@InterfaceAudience.Public @InterfaceStability.Evolving public class UserGroupInformation extends Object
Modifier and Type | Class and Description |
---|---|
static class | UserGroupInformation.AuthenticationMethod<br>Existing types of authentication methods |
Modifier and Type | Field and Description |
---|---|
static String | HADOOP_TOKEN_FILE_LOCATION<br>Environment variable pointing to the token cache file |
Modifier and Type | Method and Description |
---|---|
void | addCredentials(Credentials credentials)<br>Add the given Credentials to this user. |
boolean | addToken(Text alias, Token<? extends TokenIdentifier> token)<br>Add a named token to this UGI |
boolean | addToken(Token<? extends TokenIdentifier> token)<br>Add a token to this UGI |
boolean | addTokenIdentifier(TokenIdentifier tokenId)<br>Add a TokenIdentifier to this UGI. |
void | checkTGTAndReloginFromKeytab()<br>Re-login a user from keytab if TGT is expired or is close to expiry. |
static UserGroupInformation | createProxyUser(String user, UserGroupInformation realUser)<br>Create a proxy user using username of the effective user and the ugi of the real user. |
static UserGroupInformation | createProxyUserForTesting(String user, UserGroupInformation realUser, String[] userGroups)<br>Create a proxy user UGI for testing HDFS and MapReduce |
static UserGroupInformation | createRemoteUser(String user)<br>Create a user from a login name. |
static UserGroupInformation | createRemoteUser(String user, org.apache.hadoop.security.SaslRpcServer.AuthMethod authMethod)<br>Create a user from a login name. |
static UserGroupInformation | createUserForTesting(String user, String[] userGroups)<br>Create a UGI for testing HDFS and MapReduce |
<T> T | doAs(PrivilegedAction<T> action)<br>Run the given action as the user. |
<T> T | doAs(PrivilegedExceptionAction<T> action)<br>Run the given action as the user, potentially throwing an exception. |
boolean | equals(Object o)<br>Compare the subjects to see if they are equal to each other. |
void | forceReloginFromKeytab()<br>Force re-Login a user in from a keytab file irrespective of the last login time. |
UserGroupInformation.AuthenticationMethod | getAuthenticationMethod()<br>Get the authentication method from the subject |
static UserGroupInformation | getBestUGI(String ticketCachePath, String user)<br>Find the most appropriate UserGroupInformation to use |
Credentials | getCredentials()<br>Obtain the tokens in credentials form associated with this user. |
static UserGroupInformation | getCurrentUser()<br>Return the current user, including any doAs in the current stack. |
String[] | getGroupNames()<br>Get the group names for this user. |
List<String> | getGroups()<br>Get the group names for this user. |
static UserGroupInformation | getLoginUser()<br>Get the currently logged in user. |
String | getPrimaryGroupName() |
UserGroupInformation.AuthenticationMethod | getRealAuthenticationMethod()<br>Get the authentication method from the real user's subject. |
static UserGroupInformation.AuthenticationMethod | getRealAuthenticationMethod(UserGroupInformation ugi)<br>Returns the authentication method of a ugi. |
UserGroupInformation | getRealUser()<br>get RealUser (vs. |
String | getShortUserName()<br>Get the user's login name. |
protected Subject | getSubject()<br>Get the underlying subject from this ugi. |
Set<TokenIdentifier> | getTokenIdentifiers()<br>Get the set of TokenIdentifiers belonging to this UGI |
Collection<Token<? extends TokenIdentifier>> | getTokens()<br>Obtain the collection of tokens associated with this user. |
static UserGroupInformation | getUGIFromSubject(Subject subject)<br>Create a UserGroupInformation from a Subject with Kerberos principal. |
static UserGroupInformation | getUGIFromTicketCache(String ticketCache, String user)<br>Create a UserGroupInformation from a Kerberos ticket cache. |
String | getUserName()<br>Get the user's full principal name. |
int | hashCode()<br>Return the hash of the subject. |
boolean | hasKerberosCredentials()<br>checks if logged in using kerberos |
boolean | isFromKeytab()<br>Is this user logged in from a keytab file managed by the UGI? |
static boolean | isInitialized() |
static boolean | isLoginKeytabBased()<br>Did the login happen via keytab |
static boolean | isLoginTicketBased()<br>Did the login happen via ticket cache |
static boolean | isSecurityEnabled()<br>Determine if UserGroupInformation is using Kerberos to determine user identities or is relying on simple authentication |
static void | logAllUserInfo(UserGroupInformation ugi)<br>Log all (current, real, login) UGI and token info into UGI debug log. |
static void | loginUserFromKeytab(String user, String path)<br>Log a user in from a keytab file. |
static UserGroupInformation | loginUserFromKeytabAndReturnUGI(String user, String path)<br>Log a user in from a keytab file. |
static void | loginUserFromSubject(Subject subject)<br>Log in a user using the given subject |
void | logoutUserFromKeytab()<br>Log the current user out who previously logged in using keytab. |
static void | main(String[] args)<br>A test method to print out the current user's UGI. |
static void | reattachMetrics()<br>Reattach the class's metrics to a new metric system. |
void | reloginFromKeytab()<br>Re-Login a user in from a keytab file. |
void | reloginFromTicketCache()<br>Re-Login a user in from the ticket cache. |
void | setAuthenticationMethod(org.apache.hadoop.security.SaslRpcServer.AuthMethod authMethod)<br>Sets the authentication method in the subject |
void | setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authMethod)<br>Sets the authentication method in the subject |
static void | setConfiguration(Configuration conf)<br>Set the static configuration for UGI. |
static void | setShouldRenewImmediatelyForTests(boolean immediate)<br>For the purposes of unit tests, we want to test login from keytab and don't want to wait until the renew window (controlled by TICKET_RENEW_WINDOW). |
String | toString()<br>Return the username. |
static String | trimLoginMethod(String userName)<br>remove the login method that is followed by a space from the username e.g. |
public static final String HADOOP_TOKEN_FILE_LOCATION
public static void setShouldRenewImmediatelyForTests(boolean immediate)
immediate - true if we should login without waiting for ticket window
public static void reattachMetrics()
public static boolean isInitialized()
@InterfaceAudience.Public @InterfaceStability.Evolving public static void setConfiguration(Configuration conf)
conf - the configuration to use
public static boolean isSecurityEnabled()
public boolean hasKerberosCredentials()
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getCurrentUser() throws IOException
IOException - if login fails
public static UserGroupInformation getBestUGI(String ticketCachePath, String user) throws IOException
ticketCachePath - The Kerberos ticket cache path, or NULL if none is specified
user - The user name, or NULL if none is specified.
IOException
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getUGIFromTicketCache(String ticketCache, String user) throws IOException
user - The principal name to load from the ticket cache
ticketCache - the path to the ticket cache file
IOException - if the kerberos login fails
public static UserGroupInformation getUGIFromSubject(Subject subject) throws IOException
subject - The KerberosPrincipal to use in UGI. The creator of subject is responsible for renewing credentials.
IOException
KerberosAuthException - if the kerberos login fails
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation getLoginUser() throws IOException
IOException - if login fails
public static String trimLoginMethod(String userName)
userName -
@InterfaceAudience.Public @InterfaceStability.Evolving public static void loginUserFromSubject(Subject subject) throws IOException
subject - the subject to use when logging in a user, or null to create a new subject. If subject is not null, the creator of subject is responsible for renewing credentials.
IOException - if login fails
public boolean isFromKeytab()
@InterfaceAudience.Public @InterfaceStability.Evolving public static void loginUserFromKeytab(String user, String path) throws IOException
user - the principal name to load from the keytab
path - the path to the keytab file
IOException
KerberosAuthException - if it's a kerberos login exception.
@InterfaceAudience.Public @InterfaceStability.Evolving public void logoutUserFromKeytab() throws IOException
loginUserFromKeytab(String, String).
IOException
KerberosAuthException - if a failure occurred in logout, or if the user did not log in by invoking loginUserFromKeytab() before.
public void checkTGTAndReloginFromKeytab() throws IOException
IOException
KerberosAuthException - if it's a kerberos login exception.
@InterfaceAudience.Public @InterfaceStability.Evolving public void reloginFromKeytab() throws IOException
loginUserFromKeytab(String, String) had happened already. The Subject field of this UserGroupInformation object is updated to have the new credentials.
IOException
KerberosAuthException - on a failure
@InterfaceAudience.Public @InterfaceStability.Evolving public void forceReloginFromKeytab() throws IOException
loginUserFromKeytab(String, String) had happened already. The Subject field of this UserGroupInformation object is updated to have the new credentials.
IOException
KerberosAuthException - on a failure
@InterfaceAudience.Public @InterfaceStability.Evolving public void reloginFromTicketCache() throws IOException
IOException
KerberosAuthException - on a failure
public static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user, String path) throws IOException
user - the principal name to load from the keytab
path - the path to the keytab file
IOException - if the keytab file can't be read
@InterfaceAudience.Public @InterfaceStability.Evolving public static boolean isLoginKeytabBased() throws IOException
IOException
public static boolean isLoginTicketBased() throws IOException
IOException
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createRemoteUser(String user)
user - the full user principal name, must not be empty or null
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createRemoteUser(String user, org.apache.hadoop.security.SaslRpcServer.AuthMethod authMethod)
user - the full user principal name, must not be empty or null
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createProxyUser(String user, UserGroupInformation realUser)
user -
realUser -
@InterfaceAudience.Public @InterfaceStability.Evolving public UserGroupInformation getRealUser()
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createUserForTesting(String user, String[] userGroups)
user - the full user principal name
userGroups - the names of the groups that the user belongs to
public static UserGroupInformation createProxyUserForTesting(String user, UserGroupInformation realUser, String[] userGroups)
user - the full user principal name for effective user
realUser - UGI of the real user
userGroups - the names of the groups that the user belongs to
public String getShortUserName()
public String getPrimaryGroupName() throws IOException
IOException
@InterfaceAudience.Public @InterfaceStability.Evolving public String getUserName()
public boolean addTokenIdentifier(TokenIdentifier tokenId)
tokenId - tokenIdentifier to be added
public Set<TokenIdentifier> getTokenIdentifiers()
public boolean addToken(Token<? extends TokenIdentifier> token)
token - Token to be added
public boolean addToken(Text alias, Token<? extends TokenIdentifier> token)
alias - Name of the token
token - Token to be added
public Collection<Token<? extends TokenIdentifier>> getTokens()
public Credentials getCredentials()
public void addCredentials(Credentials credentials)
credentials - of tokens and secrets
public String[] getGroupNames()
getGroups() is a less expensive alternative when checking for a contained element.
public List<String> getGroups()
public void setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authMethod)
authMethod -
public void setAuthenticationMethod(org.apache.hadoop.security.SaslRpcServer.AuthMethod authMethod)
authMethod -
public UserGroupInformation.AuthenticationMethod getAuthenticationMethod()
public UserGroupInformation.AuthenticationMethod getRealAuthenticationMethod()
public static UserGroupInformation.AuthenticationMethod getRealAuthenticationMethod(UserGroupInformation ugi)
ugi -
public boolean equals(Object o)
protected Subject getSubject()
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedAction<T> action)
T - the return type of the run method
action - the method to execute
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
T - the return type of the run method
action - the method to execute
IOException - if the action throws an IOException
Error - if the action throws an Error
RuntimeException - if the action throws a RuntimeException
InterruptedException - if the action throws an InterruptedException
UndeclaredThrowableException - if the action throws something else
public static void logAllUserInfo(UserGroupInformation ugi) throws IOException
ugi - - UGI
IOException
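An added usage example (not part of this Javadoc or the Hadoop sources) showing how the methods listed above combine in a Kerberized service: keytab login, a TGT check before doing work, and impersonation of an end user through createProxyUser and doAs. The class name, principal, keytab path and end-user name are hypothetical placeholders.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiKeytabProxyExample {
    // Hypothetical placeholders: substitute your own service principal and keytab.
    static final String SERVICE_PRINCIPAL = "svc-example/host.example.com@EXAMPLE.COM";
    static final String KEYTAB_PATH = "/etc/security/keytabs/svc-example.keytab";

    public static void main(String[] args) throws IOException, InterruptedException {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Fail closed: never fall back silently to simple (unauthenticated) identities.
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new IllegalStateException("Kerberos is not enabled; refusing to continue");
        }

        // Keep the service identity in its own UGI rather than passing raw credentials around.
        UserGroupInformation service =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, KEYTAB_PATH);

        // createRemoteUser/createProxyUser require a non-empty name, so validate first.
        String endUser = args.length > 0 ? args[0] : "alice"; // constructed sample user
        if (endUser == null || endUser.trim().isEmpty()) {
            throw new IllegalArgumentException("end user name must not be empty");
        }

        // Long-running services call this before each unit of work so an expired
        // TGT is renewed from the keytab instead of failing mid-request.
        service.checkTGTAndReloginFromKeytab();

        // The proxy UGI carries the end user as the effective identity and the
        // service as the real (authenticated) identity.
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(endUser, service);

        // The cast picks the PrivilegedExceptionAction overload of doAs.
        String seen = proxy.doAs((PrivilegedExceptionAction<String>) () -> {
            UserGroupInformation current = UserGroupInformation.getCurrentUser();
            return "effective=" + current.getShortUserName()
                + " real=" + current.getRealUser().getShortUserName()
                + " realAuth=" + current.getRealAuthenticationMethod();
        });
        System.out.println(seen); // useful as an audit log line for impersonated calls
    }
}
```

On a cluster, servers honor the proxy identity only when the service principal is permitted to impersonate through the `hadoop.proxyuser.<name>.hosts` and `hadoop.proxyuser.<name>.groups` settings in core-site.xml, so keep those lists as narrow as the service needs.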
Copyright © 2022 Apache Software Foundation. All rights reserved.