001 /**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018 package org.apache.hadoop.security;
019
020
021 import java.io.File;
022 import java.io.IOException;
023 import java.lang.reflect.UndeclaredThrowableException;
024 import java.security.AccessControlContext;
025 import java.security.AccessController;
026 import java.security.Principal;
027 import java.security.PrivilegedAction;
028 import java.security.PrivilegedActionException;
029 import java.security.PrivilegedExceptionAction;
030 import java.util.Arrays;
031 import java.util.Collection;
032 import java.util.Collections;
033 import java.util.HashMap;
034 import java.util.Iterator;
035 import java.util.List;
036 import java.util.Map;
037 import java.util.Set;
038
039 import javax.security.auth.Subject;
040 import javax.security.auth.callback.CallbackHandler;
041 import javax.security.auth.kerberos.KerberosKey;
042 import javax.security.auth.kerberos.KerberosPrincipal;
043 import javax.security.auth.kerberos.KerberosTicket;
044 import javax.security.auth.login.AppConfigurationEntry;
045 import javax.security.auth.login.LoginContext;
046 import javax.security.auth.login.LoginException;
047 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
048 import javax.security.auth.spi.LoginModule;
049
050 import org.apache.commons.logging.Log;
051 import org.apache.commons.logging.LogFactory;
052 import org.apache.hadoop.classification.InterfaceAudience;
053 import org.apache.hadoop.classification.InterfaceStability;
054 import org.apache.hadoop.conf.Configuration;
055 import org.apache.hadoop.io.Text;
056 import org.apache.hadoop.metrics2.annotation.Metric;
057 import org.apache.hadoop.metrics2.annotation.Metrics;
058 import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
059 import org.apache.hadoop.metrics2.lib.MutableRate;
060 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
061 import org.apache.hadoop.security.authentication.util.KerberosUtil;
062 import org.apache.hadoop.security.token.Token;
063 import org.apache.hadoop.security.token.TokenIdentifier;
064 import org.apache.hadoop.util.Shell;
065 import org.apache.hadoop.util.Time;
066 import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
067
068 import com.google.common.annotations.VisibleForTesting;
069
070 /**
071 * User and group information for Hadoop.
072 * This class wraps around a JAAS Subject and provides methods to determine the
073 * user's username and groups. It supports both the Windows, Unix and Kerberos
074 * login modules.
075 */
076 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive", "Oozie"})
077 @InterfaceStability.Evolving
078 public class UserGroupInformation {
079 private static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
080 /**
081 * Percentage of the ticket window to use before we renew ticket.
082 */
083 private static final float TICKET_RENEW_WINDOW = 0.80f;
084 static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
085 static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
086
087 /**
088 * UgiMetrics maintains UGI activity statistics
089 * and publishes them through the metrics interfaces.
090 */
091 @Metrics(about="User and group related metrics", context="ugi")
092 static class UgiMetrics {
093 @Metric("Rate of successful kerberos logins and latency (milliseconds)")
094 MutableRate loginSuccess;
095 @Metric("Rate of failed kerberos logins and latency (milliseconds)")
096 MutableRate loginFailure;
097
098 static UgiMetrics create() {
099 return DefaultMetricsSystem.instance().register(new UgiMetrics());
100 }
101 }
102
103 /**
104 * A login module that looks at the Kerberos, Unix, or Windows principal and
105 * adds the corresponding UserName.
106 */
107 @InterfaceAudience.Private
108 public static class HadoopLoginModule implements LoginModule {
109 private Subject subject;
110
111 @Override
112 public boolean abort() throws LoginException {
113 return true;
114 }
115
116 private <T extends Principal> T getCanonicalUser(Class<T> cls) {
117 for(T user: subject.getPrincipals(cls)) {
118 return user;
119 }
120 return null;
121 }
122
123 @Override
124 public boolean commit() throws LoginException {
125 if (LOG.isDebugEnabled()) {
126 LOG.debug("hadoop login commit");
127 }
128 // if we already have a user, we are done.
129 if (!subject.getPrincipals(User.class).isEmpty()) {
130 if (LOG.isDebugEnabled()) {
131 LOG.debug("using existing subject:"+subject.getPrincipals());
132 }
133 return true;
134 }
135 Principal user = null;
136 // if we are using kerberos, try it out
137 if (isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
138 user = getCanonicalUser(KerberosPrincipal.class);
139 if (LOG.isDebugEnabled()) {
140 LOG.debug("using kerberos user:"+user);
141 }
142 }
143 //If we don't have a kerberos user and security is disabled, check
144 //if user is specified in the environment or properties
145 if (!isSecurityEnabled() && (user == null)) {
146 String envUser = System.getenv(HADOOP_USER_NAME);
147 if (envUser == null) {
148 envUser = System.getProperty(HADOOP_USER_NAME);
149 }
150 user = envUser == null ? null : new User(envUser);
151 }
152 // use the OS user
153 if (user == null) {
154 user = getCanonicalUser(OS_PRINCIPAL_CLASS);
155 if (LOG.isDebugEnabled()) {
156 LOG.debug("using local user:"+user);
157 }
158 }
159 // if we found the user, add our principal
160 if (user != null) {
161 subject.getPrincipals().add(new User(user.getName()));
162 return true;
163 }
164 LOG.error("Can't find user in " + subject);
165 throw new LoginException("Can't find user name");
166 }
167
168 @Override
169 public void initialize(Subject subject, CallbackHandler callbackHandler,
170 Map<String, ?> sharedState, Map<String, ?> options) {
171 this.subject = subject;
172 }
173
174 @Override
175 public boolean login() throws LoginException {
176 if (LOG.isDebugEnabled()) {
177 LOG.debug("hadoop login");
178 }
179 return true;
180 }
181
182 @Override
183 public boolean logout() throws LoginException {
184 if (LOG.isDebugEnabled()) {
185 LOG.debug("hadoop logout");
186 }
187 return true;
188 }
189 }
190
191 /** Metrics to track UGI activity */
192 static UgiMetrics metrics = UgiMetrics.create();
193 /** The auth method to use */
194 private static AuthenticationMethod authenticationMethod;
195 /** Server-side groups fetching service */
196 private static Groups groups;
197 /** The configuration to use */
198 private static Configuration conf;
199
200
201 /** Leave 10 minutes between relogin attempts. */
202 private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L;
203
204 /**Environment variable pointing to the token cache file*/
205 public static final String HADOOP_TOKEN_FILE_LOCATION =
206 "HADOOP_TOKEN_FILE_LOCATION";
207
208 // mapr_extensibility
209 public static final String USER_TICKET_FILE_LOCATION = "MAPR_TICKETFILE_LOCATION";
210
211 /**
212 * A method to initialize the fields that depend on a configuration.
