);
737 }
738 return ticket;
739 }
740 }
741 return null;
742 }
743
744 private long getRefreshTime(KerberosTicket tgt) {
745 long start = tgt.getStartTime().getTime();
746 long end = tgt.getEndTime().getTime();
747 return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
748 }
749
750 /**Spawn a thread to do periodic renewals of kerberos credentials*/
751 private void spawnAutoRenewalThreadForUserCreds() {
752 if (isSecurityEnabled()) {
753 //spawn thread only if we have kerb credentials
754 if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS &&
755 !isKeytab) {
756 Thread t = new Thread(new Runnable() {
757
758 @Override
759 public void run() {
760 String cmd = conf.get("hadoop.kerberos.kinit.command",
761 "kinit");
762 KerberosTicket tgt = getTGT();
763 if (tgt == null) {
764 return;
765 }
766 long nextRefresh = getRefreshTime(tgt);
767 while (true) {
768 try {
769 long now = Time.now();
770 if(LOG.isDebugEnabled()) {
771 LOG.debug("Current time is " + now);
772 LOG.debug("Next refresh is " + nextRefresh);
773 }
774 if (now < nextRefresh) {
775 Thread.sleep(nextRefresh - now);
776 }
777 Shell.execCommand(cmd, "-R");
778 if(LOG.isDebugEnabled()) {
779 LOG.debug("renewed ticket");
780 }
781 reloginFromTicketCache();
782 tgt = getTGT();
783 if (tgt == null) {
784 LOG.warn("No TGT after renewal. Aborting renew thread for " +
785 getUserName());
786 return;
787 }
788 nextRefresh = Math.max(getRefreshTime(tgt),
789 now + MIN_TIME_BEFORE_RELOGIN);
790 } catch (InterruptedException ie) {
791 LOG.warn("Terminating renewal thread");
792 return;
793 } catch (IOException ie) {
794 LOG.warn("Exception encountered while running the" +
795 " renewal command. Aborting renew thread. " + ie);
796 return;
797 }
798 }
799 }
800 });
801 t.setDaemon(true);
802 t.setName("TGT Renewer for " + getUserName());
803 t.start();
804 }
805 }
806 }
807 /**
808 * Log a user in from a keytab file. Loads a user identity from a keytab
809 * file and logs them in. They become the currently logged-in user.
810 * @param user the principal name to load from the keytab
811 * @param path the path to the keytab file
812 * @throws IOException if the keytab file can't be read
813 */
814 @InterfaceAudience.Public
815 @InterfaceStability.Evolving
816 public synchronized
817 static void loginUserFromKeytab(String user,
818 String path
819 ) throws IOException {
820 if (!isSecurityEnabled())
821 return;
822
823 keytabFile = path;
824 keytabPrincipal = user;
825 Subject subject = new Subject();
826 LoginContext login;
827 long start = 0;
828 try {
829 login = newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
830 subject, new HadoopConfiguration());
831 start = Time.now();
832 login.login();
833 metrics.loginSuccess.add(Time.now() - start);
834 loginUser = new UserGroupInformation(subject);
835 loginUser.setLogin(login);
836 loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
837 } catch (LoginException le) {
838 if (start > 0) {
839 metrics.loginFailure.add(Time.now() - start);
840 }
841 throw new IOException("Login failure for " + user + " from keytab " +
842 path, le);
843 }
844 LOG.info("Login successful for user " + keytabPrincipal
845 + " using keytab file " + keytabFile);
846 }
847
848 /**
849 * Re-login a user from keytab if TGT is expired or is close to expiry.
850 *
851 * @throws IOException
852 */
853 public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
854 if (!isSecurityEnabled()
855 || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
856 || !isKeytab)
857 return;
858 KerberosTicket tgt = getTGT();
859 if (tgt != null && Time.now() < getRefreshTime(tgt)) {
860 return;
861 }
862 reloginFromKeytab();
863 }
864
865 /**
866 * Re-Login a user in from a keytab file. Loads a user identity from a keytab
867 * file and logs them in. They become the currently logged-in user. This
868 * method assumes that {@link #loginUserFromKeytab(String, String)} had
869 * happened already.
870 * The Subject field of this UserGroupInformation object is updated to have
871 * the new credentials.
872 * @throws IOException on a failure
873 */
874 @InterfaceAudience.Public
875 @InterfaceStability.Evolving
876 public synchronized void reloginFromKeytab()
877 throws IOException {
878 if (!isSecurityEnabled() ||
879 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
880 !isKeytab)
881 return;
882
883 long now = Time.now();
884 if (!hasSufficientTimeElapsed(now)) {
885 return;
886 }
887
888 KerberosTicket tgt = getTGT();
889 //Return if TGT is valid and is not going to expire soon.
