
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.hbase;
20  
21  import java.io.IOException;
22  import java.net.UnknownHostException;
23  
24  import org.apache.commons.logging.Log;
25  import org.apache.commons.logging.LogFactory;
26  import org.apache.hadoop.conf.Configuration;
27  import org.apache.hadoop.hbase.classification.InterfaceAudience;
28  import org.apache.hadoop.hbase.classification.InterfaceStability;
29  import org.apache.hadoop.hbase.security.UserProvider;
30  import org.apache.hadoop.hbase.util.Strings;
31  import org.apache.hadoop.hbase.util.Threads;
32  import org.apache.hadoop.net.DNS;
33  import org.apache.hadoop.security.UserGroupInformation;
34  
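/**
 * Utility methods for helping with security tasks.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public class AuthUtil {
  private static final Log LOG = LogFactory.getLog(AuthUtil.class);

  /**
   * Period, in milliseconds, at which the refresh chore checks whether the TGT needs renewing.
   * Hadoop only performs the re-login once the ticket is inside its refresh window (0.8 of the
   * ticket lifetime by default), so this interval must stay well below the shortest ticket
   * lifetime in use: e.g. a 5 min ticket refreshes at 4 min, so the check should run far more
   * often than once a minute. When debugging you may raise it to avoid being spammed by
   * getTGT() log output, keeping that constraint in mind.
   */
  private static final int CHECK_TGT_INTERVAL_MS = 30 * 1000; // 30sec

  /**
   * Checks if security is enabled and if so, performs the initial keytab login and launches a
   * daemon chore that keeps the Kerberos ticket refreshed.
   * <p>
   * Security counts as enabled only when both Hadoop security and HBase security are on;
   * otherwise this method does nothing. The keytab and principal are taken from the
   * {@code hbase.client.keytab.file} and {@code hbase.client.kerberos.principal} configuration
   * keys, and the local host name (resolved through {@code hbase.client.dns.interface} and
   * {@code hbase.client.dns.nameserver}) is handed to the login so the principal can be made
   * host-specific.
   * <p>
   * The refresh chore runs on a daemon thread and its {@link Stoppable} is never exposed, so
   * once launched it keeps running for the life of the JVM. A failed re-login inside the chore
   * is logged, not propagated, and the next scheduled run tries again.
   *
   * @param conf configuration supplying the security flags and client Kerberos settings
   * @throws UnknownHostException if the local host name cannot be resolved
   * @throws IOException if the initial keytab login fails
   */
  public static void launchAuthChore(Configuration conf) throws IOException {
    UserProvider userProvider = UserProvider.instantiate(conf);
    // Both sides must be secured for there to be a ticket worth maintaining.
    boolean securityEnabled =
        userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled();
    if (!securityEnabled) {
      return;
    }

    String host = null;
    try {
      host = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
          conf.get("hbase.client.dns.interface", "default"),
          conf.get("hbase.client.dns.nameserver", "default")));
      // Initial login from the client keytab; a failure here is fatal for the caller.
      userProvider.login("hbase.client.keytab.file", "hbase.client.kerberos.principal", host);
    } catch (UnknownHostException e) {
      // Must precede the IOException handler: UnknownHostException is a subclass of it.
      LOG.error("Error resolving host name: " + e.getMessage(), e);
      throw e;
    } catch (IOException e) {
      LOG.error("Error while trying to perform the initial login: " + e.getMessage(), e);
      throw e;
    }

    // Capture the UGI of the user we just logged in; the chore refreshes this identity.
    final UserGroupInformation ugi = userProvider.getCurrent().getUGI();

    // Local stop flag for the chore. Nothing outside this method holds a reference to it,
    // so in practice the chore runs until the JVM exits.
    Stoppable stoppable = new Stoppable() {
      private volatile boolean isStopped = false;

      @Override
      public void stop(String why) {
        isStopped = true;
      }

      @Override
      public boolean isStopped() {
        return isStopped;
      }
    };

    Chore refreshCredentials = new Chore("RefreshCredentials", CHECK_TGT_INTERVAL_MS, stoppable) {
      @Override
      protected void chore() {
        try {
          // No-op unless the TGT is within its refresh window; re-logins from keytab when it is.
          ugi.checkTGTAndReloginFromKeytab();
        } catch (IOException e) {
          // Best effort: log and let the next scheduled run retry rather than kill the chore.
          LOG.error("Got exception while trying to refresh credentials: " + e.getMessage(), e);
        }
      }
    };
    // Start the chore for refreshing credentials on a daemon thread so it never blocks shutdown.
    Threads.setDaemonThreadRunning(refreshCredentials.getThread());
  }
}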