213 * Must be called before useKerberos or groups is used.
214 */
215 private static synchronized void ensureInitialized() {
216 if (conf == null) {
217 initialize(new Configuration(), false);
218 }
219 }
220
221 /**
222 * Initialize UGI and related classes.
223 * @param conf the configuration to use
224 */
225 private static synchronized void initialize(Configuration conf,
226 boolean overrideNameRules) {
227 authenticationMethod = SecurityUtil.getAuthenticationMethod(conf);
228 if (overrideNameRules || !HadoopKerberosName.hasRulesBeenSet()) {
229 try {
230 HadoopKerberosName.setConfiguration(conf);
231 } catch (IOException ioe) {
232 throw new RuntimeException(
233 "Problem with Kerberos auth_to_local name configuration", ioe);
234 }
235 }
236 // If we haven't set up testing groups, use the configuration to find it
237 if (!(groups instanceof TestingGroups)) {
238 groups = Groups.getUserToGroupsMappingService(conf);
239 }
240 UserGroupInformation.conf = conf;
241 }
242
243 /**
244 * Set the static configuration for UGI.
245 * In particular, set the security authentication mechanism and the
246 * group look up service.
247 * @param conf the configuration to use
248 */
249 @InterfaceAudience.Public
250 @InterfaceStability.Evolving
251 public static void setConfiguration(Configuration conf) {
252 initialize(conf, true);
253 }
254
255 @InterfaceAudience.Private
256 @VisibleForTesting
257 static void reset() {
258 authenticationMethod = null;
259 conf = null;
260 groups = null;
261 setLoginUser(null);
262 HadoopKerberosName.setRules(null);
263 }
264
265 /**
266 * Determine if UserGroupInformation is using Kerberos to determine
267 * user identities or is relying on simple authentication
268 *
269 * @return true if UGI is working in a secure environment
270 */
271 public static boolean isSecurityEnabled() {
272 return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
273 }
274
275 @InterfaceAudience.Private
276 @InterfaceStability.Evolving
277 private static boolean isAuthenticationMethodEnabled(AuthenticationMethod method) {
278 ensureInitialized();
279 return (authenticationMethod == method);
280 }
281
282 /**
283 * Information about the logged in user.
284 */
285 private static UserGroupInformation loginUser = null;
286 private static String keytabPrincipal = null;
287 private static String keytabFile = null;
288
289 private final Subject subject;
290 // All non-static fields must be read-only caches that come from the subject.
291 private final User user;
292 private final boolean isKeytab;
293 private final boolean isKrbTkt;
294
295 private static String OS_LOGIN_MODULE_NAME;
296 private static Class<? extends Principal> OS_PRINCIPAL_CLASS;
297
298 private static final boolean windows =
299 System.getProperty("os.name").startsWith("Windows");
300 private static final boolean is64Bit =
301 System.getProperty("os.arch").contains("64");
302 private static final boolean aix = System.getProperty("os.name").equals("AIX");
303
304 /* Return the OS login module class name */
305 private static String getOSLoginModuleName() {
306 if (IBM_JAVA) {
307 if (windows) {
308 return is64Bit ? "com.ibm.security.auth.module.Win64LoginModule"
309 : "com.ibm.security.auth.module.NTLoginModule";
310 } else if (aix) {
311 return is64Bit ? "com.ibm.security.auth.module.AIX64LoginModule"
312 : "com.ibm.security.auth.module.AIXLoginModule";
313 } else {
314 return "com.ibm.security.auth.module.LinuxLoginModule";
315 }
316 } else {
317 return windows ? "com.sun.security.auth.module.NTLoginModule"
318 : "com.sun.security.auth.module.UnixLoginModule";
319 }
320 }
321
322 /* Return the OS principal class */
323 @SuppressWarnings("unchecked")
324 private static Class<? extends Principal> getOsPrincipalClass() {
325 ClassLoader cl = ClassLoader.getSystemClassLoader();
326 try {
327 String principalClass = null;
328 if (IBM_JAVA) {
329 if (is64Bit) {
330 principalClass = "com.ibm.security.auth.UsernamePrincipal";
331 } else {
332 if (windows) {
333 principalClass = "com.ibm.security.auth.NTUserPrincipal";
334 } else if (aix) {
335 principalClass = "com.ibm.security.auth.AIXPrincipal";
336 } else {
337 principalClass = "com.ibm.security.auth.LinuxPrincipal";
338 }
339 }
340 } else {
341 principalClass = windows ? "com.sun.security.auth.NTUserPrincipal"
342 : "com.sun.security.auth.UnixPrincipal";
343 }
344 return (Class<? extends Principal>) cl.loadClass(principalClass);
345 } catch (ClassNotFoundException e) {
346 LOG.error("Unable to find JAAS classes:" + e.getMessage());
347 }
348 return null;
349 }
350 static {
351 OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
352 OS_PRINCIPAL_CLASS = getOsPrincipalClass();
353 }
354
355 private static class RealUser implements Principal {
356 private final UserGroupInformation realUser;
357
358 RealUser(UserGroupInformation realUser) {
359 this.realUser = realUser;
360 }
361
362 @Override
363 public String getName() {
364 return realUser.getUserName();
365 }
366
367 public UserGroupInformation getRealUser() {
368 return realUser;
369 }
370
371 @Override
372 public boolean equals(Object o) {
373 if (this == o) {
374 return true;
375 } else if (o == null || getClass() != o.getClass()) {
376 return false;
377 } else {
378 return realUser.equals(((RealUser) o).realUser);
379 }
380 }
381
382 @Override
383 public int hashCode() {
384 return realUser.hashCode();
385 }
386
387 @Override
388 public String toString() {
389 return realUser.toString();
390 }
391 }
392
393 /**
394 * A JAAS configuration that defines the login modules that we want
395 * to use for login.
