Posted to commits@accumulo.apache.org by el...@apache.org on 2014/12/22 20:17:48 UTC

[4/9] accumulo git commit: Merge branch '1.5' into 1.6

Merge branch '1.5' into 1.6


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/c3280461
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/c3280461
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/c3280461

Branch: refs/heads/1.6
Commit: c328046150b492fd583008ee09aa23c022a88a87
Parents: 42d651e 37ed176
Author: Josh Elser <el...@apache.org>
Authored: Mon Dec 22 13:40:42 2014 -0500
Committer: Josh Elser <el...@apache.org>
Committed: Mon Dec 22 13:40:42 2014 -0500

----------------------------------------------------------------------
 .../accumulo/core/security/SecurityUtil.java    | 80 -------------------
 .../accumulo/server/security/SecurityUtil.java  | 83 ++++++++++++++++++++
 2 files changed, 83 insertions(+), 80 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/c3280461/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
----------------------------------------------------------------------
diff --cc server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
index 0000000,88e70cd..684efc3
mode 000000,100644..100644
--- a/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
+++ b/server/src/main/java/org/apache/accumulo/server/security/SecurityUtil.java
@@@ -1,0 -1,91 +1,83 @@@
+ /*
+  * Licensed to the Apache Software Foundation (ASF) under one or more
+  * contributor license agreements.  See the NOTICE file distributed with
+  * this work for additional information regarding copyright ownership.
+  * The ASF licenses this file to You under the Apache License, Version 2.0
+  * (the "License"); you may not use this file except in compliance with
+  * the License.  You may obtain a copy of the License at
+  *
+  *     http://www.apache.org/licenses/LICENSE-2.0
+  *
+  * Unless required by applicable law or agreed to in writing, software
+  * distributed under the License is distributed on an "AS IS" BASIS,
+  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  */
+ package org.apache.accumulo.core.security;
+ 
+ import java.io.IOException;
+ import java.net.InetAddress;
+ 
+ import org.apache.accumulo.core.conf.AccumuloConfiguration;
+ import org.apache.accumulo.core.conf.Property;
+ import org.apache.hadoop.security.UserGroupInformation;
+ import org.apache.log4j.Logger;
+ 
+ /**
+  * 
+  */
+ public class SecurityUtil {
+   private static final Logger log = Logger.getLogger(SecurityUtil.class);
 -  private static final String ACCUMULO_HOME = "ACCUMULO_HOME", ACCUMULO_CONF_DIR = "ACCUMULO_CONF_DIR";
+   public static boolean usingKerberos = false;
+ 
+   /**
+    * This method is for logging a server in kerberos. If this is used in client code, it will fail unless run as the accumulo keytab's owner. Instead, use
+    * {@link #login(String, String)}
+    */
 -  public static void serverLogin() {
 -    @SuppressWarnings("deprecation")
 -    AccumuloConfiguration acuConf = AccumuloConfiguration.getSiteConfiguration();
 -    String keyTab = acuConf.get(Property.GENERAL_KERBEROS_KEYTAB);
++  public static void serverLogin(AccumuloConfiguration acuConf) {
++    String keyTab = acuConf.getPath(Property.GENERAL_KERBEROS_KEYTAB);
+     if (keyTab == null || keyTab.length() == 0)
+       return;
+     
+     usingKerberos = true;
 -    if (keyTab.contains("$" + ACCUMULO_HOME) && System.getenv(ACCUMULO_HOME) != null)
 -      keyTab = keyTab.replace("$" + ACCUMULO_HOME, System.getenv(ACCUMULO_HOME));
 -    
 -    if (keyTab.contains("$" + ACCUMULO_CONF_DIR) && System.getenv(ACCUMULO_CONF_DIR) != null)
 -      keyTab = keyTab.replace("$" + ACCUMULO_CONF_DIR, System.getenv(ACCUMULO_CONF_DIR));
+     
+     String principalConfig = acuConf.get(Property.GENERAL_KERBEROS_PRINCIPAL);
+     if (principalConfig == null || principalConfig.length() == 0)
+       return;
+     
+     if (login(principalConfig, keyTab)) {
+       try {
+         // This spawns a thread to periodically renew the logged in (accumulo) user
+         UserGroupInformation.getLoginUser();
+         return;
+       } catch (IOException io) {
+         log.error("Error starting up renewal thread. This shouldn't be happenining.", io);
+       }
+     }
+ 
+     throw new RuntimeException("Failed to perform Kerberos login for " + principalConfig + " using  " + keyTab);
+   }
+   
+   /**
+    * This will log in the given user in kerberos.
+    * 
+    * @param principalConfig
+    *          This is the principals name in the format NAME/HOST@REALM. {@link org.apache.hadoop.security.SecurityUtil#HOSTNAME_PATTERN} will automatically be
+    *          replaced by the systems host name.
+    * @return true if login succeeded, otherwise false
+    */
+   public static boolean login(String principalConfig, String keyTabPath) {
+     try {
+       String principalName = org.apache.hadoop.security.SecurityUtil.getServerPrincipal(principalConfig, InetAddress.getLocalHost().getCanonicalHostName());
+       if (keyTabPath != null && principalName != null && keyTabPath.length() != 0 && principalName.length() != 0) {
+         UserGroupInformation.loginUserFromKeytab(principalName, keyTabPath);
+         log.info("Succesfully logged in as user " + principalConfig);
+         return true;
+       }
+     } catch (IOException io) {
+       log.error("Error logging in user " + principalConfig + " using keytab at " + keyTabPath, io);
+     }
+     return false;
+   }
+ }
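Review bot: In `serverLogin`, `usingKerberos = true` is assigned before the principal is checked and before `login(principalConfig, keyTab)` runs, so the early `return` taken when `Property.GENERAL_KERBEROS_PRINCIPAL` is null or empty leaves the public static flag set although no Kerberos login was attempted. If other code reads `usingKerberos` to decide whether the process is authenticated (not visible in this hunk), a keytab-only misconfiguration would look like a working Kerberos setup and the server would start without any error. I would move the assignment to after `login(...)` returns true and fail loudly on the half-configured case, e.g. `throw new IllegalStateException("Kerberos keytab configured without a principal");` in place of the second bare `return`. The `RuntimeException` thrown at the end of the method also drops the `IOException` that `login` caught, so the log line is the only place the real cause is recorded.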