Class User

java.lang.Object
org.apache.hadoop.hbase.security.User
Direct Known Subclasses:
AccessChecker.InputUser, User.SecureHadoopUser

@Public public abstract class User extends Object
Wrapper to abstract out usage of user and group information in HBase.

This class provides a common interface for interacting with user and group information across changing APIs in different versions of Hadoop. It only provides access to the common set of functionality in UserGroupInformation currently needed by HBase, but can be extended as needs change.

  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static final class 
    User.SecureHadoopUser
    Bridges User invocations to underlying calls to UserGroupInformation for secure Hadoop 0.20 and versions 0.21 and above.
    static class 
     
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
     
    static final String
     
    protected org.apache.hadoop.security.UserGroupInformation
     
  • Constructor Summary

    Constructors
    Constructor
    Description
    User()
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    addToken(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token)
    Adds the given Token to the user's credentials.
    static User
    create(org.apache.hadoop.security.UserGroupInformation ugi)
    Wraps an underlying UserGroupInformation instance.
    static User
    createUserForTesting(org.apache.hadoop.conf.Configuration conf, String name, String[] groups)
    Generates a new User instance specifically for use in test code.
    boolean
    equals(Object o)
     
    static User
    getCurrent()
    Returns the User instance within current execution context.
    String[]
    getGroupNames()
    Returns the list of groups of which this user is a member.
    String
    getName()
    Returns the full user name.
    abstract String
    getShortName()
    Returns the shortened version of the user name -- the portion that maps to an operating system user name.
    org.apache.hadoop.security.token.Token<?>
    getToken(String kind, String service)
    Returns the Token of the specified kind associated with this user, or null if the Token is not present.
    Collection<org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier>>
    getTokens()
    Returns all the tokens stored in the user's credentials.
    org.apache.hadoop.security.UserGroupInformation
    getUGI()
     
    int
    hashCode()
     
    static boolean
    isHBaseSecurityEnabled(org.apache.hadoop.conf.Configuration conf)
    Returns whether or not secure authentication is enabled for HBase.
    boolean
    isLoginFromKeytab()
    Returns true if user credentials are obtained from keytab.
    static boolean
    isSecurityEnabled()
    Returns whether or not Kerberos authentication is configured for Hadoop.
    static void
    login(String keytabLocation, String pricipalName)
    Login with the given keytab and principal.
    static void
    login(org.apache.hadoop.conf.Configuration conf, String fileConfKey, String principalConfKey, String localhost)
    Log in the current process using the given configuration keys for the credential file and login principal.
    abstract <T> T
    runAs(PrivilegedAction<T> action)
    Executes the given action within the context of this user.
    abstract <T> T
    runAs(PrivilegedExceptionAction<T> action)
    Executes the given action within the context of this user.
    static <T> T
    runAsLoginUser(PrivilegedExceptionAction<T> action)
    Executes the given action as the login user.
    static boolean
    shouldLoginFromKeytab(org.apache.hadoop.conf.Configuration conf)
    In a secure environment, if a user has specified a keytab and principal, the HBase client will try to log in with them.
    String
    toString()
     

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait
  • Field Details

  • Constructor Details

    • User

      public User()
  • Method Details

    • getUGI

      public org.apache.hadoop.security.UserGroupInformation getUGI()
    • getName

      public String getName()
      Returns the full user name. For Kerberos principals this will include the host and realm portions of the principal name.
      Returns:
      User full name.
    • getGroupNames

      public String[] getGroupNames()
      Returns the list of groups of which this user is a member. On secure Hadoop this returns the group information for the user as resolved on the server. For 0.20 based Hadoop, the group names are passed from the client.
    • getShortName

      public abstract String getShortName()
      Returns the shortened version of the user name -- the portion that maps to an operating system user name.
      Returns:
      Short name
    • runAs

      public abstract <T> T runAs(PrivilegedAction<T> action)
      Executes the given action within the context of this user.
    • runAs

      public abstract <T> T runAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
      Executes the given action within the context of this user.
      Throws:
      IOException
      InterruptedException
    • getToken

      public org.apache.hadoop.security.token.Token<?> getToken(String kind, String service) throws IOException
      Returns the Token of the specified kind associated with this user, or null if the Token is not present.
      Parameters:
      kind - the kind of token
      service - service on which the token is supposed to be used
      Returns:
      the token of the specified kind.
      Throws:
      IOException
    • getTokens

      public Collection<org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier>> getTokens()
      Returns all the tokens stored in the user's credentials.
    • addToken

      public void addToken(org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token)
      Adds the given Token to the user's credentials.
      Parameters:
      token - the token to add
    • isLoginFromKeytab

      public boolean isLoginFromKeytab()
      Returns true if user credentials are obtained from keytab.
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • getCurrent

      public static User getCurrent() throws IOException
      Returns the User instance within current execution context.
      Throws:
      IOException
    • runAsLoginUser

      public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws IOException
      Executes the given action as the login user.
      Throws:
      IOException
    • create

      public static User create(org.apache.hadoop.security.UserGroupInformation ugi)
      Wraps an underlying UserGroupInformation instance.
      Parameters:
      ugi - The base Hadoop user
    • createUserForTesting

      public static User createUserForTesting(org.apache.hadoop.conf.Configuration conf, String name, String[] groups)
      Generates a new User instance specifically for use in test code.
      Parameters:
      name - the full username
      groups - the group names to which the test user will belong
      Returns:
      a new User instance
    • login

      public static void login(org.apache.hadoop.conf.Configuration conf, String fileConfKey, String principalConfKey, String localhost) throws IOException
      Log in the current process using the given configuration keys for the credential file and login principal.

      This is only applicable when running on secure Hadoop -- see org.apache.hadoop.security.SecurityUtil#login(Configuration,String,String,String). On regular Hadoop (without security features), this will safely be ignored.

      Parameters:
      conf - The configuration data to use
      fileConfKey - Property key used to configure path to the credential file
      principalConfKey - Property key used to configure login principal
      localhost - Current hostname to use in any credentials
      Throws:
      IOException - underlying exception from SecurityUtil.login() call
    • login

      public static void login(String keytabLocation, String pricipalName) throws IOException
      Login with the given keytab and principal.
      Parameters:
      keytabLocation - path of keytab
      pricipalName - login principal
      Throws:
      IOException - underlying exception from UserGroupInformation.loginUserFromKeytab
    • isSecurityEnabled

      public static boolean isSecurityEnabled()
      Returns whether or not Kerberos authentication is configured for Hadoop. For non-secure Hadoop, this always returns false. For secure Hadoop, it will return the value from UserGroupInformation.isSecurityEnabled().
    • isHBaseSecurityEnabled

      public static boolean isHBaseSecurityEnabled(org.apache.hadoop.conf.Configuration conf)
      Returns whether or not secure authentication is enabled for HBase. Note that HBase security requires HDFS security to provide any guarantees, so it is recommended that secure HBase should run on secure HDFS.
    • shouldLoginFromKeytab

      public static boolean shouldLoginFromKeytab(org.apache.hadoop.conf.Configuration conf)
      In a secure environment, if a user has specified a keytab and principal, the HBase client will try to log in with them. Otherwise, the HBase client will try to obtain a ticket (through kinit) from the system.
      Parameters:
      conf - configuration file
      Returns:
      true if keytab and principal are configured
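
Example (added here; not part of the HBase documentation or project code): a client start-up check that fails closed unless Kerberos is enabled for both Hadoop and HBase, then follows the keytab-or-ticket-cache decision described for shouldLoginFromKeytab and confirms the resulting identity through runAs. The class name, the helper loginOrFail and the two property names are assumptions; use the keys your deployment defines.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.UserGroupInformation;

public class SecureClientPreflight {
  // Assumed property names for the client keytab path and principal.
  static final String KEYTAB_KEY = "hbase.client.keytab.file";
  static final String PRINCIPAL_KEY = "hbase.client.keytab.principal";

  /** Hypothetical helper: refuse to run insecurely, then resolve the user. */
  static User loginOrFail(Configuration conf) throws IOException {
    // Make UserGroupInformation read the same configuration HBase uses.
    UserGroupInformation.setConfiguration(conf);
    // HBase security gives no guarantees without Hadoop security underneath.
    if (!User.isSecurityEnabled() || !User.isHBaseSecurityEnabled(conf)) {
      throw new IOException("Kerberos must be enabled for both Hadoop and HBase");
    }
    if (User.shouldLoginFromKeytab(conf)) {
      // Keytab and principal are configured: log the process in with them.
      String host = InetAddress.getLocalHost().getCanonicalHostName();
      User.login(conf, KEYTAB_KEY, PRINCIPAL_KEY, host);
    }
    // Otherwise the credentials come from the ticket cache (kinit).
    User user = User.getCurrent();
    if (user == null) {
      throw new IOException("No user in the current execution context");
    }
    return user;
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = HBaseConfiguration.create();
    User user = loginOrFail(conf);
    System.out.println("full name:   " + user.getName());
    System.out.println("short name:  " + user.getShortName());
    System.out.println("from keytab: " + user.isLoginFromKeytab());

    // The cast selects the PrivilegedExceptionAction overload; a bare lambda
    // is ambiguous between the two runAs signatures.
    String inner = user.runAs(
        (PrivilegedExceptionAction<String>) () -> User.getCurrent().getName());
    System.out.println("inside runAs: " + inner);
  }
}
```

Logging the full name, the short name and isLoginFromKeytab() at start-up gives operators a record of which principal the process actually authenticated as and by which path.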