396 */
397 private static class HadoopConfiguration
398 extends javax.security.auth.login.Configuration {
399 private static final String SIMPLE_CONFIG_NAME = "hadoop-simple";
400 private static final String USER_KERBEROS_CONFIG_NAME =
401 "hadoop-user-kerberos";
402 private static final String KEYTAB_KERBEROS_CONFIG_NAME =
403 "hadoop-keytab-kerberos";
404
405 private static final Map<String, String> BASIC_JAAS_OPTIONS =
406 new HashMap<String,String>();
407 static {
408 String jaasEnvVar = System.getenv("HADOOP_JAAS_DEBUG");
409 if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) {
410 BASIC_JAAS_OPTIONS.put("debug", "true");
411 }
412 }
413
414 private static final AppConfigurationEntry OS_SPECIFIC_LOGIN =
415 new AppConfigurationEntry(OS_LOGIN_MODULE_NAME,
416 LoginModuleControlFlag.REQUIRED,
417 BASIC_JAAS_OPTIONS);
418 private static final AppConfigurationEntry HADOOP_LOGIN =
419 new AppConfigurationEntry(HadoopLoginModule.class.getName(),
420 LoginModuleControlFlag.REQUIRED,
421 BASIC_JAAS_OPTIONS);
422 private static final Map<String,String> USER_KERBEROS_OPTIONS =
423 new HashMap<String,String>();
424 static {
425 if (IBM_JAVA) {
426 USER_KERBEROS_OPTIONS.put("useDefaultCcache", "true");
427 } else {
428 USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
429 USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
430 }
431 String ticketCache = System.getenv("KRB5CCNAME");
432 if (ticketCache != null) {
433 if (IBM_JAVA) {
434 // The first value searched when "useDefaultCcache" is used.
435 System.setProperty("KRB5CCNAME", ticketCache);
436 } else {
437 USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
438 }
439 }
440 USER_KERBEROS_OPTIONS.put("renewTGT", "true");
441 USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
442 }
443 private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
444 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
445 LoginModuleControlFlag.OPTIONAL,
446 USER_KERBEROS_OPTIONS);
447 private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS =
448 new HashMap<String,String>();
449 static {
450 if (IBM_JAVA) {
451 KEYTAB_KERBEROS_OPTIONS.put("credsType", "both");
452 } else {
453 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
454 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
455 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
456 }
457 KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
458 KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
459 }
460 private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
461 new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
462 LoginModuleControlFlag.REQUIRED,
463 KEYTAB_KERBEROS_OPTIONS);
464
465 private static final AppConfigurationEntry[] SIMPLE_CONF =
466 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN};
467
468 private static final AppConfigurationEntry[] USER_KERBEROS_CONF =
469 new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN,
470 HADOOP_LOGIN};
471
472 private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
473 new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
474
475 @Override
476 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
477 if (SIMPLE_CONFIG_NAME.equals(appName)) {
478 return SIMPLE_CONF;
479 } else if (USER_KERBEROS_CONFIG_NAME.equals(appName)) {
480 return USER_KERBEROS_CONF;
481 } else if (KEYTAB_KERBEROS_CONFIG_NAME.equals(appName)) {
482 if (IBM_JAVA) {
483 KEYTAB_KERBEROS_OPTIONS.put("useKeytab",
484 prependFileAuthority(keytabFile));
485 } else {
486 KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
487 }
488 KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
489 return KEYTAB_KERBEROS_CONF;
490 }
491 return null;
492 }
493 }
494
495 private static String prependFileAuthority(String keytabPath) {
496 return keytabPath.startsWith("file://") ? keytabPath
497 : "file://" + keytabPath;
498 }
499
500 /**
501 * Represents a javax.security configuration that is created at runtime.
502 */
503 private static class DynamicConfiguration
504 extends javax.security.auth.login.Configuration {
505 private AppConfigurationEntry[] ace;
506
507 DynamicConfiguration(AppConfigurationEntry[] ace) {
508 this.ace = ace;
509 }
510
511 @Override
512 public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
513 return ace;
514 }
515 }
516
517 private static LoginContext
518 newLoginContext(String appName, Subject subject,
519 javax.security.auth.login.Configuration loginConf)
520 throws LoginException {
521 // Temporarily switch the thread's ContextClassLoader to match this
522 // class's classloader, so that we can properly load HadoopLoginModule
523 // from the JAAS libraries.
524 Thread t = Thread.currentThread();
525 ClassLoader oldCCL = t.getContextClassLoader();
526 t.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
527 try {
528 return new LoginContext(appName, subject, null, loginConf);
529 } finally {
530 t.setContextClassLoader(oldCCL);
531 }
532 }
533
534 private LoginContext getLogin() {
535 return user.getLogin();
536 }
537
538 private void setLogin(LoginContext login) {
539 user.setLogin(login);
540 }
541
542 /**
543 * Create a UserGroupInformation for the given subject.
544 * This does not change the subject or acquire new credentials.
545 * @param subject the user's subject
546 */
547 UserGroupInformation(Subject subject) {
548 this.subject = subject;
549 this.user = subject.getPrincipals(User.class).iterator().next();
550 this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
551 this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
552 }
553
554 /**
555 * checks if logged in using kerberos
556 * @return true if the subject logged via keytab or has a Kerberos TGT
557 */
558 public boolean hasKerberosCredentials() {
559 return isKeytab || isKrbTkt;
560 }
561
562 /**
563 * Return the current user, including any doAs in the current stack.
564 * @return the current user
565 * @throws IOException if login fails
566 */
567 @InterfaceAudience.Public
568 @InterfaceStability.Evolving
569 public synchronized
570 static UserGroupInformation getCurrentUser() throws IOException {
571 AccessControlContext context = AccessController.getContext();
572 Subject subject = Subject.getSubject(context);
573 if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
574 return getLoginUser();
575 } else {
576 return new UserGroupInformation(subject);
577 }
578 }
579
580 /**
581 * Find the most appropriate UserGroupInformation to use
582 *
583 * @param ticketCachePath The Kerberos ticket cache path, or NULL
584 * if none is specfied
585 * @param user The user name, or NULL if none is specified.
586 *
587 * @return The most appropriate UserGroupInformation
588 */
589 public static UserGroupInformation getBestUGI(
590 String ticketCachePath, String user) throws IOException {
591 if (ticketCachePath != null) {
592 return getUGIFromTicketCache(ticketCachePath, user);
593 } else if (user == null) {
594 return getCurrentUser();
595 } else {
596 return createRemoteUser(user);
597 }
598 }
599
600 /**
601 * Create a UserGroupInformation from a Kerberos ticket cache.
