Package org.apache.hadoop.security

Class SecurityUtil

java.lang.Object
org.apache.hadoop.security.SecurityUtil

@Public @Evolving public final class SecurityUtil extends Object
Security Utils.
  • Method Details

    • setConfiguration

      @Public @Evolving public static void setConfiguration(Configuration conf)
    • setTokenServiceUseIp

      @Private @VisibleForTesting public static void setTokenServiceUseIp(boolean flag)
      For use only by tests and initialization.
      Parameters:
      flag - flag.
    • isOriginalTGT

      protected static boolean isOriginalTGT(KerberosTicket ticket)
      Check whether the server principal is the TGS's principal
      Parameters:
      ticket - the original TGT (the ticket that is obtained when a kinit is done)
      Returns:
      true or false
    • getServerPrincipal

      @Public @Evolving public static String getServerPrincipal(String principalConfig, String hostname) throws IOException
      Convert a Kerberos principal name pattern into a concrete Kerberos principal name. The hostname pattern _HOST in the second component (e.g. nn/_HOST@REALM) is replaced with hostname, which should be a fully-qualified domain name. If hostname is null or "0.0.0.0", the dynamically looked-up FQDN of the current host is used instead. A value that does not contain the pattern is returned unchanged.
      Parameters:
      principalConfig - the Kerberos principal name conf value to convert
      hostname - the fully-qualified domain name used for substitution
      Returns:
      converted Kerberos principal name
      Throws:
      IOException - if the client address cannot be determined
    • getServerPrincipal

      @Public @Evolving public static String getServerPrincipal(String principalConfig, InetAddress addr) throws IOException
      Convert a Kerberos principal name pattern into a concrete Kerberos principal name. This method is similar to getServerPrincipal(String, String), except that 1) the reverse DNS lookup from addr to a hostname is done only when the pattern is actually present, and 2) addr must not be null (there is no fallback to the local hostname).
      Parameters:
      principalConfig - Kerberos principal name pattern to convert
      addr - InetAddress of the host used for substitution
      Returns:
      converted Kerberos principal name
      Throws:
      IOException - if the client address cannot be determined
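The following is an added example, not Hadoop's own code, showing how a _HOST pattern is expanded by getServerPrincipal and the check a client should make on the result. The principal pattern, host names and realm are constructed for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;

import org.apache.hadoop.security.SecurityUtil;

/**
 * Added example (not part of Hadoop): expand the _HOST pattern with
 * SecurityUtil.getServerPrincipal and verify that the resulting principal
 * names the host we intend to talk to. All names below are constructed.
 */
public class ServerPrincipalExample {

    // Constructed: the kind of value found under a *.kerberos.principal key.
    static final String PATTERN = "nn/_HOST@EXAMPLE.COM";

    /** Expand PATTERN for a known fully-qualified host name. */
    static String forHost(String fqdn) throws IOException {
        return SecurityUtil.getServerPrincipal(PATTERN, fqdn);
    }

    /** Expand PATTERN for a resolved address; reverse DNS runs only because _HOST is present. */
    static String forAddr(InetAddress addr) throws IOException {
        return SecurityUtil.getServerPrincipal(PATTERN, addr);
    }

    /**
     * Client-side check: the server principal must name the host in our
     * configuration, otherwise Kerberos mutual authentication is being
     * pointed at a different service than the one we think we are contacting.
     */
    static String principalForExpectedHost(String expectedFqdn) throws IOException {
        String principal = forHost(expectedFqdn);
        String hostInPrincipal = SecurityUtil.getHostFromPrincipal(principal);
        if (!expectedFqdn.toLowerCase().equals(hostInPrincipal)) {
            throw new IllegalStateException("principal host mismatch: " + principal);
        }
        return principal;
    }

    public static void main(String[] args) throws IOException {
        // 1. Normal case: _HOST is replaced by the (lowercased) FQDN passed in.
        System.out.println(forHost("NN1.Example.com"));

        // 2. A config value without the pattern is returned unchanged, whatever host is passed.
        System.out.println(SecurityUtil.getServerPrincipal(
                "nn/fixed.example.com@EXAMPLE.COM", "other.example.com"));

        // 3. null or "0.0.0.0" falls back to this JVM's own FQDN. That is what a
        //    server wants when binding its own principal; it is wrong for a client
        //    that wants the *remote* server's principal, so never pass a wildcard
        //    bind address through on the client side.
        System.out.println(forHost("0.0.0.0"));

        // 4. Checked expansion used by a client before opening a connection.
        System.out.println(principalForExpectedHost("nn1.example.com"));
    }
}
```

Step 4 is the practitioner's guard: getServerPrincipal trusts whatever hostname it is given, so a caller that derives the hostname from untrusted input (a URI, a redirect) should confirm the expanded principal still names the endpoint it configured.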
    • login

      @Public @Evolving public static void login(Configuration conf, String keytabFileKey, String userNameKey) throws IOException
      Login as a principal specified in config. Substitutes the _HOST pattern in the user's Kerberos principal name with the dynamically looked-up fully-qualified domain name of the current host.
      Parameters:
      conf - conf to use
      keytabFileKey - the key to look for keytab file in conf
      userNameKey - the key to look for user's Kerberos principal name in conf
      Throws:
      IOException - if login fails
    • login

      @Public @Evolving public static void login(Configuration conf, String keytabFileKey, String userNameKey, String hostname) throws IOException
      Login as a principal specified in config. Substitutes the _HOST pattern in the user's Kerberos principal name with hostname. In non-secure mode (hadoop.security.authentication is not kerberos) the method returns without logging in; in secure mode it throws if no keytab is configured.
      Parameters:
      conf - conf to use
      keytabFileKey - the key to look for keytab file in conf
      userNameKey - the key to look for user's Kerberos principal name in conf
      hostname - hostname to use for substitution
      Throws:
      IOException - if the config doesn't specify a keytab
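An added example (not Hadoop's own code) of a daemon logging in from a keytab with SecurityUtil.login. The configuration keys myservice.keytab.file and myservice.kerberos.principal, the keytab path and the principal are hypothetical; a real service uses its own keys. The point it shows is that login returns silently in non-secure mode, so a service that must never run unauthenticated has to check the resulting login state itself.

```java
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example (not part of Hadoop). Keys, keytab path and principal are
 * hypothetical values constructed for this illustration.
 */
public class KeytabLoginExample {
    static final String KEYTAB_KEY = "myservice.keytab.file";
    static final String PRINCIPAL_KEY = "myservice.kerberos.principal";

    /**
     * Log in from the keytab and refuse to continue unless the daemon ended up
     * with a keytab-backed Kerberos identity.
     */
    static UserGroupInformation loginOrFail(Configuration conf, String fqdn) throws IOException {
        // UGI reads hadoop.security.authentication from this configuration.
        UserGroupInformation.setConfiguration(conf);

        // Returns without doing anything in non-secure mode; throws in secure
        // mode if KEYTAB_KEY is unset. Neither case is a "login failed" signal
        // on its own, hence the explicit checks below.
        SecurityUtil.login(conf, KEYTAB_KEY, PRINCIPAL_KEY, fqdn);

        if (!UserGroupInformation.isSecurityEnabled()) {
            throw new IOException("hadoop.security.authentication is not kerberos; "
                    + "refusing to run unauthenticated");
        }
        if (!UserGroupInformation.isLoginKeytabBased()) {
            throw new IOException("login user is not keytab based; credentials cannot be renewed");
        }
        return UserGroupInformation.getLoginUser();
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set(KEYTAB_KEY, "/etc/security/keytabs/myservice.keytab"); // constructed path
        conf.set(PRINCIPAL_KEY, "myservice/_HOST@EXAMPLE.COM");          // constructed principal

        // fqdn replaces _HOST; pass the name the KDC knows this host by, not
        // a bind address such as 0.0.0.0.
        UserGroupInformation ugi = loginOrFail(conf, "svc1.example.com");
        System.out.println("logged in as " + ugi.getUserName());
    }
}
```

Running this requires a reachable KDC and a keytab containing the expanded principal; the value of the example is the ordering (setConfiguration, login, then verify), which is what prevents a misconfigured deployment from starting with the OS user as its identity.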
    • buildDTServiceName

      public static String buildDTServiceName(URI uri, int defPort)
      create the service name for a Delegation token
      Parameters:
      uri - of the service
      defPort - is used if the uri lacks a port
      Returns:
      the token service, or null if the uri has no authority
    • getHostFromPrincipal

      public static String getHostFromPrincipal(String principalName)
      Get the host name from a principal name of the form service/host@realm.
      Parameters:
      principalName - principal name of format as described above
      Returns:
      host name if the string conforms to the above format, else null
    • setSecurityInfoProviders

      @Private public static void setSecurityInfoProviders(org.apache.hadoop.security.SecurityInfo... providers)
      Test setup method to register additional providers.
      Parameters:
      providers - a list of high priority providers to use
    • getKerberosInfo

      public static org.apache.hadoop.security.KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf)
      Look up the KerberosInfo for a given protocol. It searches all known SecurityInfo providers.
      Parameters:
      protocol - the protocol class to get the information for
      conf - configuration object
      Returns:
      the KerberosInfo or null if it has no KerberosInfo defined
    • getClientPrincipal

      public static String getClientPrincipal(Class<?> protocol, Configuration conf)
      Look up the client principal for a given protocol. It searches all known SecurityInfo providers.
      Parameters:
      protocol - the protocol class to get the information for
      conf - configuration object
      Returns:
      client principal or null if it has no client principal defined.
    • getTokenInfo

      public static TokenInfo getTokenInfo(Class<?> protocol, Configuration conf)
      Look up the TokenInfo for a given protocol. It searches all known SecurityInfo providers.
      Parameters:
      protocol - The protocol class to get the information for.
      conf - Configuration object
      Returns:
      the TokenInfo or null if the protocol has no TokenInfo defined
    • getTokenServiceAddr

      public static InetSocketAddress getTokenServiceAddr(Token<?> token)
      Decode the given token's service field into an InetSocketAddress
      Parameters:
      token - from which to obtain the service
      Returns:
      InetSocketAddress for the service
    • setTokenService

      public static void setTokenService(Token<?> token, InetSocketAddress addr)
      Set the given token's service to the format expected by the RPC client
      Parameters:
      token - a delegation token
      addr - the socket for the rpc connection
    • buildTokenService

      public static Text buildTokenService(InetSocketAddress addr)
      Construct the service key for a token
      Parameters:
      addr - InetSocketAddress of remote connection with a token
      Returns:
      "ip:port" or "host:port" depending on the value of hadoop.security.token.service.use_ip
    • buildTokenService

      public static Text buildTokenService(URI uri)
      Construct the service key for a token
      Parameters:
      uri - of remote connection with a token
      Returns:
      "ip:port" or "host:port" depending on the value of hadoop.security.token.service.use_ip
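The following is an added example, not Hadoop's own code, showing what the token service key looks like under each setting of hadoop.security.token.service.use_ip, the failure when an unresolved address is used in IP mode, and the setTokenService / getTokenServiceAddr round trip. The addresses are constructed so that the example runs without DNS.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/**
 * Added example (not part of Hadoop). Host names and IP addresses are
 * constructed for illustration and never looked up.
 */
public class TokenServiceExample {

    /** Apply a use_ip setting and build the service key for addr under it. */
    static Text serviceFor(boolean useIp, InetSocketAddress addr) {
        Configuration conf = new Configuration();
        conf.setBoolean("hadoop.security.token.service.use_ip", useIp);
        SecurityUtil.setConfiguration(conf);
        return SecurityUtil.buildTokenService(addr);
    }

    public static void main(String[] args) throws Exception {
        // Constructed: a resolved address (no DNS) and an unresolved host name.
        InetAddress ip = InetAddress.getByAddress("nn1.example.com", new byte[] {10, 0, 0, 7});
        InetSocketAddress resolved = new InetSocketAddress(ip, 8020);
        InetSocketAddress byName = InetSocketAddress.createUnresolved("NN1.example.com", 8020);

        // use_ip=true (the default): key is ip:port, so a token is bound to the
        // address the client resolved, not to the name in its configuration.
        System.out.println("use_ip=true : " + serviceFor(true, resolved));

        // use_ip=false: key is lowercased host:port, so the same token matches
        // the service across address changes (needed behind multi-homed hosts
        // or DNS round-robin), at the cost of binding to a name instead.
        System.out.println("use_ip=false: " + serviceFor(false, byName));

        // In IP mode an unresolved address has no IP to put in the key; the
        // call fails loudly rather than silently emitting a name-based key.
        try {
            serviceFor(true, byName);
            throw new IllegalStateException("expected rejection of unresolved address");
        } catch (IllegalArgumentException e) {
            System.out.println("unresolved address rejected: " + e.getMessage());
        }

        // Round trip: the service written by setTokenService is what the RPC
        // client later uses to select a token for a connection to that address.
        Token<TokenIdentifier> token = new Token<>();
        SecurityUtil.setConfiguration(new Configuration()); // back to the default use_ip=true
        SecurityUtil.setTokenService(token, resolved);
        InetSocketAddress back = SecurityUtil.getTokenServiceAddr(token);
        if (!ip.equals(back.getAddress()) || back.getPort() != 8020) {
            throw new IllegalStateException("service round trip failed: " + token.getService());
        }
        System.out.println("token service " + token.getService() + " decodes to " + back);
    }
}
```

The setting is cluster-wide: a token issued with one value of use_ip will not match connections made by a client running with the other, so the flag must agree between the service issuing tokens and every client presenting them.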
    • doAsLoginUserOrFatal

      public static <T> T doAsLoginUserOrFatal(PrivilegedAction<T> action)
      Perform the given action as the daemon's login user. If the login user cannot be determined, this will log a FATAL error and exit the whole JVM.
      Type Parameters:
      T - generic type T.
      Parameters:
      action - action.
      Returns:
      generic type T.
    • doAsLoginUser

      public static <T> T doAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException
      Perform the given action as the daemon's login user. If an InterruptedException is thrown, it is converted to an IOException.
      Type Parameters:
      T - generic type T.
      Parameters:
      action - the action to perform
      Returns:
      the result of the action
      Throws:
      IOException - in the event of error
    • doAsCurrentUser

      public static <T> T doAsCurrentUser(PrivilegedExceptionAction<T> action) throws IOException
      Perform the given action as the daemon's current user. If an InterruptedException is thrown, it is converted to an IOException.
      Type Parameters:
      T - generic type T.
      Parameters:
      action - the action to perform
      Returns:
      the result of the action
      Throws:
      IOException - in the event of error
    • getByName

      @Private public static InetAddress getByName(String hostname) throws UnknownHostException
      Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip. Optionally logs slow resolutions.
      Parameters:
      hostname - host or ip to resolve
      Returns:
      a resolved host
      Throws:
      UnknownHostException - if the host doesn't exist
    • getAuthenticationMethod

      public static UserGroupInformation.AuthenticationMethod getAuthenticationMethod(Configuration conf)
    • setAuthenticationMethod

      public static void setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authenticationMethod, Configuration conf)
    • isPrivilegedPort

      public static boolean isPrivilegedPort(int port)
    • getZKAuthInfos

      public static List<org.apache.hadoop.util.ZKUtil.ZKAuthInfo> getZKAuthInfos(Configuration conf, String configKey) throws IOException
      Utility method to fetch ZK auth info from the configuration.
      Parameters:
      conf - configuration.
      configKey - config key.
      Returns:
      ZKAuthInfo List.
      Throws:
      IOException - if the Zookeeper ACLs configuration file cannot be read
      org.apache.hadoop.util.ZKUtil.BadAuthFormatException - if the auth format is invalid
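An added example, not Hadoop's own code, of loading ZooKeeper auth info with getZKAuthInfos. The configuration key myservice.zookeeper.auth and the digest credential are hypothetical; the auth file is constructed at run time. It shows the "@file" indirection that keeps the secret out of the XML configuration, and what a malformed entry does.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.List;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.util.ZKUtil;

/**
 * Added example (not part of Hadoop). The config key and the credential
 * are hypothetical; the auth file is created here for the illustration.
 */
public class ZkAuthExample {
    static final String AUTH_KEY = "myservice.zookeeper.auth";

    static List<ZKUtil.ZKAuthInfo> load(Configuration conf) throws IOException {
        return SecurityUtil.getZKAuthInfos(conf, AUTH_KEY);
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration();

        // 1. Secret kept in a file readable only by the service user; the
        //    config value is "@<path>", which getZKAuthInfos resolves.
        Path authFile = Files.createTempFile("zk-auth", ".txt");
        try {
            Files.setPosixFilePermissions(authFile, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException ignored) {
            // non-POSIX filesystem; tighten permissions another way in production
        }
        Files.write(authFile, "digest:myservice:s3cret\n".getBytes(StandardCharsets.UTF_8)); // constructed
        conf.set(AUTH_KEY, "@" + authFile);

        for (ZKUtil.ZKAuthInfo info : load(conf)) {
            // Log the scheme only; the auth bytes are the credential.
            System.out.println("scheme=" + info.getScheme() + " authBytes=" + info.getAuth().length);
        }

        // 2. Unset key: no auth info, and therefore an unauthenticated ZK session.
        //    A service that requires authenticated ZK access should treat an
        //    empty list as a configuration error.
        conf.unset(AUTH_KEY);
        if (load(conf).isEmpty()) {
            System.out.println("no ZK auth configured");
        }

        // 3. Malformed entry (not scheme:auth) is rejected with BadAuthFormatException.
        conf.set(AUTH_KEY, "digest-missing-separator");
        try {
            load(conf);
            throw new IllegalStateException("expected BadAuthFormatException");
        } catch (ZKUtil.BadAuthFormatException e) {
            System.out.println("rejected malformed auth entry: " + e.getMessage());
        } finally {
            Files.deleteIfExists(authFile);
        }
    }
}
```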
    • validateSslConfiguration

      public static void validateSslConfiguration(org.apache.hadoop.security.SecurityUtil.TruststoreKeystore truststoreKeystore) throws ConfigurationException
      Throws:
      ConfigurationException
    • setSslConfiguration

      public static void setSslConfiguration(org.apache.zookeeper.client.ZKClientConfig zkClientConfig, org.apache.hadoop.security.SecurityUtil.TruststoreKeystore truststoreKeystore) throws ConfigurationException
      Configure ZooKeeper Client with SSL/TLS connection.
      Parameters:
      zkClientConfig - ZooKeeper Client configuration
      truststoreKeystore - truststore keystore, that we use to set the SSL configurations
      Throws:
      ConfigurationException - if the SSL configs are empty
    • setSslConfiguration

      public static void setSslConfiguration(org.apache.zookeeper.client.ZKClientConfig zkClientConfig, org.apache.hadoop.security.SecurityUtil.TruststoreKeystore truststoreKeystore, org.apache.zookeeper.common.ClientX509Util x509Util) throws ConfigurationException
      Throws:
      ConfigurationException