KerberosAuthorizationFilter.java example

Explorer

bigpetstore-master
- hadoop-1.2.1
  - src
- src
  - integration
    - java
      - org
        bigtop
        bigpetstore
        integration
        BigPetStoreHiveIT.java
        BigPetStoreMahoutIT.java
        BigPetStorePigIT.java
        ITUtils.java
  - main
    - java
      - org
        bigtop
        bigpetstore
        clustering
        BPSRecommnder.java
        MahoutClusterTransactionsByRegion.java
        contract
        PetStoreStatistics.java
        etl
        CrunchETL.java
        HiveViewCreator.java
        LineItem.java
        PigCSVCleaner.java
        generator
        BPSGenerator.java
        GeneratePetStoreTransactionsInputFormat.java
        PetStoreTransaction.java
        PetStoreTransactionInputSplit.java
        TransactionIteratorFactory.java
        util
        BigPetStoreConstants.java
        DeveloperTools.java
        NumericalIdUtils.java
        Pair.java
        PetStoreParseFunctions.java
        StringUtils.java
  - test
    - java
      - org
        bigtop
        bigpetstore
        docs
        TestDocs.java
        generator
        TestNumericalIdUtils.java
        TestPetStoreTransactionGeneratorJob.java

/**
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */


package org.apache.hadoop.hdfsproxy;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.security.UserGroupInformation;

import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import java.io.IOException;
import java.util.Arrays;

/**
 * This filter is required for hdfsproxies connecting to HDFS
 * with kerberos authentication. Keytab file and principal to
 * use for proxy user is retrieved from a configuration file.
 * If user attribute in ldap doesn't kerberos realm, the 
 * default realm is picked up from configuration. 
 */
public class KerberosAuthorizationFilter extends AuthorizationFilter {

  private String defaultRealm;

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
    super.init(filterConfig);
    Configuration conf = new Configuration(false);
    conf.addResource("hdfsproxy-default.xml");
    conf.addResource("hdfsproxy-site.xml");
    initializeUGI(conf);
    initDefaultRealm(conf);
  }

  private void initializeUGI(Configuration conf) {
    try {
      conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
          "kerberos");

      UserGroupInformation.setConfiguration(conf);
      UserGroupInformation.loginUserFromKeytab(
          conf.get("hdfsproxy.kerberos.principal"),
          conf.get("hdfsproxy.kerberos.keytab"));

      LOG.info(contextPath + " :: Logged in user: " +
          UserGroupInformation.getLoginUser().getUserName() +
          ", Current User: " + UserGroupInformation.getCurrentUser().getUserName());

    } catch (IOException e) {
      throw new RuntimeException("Unable to initialize credentials", e);
    }
  }

  private void initDefaultRealm(Configuration conf) {
    defaultRealm = conf.get("hdfsproxy.kerberos.default.realm","");
  }

  @Override
  /** If the userid does not have realm, add the default realm */
  protected String getUserId(ServletRequest request) {
    String userId =  super.getUserId(request);
    return userId +
        (userId.indexOf('@') > 0 ? "" : defaultRealm);
  }

  @Override
  protected String getGroups(ServletRequest request) {
    UserGroupInformation ugi = UserGroupInformation.
        createRemoteUser(getUserId(request));
    return Arrays.toString(ugi.getGroupNames());
  }
}