602 *
603 * @param user The principal name to load from the ticket
604 * cache
605 * @param ticketCachePath the path to the ticket cache file
606 *
607 * @throws IOException if the kerberos login fails
608 */
609 @InterfaceAudience.Public
610 @InterfaceStability.Evolving
611 public static UserGroupInformation getUGIFromTicketCache(
612 String ticketCache, String user) throws IOException {
613 if (!isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
614 return getBestUGI(null, user);
615 }
616 try {
617 Map<String,String> krbOptions = new HashMap<String,String>();
618 if (IBM_JAVA) {
619 krbOptions.put("useDefaultCcache", "true");
620 // The first value searched when "useDefaultCcache" is used.
621 System.setProperty("KRB5CCNAME", ticketCache);
622 } else {
623 krbOptions.put("doNotPrompt", "true");
624 krbOptions.put("useTicketCache", "true");
625 krbOptions.put("useKeyTab", "false");
626 krbOptions.put("ticketCache", ticketCache);
627 }
628 krbOptions.put("renewTGT", "false");
629 krbOptions.putAll(HadoopConfiguration.BASIC_JAAS_OPTIONS);
630 AppConfigurationEntry ace = new AppConfigurationEntry(
631 KerberosUtil.getKrb5LoginModuleName(),
632 LoginModuleControlFlag.REQUIRED,
633 krbOptions);
634 DynamicConfiguration dynConf =
635 new DynamicConfiguration(new AppConfigurationEntry[]{ ace });
636 LoginContext login = newLoginContext(
637 HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, null, dynConf);
638 login.login();
639
640 Subject loginSubject = login.getSubject();
641 Set<Principal> loginPrincipals = loginSubject.getPrincipals();
642 if (loginPrincipals.isEmpty()) {
643 throw new RuntimeException("No login principals found!");
644 }
645 if (loginPrincipals.size() != 1) {
646 LOG.warn("found more than one principal in the ticket cache file " +
647 ticketCache);
648 }
649 User ugiUser = new User(loginPrincipals.iterator().next().getName(),
650 AuthenticationMethod.KERBEROS, login);
651 loginSubject.getPrincipals().add(ugiUser);
652 UserGroupInformation ugi = new UserGroupInformation(loginSubject);
653 ugi.setLogin(login);
654 ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
655 return ugi;
656 } catch (LoginException le) {
657 throw new IOException("failure to login using ticket cache file " +
658 ticketCache, le);
659 }
660 }
661
662 /**
663 * Get the currently logged in user.
664 * @return the logged in user
665 * @throws IOException if login fails
666 */
667 @InterfaceAudience.Public
668 @InterfaceStability.Evolving
669 public synchronized
670 static UserGroupInformation getLoginUser() throws IOException {
671 if (loginUser == null) {
672 ensureInitialized();
673 try {
674 Subject subject = new Subject();
675 LoginContext login =
676 newLoginContext(authenticationMethod.getLoginAppName(),
677 subject, new HadoopConfiguration());
678 login.login();
679 UserGroupInformation realUser = new UserGroupInformation(subject);
680 realUser.setLogin(login);
681 realUser.setAuthenticationMethod(authenticationMethod);
682 realUser = new UserGroupInformation(login.getSubject());
683 // If the HADOOP_PROXY_USER environment variable or property
684 // is specified, create a proxy user as the logged in user.
685 String proxyUser = System.getenv(HADOOP_PROXY_USER);
686 if (proxyUser == null) {
687 proxyUser = System.getProperty(HADOOP_PROXY_USER);
688 }
689 loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);
690
691 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
692 if (fileLocation != null) {
693 // Load the token storage file and put all of the tokens into the
694 // user. Don't use the FileSystem API for reading since it has a lock
695 // cycle (HADOOP-9212).
696 Credentials cred = Credentials.readTokenStorageFile(
697 new File(fileLocation), conf);
698 loginUser.addCredentials(cred);
699 }
700 loginUser.spawnAutoRenewalThreadForUserCreds();
701 } catch (LoginException le) {
702 LOG.debug("failure to login", le);
703 throw new IOException("failure to login", le);
704 }
705 if (LOG.isDebugEnabled()) {
706 LOG.debug("UGI loginUser:"+loginUser);
707 }
708 }
709 return loginUser;
710 }
711
712 @InterfaceAudience.Private
713 @InterfaceStability.Unstable
714 @VisibleForTesting
715 public synchronized static void setLoginUser(UserGroupInformation ugi) {
716 // if this is to become stable, should probably logout the currently
717 // logged in ugi if it's different
718 loginUser = ugi;
719 }
720
721 /**
722 * Is this user logged in from a keytab file?
723 * @return true if the credentials are from a keytab file.
724 */
725 public boolean isFromKeytab() {
726 return isKeytab;
727 }
728
729 /**
730 * Get the Kerberos TGT
731 * @return the user's TGT or null if none was found
732 */
733 private synchronized KerberosTicket getTGT() {
734 Set<KerberosTicket> tickets = subject
735 .getPrivateCredentials(KerberosTicket.class);
736 for (KerberosTicket ticket : tickets) {
737 if (SecurityUtil.isOriginalTGT(ticket)) {
738 if (LOG.isDebugEnabled()) {
739 LOG.debug("Found tgt " + ticket);
740 }
741 return ticket;
742 }
743 }
744 return null;
745 }
746
747 private long getRefreshTime(KerberosTicket tgt) {
748 long start = tgt.getStartTime().getTime();
749 long end = tgt.getEndTime().getTime();
750 return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
751 }
752
753 /**Spawn a thread to do periodic renewals of kerberos credentials*/
754 private void spawnAutoRenewalThreadForUserCreds() {
755 if (isSecurityEnabled()) {
756 //spawn thread only if we have kerb credentials
757 if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS &&
758 !isKeytab) {
759 Thread t = new Thread(new Runnable() {
760
761 @Override
762 public void run() {
763 String cmd = conf.get("hadoop.kerberos.kinit.command",
764 "kinit");
765 KerberosTicket tgt = getTGT();
766 if (tgt == null) {
767 return;
768 }
769 long nextRefresh = getRefreshTime(tgt);
770 while (true) {
771 try {
772 long now = Time.now();
773 if(LOG.isDebugEnabled()) {
774 LOG.debug("Current time is " + now);
775 LOG.debug("Next refresh is " + nextRefresh);
776 }
777 if (now < nextRefresh) {
778 Thread.sleep(nextRefresh - now);
779 }
780 Shell.execCommand(cmd, "-R");
781 if(LOG.isDebugEnabled()) {
782 LOG.debug("renewed ticket");
783 }
784 reloginFromTicketCache();
785 tgt = getTGT();
786 if (tgt == null) {
787 LOG.warn("No TGT after renewal. Aborting renew thread for " +
788 getUserName());
789 return;
790 }
791 nextRefresh = Math.max(getRefreshTime(tgt),
792 now + MIN_TIME_BEFORE_RELOGIN);
793 } catch (InterruptedException ie) {
794 LOG.warn("Terminating renewal thread");
795 return;
796 } catch (IOException ie) {
797 LOG.warn("Exception encountered while running the" +
798 " renewal command. Aborting renew thread. " + ie);
799 return;
800 }
801 }
802 }
803 });
804 t.setDaemon(true);
805 t.setName("TGT Renewer for " + getUserName());
806 t.start();
807 }
808 }
809 }
810 /**
811 * Log a user in from a keytab file. Loads a user identity from a keytab
812 * file and logs them in. They become the currently logged-in user.
