| blob | d8d4f788ab106894a4727d4e720259bd4f88f89a |
1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 */
34 /**
35 * Utility methods for helping with security tasks. Downstream users
36 * may rely on this class to handle authenticating via keytab where
37 * long running services need access to a secure HBase cluster.
38 *
39 * Callers must ensure:
40 *
41 * <ul>
42 * <li>HBase configuration files are in the Classpath
43 * <li>hbase.client.keytab.file points to a valid keytab on the local filesystem
44 * <li>hbase.client.kerberos.principal gives the Kerberos principal to use
45 * </ul>
46 *
47 * <pre>
48 * {@code
49 * ChoreService choreService = null;
50 * // Presumes HBase configuration files are on the classpath
51 * final Configuration conf = HBaseConfiguration.create();
52 * final ScheduledChore authChore = AuthUtil.getAuthChore(conf);
53 * if (authChore != null) {
54 * choreService = new ChoreService("MY_APPLICATION");
55 * choreService.scheduleChore(authChore);
56 * }
57 * try {
58 * // do application work
59 * } finally {
60 * if (choreService != null) {
61 * choreService.shutdown();
62 * }
63 * }
64 * }
65 * </pre>
66 *
67 * See the "Running Canary in a Kerberos-enabled Cluster" section of the HBase Reference Guide for
68 * an example of configuring a user of this Auth Chore to run on a secure cluster.
69 * <pre>
70 * </pre>
71 * This class will be internal used only from 2.2.0 version, and will transparently work
72 * for kerberized applications. For more, please refer
73 * <a href="http://hbase.apache.org/book.html#hbase.secure.configuration">Client-side Configuration for Secure Operation</a>
74 *
75 * @deprecated since 2.2.0, to be marked as
76 * {@link org.apache.yetus.audience.InterfaceAudience.Private} in 4.0.0.
77 * @see <a href="https://issues.apache.org/jira/browse/HBASE-20886">HBASE-20886</a>
78 */
79 @Deprecated
84 /** Prefix character to denote group names */
87 /** Client keytab file */
90 /** Client principal */
95 }
97 /**
98 * For kerberized cluster, return login user (from kinit or from keytab if specified).
99 * For non-kerberized cluster, return system user.
100 * @param conf configuartion file
101 * @return user
102 * @throws IOException login exception
103 */
113 // There's already a login user.
114 // But we should avoid misuse credentials which is a dangerous security issue,
115 // so here check whether user specified a keytab and a principal:
116 // 1. Yes, check if user principal match.
117 // a. match, just return.
118 // b. mismatch, login using keytab.
119 // 2. No, user may login through kinit, this is the old way, also just return.
123 }
126 // Kerberos is on and client specify a keytab and principal, but client doesn't login yet.
128 }
129 }
131 }
139 }
141 }
151 }
153 }
155 /**
156 * For kerberized cluster, return login user (from kinit or from keytab).
157 * Principal should be the following format: name/fully.qualified.domain.name@REALM.
158 * For non-kerberized cluster, return system user.
159 * <p>
160 * NOT recommend to use to method unless you're sure what you're doing, it is for canary only.
161 * Please use User#loginClient.
162 * @param conf configuration file
163 * @return user
164 * @throws IOException login exception
165 */
175 }
182 }
183 }
185 }
187 /**
188 * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
189 * @return a ScheduledChore for renewals.
190 */
195 }
198 // if you're in debug mode this is useful to avoid getting spammed by the getTGT()
199 // you can increase this, keeping in mind that the default refresh window is 0.8
200 // e.g. 5min tgt * 0.8 = 4min refresh so interval is better be way less than 1min
203 @Override
209 }
210 }
211 };
212 }
214 /**
215 * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
216 * @param conf the hbase service configuration
217 * @return a ScheduledChore for renewals, if needed, and null otherwise.
218 * @deprecated Deprecated since 2.2.0, this method will be
219 * {@link org.apache.yetus.audience.InterfaceAudience.Private} use only after 4.0.0.
220 * @see <a href="https://issues.apache.org/jira/browse/HBASE-20886">HBASE-20886</a>
221 */
222 @Deprecated
226 }
232 @Override
235 }
237 @Override
240 }
241 };
242 }
244 /**
245 * Returns whether or not the given name should be interpreted as a group
246 * principal. Currently this simply checks if the name starts with the
247 * special group prefix character ("@").
248 */
252 }
254 /**
255 * Returns the actual name for a group principal (stripped of the
256 * group prefix).
257 */
262 }
265 }
267 /**
268 * Returns the group entry with the group prefix for a group principal.
269 */
273 }
274 }