890 if (tgt != null && now < getRefreshTime(tgt)) {
891 return;
892 }
893
894 LoginContext login = getLogin();
895 if (login == null || keytabFile == null) {
896 throw new IOException("loginUserFromKeyTab must be done first");
897 }
898
899 long start = 0;
900 // register most recent relogin attempt
901 user.setLastLogin(now);
902 try {
903 LOG.info("Initiating logout for " + getUserName());
904 synchronized (UserGroupInformation.class) {
905 // clear up the kerberos state. But the tokens are not cleared! As per
906 // the Java kerberos login module code, only the kerberos credentials
907 // are cleared
908 login.logout();
909 // login and also update the subject field of this instance to
910 // have the new credentials (pass it to the LoginContext constructor)
911 login = newLoginContext(
912 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject(),
913 new HadoopConfiguration());
914 LOG.info("Initiating re-login for " + keytabPrincipal);
915 start = Time.now();
916 login.login();
917 metrics.loginSuccess.add(Time.now() - start);
918 setLogin(login);
919 }
920 } catch (LoginException le) {
921 if (start > 0) {
922 metrics.loginFailure.add(Time.now() - start);
923 }
924 throw new IOException("Login failure for " + keytabPrincipal +
925 " from keytab " + keytabFile, le);
926 }
927 }
928
929 /**
930 * Re-Login a user in from the ticket cache. This
931 * method assumes that login had happened already.
932 * The Subject field of this UserGroupInformation object is updated to have
933 * the new credentials.
934 * @throws IOException on a failure
935 */
936 @InterfaceAudience.Public
937 @InterfaceStability.Evolving
938 public synchronized void reloginFromTicketCache()
939 throws IOException {
940 if (!isSecurityEnabled() ||
941 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
942 !isKrbTkt)
943 return;
944 LoginContext login = getLogin();
945 if (login == null) {
946 throw new IOException("login must be done first");
947 }
948 long now = Time.now();
949 if (!hasSufficientTimeElapsed(now)) {
950 return;
951 }
952 // register most recent relogin attempt
953 user.setLastLogin(now);
954 try {
955 LOG.info("Initiating logout for " + getUserName());
956 //clear up the kerberos state. But the tokens are not cleared! As per
957 //the Java kerberos login module code, only the kerberos credentials
958 //are cleared
959 login.logout();
960 //login and also update the subject field of this instance to
961 //have the new credentials (pass it to the LoginContext constructor)
962 login =
963 newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
964 getSubject(), new HadoopConfiguration());
965 LOG.info("Initiating re-login for " + getUserName());
966 login.login();
967 setLogin(login);
968 } catch (LoginException le) {
969 throw new IOException("Login failure for " + getUserName(), le);
970 }
971 }
972
973
974 /**
975 * Log a user in from a keytab file. Loads a user identity from a keytab
976 * file and login them in. This new user does not affect the currently
977 * logged-in user.
978 * @param user the principal name to load from the keytab
979 * @param path the path to the keytab file
980 * @throws IOException if the keytab file can't be read
981 */
982 public synchronized
983 static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
984 String path
985 ) throws IOException {
986 if (!isSecurityEnabled())
987 return UserGroupInformation.getCurrentUser();
988 String oldKeytabFile = null;
989 String oldKeytabPrincipal = null;
990
991 long start = 0;
992 try {
993 oldKeytabFile = keytabFile;
994 oldKeytabPrincipal = keytabPrincipal;
995 keytabFile = path;
996 keytabPrincipal = user;
997 Subject subject = new Subject();
998
999 LoginContext login = newLoginContext(
1000 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject,
1001 new HadoopConfiguration());
1002
1003 start = Time.now();
1004 login.login();
1005 metrics.loginSuccess.add(Time.now() - start);
1006 UserGroupInformation newLoginUser = new UserGroupInformation(subject);
1007 newLoginUser.setLogin(login);
1008 newLoginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
1009
1010 return newLoginUser;
1011 } catch (LoginException le) {
1012 if (start > 0) {
1013 metrics.loginFailure.add(Time.now() - start);
1014 }
1015 throw new IOException("Login failure for " + user + " from keytab " +
1016 path, le);
1017 } finally {
1018 if(oldKeytabFile != null) keytabFile = oldKeytabFile;
1019 if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal;
1020 }
1021 }
1022
1023 private boolean hasSufficientTimeElapsed(long now) {
1024 if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) {
1025 LOG.warn("Not attempting to re-login since the last re-login was " +
1026 "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+
1027 " before.");
1028 return false;
1029 }
1030 return true;
1031 }
1032
1033 /**
1034 * Did the login happen via keytab
1035 * @return true or false
1036 */
1037 @InterfaceAudience.Public
1038 @InterfaceStability.Evolving
1039 public synchronized static boolean isLoginKeytabBased() throws IOException {
1040 return getLoginUser().isKeytab;
1041 }
1042
1043 /**
1044 * Create a user from a login name. It is intended to be used for remote
1045 * users in RPC, since it won't have any credentials.
