org.apache.hadoop.security
Class SecurityUtil

java.lang.Object
  extended by org.apache.hadoop.security.SecurityUtil

public class SecurityUtil
extends Object


Nested Class Summary
protected static class SecurityUtil.QualifiedHostResolver
          This is an alternate resolver with important properties that the standard Java resolver lacks: 1) The hostname is fully qualified.
 
Field Summary
static String HOSTNAME_PATTERN
           
static org.apache.commons.logging.Log LOG
           
 
Constructor Summary
SecurityUtil()
           
 
Method Summary
static String buildDTServiceName(URI uri, int defPort)
          create the service name for a Delegation token
static Text buildTokenService(InetSocketAddress addr)
          Construct the service key for a token
static void fetchServiceTicket(URL remoteHost)
          Explicitly pull the service ticket for the specified host.
static AccessControlList getAdminAcls(Configuration conf, String configKey)
          Get the ACL object representing the cluster administrators. The user who starts the daemon is automatically added as an admin.
static InetAddress getByName(String hostname)
          Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip.
static String getHostFromPrincipal(String principalName)
          Get the host name from the principal name of format /host@realm.
static String getLocalHostName()
          Get the fqdn for the current host.
static String getServerPrincipal(String principalConfig, InetAddress addr)
          Convert Kerberos principal name pattern to valid Kerberos principal names.
static String getServerPrincipal(String principalConfig, String hostname)
          Convert Kerberos principal name pattern to valid Kerberos principal names.
static InetSocketAddress getTokenServiceAddr(Token<?> token)
          Decode the given token's service field into an InetAddress
protected static boolean isOriginalTGT(String name)
           
static void login(Configuration conf, String keytabFileKey, String userNameKey)
          If a keytab has been provided, login as that user.
static void login(Configuration conf, String keytabFileKey, String userNameKey, String hostname)
          If a keytab has been provided, login as that user.
static URLConnection openSecureHttpConnection(URL url)
          Open a connection (secure if need be) to a URL in a secure environment that uses SPNEGO or KSSL to authenticate its URLs.
static void setTokenService(Token<?> token, InetSocketAddress addr)
          Set the given token's service to the format expected by the RPC client
static boolean useKsslAuth()
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

LOG

public static final org.apache.commons.logging.Log LOG

HOSTNAME_PATTERN

public static final String HOSTNAME_PATTERN
See Also:
Constant Field Values
Constructor Detail

SecurityUtil

public SecurityUtil()
Method Detail

isOriginalTGT

protected static boolean isOriginalTGT(String name)

fetchServiceTicket

public static void fetchServiceTicket(URL remoteHost)
                               throws IOException
Explicitly pull the service ticket for the specified host. This works around a problem with Java's Kerberos SSL support where the client cannot authenticate against a cross-realm service. Clients making kerberized https requests must call this method on the target URL to ensure that, in a cross-realm environment, the remote host will be successfully authenticated. This method is internal to Hadoop and should not be used by other applications. This method should not be considered stable or open: it will be removed when the Java behavior is changed.

Parameters:
remoteHost - Target URL the krb-https client will access
Throws:
IOException - if a service ticket is not available

getServerPrincipal

public static String getServerPrincipal(String principalConfig,
                                        String hostname)
                                 throws IOException
Convert a Kerberos principal name pattern to a valid Kerberos principal name. It replaces the hostname pattern with hostname, which should be a fully-qualified domain name. If hostname is null or "0.0.0.0", it uses the dynamically looked-up FQDN of the current host instead.

Parameters:
principalConfig - the Kerberos principal name conf value to convert
hostname - the fully-qualified domain name used for substitution
Returns:
converted Kerberos principal name
Throws:
IOException - if the service ticket cannot be retrieved

getServerPrincipal

public static String getServerPrincipal(String principalConfig,
                                        InetAddress addr)
                                 throws IOException
Convert a Kerberos principal name pattern to a valid Kerberos principal name. This method is similar to getServerPrincipal(String, String), except that 1) the reverse DNS lookup from addr to hostname is done only when necessary, and 2) addr must not be null (there is no fallback to the local hostname when addr is null).

Parameters:
principalConfig - Kerberos principal name pattern to convert
addr - InetAddress of the host used for substitution
Returns:
converted Kerberos principal name
Throws:
IOException - if the client address cannot be determined

getLocalHostName

public static String getLocalHostName()
                               throws UnknownHostException
Get the fqdn for the current host.

Returns:
fqdn of the current host.
Throws:
UnknownHostException - if no IP address for the local host could be found.

login

public static void login(Configuration conf,
                         String keytabFileKey,
                         String userNameKey)
                  throws IOException
If a keytab has been provided, login as that user. Substitute $host in user's Kerberos principal name with a dynamically looked-up fully-qualified domain name of the current host.

Parameters:
conf - conf to use
keytabFileKey - the key to look for keytab file in conf
userNameKey - the key to look for user's Kerberos principal name in conf
Throws:
IOException - if the client address cannot be determined

login

public static void login(Configuration conf,
                         String keytabFileKey,
                         String userNameKey,
                         String hostname)
                  throws IOException
If a keytab has been provided, login as that user. Substitute $host in user's Kerberos principal name with hostname.

Parameters:
conf - conf to use
keytabFileKey - the key to look for keytab file in conf
userNameKey - the key to look for user's Kerberos principal name in conf
hostname - hostname to use for substitution
Throws:
IOException - if login fails
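Added example (not the Hadoop project's own code) showing how a daemon uses getServerPrincipal and login together: the principal is configured with the HOSTNAME_PATTERN placeholder, SecurityUtil substitutes the node's FQDN, the result is checked with getHostFromPrincipal, and the keytab login is then performed under the substituted name. The configuration keys, the keytab path and the hostnames are assumptions, hadoop-common must be on the classpath, and login only performs a Kerberos login when hadoop.security.authentication is set to kerberos.

```java
import java.io.IOException;
import java.net.InetAddress;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example, not Hadoop code: resolve a principal pattern with
 * SecurityUtil.getServerPrincipal and log a daemon in from its keytab.
 */
public class DaemonLogin {

    // Hypothetical configuration keys; a real daemon reads its own keys.
    static final String KEYTAB_KEY = "myservice.keytab.file";
    static final String PRINCIPAL_KEY = "myservice.kerberos.principal";

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Assumed keytab path; the pattern leaves the host part to be filled in,
        // so one configuration file serves every node in the cluster.
        conf.set(KEYTAB_KEY, "/etc/security/keytabs/myservice.keytab");
        conf.set(PRINCIPAL_KEY,
                "myservice/" + SecurityUtil.HOSTNAME_PATTERN + "@EXAMPLE.COM");
        String pattern = conf.get(PRINCIPAL_KEY);

        // An explicit hostname is substituted verbatim, so it must be the FQDN
        // under which the KDC issued the service key (constructed name here).
        String explicit = SecurityUtil.getServerPrincipal(pattern, "node1.example.com");
        System.out.println("explicit host : " + explicit);

        // null (or the bind-all address "0.0.0.0") falls back to the local FQDN.
        // Check that the substituted host really is this machine's FQDN before
        // using the principal: a mismatch means the keytab login will fail.
        String local = SecurityUtil.getServerPrincipal(pattern, (String) null);
        String fqdn = SecurityUtil.getLocalHostName();
        if (!fqdn.equals(SecurityUtil.getHostFromPrincipal(local))) {
            throw new IllegalStateException(
                    "principal host does not match local FQDN " + fqdn + ": " + local);
        }
        System.out.println("local host    : " + local);

        // InetAddress overload: the reverse lookup happens only if the pattern
        // actually contains the host placeholder.
        InetAddress addr = InetAddress.getByName("node1.example.com"); // assumed resolvable
        System.out.println("from address  : " + SecurityUtil.getServerPrincipal(pattern, addr));

        // SecurityUtil.login does the same substitution internally (local FQDN for
        // this overload) and then logs in from the keytab named by KEYTAB_KEY.
        SecurityUtil.login(conf, KEYTAB_KEY, PRINCIPAL_KEY);
        System.out.println("logged in as  : "
                + UserGroupInformation.getLoginUser().getUserName());
    }
}
```

The cast to String on the null argument is needed because both getServerPrincipal overloads accept null; without it the call is ambiguous. Run this on a node whose keytab and DNS entries exist; offline, the login step will fail with an IOException as the method documents.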

getTokenServiceAddr

public static InetSocketAddress getTokenServiceAddr(Token<?> token)
Decode the given token's service field into an InetSocketAddress

Parameters:
token - from which to obtain the service
Returns:
InetSocketAddress for the service

setTokenService

public static void setTokenService(Token<?> token,
                                   InetSocketAddress addr)
Set the given token's service to the format expected by the RPC client

Parameters:
token - a delegation token
addr - the socket for the rpc connection

buildTokenService

public static Text buildTokenService(InetSocketAddress addr)
Construct the service key for a token

Parameters:
addr - InetSocketAddress of remote connection with a token
Returns:
"ip:port" or "host:port" depending on the value of hadoop.security.token.service.use_ip

buildDTServiceName

public static String buildDTServiceName(URI uri,
                                        int defPort)
create the service name for a Delegation token

Parameters:
uri - of the service
defPort - is used if the uri lacks a port
Returns:
the token service, or null if no authority
See Also:
buildTokenService(InetSocketAddress)
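Added example (not the Hadoop project's own code) showing how buildTokenService, setTokenService and getTokenServiceAddr round-trip a token's service key, and how the failure mode of an unresolvable host is handled before a key is built. The address is a constructed literal IP so the example runs without DNS; hadoop-common must be on the classpath, and whether the key reads "ip:port" or "host:port" depends on hadoop.security.token.service.use_ip in the core-site.xml that SecurityUtil loads.

```java
import java.net.InetSocketAddress;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/**
 * Added example, not Hadoop code: round-trip a delegation token's service
 * field through SecurityUtil and guard against unresolvable hosts.
 */
public class TokenServiceRoundTrip {

    /** Build the service key, refusing addresses that never resolved. */
    static Text serviceKeyFor(InetSocketAddress addr) {
        // With use_ip=true SecurityUtil needs an IP; an unresolved address
        // would make buildTokenService throw, so reject it up front with a
        // clearer message.
        if (addr.isUnresolved()) {
            throw new IllegalArgumentException(
                    "cannot build token service for unresolved host " + addr.getHostName());
        }
        return SecurityUtil.buildTokenService(addr);
    }

    public static void main(String[] args) {
        // Constructed RPC endpoint; a literal IP resolves without a DNS lookup.
        InetSocketAddress nn = new InetSocketAddress("10.0.0.5", 8020);

        Text key = serviceKeyFor(nn);
        System.out.println("service key: " + key); // "ip:port" or "host:port"

        // Stamp the same service onto an (empty) token, then decode it back.
        Token<TokenIdentifier> token = new Token<TokenIdentifier>();
        SecurityUtil.setTokenService(token, nn);
        InetSocketAddress decoded = SecurityUtil.getTokenServiceAddr(token);

        // A token is only usable against the endpoint whose key it carries, so
        // the decoded address must name the same server and port we started from.
        if (decoded.getPort() != nn.getPort()
                || !token.getService().equals(key)) {
            throw new IllegalStateException("token service mismatch: " + decoded);
        }
        System.out.println("decoded addr: " + decoded);

        // Failure mode: a hostname that cannot be resolved. The constructed
        // name below is not expected to exist.
        try {
            serviceKeyFor(new InetSocketAddress("no-such-host.invalid", 8020));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the use_ip flag is read when SecurityUtil is loaded, clients and servers in one cluster must agree on it: a token whose service was written as "ip:port" will not match a lookup keyed by "host:port".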

getAdminAcls

public static AccessControlList getAdminAcls(Configuration conf,
                                             String configKey)
Get the ACL object representing the cluster administrators. The user who starts the daemon is automatically added as an admin.

Parameters:
conf - configuration holding the ACL string
configKey - the key that holds the ACL string in its value
Returns:
AccessControlList instance
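Added example (not the Hadoop project's own code) showing getAdminAcls in use: the weak setting that grants every user admin rights is placed beside an explicit user/group list, and a small helper checks a given user against the resulting AccessControlList. The configuration key and the user and group names are assumptions; hadoop-common must be on the classpath, and the group check for a constructed user depends on the host's group mapping.

```java
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;

/**
 * Added example, not Hadoop code: evaluate an admin ACL built by
 * SecurityUtil.getAdminAcls for a weak and for a corrected setting.
 */
public class AdminAclCheck {

    // Hypothetical key; each Hadoop daemon has its own admin ACL key.
    static final String ACL_KEY = "myservice.admin.acl";

    /** True if the named user is an administrator under the configured ACL. */
    static boolean isAdmin(Configuration conf, String user) {
        AccessControlList acl = SecurityUtil.getAdminAcls(conf, ACL_KEY);
        // createRemoteUser builds a UGI without credentials; group membership
        // comes from the configured group mapping (empty if the user is unknown).
        return acl.isUserAllowed(UserGroupInformation.createRemoteUser(user));
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration();

        // Weak setting: "*" is the AccessControlList wildcard, so every
        // authenticated user becomes a cluster administrator.
        conf.set(ACL_KEY, "*");
        System.out.println("wildcard ACL, mallory is admin: " + isAdmin(conf, "mallory"));

        // Corrected setting: "users groups", comma-separated within each part,
        // a single space between them (alice, bob and the hadoop-admins group).
        conf.set(ACL_KEY, "alice,bob hadoop-admins");
        System.out.println("explicit ACL, alice is admin  : " + isAdmin(conf, "alice"));
        System.out.println("explicit ACL, mallory is admin: " + isAdmin(conf, "mallory"));

        // getAdminAcls always adds the user running this process, so the daemon
        // owner keeps administrative access even with a restrictive list.
        String self = UserGroupInformation.getCurrentUser().getShortUserName();
        System.out.println("explicit ACL, " + self + " is admin: " + isAdmin(conf, self));
    }
}
```

When auditing a cluster, the two values to look for in each daemon's admin ACL key are the wildcard and an over-broad group; the helper above gives a quick way to test a specific account against the effective list.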

getHostFromPrincipal

public static String getHostFromPrincipal(String principalName)
Get the host name from the principal name of format /host@realm.

Parameters:
principalName - principal name of format as described above
Returns:
host name if the string conforms to the above format, else null

useKsslAuth

public static boolean useKsslAuth()
Returns:
true if we should use KSSL to authenticate NN HTTP endpoints, false to use SPNEGO or if security is disabled.

openSecureHttpConnection

public static URLConnection openSecureHttpConnection(URL url)
                                              throws IOException
Open a connection (secure if need be) to a URL in a secure environment that uses SPNEGO or KSSL to authenticate its URLs. All Namenode and Secondary Namenode URLs that are protected via SPNEGO or KSSL should be accessed via this method.

Parameters:
url - to authenticate via SPNEGO.
Returns:
A connection that has been authenticated via SPNEGO
Throws:
IOException - If unable to authenticate via SPNEGO

getByName

public static InetAddress getByName(String hostname)
                             throws UnknownHostException
Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip.

Parameters:
hostname - host or ip to resolve
Returns:
a resolved host
Throws:
UnknownHostException - if the host doesn't exist


Copyright © 2009 The Apache Software Foundation