Package org.apache.hadoop.security

Class SecurityUtil

java.lang.Object

org.apache.hadoop.security.SecurityUtil

@Public
@Evolving
public final class SecurityUtil
extends java.lang.Object

Security Utils.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static class	SecurityUtil.QualifiedHostResolver	This an alternate resolver with important properties that the standard java resolver lacks: 1) The hostname is fully qualified.
static class	SecurityUtil.TruststoreKeystore	Helper class to contain the Truststore/Keystore paths for the ZK client connection over SSL/TLS.

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	FAILED_TO_GET_UGI_MSG_HEADER
static java.lang.String	HOSTNAME_PATTERN
static org.slf4j.Logger	LOG

Method Summary

Modifier and Type	Method	Description
static java.lang.String	buildDTServiceName(java.net.URI uri, int defPort)	create the service name for a Delegation token
static Text	buildTokenService(java.net.InetSocketAddress addr)	Construct the service key for a token
static Text	buildTokenService(java.net.URI uri)	Construct the service key for a token
static <T> T	doAsCurrentUser(java.security.PrivilegedExceptionAction<T> action)	Perform the given action as the daemon's current user.
static <T> T	doAsLoginUser(java.security.PrivilegedExceptionAction<T> action)	Perform the given action as the daemon's login user.
static <T> T	doAsLoginUserOrFatal(java.security.PrivilegedAction<T> action)	Perform the given action as the daemon's login user.
static UserGroupInformation.AuthenticationMethod	getAuthenticationMethod(Configuration conf)
static java.net.InetAddress	getByName(java.lang.String hostname)	Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip.
static java.lang.String	getClientPrincipal(java.lang.Class<?> protocol, Configuration conf)	Look up the client principal for a given protocol.
static java.lang.Class<? extends java.security.Principal>	getCustomAuthPrincipal(Configuration conf)
static java.lang.Class<? extends RpcAuthMethod>	getCustomRpcAuthMethod(Configuration conf)
static java.lang.String	getHostFromPrincipal(java.lang.String principalName)	Get the host name from the principal name of format <service >/host@realm.
static KerberosInfo	getKerberosInfo(java.lang.Class<?> protocol, Configuration conf)	Look up the KerberosInfo for a given protocol.
static org.apache.hadoop.security.authentication.client.Authenticator	getMaprAuthenticator()
static java.lang.String	getServerPrincipal(java.lang.String principalConfig, java.lang.String hostname)	Convert Kerberos principal name pattern to valid Kerberos principal names.
static java.lang.String	getServerPrincipal(java.lang.String principalConfig, java.net.InetAddress addr)	Convert Kerberos principal name pattern to valid Kerberos principal names.
static TokenInfo	getTokenInfo(java.lang.Class<?> protocol, Configuration conf)	Look up the TokenInfo for a given protocol.
static java.net.InetSocketAddress	getTokenServiceAddr(Token<?> token)	Decode the given token's service field into an InetAddress
static java.util.List<ZKUtil.ZKAuthInfo>	getZKAuthInfos(Configuration conf, java.lang.String configKey)	Utility method to fetch ZK auth info from the configuration.
protected static boolean	isOriginalTGT(javax.security.auth.kerberos.KerberosTicket ticket)	Check whether the server principal is the TGS's principal
static boolean	isPrivilegedPort(int port)
static void	login(Configuration conf, java.lang.String keytabFileKey, java.lang.String userNameKey)	Login as a principal specified in config.
static void	login(Configuration conf, java.lang.String keytabFileKey, java.lang.String userNameKey, java.lang.String hostname)	Login as a principal specified in config.
static void	setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authenticationMethod, Configuration conf)
static void	setConfiguration(Configuration conf)
static void	setSecurityInfoProviders(SecurityInfo... providers)	Test setup method to register additional providers.
static void	setSslConfiguration(org.apache.zookeeper.client.ZKClientConfig zkClientConfig, SecurityUtil.TruststoreKeystore truststoreKeystore)	Configure ZooKeeper Client with SSL/TLS connection.
static void	setSslConfiguration(org.apache.zookeeper.client.ZKClientConfig zkClientConfig, SecurityUtil.TruststoreKeystore truststoreKeystore, org.apache.zookeeper.common.ClientX509Util x509Util)
static void	setTokenService(Token<?> token, java.net.InetSocketAddress addr)	Set the given token's service to the format expected by the RPC client
static void	setTokenServiceUseIp(boolean flag)	For use only by tests and initialization.
static void	validateSslConfiguration(SecurityUtil.TruststoreKeystore truststoreKeystore)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

public static final org.slf4j.Logger LOG

HOSTNAME_PATTERN

public static final java.lang.String HOSTNAME_PATTERN

See Also:

Constant Field Values

FAILED_TO_GET_UGI_MSG_HEADER

public static final java.lang.String FAILED_TO_GET_UGI_MSG_HEADER

See Also:

Constant Field Values

Method Detail

setConfiguration

@Public
@Evolving
public static void setConfiguration(Configuration conf)

setTokenServiceUseIp

@Private
@VisibleForTesting
public static void setTokenServiceUseIp(boolean flag)

For use only by tests and initialization.