813 * @param user the principal name to load from the keytab
814 * @param path the path to the keytab file
815 * @throws IOException if the keytab file can't be read
816 */
817 @InterfaceAudience.Public
818 @InterfaceStability.Evolving
819 public synchronized
820 static void loginUserFromKeytab(String user,
821 String path
822 ) throws IOException {
823 if (!isSecurityEnabled())
824 return;
825
826 keytabFile = path;
827 keytabPrincipal = user;
828 Subject subject = new Subject();
829 LoginContext login;
830 long start = 0;
831 try {
832 login = newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
833 subject, new HadoopConfiguration());
834 start = Time.now();
835 login.login();
836 metrics.loginSuccess.add(Time.now() - start);
837 loginUser = new UserGroupInformation(subject);
838 loginUser.setLogin(login);
839 loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
840 } catch (LoginException le) {
841 if (start > 0) {
842 metrics.loginFailure.add(Time.now() - start);
843 }
844 throw new IOException("Login failure for " + user + " from keytab " +
845 path, le);
846 }
847 LOG.info("Login successful for user " + keytabPrincipal
848 + " using keytab file " + keytabFile);
849 }
850
851 /**
852 * Re-login a user from keytab if TGT is expired or is close to expiry.
853 *
854 * @throws IOException
855 */
856 public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
857 if (!isSecurityEnabled()
858 || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
859 || !isKeytab)
860 return;
861 KerberosTicket tgt = getTGT();
862 if (tgt != null && Time.now() < getRefreshTime(tgt)) {
863 return;
864 }
865 reloginFromKeytab();
866 }
867
868 /**
869 * Re-Login a user in from a keytab file. Loads a user identity from a keytab
870 * file and logs them in. They become the currently logged-in user. This
871 * method assumes that {@link #loginUserFromKeytab(String, String)} had
872 * happened already.
873 * The Subject field of this UserGroupInformation object is updated to have
874 * the new credentials.
875 * @throws IOException on a failure
876 */
877 @InterfaceAudience.Public
878 @InterfaceStability.Evolving
879 public synchronized void reloginFromKeytab()
880 throws IOException {
881 if (!isSecurityEnabled() ||
882 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
883 !isKeytab)
884 return;
885
886 long now = Time.now();
887 if (!hasSufficientTimeElapsed(now)) {
888 return;
889 }
890
891 KerberosTicket tgt = getTGT();
892 //Return if TGT is valid and is not going to expire soon.
893 if (tgt != null && now < getRefreshTime(tgt)) {
894 return;
895 }
896
897 LoginContext login = getLogin();
898 if (login == null || keytabFile == null) {
899 throw new IOException("loginUserFromKeyTab must be done first");
900 }
901
902 long start = 0;
903 // register most recent relogin attempt
904 user.setLastLogin(now);
905 try {
906 LOG.info("Initiating logout for " + getUserName());
907 synchronized (UserGroupInformation.class) {
908 // clear up the kerberos state. But the tokens are not cleared! As per
909 // the Java kerberos login module code, only the kerberos credentials
910 // are cleared
911 login.logout();
912 // login and also update the subject field of this instance to
913 // have the new credentials (pass it to the LoginContext constructor)
914 login = newLoginContext(
915 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject(),
916 new HadoopConfiguration());
917 LOG.info("Initiating re-login for " + keytabPrincipal);
918 start = Time.now();
919 login.login();
920 metrics.loginSuccess.add(Time.now() - start);
921 setLogin(login);
922 }
923 } catch (LoginException le) {
924 if (start > 0) {
925 metrics.loginFailure.add(Time.now() - start);
926 }
927 throw new IOException("Login failure for " + keytabPrincipal +
928 " from keytab " + keytabFile, le);
929 }
930 }
931
932 /**
933 * Re-Login a user in from the ticket cache. This
934 * method assumes that login had happened already.
935 * The Subject field of this UserGroupInformation object is updated to have
936 * the new credentials.
937 * @throws IOException on a failure
938 */
939 @InterfaceAudience.Public
940 @InterfaceStability.Evolving
941 public synchronized void reloginFromTicketCache()
942 throws IOException {
943 if (!isSecurityEnabled() ||
944 user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
945 !isKrbTkt)
946 return;
947 LoginContext login = getLogin();
948 if (login == null) {
949 throw new IOException("login must be done first");
950 }
951 long now = Time.now();
952 if (!hasSufficientTimeElapsed(now)) {
953 return;
954 }
955 // register most recent relogin attempt
956 user.setLastLogin(now);
957 try {
958 LOG.info("Initiating logout for " + getUserName());
959 //clear up the kerberos state. But the tokens are not cleared! As per
960 //the Java kerberos login module code, only the kerberos credentials
961 //are cleared
962 login.logout();
963 //login and also update the subject field of this instance to
964 //have the new credentials (pass it to the LoginContext constructor)
965 login =
966 newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
967 getSubject(), new HadoopConfiguration());
968 LOG.info("Initiating re-login for " + getUserName());
969 login.login();
970 setLogin(login);
971 } catch (LoginException le) {
972 throw new IOException("Login failure for " + getUserName(), le);
973 }
974 }
975
976
977 /**
978 * Log a user in from a keytab file. Loads a user identity from a keytab
979 * file and login them in. This new user does not affect the currently
980 * logged-in user.
