Posted to commits@accumulo.apache.org by el...@apache.org on 2013/12/18 22:59:55 UTC

[1/2] git commit: ACCUMULO-2058 Add shell env interpolation for ACCUMULO_CONF_DIR when extracting kerberos keytab value.

Updated Branches:
  refs/heads/1.5.1-SNAPSHOT 2d97b875a -> 001fdd69b


ACCUMULO-2058 Add shell env interpolation for ACCUMULO_CONF_DIR when extracting kerberos keytab value.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/559b18bc
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/559b18bc
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/559b18bc

Branch: refs/heads/1.5.1-SNAPSHOT
Commit: 559b18bc73225ea2cc779ec727c8f49b29ab2924
Parents: adee0f1
Author: Josh Elser <el...@apache.org>
Authored: Wed Dec 18 16:30:31 2013 -0500
Committer: Josh Elser <el...@apache.org>
Committed: Wed Dec 18 16:30:31 2013 -0500

----------------------------------------------------------------------
 .../org/apache/accumulo/server/security/SecurityUtil.java    | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/559b18bc/src/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
----------------------------------------------------------------------
diff --git a/src/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java b/src/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
index 94dcd1b..2d1ff53 100644
--- a/src/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
+++ b/src/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
@@ -29,6 +29,7 @@ import org.apache.log4j.Logger;
  */
 public class SecurityUtil {
   private static final Logger log = Logger.getLogger(SecurityUtil.class);
+  private static final String ACCUMULO_HOME = "ACCUMULO_HOME", ACCUMULO_CONF_DIR = "ACCUMULO_CONF_DIR";
 
   /**
    * This method is for logging a server in kerberos. If this is used in client code, it will fail unless run as the accumulo keytab's owner. Instead, use
@@ -40,8 +41,11 @@ public class SecurityUtil {
     String keyTab = acuConf.get(Property.GENERAL_KERBEROS_KEYTAB);
     if (keyTab == null || keyTab.length() == 0)
       return;
-    if (keyTab.contains("$ACCUMULO_HOME") && System.getenv("ACCUMULO_HOME") != null)
-      keyTab = keyTab.replace("$ACCUMULO_HOME", System.getenv("ACCUMULO_HOME"));
+    if (keyTab.contains("$" + ACCUMULO_HOME) && System.getenv(ACCUMULO_HOME) != null)
+      keyTab = keyTab.replace("$" + ACCUMULO_HOME, System.getenv(ACCUMULO_HOME));
+    
+    if (keyTab.contains("$" + ACCUMULO_CONF_DIR) && System.getenv(ACCUMULO_CONF_DIR) != null)
+      keyTab = keyTab.replace("$" + ACCUMULO_CONF_DIR, System.getenv(ACCUMULO_CONF_DIR));
     
     String principalConfig = acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL);
     if (principalConfig == null || principalConfig.length() == 0)
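Review bot: When `$ACCUMULO_CONF_DIR` (or `$ACCUMULO_HOME`) appears in the keytab value but the variable is not set, both new `if` blocks are skipped silently and the literal placeholder is kept in the keytab path, so the failure surfaces later, presumably in the login call outside this hunk, as a missing file. Because this path selects the credential the server authenticates with, a warning naming the unset variable would make a misconfigured environment visible where it happens. The two blocks are identical apart from the variable name, so a small private helper could hold the check once; the same lines recur in the merge commit's core/.../SecurityUtil.java further down. `serverLogin` starts before and continues after this hunk.

```java
    // … unchanged: keytab lookup and empty check …
    keyTab = expandEnv(keyTab, ACCUMULO_HOME);
    keyTab = expandEnv(keyTab, ACCUMULO_CONF_DIR);
    // … unchanged: principal lookup …

  // new private helper in SecurityUtil
  private static String expandEnv(String value, String name) {
    String token = "$" + name;
    if (!value.contains(token))
      return value;
    String env = System.getenv(name);
    if (env == null) {
      // keep the original fall-through, but make the unset variable visible
      log.warn(token + " is used in " + Property.GENERAL_KERBEROS_KEYTAB + " but is not set in the environment");
      return value;
    }
    return value.replace(token, env);
  }
```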


[2/2] git commit: Merge branch '1.4.5-SNAPSHOT' into 1.5.1-SNAPSHOT

Posted by el...@apache.org.
Merge branch '1.4.5-SNAPSHOT' into 1.5.1-SNAPSHOT

Conflicts:
	core/src/main/java/org/apache/accumulo/core/security/SecurityUtil.java


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/001fdd69
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/001fdd69
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/001fdd69

Branch: refs/heads/1.5.1-SNAPSHOT
Commit: 001fdd69b694236335f98127f7b07636a12a6329
Parents: 2d97b87 559b18b
Author: Josh Elser <el...@apache.org>
Authored: Wed Dec 18 16:33:25 2013 -0500
Committer: Josh Elser <el...@apache.org>
Committed: Wed Dec 18 16:33:25 2013 -0500

----------------------------------------------------------------------
 .../org/apache/accumulo/core/security/SecurityUtil.java     | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/001fdd69/core/src/main/java/org/apache/accumulo/core/security/SecurityUtil.java
----------------------------------------------------------------------
diff --cc core/src/main/java/org/apache/accumulo/core/security/SecurityUtil.java
index 8add1a7,0000000..672e784
mode 100644,000000..100644
--- a/core/src/main/java/org/apache/accumulo/core/security/SecurityUtil.java
+++ b/core/src/main/java/org/apache/accumulo/core/security/SecurityUtil.java
@@@ -1,84 -1,0 +1,89 @@@
 +/*
 + * Licensed to the Apache Software Foundation (ASF) under one or more
 + * contributor license agreements.  See the NOTICE file distributed with
 + * this work for additional information regarding copyright ownership.
 + * The ASF licenses this file to You under the Apache License, Version 2.0
 + * (the "License"); you may not use this file except in compliance with
 + * the License.  You may obtain a copy of the License at
 + *
 + *     http://www.apache.org/licenses/LICENSE-2.0
 + *
 + * Unless required by applicable law or agreed to in writing, software
 + * distributed under the License is distributed on an "AS IS" BASIS,
 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 + * See the License for the specific language governing permissions and
 + * limitations under the License.
 + */
 +package org.apache.accumulo.core.security;
 +
 +import java.io.IOException;
 +import java.net.InetAddress;
 +
 +import org.apache.accumulo.core.conf.AccumuloConfiguration;
 +import org.apache.accumulo.core.conf.Property;
 +import org.apache.hadoop.security.UserGroupInformation;
 +import org.apache.log4j.Logger;
 +
 +/**
 + * 
 + */
 +public class SecurityUtil {
 +  private static final Logger log = Logger.getLogger(SecurityUtil.class);
++  private static final String ACCUMULO_HOME = "ACCUMULO_HOME", ACCUMULO_CONF_DIR = "ACCUMULO_CONF_DIR";
 +  public static boolean usingKerberos = false;
++
 +  /**
 +   * This method is for logging a server in kerberos. If this is used in client code, it will fail unless run as the accumulo keytab's owner. Instead, use
 +   * {@link #login(String, String)}
 +   */
 +  public static void serverLogin() {
 +    @SuppressWarnings("deprecation")
 +    AccumuloConfiguration acuConf = AccumuloConfiguration.getSiteConfiguration();
 +    String keyTab = acuConf.get(Property.GENERAL_KERBEROS_KEYTAB);
 +    if (keyTab == null || keyTab.length() == 0)
 +      return;
 +    
 +    usingKerberos = true;
-     if (keyTab.contains("$ACCUMULO_HOME") && System.getenv("ACCUMULO_HOME") != null)
-       keyTab = keyTab.replace("$ACCUMULO_HOME", System.getenv("ACCUMULO_HOME"));
++    if (keyTab.contains("$" + ACCUMULO_HOME) && System.getenv(ACCUMULO_HOME) != null)
++      keyTab = keyTab.replace("$" + ACCUMULO_HOME, System.getenv(ACCUMULO_HOME));
++    
++    if (keyTab.contains("$" + ACCUMULO_CONF_DIR) && System.getenv(ACCUMULO_CONF_DIR) != null)
++      keyTab = keyTab.replace("$" + ACCUMULO_CONF_DIR, System.getenv(ACCUMULO_CONF_DIR));
 +    
 +    String principalConfig = acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL);
 +    if (principalConfig == null || principalConfig.length() == 0)
 +      return;
 +    
 +    if (login(principalConfig, keyTab)) {
 +      try {
 +        // This spawns a thread to periodically renew the logged in (accumulo) user
 +        UserGroupInformation.getLoginUser();
 +      } catch (IOException io) {
 +        log.error("Error starting up renewal thread. This shouldn't be happenining.", io);
 +      }
 +    }
 +  }
 +  
 +  /**
 +   * This will log in the given user in kerberos.
 +   * 
 +   * @param principalConfig
 +   *          This is the principals name in the format NAME/HOST@REALM. {@link org.apache.hadoop.security.SecurityUtil#HOSTNAME_PATTERN} will automatically be
 +   *          replaced by the systems host name.
 +   * @param keyTabPath
 +   * @return true if login succeeded, otherwise false
 +   */
 +  public static boolean login(String principalConfig, String keyTabPath) {
 +    try {
 +      String principalName = org.apache.hadoop.security.SecurityUtil.getServerPrincipal(principalConfig, InetAddress.getLocalHost().getCanonicalHostName());
 +      if (keyTabPath != null && principalName != null && keyTabPath.length() != 0 && principalName.length() != 0) {
 +        UserGroupInformation.loginUserFromKeytab(principalName, keyTabPath);
 +        log.info("Succesfully logged in as user " + principalConfig);
 +        return true;
 +      }
 +    } catch (IOException io) {
 +      log.error("Error logging in user " + principalConfig + " using keytab at " + keyTabPath, io);
 +    }
 +    return false;
 +  }
 +}
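Review bot: `usingKerberos` is set to `true` in `serverLogin()` as soon as a keytab is configured, before the principal check and before `login(principalConfig, keyTab)` returns, so it stays `true` when the principal is missing or the login fails. If callers read the flag as "logged in" rather than "configured" (they are not visible here), setting it inside the `if (login(principalConfig, keyTab))` branch would match that meaning. The field is also a public, non-final, non-volatile static, so any class can reassign it; a private field behind a getter would be safer, and a comment such as `// true once a kerberos keytab is configured; does not imply a successful login` would at least pin the current meaning. Separately, `login` logs `principalConfig` rather than the resolved `principalName`, and `@param keyTabPath` has no description.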