Parameters:

flag - flag.

isOriginalTGT

protected static boolean isOriginalTGT(javax.security.auth.kerberos.KerberosTicket ticket)

Check whether the server principal is the TGS's principal

Parameters:

ticket - the original TGT (the ticket that is obtained when a kinit is done)

Returns:

true or false

getServerPrincipal

@Public
@Evolving
public static java.lang.String getServerPrincipal(java.lang.String principalConfig,
                                                  java.lang.String hostname)
                                           throws java.io.IOException

Convert Kerberos principal name pattern to valid Kerberos principal names. It replaces hostname pattern with hostname, which should be fully-qualified domain name. If hostname is null or "0.0.0.0", it uses dynamically looked-up fqdn of the current host instead.

Parameters:

principalConfig - the Kerberos principal name conf value to convert

hostname - the fully-qualified domain name used for substitution

Returns:

converted Kerberos principal name

Throws:

java.io.IOException - if the client address cannot be determined

getServerPrincipal

@Public
@Evolving
public static java.lang.String getServerPrincipal(java.lang.String principalConfig,
                                                  java.net.InetAddress addr)
                                           throws java.io.IOException

Convert Kerberos principal name pattern to valid Kerberos principal names. This method is similar to getServerPrincipal(String, String), except 1) the reverse DNS lookup from addr to hostname is done only when necessary, 2) param addr can't be null (no default behavior of using local hostname when addr is null).

Parameters:

principalConfig - Kerberos principal name pattern to convert

addr - InetAddress of the host used for substitution

Returns:

converted Kerberos principal name

Throws:

java.io.IOException - if the client address cannot be determined

login

@Public
@Evolving
public static void login(Configuration conf,
                         java.lang.String keytabFileKey,
                         java.lang.String userNameKey)
                  throws java.io.IOException

Login as a principal specified in config. Substitute $host in user's Kerberos principal name with a dynamically looked-up fully-qualified domain name of the current host.

Parameters:

conf - conf to use

keytabFileKey - the key to look for keytab file in conf

userNameKey - the key to look for user's Kerberos principal name in conf

Throws:

java.io.IOException - if login fails

login

@Public
@Evolving
public static void login(Configuration conf,
                         java.lang.String keytabFileKey,
                         java.lang.String userNameKey,
                         java.lang.String hostname)
                  throws java.io.IOException

Login as a principal specified in config. Substitute $host in user's Kerberos principal name with hostname. If non-secure mode - return. If no keytab available - bail out with an exception

Parameters:

conf - conf to use

keytabFileKey - the key to look for keytab file in conf

userNameKey - the key to look for user's Kerberos principal name in conf

hostname - hostname to use for substitution

Throws:

java.io.IOException - if the config doesn't specify a keytab

buildDTServiceName

public static java.lang.String buildDTServiceName(java.net.URI uri,
                                                  int defPort)

create the service name for a Delegation token

Parameters:

uri - of the service

defPort - is used if the uri lacks a port

Returns:

the token service, or null if no authority

See Also:

buildTokenService(InetSocketAddress)

getHostFromPrincipal

public static java.lang.String getHostFromPrincipal(java.lang.String principalName)

Get the host name from the principal name of format <service >/host@realm.

Parameters:

principalName - principal name of format as described above

Returns:

host name if the the string conforms to the above format, else null

setSecurityInfoProviders

@Private
public static void setSecurityInfoProviders(SecurityInfo... providers)

Test setup method to register additional providers.

Parameters:

providers - a list of high priority providers to use

getKerberosInfo

public static KerberosInfo getKerberosInfo(java.lang.Class<?> protocol,
                                           Configuration conf)

Look up the KerberosInfo for a given protocol. It searches all known SecurityInfo providers.

Parameters:

protocol - the protocol class to get the information for

conf - configuration object

Returns:

the KerberosInfo or null if it has no KerberosInfo defined

getClientPrincipal

public static java.lang.String getClientPrincipal(java.lang.Class<?> protocol,
                                                  Configuration conf)

Look up the client principal for a given protocol. It searches all known SecurityInfo providers.

Parameters:

protocol - the protocol class to get the information for

conf - configuration object

Returns:

client principal or null if it has no client principal defined.

getTokenInfo

public static TokenInfo getTokenInfo(java.lang.Class<?> protocol,
                                     Configuration conf)

Look up the TokenInfo for a given protocol. It searches all known SecurityInfo providers.