981 * @param user the principal name to load from the keytab
982 * @param path the path to the keytab file
983 * @throws IOException if the keytab file can't be read
984 */
985 public synchronized
986 static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
987 String path
988 ) throws IOException {
989 if (!isSecurityEnabled())
990 return UserGroupInformation.getCurrentUser();
991 String oldKeytabFile = null;
992 String oldKeytabPrincipal = null;
993
994 long start = 0;
995 try {
996 oldKeytabFile = keytabFile;
997 oldKeytabPrincipal = keytabPrincipal;
998 keytabFile = path;
999 keytabPrincipal = user;
1000 Subject subject = new Subject();
1001
1002 LoginContext login = newLoginContext(
1003 HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject,
1004 new HadoopConfiguration());
1005
1006 start = Time.now();
1007 login.login();
1008 metrics.loginSuccess.add(Time.now() - start);
1009 UserGroupInformation newLoginUser = new UserGroupInformation(subject);
1010 newLoginUser.setLogin(login);
1011 newLoginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
1012
1013 return newLoginUser;
1014 } catch (LoginException le) {
1015 if (start > 0) {
1016 metrics.loginFailure.add(Time.now() - start);
1017 }
1018 throw new IOException("Login failure for " + user + " from keytab " +
1019 path, le);
1020 } finally {
1021 if(oldKeytabFile != null) keytabFile = oldKeytabFile;
1022 if(oldKeytabPrincipal != null) keytabPrincipal = oldKeytabPrincipal;
1023 }
1024 }
1025
1026 private boolean hasSufficientTimeElapsed(long now) {
1027 if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) {
1028 LOG.warn("Not attempting to re-login since the last re-login was " +
1029 "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+
1030 " before.");
1031 return false;
1032 }
1033 return true;
1034 }
1035
1036 /**
1037 * Did the login happen via keytab
1038 * @return true or false
1039 */
1040 @InterfaceAudience.Public
1041 @InterfaceStability.Evolving
1042 public synchronized static boolean isLoginKeytabBased() throws IOException {
1043 return getLoginUser().isKeytab;
1044 }
1045
1046 /**
1047 * Create a user from a login name. It is intended to be used for remote
1048 * users in RPC, since it won't have any credentials.
1049 * @param user the full user principal name, must not be empty or null
1050 * @return the UserGroupInformation for the remote user.
1051 */
1052 @InterfaceAudience.Public
1053 @InterfaceStability.Evolving
1054 public static UserGroupInformation createRemoteUser(String user) {
1055 if (user == null || user.isEmpty()) {
1056 throw new IllegalArgumentException("Null user");
1057 }
1058 Subject subject = new Subject();
1059 subject.getPrincipals().add(new User(user));
1060 UserGroupInformation result = new UserGroupInformation(subject);
1061 result.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
1062 return result;
1063 }
1064
1065 /**
1066 * existing types of authentications' methods
1067 */
1068 @InterfaceAudience.Public
1069 @InterfaceStability.Evolving
1070 public static enum AuthenticationMethod {
1071 // currently we support only one auth per method, but eventually a
1072 // subtype is needed to differentiate, ex. if digest is token or ldap
1073 SIMPLE(AuthMethod.SIMPLE,
1074 HadoopConfiguration.SIMPLE_CONFIG_NAME),
1075 KERBEROS(AuthMethod.KERBEROS,
1076 HadoopConfiguration.USER_KERBEROS_CONFIG_NAME),
1077 TOKEN(AuthMethod.TOKEN),
1078 CERTIFICATE(null),
1079 KERBEROS_SSL(null),
1080 PROXY(null),
1081 // mapr_extensibility
1082 MAPRSEC(null);
1083
1084 private final AuthMethod authMethod;
1085 private final String loginAppName;
1086
1087 private AuthenticationMethod(AuthMethod authMethod) {
1088 this(authMethod, null);
1089 }
1090 private AuthenticationMethod(AuthMethod authMethod, String loginAppName) {
1091 this.authMethod = authMethod;
1092 this.loginAppName = loginAppName;
1093 }
1094
1095 public AuthMethod getAuthMethod() {
1096 return authMethod;
1097 }
1098
1099 String getLoginAppName() {
1100 if (loginAppName == null) {
1101 throw new UnsupportedOperationException(
1102 this + " login authentication is not supported");
1103 }
1104 return loginAppName;
1105 }
1106
1107 public static AuthenticationMethod valueOf(AuthMethod authMethod) {
1108 for (AuthenticationMethod value : values()) {
1109 if (value.getAuthMethod() == authMethod) {
1110 return value;
1111 }
1112 }
1113 throw new IllegalArgumentException(
1114 "no authentication method for " + authMethod);
1115 }
1116 };
1117
1118 /**
1119 * Create a proxy user using username of the effective user and the ugi of the
1120 * real user.
1121 * @param user
1122 * @param realUser
1123 * @return proxyUser ugi
1124 */
1125 @InterfaceAudience.Public
1126 @InterfaceStability.Evolving
1127 public static UserGroupInformation createProxyUser(String user,
1128 UserGroupInformation realUser) {
1129 if (user == null || user.isEmpty()) {
1130 throw new IllegalArgumentException("Null user");
1131 }
1132 if (realUser == null) {
1133 throw new IllegalArgumentException("Null real user");
1134 }
1135 Subject subject = new Subject();
1136 Set<Principal> principals = subject.getPrincipals();
1137 principals.add(new User(user));
1138 principals.add(new RealUser(realUser));
1139 UserGroupInformation result =new UserGroupInformation(subject);
1140 result.setAuthenticationMethod(AuthenticationMethod.PROXY);
1141 return result;
1142 }
1143
1144 /**
1145 * get RealUser (vs. EffectiveUser)
1146 * @return realUser running over proxy user
1147 */
1148 @InterfaceAudience.Public
1149 @InterfaceStability.Evolving
1150 public UserGroupInformation getRealUser() {
1151 for (RealUser p: subject.getPrincipals(RealUser.class)) {
1152 return p.getRealUser();
1153 }
1154 return null;
1155 }
1156
1157
1158
1159 /**
1160 * This class is used for storing the groups for testing. It stores a local
1161 * map that has the translation of usernames to groups.
