SecurityUtil (Hadoop 1.0.4 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.hadoop.security
Class SecurityUtil

java.lang.Object
  org.apache.hadoop.security.SecurityUtil

public class SecurityUtil
extends Object
extends Object

Nested Class Summary
`protected static class`	`SecurityUtil.QualifiedHostResolver` This an alternate resolver with important properties that the standard java resolver lacks: 1) The hostname is fully qualified.

Field Summary
`static String`	`HOSTNAME_PATTERN`
`static org.apache.commons.logging.Log`	`LOG`

Constructor Summary
`SecurityUtil()`

Method Summary
`static String`	`buildDTServiceName(URI uri, int defPort)` create the service name for a Delegation token
`static Text`	`buildTokenService(InetSocketAddress addr)` Construct the service key for a token
`static void`	`fetchServiceTicket(URL remoteHost)` Explicitly pull the service ticket for the specified host.
`static AccessControlList`	`getAdminAcls(Configuration conf, String configKey)` Get the ACL object representing the cluster administrators The user who starts the daemon is automatically added as an admin
`static InetAddress`	`getByName(String hostname)` Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip.
`static String`	`getHostFromPrincipal(String principalName)` Get the host name from the principal name of format /host@realm.
`static String`	`getServerPrincipal(String principalConfig, InetAddress addr)` Convert Kerberos principal name pattern to valid Kerberos principal names.
`static String`	`getServerPrincipal(String principalConfig, String hostname)` Convert Kerberos principal name pattern to valid Kerberos principal names.
`static InetSocketAddress`	`getTokenServiceAddr(Token<?> token)` Decode the given token's service field into an InetAddress
`protected static boolean`	`isOriginalTGT(String name)`
`static void`	`login(Configuration conf, String keytabFileKey, String userNameKey)` If a keytab has been provided, login as that user.
`static void`	`login(Configuration conf, String keytabFileKey, String userNameKey, String hostname)` If a keytab has been provided, login as that user.
`static void`	`setTokenService(Token<?> token, InetSocketAddress addr)` Set the given token's service to the format expected by the RPC client

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

LOG

public static final org.apache.commons.logging.Log LOG

HOSTNAME_PATTERN

public static final String HOSTNAME_PATTERN

See Also:: Constant Field Values

Constructor Detail

SecurityUtil

public SecurityUtil()

Method Detail

isOriginalTGT

protected static boolean isOriginalTGT(String name)

fetchServiceTicket

public static void fetchServiceTicket(URL remoteHost)
                               throws IOException

Explicitly pull the service ticket for the specified host. This solves a problem with Java's Kerberos SSL problem where the client cannot authenticate against a cross-realm service. It is necessary for clients making kerberized https requests to call this method on the target URL to ensure that in a cross-realm environment the remote host will be successfully authenticated. This method is internal to Hadoop and should not be used by other applications. This method should not be considered stable or open: it will be removed when the Java behavior is changed.

Parameters:: remoteHost - Target URL the krb-https client will access
Throws:: IOException - if a service ticket is not available

getServerPrincipal

public static String getServerPrincipal(String principalConfig,
                                        String hostname)
                                 throws IOException

Convert Kerberos principal name pattern to valid Kerberos principal names. It replaces hostname pattern with hostname, which should be fully-qualified domain name. If hostname is null or "0.0.0.0", it uses dynamically looked-up fqdn of the current host instead.

Parameters:: principalConfig - the Kerberos principal name conf value to convert; hostname - the fully-qualified domain name used for substitution
Returns:: converted Kerberos principal name
Throws:: IOException - if the service ticket cannot be retrieved

getServerPrincipal

public static String getServerPrincipal(String principalConfig,
                                        InetAddress addr)
                                 throws IOException

Convert Kerberos principal name pattern to valid Kerberos principal names. This method is similar to getServerPrincipal(String, String), except 1) the reverse DNS lookup from addr to hostname is done only when necessary, 2) param addr can't be null (no default behavior of using local hostname when addr is null).

Parameters:: principalConfig - Kerberos principal name pattern to convert; addr - InetAddress of the host used for substitution
Returns:: converted Kerberos principal name
Throws:: IOException - if the client address cannot be determined

login

public static void login(Configuration conf,
                         String keytabFileKey,
                         String userNameKey)
                  throws IOException

If a keytab has been provided, login as that user. Substitute $host in user's Kerberos principal name with a dynamically looked-up fully-qualified domain name of the current host.

Parameters:: conf - conf to use; keytabFileKey - the key to look for keytab file in conf; userNameKey - the key to look for user's Kerberos principal name in conf
Throws:: IOException - if the client address cannot be determined

login

public static void login(Configuration conf,
                         String keytabFileKey,
                         String userNameKey,
                         String hostname)
                  throws IOException

If a keytab has been provided, login as that user. Substitute $host in user's Kerberos principal name with hostname.

Parameters:: conf - conf to use; keytabFileKey - the key to look for keytab file in conf; userNameKey - the key to look for user's Kerberos principal name in conf; hostname - hostname to use for substitution
Throws:: IOException - if login fails

getTokenServiceAddr

public static InetSocketAddress getTokenServiceAddr(Token<?> token)

Decode the given token's service field into an InetAddress

Parameters:: token - from which to obtain the service
Returns:: InetAddress for the service

setTokenService

public static void setTokenService(Token<?> token,
                                   InetSocketAddress addr)

Set the given token's service to the format expected by the RPC client

Parameters:: token - a delegation token; addr - the socket for the rpc connection

buildTokenService

public static Text buildTokenService(InetSocketAddress addr)

Construct the service key for a token

Parameters:: addr - InetSocketAddress of remote connection with a token
Returns:: "ip:port" or "host:port" depending on the value of hadoop.security.token.service.use_ip

buildDTServiceName

public static String buildDTServiceName(URI uri,
                                        int defPort)

create the service name for a Delegation token

Parameters:: uri - of the service; defPort - is used if the uri lacks a port
Returns:: the token service, or null if no authority
See Also:: buildTokenService(InetSocketAddress)

getAdminAcls

public static AccessControlList getAdminAcls(Configuration conf,
                                             String configKey)

Get the ACL object representing the cluster administrators The user who starts the daemon is automatically added as an admin

Parameters:: conf -; configKey - the key that holds the ACL string in its value
Returns:: AccessControlList instance

getHostFromPrincipal

public static String getHostFromPrincipal(String principalName)

Get the host name from the principal name of format /host@realm.

Parameters:: principalName - principal name of format as described above
Returns:: host name if the the string conforms to the above format, else null

getByName

public static InetAddress getByName(String hostname)
                             throws UnknownHostException

Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip.

Parameters:: hostname - host or ip to resolve
Returns:: a resolved host
Throws:: UnknownHostException - if the host doesn't exist

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.hadoop.security Class SecurityUtil

LOG

HOSTNAME_PATTERN

SecurityUtil

isOriginalTGT

fetchServiceTicket

getServerPrincipal

getServerPrincipal

login

login

getTokenServiceAddr

setTokenService

buildTokenService

buildDTServiceName

getAdminAcls

getHostFromPrincipal

getByName

org.apache.hadoop.security
Class SecurityUtil