Parameters:

protocol - The protocol class to get the information for.

conf - Configuration object

Returns:

the TokenInfo or null if it has no KerberosInfo defined

getTokenServiceAddr

public static java.net.InetSocketAddress getTokenServiceAddr(Token<?> token)

Decode the given token's service field into an InetAddress

Parameters:

token - from which to obtain the service

Returns:

InetAddress for the service

setTokenService

public static void setTokenService(Token<?> token,
                                   java.net.InetSocketAddress addr)

Set the given token's service to the format expected by the RPC client

Parameters:

token - a delegation token

addr - the socket for the rpc connection

buildTokenService

public static Text buildTokenService(java.net.InetSocketAddress addr)

Construct the service key for a token

Parameters:

addr - InetSocketAddress of remote connection with a token

Returns:

"ip:port" or "host:port" depending on the value of hadoop.security.token.service.use_ip

buildTokenService

public static Text buildTokenService(java.net.URI uri)

Construct the service key for a token

Parameters:

uri - of remote connection with a token

Returns:

"ip:port" or "host:port" depending on the value of hadoop.security.token.service.use_ip

doAsLoginUserOrFatal

public static <T> T doAsLoginUserOrFatal(java.security.PrivilegedAction<T> action)

Perform the given action as the daemon's login user. If the login user cannot be determined, this will log a FATAL error and exit the whole JVM.

Type Parameters:

T - generic type T.

Parameters:

action - action.

Returns:

generic type T.

doAsLoginUser

public static <T> T doAsLoginUser(java.security.PrivilegedExceptionAction<T> action)
                           throws java.io.IOException

Perform the given action as the daemon's login user. If an InterruptedException is thrown, it is converted to an IOException.

Type Parameters:

T - Generics Type T.

Parameters:

action - the action to perform

Returns:

the result of the action

Throws:

java.io.IOException - in the event of error

doAsCurrentUser

public static <T> T doAsCurrentUser(java.security.PrivilegedExceptionAction<T> action)
                             throws java.io.IOException

Perform the given action as the daemon's current user. If an InterruptedException is thrown, it is converted to an IOException.

Type Parameters:

T - generic type T.

Parameters:

action - the action to perform

Returns:

the result of the action

Throws:

java.io.IOException - in the event of error

getByName

@Private
public static java.net.InetAddress getByName(java.lang.String hostname)
                                      throws java.net.UnknownHostException

Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip. Optionally logs slow resolutions.

Parameters:

hostname - host or ip to resolve

Returns:

a resolved host

Throws:

java.net.UnknownHostException - if the host doesn't exist

getAuthenticationMethod

public static UserGroupInformation.AuthenticationMethod getAuthenticationMethod(Configuration conf)

setAuthenticationMethod

public static void setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authenticationMethod,
                                           Configuration conf)

isPrivilegedPort

public static boolean isPrivilegedPort(int port)

getZKAuthInfos

public static java.util.List<ZKUtil.ZKAuthInfo> getZKAuthInfos(Configuration conf,
                                                               java.lang.String configKey)
                                                        throws java.io.IOException

Utility method to fetch ZK auth info from the configuration.

Parameters:

conf - configuration.

configKey - config key.

Returns:

ZKAuthInfo List.

Throws:

java.io.IOException - if the Zookeeper ACLs configuration file cannot be read

ZKUtil.BadAuthFormatException - if the auth format is invalid

validateSslConfiguration

public static void validateSslConfiguration(SecurityUtil.TruststoreKeystore truststoreKeystore)
                                     throws javax.naming.ConfigurationException

Throws:

javax.naming.ConfigurationException

setSslConfiguration

public static void setSslConfiguration(org.apache.zookeeper.client.ZKClientConfig zkClientConfig,
                                       SecurityUtil.TruststoreKeystore truststoreKeystore)
                                throws javax.naming.ConfigurationException

Configure ZooKeeper Client with SSL/TLS connection.

Parameters:

zkClientConfig - ZooKeeper Client configuration

truststoreKeystore - truststore keystore, that we use to set the SSL configurations

Throws:

javax.naming.ConfigurationException - if the SSL configs are empty

setSslConfiguration

public static void setSslConfiguration(org.apache.zookeeper.client.ZKClientConfig zkClientConfig,
                                       SecurityUtil.TruststoreKeystore truststoreKeystore,
                                       org.apache.zookeeper.common.ClientX509Util x509Util)
                                throws javax.naming.ConfigurationException

Throws:

javax.naming.ConfigurationException

getCustomAuthPrincipal

public static java.lang.Class<? extends java.security.Principal> getCustomAuthPrincipal(Configuration conf)

getCustomRpcAuthMethod

public static java.lang.Class<? extends RpcAuthMethod> getCustomRpcAuthMethod(Configuration conf)

getMaprAuthenticator

public static org.apache.hadoop.security.authentication.client.Authenticator getMaprAuthenticator()
                                                                                           throws java.lang.InstantiationException,
                                                                                                  java.lang.IllegalAccessException

Throws:

java.lang.InstantiationException

java.lang.IllegalAccessException