| blob | 95dfdd206ec8c946d07cc624fa283886e1353809 |
1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 */
34 /**
35 * Utility methods for helping with security tasks. Downstream users
36 * may rely on this class to handle authenticating via keytab where
37 * long running services need access to a secure HBase cluster.
38 *
39 * Callers must ensure:
40 *
41 * <ul>
42 * <li>HBase configuration files are in the Classpath
43 * <li>hbase.client.keytab.file points to a valid keytab on the local filesystem
44 * <li>hbase.client.kerberos.principal gives the Kerberos principal to use
45 * </ul>
46 *
47 * <pre>
48 * {@code
49 * ChoreService choreService = null;
50 * // Presumes HBase configuration files are on the classpath
51 * final Configuration conf = HBaseConfiguration.create();
52 * final ScheduledChore authChore = AuthUtil.getAuthChore(conf);
53 * if (authChore != null) {
54 * choreService = new ChoreService("MY_APPLICATION");
55 * choreService.scheduleChore(authChore);
56 * }
57 * try {
58 * // do application work
59 * } finally {
60 * if (choreService != null) {
61 * choreService.shutdown();
62 * }
63 * }
64 * }
65 * </pre>
66 *
67 * See the "Running Canary in a Kerberos-enabled Cluster" section of the HBase Reference Guide for
68 * an example of configuring a user of this Auth Chore to run on a secure cluster.
69 * <pre>
70 * </pre>
71 * This class will be internal used only from 2.2.0 version, and will transparently work
72 * for kerberized applications. For more, please refer
73 * <a href="http://hbase.apache.org/book.html#hbase.secure.configuration">Client-side Configuration for Secure Operation</a>
74 *
75 * @deprecated since 2.2.0, to be marked as
76 * {@link org.apache.yetus.audience.InterfaceAudience.Private} in 4.0.0.
77 * @see <a href="https://issues.apache.org/jira/browse/HBASE-20886">HBASE-20886</a>
78 */
79 @Deprecated
84 /** Prefix character to denote group names */
87 /** Client keytab file */
90 /** Client principal */
93 /** Configuration to automatically try to renew keytab-based logins */
94 public static final String HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY = "hbase.client.keytab.automatic.renewal";
99 }
101 /**
102 * For kerberized cluster, return login user (from kinit or from keytab if specified).
103 * For non-kerberized cluster, return system user.
104 * @param conf configuartion file
105 * @return user
106 * @throws IOException login exception
107 */
117 // There's already a login user.
118 // But we should avoid misuse credentials which is a dangerous security issue,
119 // so here check whether user specified a keytab and a principal:
120 // 1. Yes, check if user principal match.
121 // a. match, just return.
122 // b. mismatch, login using keytab.
123 // 2. No, user may login through kinit, this is the old way, also just return.
127 }
130 // Kerberos is on and client specify a keytab and principal, but client doesn't login yet.
132 }
133 }
135 }
143 }
145 }
155 }
157 }
159 /**
160 * For kerberized cluster, return login user (from kinit or from keytab).
161 * Principal should be the following format: name/fully.qualified.domain.name@REALM.
162 * For non-kerberized cluster, return system user.
163 * <p>
164 * NOT recommend to use to method unless you're sure what you're doing, it is for canary only.
165 * Please use User#loginClient.
166 * @param conf configuration file
167 * @return user
168 * @throws IOException login exception
169 */
179 }
186 }
187 }
189 }
191 /**
192 * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
193 * @return a ScheduledChore for renewals.
194 */
196 public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user, Configuration conf) {
199 }
202 // if you're in debug mode this is useful to avoid getting spammed by the getTGT()
203 // you can increase this, keeping in mind that the default refresh window is 0.8
204 // e.g. 5min tgt * 0.8 = 4min refresh so interval is better be way less than 1min
207 @Override
213 }
214 }
215 };
216 }
218 /**
219 * Checks if security is enabled and if so, launches chore for refreshing kerberos ticket.
220 * @param conf the hbase service configuration
221 * @return a ScheduledChore for renewals, if needed, and null otherwise.
222 * @deprecated Deprecated since 2.2.0, this method will be
223 * {@link org.apache.yetus.audience.InterfaceAudience.Private} use only after 4.0.0.
224 * @see <a href="https://issues.apache.org/jira/browse/HBASE-20886">HBASE-20886</a>
225 */
226 @Deprecated
230 }
233 }
239 @Override
242 }
244 @Override
247 }
248 };
249 }
251 /**
252 * Returns whether or not the given name should be interpreted as a group
253 * principal. Currently this simply checks if the name starts with the
254 * special group prefix character ("@").
255 */
259 }
261 /**
262 * Returns the actual name for a group principal (stripped of the
263 * group prefix).
264 */
269 }
272 }
274 /**
275 * Returns the group entry with the group prefix for a group principal.
276 */
280 }
282 /**
283 * Returns true if the chore to automatically renew Kerberos tickets (from
284 * keytabs) should be started. The default is true.
285 */
288 HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT);
289 }
290 }