1162 */
1163 private static class TestingGroups extends Groups {
1164 private final Map<String, List<String>> userToGroupsMapping =
1165 new HashMap<String,List<String>>();
1166 private Groups underlyingImplementation;
1167
1168 private TestingGroups(Groups underlyingImplementation) {
1169 super(new org.apache.hadoop.conf.Configuration());
1170 this.underlyingImplementation = underlyingImplementation;
1171 }
1172
1173 @Override
1174 public List<String> getGroups(String user) throws IOException {
1175 List<String> result = userToGroupsMapping.get(user);
1176
1177 if (result == null) {
1178 result = underlyingImplementation.getGroups(user);
1179 }
1180
1181 return result;
1182 }
1183
1184 private void setUserGroups(String user, String[] groups) {
1185 userToGroupsMapping.put(user, Arrays.asList(groups));
1186 }
1187 }
1188
1189 /**
1190 * Create a UGI for testing HDFS and MapReduce
1191 * @param user the full user principal name
1192 * @param userGroups the names of the groups that the user belongs to
1193 * @return a fake user for running unit tests
1194 */
1195 @InterfaceAudience.Public
1196 @InterfaceStability.Evolving
1197 public static UserGroupInformation createUserForTesting(String user,
1198 String[] userGroups) {
1199 ensureInitialized();
1200 UserGroupInformation ugi = createRemoteUser(user);
1201 // make sure that the testing object is setup
1202 if (!(groups instanceof TestingGroups)) {
1203 groups = new TestingGroups(groups);
1204 }
1205 // add the user groups
1206 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
1207 return ugi;
1208 }
1209
1210
1211 /**
1212 * Create a proxy user UGI for testing HDFS and MapReduce
1213 *
1214 * @param user
1215 * the full user principal name for effective user
1216 * @param realUser
1217 * UGI of the real user
1218 * @param userGroups
1219 * the names of the groups that the user belongs to
1220 * @return a fake user for running unit tests
1221 */
1222 public static UserGroupInformation createProxyUserForTesting(String user,
1223 UserGroupInformation realUser, String[] userGroups) {
1224 ensureInitialized();
1225 UserGroupInformation ugi = createProxyUser(user, realUser);
1226 // make sure that the testing object is setup
1227 if (!(groups instanceof TestingGroups)) {
1228 groups = new TestingGroups(groups);
1229 }
1230 // add the user groups
1231 ((TestingGroups) groups).setUserGroups(ugi.getShortUserName(), userGroups);
1232 return ugi;
1233 }
1234
1235 /**
1236 * Get the user's login name.
1237 * @return the user's name up to the first '/' or '@'.
1238 */
1239 public String getShortUserName() {
1240 for (User p: subject.getPrincipals(User.class)) {
1241 return p.getShortName();
1242 }
1243 return null;
1244 }
1245
1246 /**
1247 * Get the user's full principal name.
1248 * @return the user's full principal name.
1249 */
1250 @InterfaceAudience.Public
1251 @InterfaceStability.Evolving
1252 public String getUserName() {
1253 return user.getName();
1254 }
1255
1256 /**
1257 * Add a TokenIdentifier to this UGI. The TokenIdentifier has typically been
1258 * authenticated by the RPC layer as belonging to the user represented by this
1259 * UGI.
1260 *
1261 * @param tokenId
1262 * tokenIdentifier to be added
1263 * @return true on successful add of new tokenIdentifier
1264 */
1265 public synchronized boolean addTokenIdentifier(TokenIdentifier tokenId) {
1266 return subject.getPublicCredentials().add(tokenId);
1267 }
1268
1269 /**
1270 * Get the set of TokenIdentifiers belonging to this UGI
1271 *
1272 * @return the set of TokenIdentifiers belonging to this UGI
1273 */
1274 public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
1275 return subject.getPublicCredentials(TokenIdentifier.class);
1276 }
1277
1278 /**
1279 * Add a token to this UGI
1280 *
1281 * @param token Token to be added
1282 * @return true on successful add of new token
1283 */
1284 public synchronized boolean addToken(Token<? extends TokenIdentifier> token) {
1285 return (token != null) ? addToken(token.getService(), token) : false;
1286 }
1287
1288 /**
1289 * Add a named token to this UGI
1290 *
1291 * @param alias Name of the token
1292 * @param token Token to be added
1293 * @return true on successful add of new token
1294 */
1295 public synchronized boolean addToken(Text alias,
1296 Token<? extends TokenIdentifier> token) {
1297 getCredentialsInternal().addToken(alias, token);
1298 return true;
1299 }
1300
1301 /**
1302 * Obtain the collection of tokens associated with this user.
1303 *
1304 * @return an unmodifiable collection of tokens associated with user
1305 */
1306 public synchronized
1307 Collection<Token<? extends TokenIdentifier>> getTokens() {
1308 return Collections.unmodifiableCollection(
1309 getCredentialsInternal().getAllTokens());
1310 }
1311
1312 /**
1313 * Obtain the tokens in credentials form associated with this user.
1314 *
1315 * @return Credentials of tokens associated with this user
1316 */
1317 public synchronized Credentials getCredentials() {
1318 Credentials creds = new Credentials(getCredentialsInternal());
1319 Iterator<Token<?>> iter = creds.getAllTokens().iterator();
1320 while (iter.hasNext()) {
1321 if (iter.next() instanceof Token.PrivateToken) {
1322 iter.remove();
1323 }
1324 }
1325 return creds;
1326 }
1327
1328 /**
1329 * Add the given Credentials to this user.
1330 * @param credentials of tokens and secrets
1331 */
1332 public synchronized void addCredentials(Credentials credentials) {
1333 getCredentialsInternal().addAll(credentials);
1334 }
1335
1336 private synchronized Credentials getCredentialsInternal() {
1337 final Credentials credentials;
1338 final Set<Credentials> credentialsSet =
1339 subject.getPrivateCredentials(Credentials.class);
1340 if (!credentialsSet.isEmpty()){
1341 credentials = credentialsSet.iterator().next();
1342 } else {
1343 credentials = new Credentials();
1344 subject.getPrivateCredentials().add(credentials);
1345 }
1346 return credentials;
1347 }
1348
1349 /**
1350 * Get the group names for this user.
1351 * @return the list of users with the primary group first. If the command
1352 * fails, it returns an empty list.
1353 */
1354 public synchronized String[] getGroupNames() {
1355 ensureInitialized();
1356 try {
1357 List<String> result = groups.getGroups(getShortUserName());
1358 return result.toArray(new String[result.size()]);
1359 } catch (IOException ie) {
1360 LOG.warn("No groups available for user " + getShortUserName());
1361 return new String[0];
1362 }
1363 }
1364
1365 /**
1366 * Return the username.
