下面列出了org.apache.hadoop.hbase.security.UserProvider#login ( ) 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
/**
 * Builds a {@link UserProvider} from {@code hbaseConfig} and, when Hadoop security is enabled,
 * performs a keytab login with it.
 *
 * <p>The keytab and user-name entries of {@code conf} are copied into {@code hbaseConfig} under
 * the same keys. The login call is then handed those key names (not the values) together with
 * the canonical name of the local host. An entry missing from {@code conf} leaves
 * {@code hbaseConfig} untouched, so whatever that configuration already holds is what the login
 * sees.
 *
 * @param conf source of the keytab path and user name; both values are cast to {@code String},
 *     so a non-string value fails with {@code ClassCastException}
 * @param hbaseConfig configuration used to create the provider; mutated in place
 * @return the provider, logged in only when security is enabled
 * @throws IOException if the local host name cannot be resolved or the login fails
 */
public static UserProvider login(Map conf, Configuration hbaseConfig) throws IOException {
  UserProvider provider = UserProvider.instantiate(hbaseConfig);
  if (!UserGroupInformation.isSecurityEnabled()) {
    // Insecure cluster: nothing to authenticate, hand back the provider as created.
    return provider;
  }

  // Same order as before: keytab first, then user name.
  for (String key : new String[] {STORM_KEYTAB_FILE_KEY, STORM_USER_NAME_KEY}) {
    String value = (String) conf.get(key);
    if (value != null) {
      hbaseConfig.set(key, value);
    }
  }

  // NOTE(review): the host name comes from the local resolver and is presumably used to expand
  // a host placeholder in the principal - confirm; a misresolved name would then select a
  // principal that is not in the keytab.
  String localHost = InetAddress.getLocalHost().getCanonicalHostName();
  provider.login(STORM_KEYTAB_FILE_KEY, STORM_USER_NAME_KEY, localHost);
  return provider;
}
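/**
 * Logs in through the superclass and, for compatibility, retries with the master keytab and
 * principal settings when that first attempt fails with an {@link IOException}.
 *
 * <p>If the fallback fails as well, the fallback's exception is thrown with the first failure
 * attached as a suppressed exception, so the reason the primary credentials were rejected is
 * not lost from the stack trace.
 *
 * <p>NOTE(review): when the fallback succeeds the first failure is still discarded here. The
 * process then runs under a different identity than the one tried first; consider logging that
 * so the switch is visible in audit trails.
 *
 * @param user provider that performs the login
 * @param host host name passed through to the login calls
 * @throws IOException if both login attempts fail
 */
@Override
protected void login(UserProvider user, String host) throws IOException {
  try {
    super.login(user, host);
  } catch (IOException primaryFailure) {
    try {
      user.login(SecurityConstants.MASTER_KRB_KEYTAB_FILE,
          SecurityConstants.MASTER_KRB_PRINCIPAL, host);
    } catch (IOException fallbackFailure) {
      // addSuppressed rejects self-suppression, hence the identity check.
      if (fallbackFailure != primaryFailure) {
        fallbackFailure.addSuppressed(primaryFailure);
      }
      throw fallbackFailure;
    }
  }
}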
/**
 * Logs in the REST server principal when both Hadoop and HBase security are enabled, and selects
 * the servlet container class plus an optional authentication filter.
 *
 * <p>With security enabled, the keytab and principal settings must be present and non-empty or
 * an {@code IllegalArgumentException} is raised by the precondition checks. The login call
 * receives the configuration key names and the host name resolved through the configured DNS
 * interface and name server.
 *
 * @param userProvider provider queried for the security flags and used for the login
 * @param conf server configuration
 * @return the authentication filter (or {@code null} when none is set up) paired with the
 *     container class to use
 * @throws Exception if host resolution or the login fails
 */
private static Pair<FilterHolder, Class<? extends ServletContainer>> loginServerPrincipal(
    UserProvider userProvider, Configuration conf) throws Exception {
  Class<? extends ServletContainer> containerClass = ServletContainer.class;

  boolean secure =
      userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled();
  if (!secure) {
    return new Pair<>(null, containerClass);
  }

  String dnsInterface = conf.get(REST_DNS_INTERFACE, "default");
  String dnsNameserver = conf.get(REST_DNS_NAMESERVER, "default");
  String machineName =
      Strings.domainNamePointerToHostName(DNS.getDefaultHost(dnsInterface, dnsNameserver));

  // Fail fast on missing credentials settings instead of attempting a login that cannot work.
  String keytabFilename = conf.get(REST_KEYTAB_FILE);
  boolean keytabConfigured = !(keytabFilename == null || keytabFilename.isEmpty());
  Preconditions.checkArgument(keytabConfigured,
      REST_KEYTAB_FILE + " should be set if security is enabled");

  String principalConfig = conf.get(REST_KERBEROS_PRINCIPAL);
  boolean principalConfigured = !(principalConfig == null || principalConfig.isEmpty());
  Preconditions.checkArgument(principalConfigured,
      REST_KERBEROS_PRINCIPAL + " should be set if security is enabled");

  // Hook for unit tests: a real login would log out any other user and disturb the tests.
  // NOTE(review): this flag bypasses the keytab login entirely; it should never be set in a
  // deployed configuration.
  boolean skipLogin = conf.getBoolean(SKIP_LOGIN_KEY, false);
  if (!skipLogin) {
    userProvider.login(REST_KEYTAB_FILE, REST_KERBEROS_PRINCIPAL, machineName);
  }

  // NOTE(review): with security enabled but no authentication type configured, no filter is
  // returned; confirm that requests are authenticated elsewhere in that setup.
  if (conf.get(REST_AUTHENTICATION_TYPE) == null) {
    return new Pair<>(null, containerClass);
  }

  containerClass = RESTServletContainer.class;
  FilterHolder authFilter = new FilterHolder();
  authFilter.setClassName(AuthFilter.class.getName());
  authFilter.setName("AuthenticationFilter");
  return new Pair<>(authFilter, containerClass);
}
/**
 * Performs the client keytab login on {@code provider} and returns the provider's current user.
 *
 * @param provider provider to log in with
 * @return the user reported by {@code provider.getCurrent()} after the login
 * @throws IOException the login failure, rethrown unchanged after it has been logged
 */
private static User loginFromKeytabAndReturnUser(UserProvider provider) throws IOException {
  try {
    provider.login(HBASE_CLIENT_KEYTAB_FILE, HBASE_CLIENT_KERBEROS_PRINCIPAL);
  } catch (IOException loginFailure) {
    // The two constants logged here are the same ones handed to login() above, i.e. the log
    // line shows configuration key names rather than the resolved principal or keytab path.
    // Only the exception message is logged; the stack trace travels with the rethrow.
    String reason = loginFailure.getMessage();
    LOG.error("Error while trying to login as user {} through {}, with message: {}.",
        HBASE_CLIENT_KERBEROS_PRINCIPAL, HBASE_CLIENT_KEYTAB_FILE, reason);
    throw loginFailure;
  }
  User current = provider.getCurrent();
  return current;
}
/**
 * Initialises the server from {@code conf}: logs in the service and SPNEGO identities when
 * security is enabled, creates metrics, handler and processor, reads the HTTP / doAs / QOP
 * settings, then registers filters and starts the pause monitor.
 *
 * @throws IOException if a login fails, if the configured QOP is not one of the accepted
 *     values, or if a QOP is configured while the server is not running in secure mode
 */
protected void setupParamters() throws IOException {
  // login the server principal (if using secure Hadoop)
  UserProvider userProvider = UserProvider.instantiate(conf);
  // Secure mode requires both the Hadoop and the HBase security flags.
  securityEnabled = userProvider.isHadoopSecurityEnabled()
    && userProvider.isHBaseSecurityEnabled();
  if (securityEnabled) {
    // Host name is resolved through the configured DNS interface and name server.
    host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
      conf.get(THRIFT_DNS_INTERFACE_KEY, "default"),
      conf.get(THRIFT_DNS_NAMESERVER_KEY, "default")));
    // login() is given the configuration key names, not the keytab path or principal itself.
    userProvider.login(THRIFT_KEYTAB_FILE_KEY, THRIFT_KERBEROS_PRINCIPAL_KEY, host);
    // Setup the SPNEGO user for HTTP if configured
    // NOTE(review): the keytab login below runs whenever security is enabled; any
    // "if configured" fallback has to happen inside getSpengoPrincipal / getSpnegoKeytab - confirm.
    String spnegoPrincipal = getSpengoPrincipal(conf, host);
    String spnegoKeytab = getSpnegoKeytab(conf);
    UserGroupInformation.setConfiguration(conf);
    // login the SPNEGO principal using UGI to avoid polluting the login user
    this.httpUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipal,
      spnegoKeytab);
  }
  this.serviceUGI = userProvider.getCurrent().getUGI();
  // No separate HTTP identity was set up: reuse the service identity for HTTP.
  if (httpUGI == null) {
    this.httpUGI = serviceUGI;
  }
  this.listenPort = conf.getInt(PORT_CONF_KEY, DEFAULT_LISTEN_PORT);
  this.metrics = createThriftMetrics(conf);
  this.pauseMonitor = new JvmPauseMonitor(conf, this.metrics.getSource());
  this.hbaseServiceHandler = createHandler(conf, userProvider);
  this.hbaseServiceHandler.initMetrics(metrics);
  this.processor = createProcessor();
  httpEnabled = conf.getBoolean(USE_HTTP_CONF_KEY, false);
  doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, false);
  // Only a warning is logged here; doAsEnabled keeps the configured value.
  if (doAsEnabled && !httpEnabled) {
    LOG.warn("Fail to enable the doAs feature. " + USE_HTTP_CONF_KEY + " is not configured");
  }
  String strQop = conf.get(THRIFT_QOP_KEY);
  if (strQop != null) {
    this.qop = SaslUtil.getQop(strQop);
  }
  if (qop != null) {
    // Accept only the three named protection levels; anything else aborts start-up.
    if (qop != SaslUtil.QualityOfProtection.AUTHENTICATION &&
      qop != SaslUtil.QualityOfProtection.INTEGRITY &&
      qop != SaslUtil.QualityOfProtection.PRIVACY) {
      throw new IOException(String.format("Invalid %s: It must be one of %s, %s, or %s.",
        THRIFT_QOP_KEY,
        SaslUtil.QualityOfProtection.AUTHENTICATION.name(),
        SaslUtil.QualityOfProtection.INTEGRITY.name(),
        SaslUtil.QualityOfProtection.PRIVACY.name()));
    }
    checkHttpSecurity(qop, conf);
    // A QOP without secure mode is rejected outright rather than silently ignored.
    if (!securityEnabled) {
      throw new IOException("Thrift server must run in secure mode to support authentication");
    }
  }
  registerFilters(conf);
  pauseMonitor.start();
}
/**
 * Logs {@code user} in using the region server keytab-file and principal settings.
 *
 * @param user provider that performs the login
 * @param host host name handed to the login call
 * @throws IOException if the login fails
 */
protected void login(UserProvider user, String host) throws IOException {
  // The constants name the settings to read; the provider resolves the actual values.
  final String keytabKey = SecurityConstants.REGIONSERVER_KRB_KEYTAB_FILE;
  final String principalKey = SecurityConstants.REGIONSERVER_KRB_PRINCIPAL;
  user.login(keytabKey, principalKey, host);
}