1046 * @param user the full user principal name, must not be empty or null
1047 * @return the UserGroupInformation for the remote user.
1048 */
1049 @InterfaceAudience.Public
1050 @InterfaceStability.Evolving
1051 public static UserGroupInformation createRemoteUser(String user) {
1052 if (user == null || user.isEmpty()) {
1053 throw new IllegalArgumentException("Null user");
1054 }
1055 Subject subject = new Subject();
1056 subject.getPrincipals().add(new User(user));
1057 UserGroupInformation result = new UserGroupInformation(subject);
1058 result.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
1059 return result;
1060 }
1061
1062 /**
1063 * existing types of authentications' methods
1064 */
1065 @InterfaceAudience.Public
1066 @InterfaceStability.Evolving
1067 public static enum AuthenticationMethod {
1068 // currently we support only one auth per method, but eventually a
1069 // subtype is needed to differentiate, ex. if digest is token or ldap
1070 SIMPLE(AuthMethod.SIMPLE,
1071 HadoopConfiguration.SIMPLE_CONFIG_NAME),
1072 KERBEROS(AuthMethod.KERBEROS,
1073 HadoopConfiguration.USER_KERBEROS_CONFIG_NAME),
1074 TOKEN(AuthMethod.TOKEN),
1075 CERTIFICATE(null),
1076 KERBEROS_SSL(null),
1077 PROXY(null);
1078
1079 private final AuthMethod authMethod;
1080 private final String loginAppName;
1081
1082 private AuthenticationMethod(AuthMethod authMethod) {
1083 this(authMethod, null);
1084 }
1085 private AuthenticationMethod(AuthMethod authMethod, String loginAppName) {
1086 this.authMethod = authMethod;
1087 this.loginAppName = loginAppName;
1088 }
1089
1090 public AuthMethod getAuthMethod() {
1091 return authMethod;
1092 }
1093
1094 String getLoginAppName() {
1095 if (loginAppName == null) {
1096 throw new UnsupportedOperationException(
1097 this + " login authentication is not supported");
1098 }
1099 return loginAppName;
1100 }
1101
1102 public static AuthenticationMethod valueOf(AuthMethod authMethod) {
1103 for (AuthenticationMethod value : values()) {
1104 if (value.getAuthMethod() == authMethod) {
1105 return value;
1106 }
1107 }
1108 throw new IllegalArgumentException(
1109 "no authentication method for " + authMethod);
1110 }
1111 };
1112
1113 /**
1114 * Create a proxy user using username of the effective user and the ugi of the
1115 * real user.
1116 * @param user
1117 * @param realUser
1118 * @return proxyUser ugi
1119 */
1120 @InterfaceAudience.Public
1121 @InterfaceStability.Evolving
1122 public static UserGroupInformation createProxyUser(String user,
1123 UserGroupInformation realUser) {
1124 if (user == null || user.isEmpty()) {
1125 throw new IllegalArgumentException("Null user");
1126 }
1127 if (realUser == null) {
1128 throw new IllegalArgumentException("Null real user");
1129 }
1130 Subject subject = new Subject();
1131 Set<Principal> principals = subject.getPrincipals();
1132 principals.add(new User(user));
1133 principals.add(new RealUser(realUser));
1134 UserGroupInformation result =new UserGroupInformation(subject);
1135 result.setAuthenticationMethod(AuthenticationMethod.PROXY);
1136 return result;
1137 }
1138
1139 /**
1140 * get RealUser (vs. EffectiveUser)
1141 * @return realUser running over proxy user
1142 */
1143 @InterfaceAudience.Public
1144 @InterfaceStability.Evolving
1145 public UserGroupInformation getRealUser() {
1146 for (RealUser p: subject.getPrincipals(RealUser.class)) {
1147 return p.getRealUser();
1148 }
1149 return null;
1150 }
1151
1152
1153
1154 /**
1155 * This class is used for storing the groups for testing. It stores a local
1156 * map that has the translation of usernames to groups.