1367 */
1368 @Override
1369 public String toString() {
1370 StringBuilder sb = new StringBuilder(getUserName());
1371 sb.append(" (auth:"+getAuthenticationMethod()+")");
1372 if (getRealUser() != null) {
1373 sb.append(" via ").append(getRealUser().toString());
1374 }
1375 return sb.toString();
1376 }
1377
1378 /**
1379 * Sets the authentication method in the subject
1380 *
1381 * @param authMethod
1382 */
1383 public synchronized
1384 void setAuthenticationMethod(AuthenticationMethod authMethod) {
1385 user.setAuthenticationMethod(authMethod);
1386 }
1387
1388 /**
1389 * Sets the authentication method in the subject
1390 *
1391 * @param authMethod
1392 */
1393 public void setAuthenticationMethod(AuthMethod authMethod) {
1394 user.setAuthenticationMethod(AuthenticationMethod.valueOf(authMethod));
1395 }
1396
1397 /**
1398 * Get the authentication method from the subject
1399 *
1400 * @return AuthenticationMethod in the subject, null if not present.
1401 */
1402 public synchronized AuthenticationMethod getAuthenticationMethod() {
1403 return user.getAuthenticationMethod();
1404 }
1405
1406 /**
1407 * Get the authentication method from the real user's subject. If there
1408 * is no real user, return the given user's authentication method.
1409 *
1410 * @return AuthenticationMethod in the subject, null if not present.
1411 */
1412 public synchronized AuthenticationMethod getRealAuthenticationMethod() {
1413 UserGroupInformation ugi = getRealUser();
1414 if (ugi == null) {
1415 ugi = this;
1416 }
1417 return ugi.getAuthenticationMethod();
1418 }
1419
1420 /**
1421 * Returns the authentication method of a ugi. If the authentication method is
1422 * PROXY, returns the authentication method of the real user.
1423 *
1424 * @param ugi
1425 * @return AuthenticationMethod
1426 */
1427 public static AuthenticationMethod getRealAuthenticationMethod(
1428 UserGroupInformation ugi) {
1429 AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
1430 if (authMethod == AuthenticationMethod.PROXY) {
1431 authMethod = ugi.getRealUser().getAuthenticationMethod();
1432 }
1433 return authMethod;
1434 }
1435
1436 /**
1437 * Compare the subjects to see if they are equal to each other.
1438 */
1439 @Override
1440 public boolean equals(Object o) {
1441 if (o == this) {
1442 return true;
1443 } else if (o == null || getClass() != o.getClass()) {
1444 return false;
1445 } else {
1446 return subject == ((UserGroupInformation) o).subject;
1447 }
1448 }
1449
1450 /**
1451 * Return the hash of the subject.
1452 */
1453 @Override
1454 public int hashCode() {
1455 return System.identityHashCode(subject);
1456 }
1457
1458 /**
1459 * Get the underlying subject from this ugi.
1460 * @return the subject that represents this user.
1461 */
1462 protected Subject getSubject() {
1463 return subject;
1464 }
1465
1466 /**
1467 * Run the given action as the user.
1468 * @param <T> the return type of the run method
1469 * @param action the method to execute
1470 * @return the value from the run method
1471 */
1472 @InterfaceAudience.Public
1473 @InterfaceStability.Evolving
1474 public <T> T doAs(PrivilegedAction<T> action) {
1475 logPrivilegedAction(subject, action);
1476 return Subject.doAs(subject, action);
1477 }
1478
1479 /**
1480 * Run the given action as the user, potentially throwing an exception.
1481 * @param <T> the return type of the run method
1482 * @param action the method to execute
1483 * @return the value from the run method
1484 * @throws IOException if the action throws an IOException
1485 * @throws Error if the action throws an Error
1486 * @throws RuntimeException if the action throws a RuntimeException
1487 * @throws InterruptedException if the action throws an InterruptedException
1488 * @throws UndeclaredThrowableException if the action throws something else
1489 */
1490 @InterfaceAudience.Public
1491 @InterfaceStability.Evolving
1492 public <T> T doAs(PrivilegedExceptionAction<T> action
1493 ) throws IOException, InterruptedException {
1494 try {
1495 logPrivilegedAction(subject, action);
1496 return Subject.doAs(subject, action);
1497 } catch (PrivilegedActionException pae) {
1498 Throwable cause = pae.getCause();
1499 LOG.error("PriviledgedActionException as:"+this+" cause:"+cause);
1500 if (cause instanceof IOException) {
1501 throw (IOException) cause;
1502 } else if (cause instanceof Error) {
1503 throw (Error) cause;
1504 } else if (cause instanceof RuntimeException) {
1505 throw (RuntimeException) cause;
1506 } else if (cause instanceof InterruptedException) {
1507 throw (InterruptedException) cause;
1508 } else {
1509 throw new UndeclaredThrowableException(cause);
1510 }
1511 }
1512 }
1513
1514 private void logPrivilegedAction(Subject subject, Object action) {
1515 if (LOG.isDebugEnabled()) {
1516 // would be nice if action included a descriptive toString()
1517 String where = new Throwable().getStackTrace()[2].toString();
1518 LOG.debug("PrivilegedAction as:"+this+" from:"+where);
1519 }
1520 }
1521
1522 private void print() throws IOException {
1523 System.out.println("User: " + getUserName());
1524 System.out.print("Group Ids: ");
1525 System.out.println();
1526 String[] groups = getGroupNames();
1527 System.out.print("Groups: ");
1528 for(int i=0; i < groups.length; i++) {
1529 System.out.print(groups[i] + " ");
1530 }
1531 System.out.println();
1532 }
1533
1534 /**
1535 * A test method to print out the current user's UGI.
1536 * @param args if there are two arguments, read the user from the keytab
1537 * and print it out.
1538 * @throws Exception
1539 */
1540 public static void main(String [] args) throws Exception {
1541 System.out.println("Getting UGI for current user");
1542 UserGroupInformation ugi = getCurrentUser();
1543 ugi.print();
1544 System.out.println("UGI: " + ugi);
1545 System.out.println("Auth method " + ugi.user.getAuthenticationMethod());
1546 System.out.println("Keytab " + ugi.isKeytab);
1547 System.out.println("============================================================");
1548
1549 if (args.length == 2) {
1550 System.out.println("Getting UGI from keytab....");
1551 loginUserFromKeytab(args[0], args[1]);
1552 getCurrentUser().print();
1553 System.out.println("Keytab: " + ugi);
1554 System.out.println("Auth method " + loginUser.user.getAuthenticationMethod());
1555 System.out.println("Keytab " + loginUser.isKeytab);
1556 }
1557 }
1558
1559 }