org.apache.hadoop.hbase.security
Class User

java.lang.Object
  org.apache.hadoop.hbase.security.User

@InterfaceAudience.Public
@InterfaceStability.Stable
public abstract class User
extends Object

Wrapper to abstract out usage of user and group information in HBase.

This class provides a common interface for interacting with user and group information across changing APIs in different versions of Hadoop. It only provides access to the common set of functionality in UserGroupInformation currently needed by HBase, but can be extended as needs change.

Field Summary

static String	HBASE_SECURITY_AUTHORIZATION_CONF_KEY
static String	HBASE_SECURITY_CONF_KEY
protected org.apache.hadoop.security.UserGroupInformation	ugi

Constructor Summary

User()

Method Summary

void	addToken(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token) Adds the given Token to the user's credentials.
static User	create(org.apache.hadoop.security.UserGroupInformation ugi) Wraps an underlying UserGroupInformation instance.
static User	createUserForTesting(org.apache.hadoop.conf.Configuration conf, String name, String[] groups) Generates a new User instance specifically for use in test code.
boolean	equals(Object o)
static User	getCurrent() Returns the User instance within current execution context.
String[]	getGroupNames() Returns the list of groups of which this user is a member.
String	getName() Returns the full user name.
abstract String	getShortName() Returns the shortened version of the user name -- the portion that maps to an operating system user name.
org.apache.hadoop.security.token.Token<?>	getToken(String kind, String service) Returns the Token of the specified kind associated with this user, or null if the Token is not present.
Collection<org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier>>	getTokens() Returns all the tokens stored in the user's credentials.
org.apache.hadoop.security.UserGroupInformation	getUGI()
int	hashCode()
static boolean	isHBaseSecurityEnabled(org.apache.hadoop.conf.Configuration conf) Returns whether or not secure authentication is enabled for HBase.
static boolean	isSecurityEnabled() Returns whether or not Kerberos authentication is configured for Hadoop.
static void	login(org.apache.hadoop.conf.Configuration conf, String fileConfKey, String principalConfKey, String localhost) Log in the current process using the given configuration keys for the credential file and login principal.
abstract void	obtainAuthTokenForJob(org.apache.hadoop.conf.Configuration conf, org.apache.hadoop.mapreduce.Job job) Deprecated. Use TokenUtil.obtainAuthTokenForJob(HConnection,User,Job) instead.
abstract void	obtainAuthTokenForJob(org.apache.hadoop.mapred.JobConf job) Deprecated. Use TokenUtil.obtainAuthTokenForJob(HConnection,JobConf,User) instead.
abstract <T> T	runAs(PrivilegedAction<T> action) Executes the given action within the context of this user.
abstract <T> T	runAs(PrivilegedExceptionAction<T> action) Executes the given action within the context of this user.
static <T> T	runAsLoginUser(PrivilegedExceptionAction<T> action) Executes the given action as the login user
String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

HBASE_SECURITY_CONF_KEY

public static final String HBASE_SECURITY_CONF_KEY

See Also:

Constant Field Values

HBASE_SECURITY_AUTHORIZATION_CONF_KEY

public static final String HBASE_SECURITY_AUTHORIZATION_CONF_KEY

See Also:

Constant Field Values

ugi

protected org.apache.hadoop.security.UserGroupInformation ugi

Constructor Detail

User

public User()

Method Detail

getUGI

public org.apache.hadoop.security.UserGroupInformation getUGI()

getName

public String getName()

Returns the full user name. For Kerberos principals this will include the host and realm portions of the principal name.

Returns:

User full name.

getGroupNames

public String[] getGroupNames()

Returns the list of groups of which this user is a member. On secure Hadoop this returns the group information for the user as resolved on the server. For 0.20 based Hadoop, the group names are passed from the client.

getShortName

public abstract String getShortName()

Returns the shortened version of the user name -- the portion that maps to an operating system user name.

Returns:

Short name

runAs

public abstract <T> T runAs(PrivilegedAction<T> action)

Executes the given action within the context of this user.

runAs

public abstract <T> T runAs(PrivilegedExceptionAction<T> action)
                 throws IOException,
                        InterruptedException

Executes the given action within the context of this user.

Throws:

IOException

InterruptedException

obtainAuthTokenForJob

@Deprecated
public abstract void obtainAuthTokenForJob(org.apache.hadoop.conf.Configuration conf,
                                                      org.apache.hadoop.mapreduce.Job job)
                                    throws IOException,
                                           InterruptedException

Deprecated. Use TokenUtil.obtainAuthTokenForJob(HConnection,User,Job) instead.

Requests an authentication token for this user and stores it in the user's credentials.

Throws:

IOException

InterruptedException

obtainAuthTokenForJob

@Deprecated
public abstract void obtainAuthTokenForJob(org.apache.hadoop.mapred.JobConf job)
                                    throws IOException,
                                           InterruptedException

Deprecated. Use TokenUtil.obtainAuthTokenForJob(HConnection,JobConf,User) instead.

Requests an authentication token for this user and stores it in the user's credentials.

Throws:

IOException

InterruptedException

getToken

public org.apache.hadoop.security.token.Token<?> getToken(String kind,
                                                          String service)
                                                   throws IOException

Returns the Token of the specified kind associated with this user, or null if the Token is not present.

Parameters:

kind - the kind of token

service - service on which the token is supposed to be used

Returns:

the token of the specified kind.

Throws:

IOException

getTokens

public Collection<org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier>> getTokens()

Returns all the tokens stored in the user's credentials.

addToken

public void addToken(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token)

Adds the given Token to the user's credentials.

Parameters:

token - the token to add

equals

public boolean equals(Object o)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

toString

public String toString()

Overrides:

toString in class Object

getCurrent

public static User getCurrent()
                       throws IOException

Returns the User instance within current execution context.

Throws:

IOException

runAsLoginUser

public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action)
                        throws IOException

Executes the given action as the login user

Parameters:

action -

Returns:

Throws:

IOException

InterruptedException

create

public static User create(org.apache.hadoop.security.UserGroupInformation ugi)

Wraps an underlying UserGroupInformation instance.

Parameters:

ugi - The base Hadoop user

Returns:

User

createUserForTesting

public static User createUserForTesting(org.apache.hadoop.conf.Configuration conf,
                                        String name,
                                        String[] groups)

Generates a new User instance specifically for use in test code.

Parameters:

name - the full username

groups - the group names to which the test user will belong

Returns:

a new User instance

login

public static void login(org.apache.hadoop.conf.Configuration conf,
                         String fileConfKey,
                         String principalConfKey,
                         String localhost)
                  throws IOException

Log in the current process using the given configuration keys for the credential file and login principal.

This is only applicable when running on secure Hadoop -- see org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String). On regular Hadoop (without security features), this will safely be ignored.

Parameters:

conf - The configuration data to use

fileConfKey - Property key used to configure path to the credential file

principalConfKey - Property key used to configure login principal

localhost - Current hostname to use in any credentials

Throws:

IOException - underlying exception from SecurityUtil.login() call

isSecurityEnabled

public static boolean isSecurityEnabled()

Returns whether or not Kerberos authentication is configured for Hadoop. For non-secure Hadoop, this always returns false. For secure Hadoop, it will return the value from UserGroupInformation.isSecurityEnabled().

isHBaseSecurityEnabled

public static boolean isHBaseSecurityEnabled(org.apache.hadoop.conf.Configuration conf)

Returns whether or not secure authentication is enabled for HBase. Note that HBase security requires HDFS security to provide any guarantees, so it is recommended that secure HBase should run on secure HDFS.