1157 */
1158 private static class TestingGroups extends Groups {
1159 private final Map<String, List<String>> userToGroupsMapping =
1160 new HashMap<String,List<String>>();
1161 private Groups underlyingImplementation;
1162
1163 private TestingGroups(Groups underlyingImplementation) {
1164 super(new org.apache.hadoop.conf.Configuration());
1165 this.underlyingImplementation = underlyingImplementation;
1166 }
1167
1168 @Override
1169 public List<String> getGroups(String user) throws IOException {
1170 List<String> result = userToGroupsMapping.get(user);
1171
1172 if (result == null) {
1173 result = underlyingImplementation.getGroups(user);
1174 }
1175
1176 return result;
1177 }
1178
1179 private void setUserGroups(String user, String[] groups) {
1180 userToGroupsMapping.put(user, Arrays.asList(groups));
1181 }
1182 }
1183
1184 /**
1185 * Create a UGI for testing HDFS and MapReduce
1186 * @param user the full user principal name
1187 * @param userGroups the names of the groups that the user belongs to
1188 * @return a fake user for running unit tests
1189 */
1190 @InterfaceAudience.Public
1191 @InterfaceStability.Evolving
1192 public static UserGroupInformation createUserForTesting(String user,
1193 String[] userGroups) {
1194 ensureInitialized();
1195 UserGroupInformation ugi = createRemoteUser(user);
1196 // make sure that the testing object is setup
1197 if (!(groups instanceof TestingGroups)) {
1198 groups = new TestingGroups(groups);
1199 }
1200 // add the user groups
1201 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
1202 return ugi;
1203 }
1204
1205
1206 /**
1207 * Create a proxy user UGI for testing HDFS and MapReduce
1208 *
1209 * @param user
1210 * the full user principal name for effective user
1211 * @param realUser
1212 * UGI of the real user
1213 * @param userGroups
1214 * the names of the groups that the user belongs to
1215 * @return a fake user for running unit tests
1216 */
1217 public static UserGroupInformation createProxyUserForTesting(String user,
1218 UserGroupInformation realUser, String[] userGroups) {
1219 ensureInitialized();
1220 UserGroupInformation ugi = createProxyUser(user, realUser);
1221 // make sure that the testing object is setup
1222 if (!(groups instanceof TestingGroups)) {
1223 groups = new TestingGroups(groups);
1224 }
1225 // add the user groups
1226 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
1227 return ugi;
1228 }
1229
1230 /**
1231 * Get the user's login name.
1232 * @return the user's name up to the first '/' or '@'.
1233 */
1234 public String getShortUserName() {
1235 for (User p: subject.getPrincipals(User.class)) {
1236 return p.getShortName();
1237 }
1238 return null;
1239 }
1240
1241 /**
1242 * Get the user's full principal name.
1243 * @return the user's full principal name.
1244 */
1245 @InterfaceAudience.Public
1246 @InterfaceStability.Evolving
1247 public String getUserName() {
1248 return user.getName();
1249 }
1250
1251 /**
1252 * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been
1253 * authenticated by the RPC layer as belonging to the user represented by this
1254 * UGI.
1255 *
1256 * @param tokenId
1257 * tokenIdentifier to be added
1258 * @return true on successful add of new tokenIdentifier
1259 */
1260 public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) {
1261 return subject.getPublicCredentials().add(tokenId);
1262 }
1263
1264 /**
1265 * Get the set of TokenIdentifiers belonging to this UGI
1266 *
1267 * @return the set of TokenIdentifiers belonging to this UGI
1268 */
1269 public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
1270 return subject.getPublicCredentials(TokenIdentifier.class);
1271 }
1272
1273 /**
1274 * Add a token to this UGI
1275 *
1276 * @param token Token to be added
1277 * @return true on successful add of new token
1278 */
1279 public synchronized boolean addToken(Token<? extends TokenIdentifier> token) {
1280 return (token != null) ? addToken(token.getService(), token) : false;
1281 }
1282
1283 /**
1284 * Add a named token to this UGI
1285 *
1286 * @param alias Name of the token
1287 * @param token Token to be added
1288 * @return true on successful add of new token
1289 */
1290 public synchronized boolean addToken(Text alias,
1291 Token<? extends TokenIdentifier> token) {
1292 getCredentialsInternal().addToken(alias, token);
1293 return true;
1294 }
1295
1296 /**
1297 * Obtain the collection of tokens associated with this user.
