@InterfaceAudience.Public @InterfaceStability.Evolving public final class SecurityUtil extends Object
Modifier and Type | Class and Description |
---|---|
protected static class |
SecurityUtil.QualifiedHostResolver
This an alternate resolver with important properties that the standard
java resolver lacks:
1) The hostname is fully qualified.
|
Modifier and Type | Field and Description |
---|---|
static String |
FAILED_TO_GET_UGI_MSG_HEADER |
static String |
HOSTNAME_PATTERN |
static org.apache.commons.logging.Log |
LOG |
Modifier and Type | Method and Description |
---|---|
static String |
buildDTServiceName(URI uri,
int defPort)
create the service name for a Delegation token
|
static Text |
buildTokenService(InetSocketAddress addr)
Construct the service key for a token
|
static Text |
buildTokenService(URI uri)
Construct the service key for a token
|
static <T> T |
doAsCurrentUser(PrivilegedExceptionAction<T> action)
Perform the given action as the daemon's current user.
|
static <T> T |
doAsLoginUser(PrivilegedExceptionAction<T> action)
Perform the given action as the daemon's login user.
|
static <T> T |
doAsLoginUserOrFatal(PrivilegedAction<T> action)
Perform the given action as the daemon's login user.
|
static UserGroupInformation.AuthenticationMethod |
getAuthenticationMethod(Configuration conf) |
static String |
getHostFromPrincipal(String principalName)
Get the host name from the principal name of format
|
static org.apache.hadoop.security.KerberosInfo |
getKerberosInfo(Class<?> protocol,
Configuration conf)
Look up the KerberosInfo for a given protocol.
|
static String |
getServerPrincipal(String principalConfig,
InetAddress addr)
Convert Kerberos principal name pattern to valid Kerberos principal names.
|
static String |
getServerPrincipal(String principalConfig,
String hostname)
Convert Kerberos principal name pattern to valid Kerberos principal
names.
|
static TokenInfo |
getTokenInfo(Class<?> protocol,
Configuration conf)
Look up the TokenInfo for a given protocol.
|
static InetSocketAddress |
getTokenServiceAddr(Token<?> token)
Decode the given token's service field into an InetAddress
|
protected static boolean |
isOriginalTGT(KerberosTicket ticket)
Check whether the server principal is the TGS's principal
|
static boolean |
isPrivilegedPort(int port) |
static void |
login(Configuration conf,
String keytabFileKey,
String userNameKey)
Login as a principal specified in config.
|
static void |
login(Configuration conf,
String keytabFileKey,
String userNameKey,
String hostname)
Login as a principal specified in config.
|
static void |
setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authenticationMethod,
Configuration conf) |
static void |
setTokenService(Token<?> token,
InetSocketAddress addr)
Set the given token's service to the format expected by the RPC client
|
public static final org.apache.commons.logging.Log LOG
public static final String HOSTNAME_PATTERN
public static final String FAILED_TO_GET_UGI_MSG_HEADER
protected static boolean isOriginalTGT(KerberosTicket ticket)
ticket
- the original TGT (the ticket that is obtained when a
kinit is done)@InterfaceAudience.Public @InterfaceStability.Evolving public static String getServerPrincipal(String principalConfig, String hostname) throws IOException
principalConfig
- the Kerberos principal name conf value to converthostname
- the fully-qualified domain name used for substitutionIOException
- if the client address cannot be determined@InterfaceAudience.Public @InterfaceStability.Evolving public static String getServerPrincipal(String principalConfig, InetAddress addr) throws IOException
getServerPrincipal(String, String)
,
except 1) the reverse DNS lookup from addr to hostname is done only when
necessary, 2) param addr can't be null (no default behavior of using local
hostname when addr is null).principalConfig
- Kerberos principal name pattern to convertaddr
- InetAddress of the host used for substitutionIOException
- if the client address cannot be determined@InterfaceAudience.Public @InterfaceStability.Evolving public static void login(Configuration conf, String keytabFileKey, String userNameKey) throws IOException
conf
- conf to usekeytabFileKey
- the key to look for keytab file in confuserNameKey
- the key to look for user's Kerberos principal name in confIOException
- if login fails@InterfaceAudience.Public @InterfaceStability.Evolving public static void login(Configuration conf, String keytabFileKey, String userNameKey, String hostname) throws IOException
conf
- conf to usekeytabFileKey
- the key to look for keytab file in confuserNameKey
- the key to look for user's Kerberos principal name in confhostname
- hostname to use for substitutionIOException
- if the config doesn't specify a keytabpublic static String buildDTServiceName(URI uri, int defPort)
uri
- of the servicedefPort
- is used if the uri lacks a portbuildTokenService(InetSocketAddress)
public static String getHostFromPrincipal(String principalName)
principalName
- principal name of format as described abovepublic static org.apache.hadoop.security.KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf)
protocol
- the protocol class to get the information forconf
- configuration objectpublic static TokenInfo getTokenInfo(Class<?> protocol, Configuration conf)
protocol
- The protocol class to get the information for.conf
- Configuration objectpublic static InetSocketAddress getTokenServiceAddr(Token<?> token)
token
- from which to obtain the servicepublic static void setTokenService(Token<?> token, InetSocketAddress addr)
token
- a delegation tokenaddr
- the socket for the rpc connectionpublic static Text buildTokenService(InetSocketAddress addr)
addr
- InetSocketAddress of remote connection with a tokenpublic static Text buildTokenService(URI uri)
uri
- of remote connection with a tokenpublic static <T> T doAsLoginUserOrFatal(PrivilegedAction<T> action)
public static <T> T doAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException
action
- the action to performIOException
- in the event of errorpublic static <T> T doAsCurrentUser(PrivilegedExceptionAction<T> action) throws IOException
action
- the action to performIOException
- in the event of errorpublic static UserGroupInformation.AuthenticationMethod getAuthenticationMethod(Configuration conf)
public static void setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authenticationMethod, Configuration conf)
public static boolean isPrivilegedPort(int port)
Copyright © 2017 Apache Software Foundation. All Rights Reserved.