org.apache.nifi.hadoop

Class SecurityUtil

java.lang.Object

org.apache.nifi.hadoop.SecurityUtil

public class SecurityUtil
extends Object

Provides synchronized access to UserGroupInformation to avoid multiple processors/services from interfering with each other.

Field Summary

Fields

Modifier and Type	Field and Description
static String	HADOOP_SECURITY_AUTHENTICATION
static String	KERBEROS

Constructor Summary

Constructors

Constructor and Description
SecurityUtil()

Method Summary

Modifier and Type	Method and Description
static org.apache.hadoop.security.UserGroupInformation	getUgiForKerberosUser(org.apache.hadoop.conf.Configuration config, KerberosUser kerberosUser) Authenticates a KerberosUser and acquires a UserGroupInformation instance using UserGroupInformation.getUGIFromSubject(Subject).
static boolean	isSecurityEnabled(org.apache.hadoop.conf.Configuration config) Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.isSecurityEnabled().
static org.apache.hadoop.security.UserGroupInformation	loginKerberos(org.apache.hadoop.conf.Configuration config, String principal, String keyTab) Initializes UserGroupInformation with the given Configuration and performs the login for the given principal and keytab.
static org.apache.hadoop.security.UserGroupInformation	loginSimple(org.apache.hadoop.conf.Configuration config) Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.getLoginUser().

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

HADOOP_SECURITY_AUTHENTICATION

public static final String HADOOP_SECURITY_AUTHENTICATION

See Also:

Constant Field Values

KERBEROS

public static final String KERBEROS

See Also:

Constant Field Values

Constructor Detail

SecurityUtil

public SecurityUtil()

Method Detail

loginKerberos

public static org.apache.hadoop.security.UserGroupInformation loginKerberos(org.apache.hadoop.conf.Configuration config,
                                                                            String principal,
                                                                            String keyTab)
                                                                     throws IOException

Initializes UserGroupInformation with the given Configuration and performs the login for the given principal and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying UserGroupInformation.

As of Apache NiFi 1.5.0, this method uses UserGroupInformation.loginUserFromKeytab(String, String) to authenticate the given principal, which sets the static variable loginUser in the UserGroupInformation instance. Setting loginUser is necessary for Client.Connection.handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation) to be able to attempt a relogin during a connection failure. The handleSaslConnectionFailure method calls UserGroupInformation.getLoginUser().reloginFromKeytab() statically, which can return null if loginUser is not set, resulting in failure of the hadoop operation.

In previous versions of NiFi, UserGroupInformation.loginUserFromKeytabAndReturnUGI(String, String) was used to authenticate the principal, which does not set loginUser, making it impossible for a Client.Connection.handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation) to be able to implicitly relogin the principal.

Parameters:

config - the configuration instance

principal - the principal to authenticate as

keyTab - the keytab to authenticate with

Returns:

the UGI for the given principal

Throws:

IOException - if login failed

getUgiForKerberosUser

public static org.apache.hadoop.security.UserGroupInformation getUgiForKerberosUser(org.apache.hadoop.conf.Configuration config,
                                                                                    KerberosUser kerberosUser)
                                                                             throws IOException

Authenticates a KerberosUser and acquires a UserGroupInformation instance using UserGroupInformation.getUGIFromSubject(Subject). The UserGroupInformation will use the given Configuration.

Parameters:

config - The Configuration to apply to the acquired UserGroupInformation instance

kerberosUser - The KerberosUser to authenticate

Returns:

A UserGroupInformation instance created using the Subject of the given KerberosUser

Throws:

IOException - if authentication fails

loginSimple

public static org.apache.hadoop.security.UserGroupInformation loginSimple(org.apache.hadoop.conf.Configuration config)
                                                                   throws IOException

Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.getLoginUser(). All logins should happen through this class to ensure other threads are not concurrently modifying UserGroupInformation.

Parameters:

config - the configuration instance

Returns:

the UGI for the given principal

Throws:

IOException - if login failed

isSecurityEnabled

public static boolean isSecurityEnabled(org.apache.hadoop.conf.Configuration config)

Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.isSecurityEnabled(). All checks for isSecurityEnabled() should happen through this method.

Parameters:

config - the given configuration

Returns:

true if kerberos is enabled on the given configuration, false otherwise