1298 *
1299 * @return an unmodifiable collection of tokens associated with user
1300 */
1301 public synchronized
1302 Collection<Token<? extends TokenIdentifier>> getTokens() {
1303 return Collections.unmodifiableCollection(
1304 getCredentialsInternal().getAllTokens());
1305 }
1306
1307 /**
1308 * Obtain the tokens in credentials form associated with this user.
1309 *
1310 * @return Credentials of tokens associated with this user
1311 */
1312 public synchronized Credentials getCredentials() {
1313 Credentials creds = new Credentials(getCredentialsInternal());
1314 Iterator<Token<?>> iter = creds.getAllTokens().iterator();
1315 while (iter.hasNext()) {
1316 if (iter.next() instanceof Token.PrivateToken) {
1317 iter.remove();
1318 }
1319 }
1320 return creds;
1321 }
1322
1323 /**
1324 * Add the given Credentials to this user.
1325 * @param credentials of tokens and secrets
1326 */
1327 public synchronized void addCredentials(Credentials credentials) {
1328 getCredentialsInternal().addAll(credentials);
1329 }
1330
1331 private synchronized Credentials getCredentialsInternal() {
1332 final Credentials credentials;
1333 final Set<Credentials> credentialsSet =
1334 subject.getPrivateCredentials(Credentials.class);
1335 if (!credentialsSet.isEmpty()){
1336 credentials = credentialsSet.iterator().next();
1337 } else {
1338 credentials = new Credentials();
1339 subject.getPrivateCredentials().add(credentials);
1340 }
1341 return credentials;
1342 }
1343
1344 /**
1345 * Get the group names for this user.
1346 * @return the list of users with the primary group first. If the command
1347 * fails, it returns an empty list.
1348 */
1349 public synchronized String[] getGroupNames() {
1350 ensureInitialized();
1351 try {
1352 List<String> result = groups.getGroups(getShortUserName());
1353 return result.toArray(new String[result.size()]);
1354 } catch (IOException ie) {
1355 LOG.warn("No groups available for user " + getShortUserName());
1356 return new String[0];
1357 }
1358 }
1359
1360 /**
1361 * Return the username.
1362 */
1363 @Override
1364 public String toString() {
1365 StringBuilder sb = new StringBuilder(getUserName());
1366 sb.append(" (auth:"+getAuthenticationMethod()+")");
1367 if (getRealUser() != null) {
1368 sb.append(" via ").append(getRealUser().toString());
1369 }
1370 return sb.toString();
1371 }
1372
1373 /**
1374 * Sets the authentication method in the subject
1375 *
1376 * @param authMethod
1377 */
1378 public synchronized
1379 void setAuthenticationMethod(AuthenticationMethod authMethod) {
1380 user.setAuthenticationMethod(authMethod);
1381 }
1382
1383 /**
1384 * Sets the authentication method in the subject
1385 *
1386 * @param authMethod
1387 */
1388 public void setAuthenticationMethod(AuthMethod authMethod) {
1389 user.setAuthenticationMethod(AuthenticationMethod.valueOf(authMethod));
1390 }
1391
1392 /**
1393 * Get the authentication method from the subject
1394 *
1395 * @return AuthenticationMethod in the subject, null if not present.
1396 */
1397 public synchronized AuthenticationMethod getAuthenticationMethod() {
1398 return user.getAuthenticationMethod();
1399 }
1400
1401 /**
1402 * Get the authentication method from the real user's subject. If there
1403 * is no real user, return the given user's authentication method.
1404 *
1405 * @return AuthenticationMethod in the subject, null if not present.
1406 */
1407 public synchronized AuthenticationMethod getRealAuthenticationMethod() {
1408 UserGroupInformation ugi = getRealUser();
1409 if (ugi == null) {
1410 ugi = this;
1411 }
1412 return ugi.getAuthenticationMethod();
1413 }
1414
1415 /**
1416 * Returns the authentication method of a ugi. If the authentication method is
1417 * PROXY, returns the authentication method of the real user.
1418 *
1419 * @param ugi
1420 * @return AuthenticationMethod
1421 */
1422 public static AuthenticationMethod getRealAuthenticationMethod(
1423 UserGroupInformation ugi) {
1424 AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
1425 if (authMethod == AuthenticationMethod.PROXY) {
1426 authMethod = ugi.getRealUser().getAuthenticationMethod();
1427 }
1428 return authMethod;
1429 }
1430
1431 /**
1432 * Compare the subjects to see if they are equal to each other.
1433 */
1434 @Override
1435 public boolean equals(Object o) {
1436 if (o == this) {
1437 return true;
1438 } else if (o == null || getClass() != o.getClass()) {
1439 return false;
1440 } else {
1441 return subject == ((UserGroupInformation) o).subject;
1442 }
1443 }
1444
1445 /**
1446 * Return the hash of the subject.
1447 */
1448 @Override
1449 public int hashCode() {
1450 return System.identityHashCode(subject);
1451 }
1452
1453 /**
1454 * Get the underlying subject from this ugi.
1455 * @return the subject that represents this user.
1456 */
1457 protected Subject getSubject() {
1458 return subject;
1459 }
1460
1461 /**
1462 * Run the given action as the user.
1463 * @param <T> the return type of the run method
1464 * @param action the method to execute
1465 * @return the value from the run method
1466 */
1467 @InterfaceAudience.Public
1468 @InterfaceStability.Evolving
1469 public <T> T doAs(PrivilegedAction<T> action) {
1470 logPrivilegedAction(subject, action);
1471 return Subject.doAs(subject, action);
1472 }
1473
1474 /**
1475 * Run the given action as the user, potentially throwing an exception.
1476 * @param <T> the return type of the run method
1477 * @param action the method to execute
1478 * @return the value from the run method
1479 * @throws IOException if the action throws an IOException
1480 * @throws Error if the action throws an Error
1481 * @throws RuntimeException if the action throws a RuntimeException
1482 * @throws InterruptedException if the action throws an InterruptedException
1483 * @throws UndeclaredThrowableException if the action throws something else
1484 */
1485 @InterfaceAudience.Public
1486 @InterfaceStability.Evolving
1487 public <T> T doAs(PrivilegedExceptionAction<T> action
1488 ) throws IOException, InterruptedException {
1489 try {
1490 logPrivilegedAction(subject, action);
1491 return Subject.doAs(subject, action);
1492 } catch (PrivilegedActionException pae) {
1493 Throwable cause = pae.getCause();
1494 LOG.error("PriviledgedActionException as:"+this+" cause:"+cause);
1495 if (cause instanceof IOException) {
1496 throw (IOException) cause;
1497 } else if (cause instanceof Error) {
1498 throw (Error) cause;
1499 } else if (cause instanceof RuntimeException) {
1500 throw (RuntimeException) cause;
1501 } else if (cause instanceof InterruptedException) {
1502 throw (InterruptedException) cause;
1503 } else {
1504 throw new UndeclaredThrowableException(cause);
1505 }
1506 }
1507 }
1508
1509 private void logPrivilegedAction(Subject subject, Object action) {
1510 if (LOG.isDebugEnabled()) {
1511 // would be nice if action included a descriptive toString()
1512 String where = new Throwable().getStackTrace()[2].toString();
1513 LOG.debug("PrivilegedAction as:"+this+" from:"+where);
1514 }
1515 }
1516
1517 private void print() throws IOException {
1518 System.out.println("User: " + getUserName());
1519 System.out.print("Group Ids: ");
1520 System.out.println();
1521 String[] groups = getGroupNames();
1522 System.out.print("Groups: ");
1523 for(int i=0; i < groups.length; i++) {
1524 System.out.print(groups[i] + " ");
1525 }
1526 System.out.println();
1527 }
1528
1529 /**
1530 * A test method to print out the current user's UGI.
1531 * @param args if there are two arguments, read the user from the keytab
1532 * and print it out.
1533 * @throws Exception
1534 */
1535 public static void main(String [] args) throws Exception {
1536 System.out.println("Getting UGI for current user");
1537 UserGroupInformation ugi = getCurrentUser();
1538 ugi.print();
1539 System.out.println("UGI: " + ugi);
1540 System.out.println("Auth method " + ugi.user.getAuthenticationMethod());
1541 System.out.println("Keytab " + ugi.isKeytab);
1542 System.out.println("============================================================");
1543
1544 if (args.length == 2) {
1545 System.out.println("Getting UGI from keytab....");
1546 loginUserFromKeytab(args[0], args[1]);
1547 getCurrentUser().print();
1548 System.out.println("Keytab: " + ugi);
1549 System.out.println("Auth method " + loginUser.user.getAuthenticationMethod());
1550 System.out.println("Keytab " + loginUser.isKeytab);
1551 }
1552 }
1553
1554 }