/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.security;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
import org.apache.hadoop.security.alias.LocalJavaKeyStoreProvider;
/**
* Utility methods for both key and credential provider APIs.
*
*/
public final class ProviderUtils {
private static final Log LOG = LogFactory.getLog(ProviderUtils.class);
/**
* Hidden ctor to ensure that this utility class isn't
* instantiated explicitly.
*/
private ProviderUtils() {
// hide ctor for checkstyle compliance
}
/**
* Convert a nested URI to decode the underlying path. The translation takes
* the authority and parses it into the underlying scheme and authority.
* For example, "myscheme://hdfs@nn/my/path" is converted to
* "hdfs://nn/my/path".
* @param nestedUri the URI from the nested URI
* @return the unnested path
*/
public static Path unnestUri(URI nestedUri) {
StringBuilder result = new StringBuilder();
String authority = nestedUri.getAuthority();
if (authority != null) {
String[] parts = nestedUri.getAuthority().split("@", 2);
result.append(parts[0]);
result.append("://");
if (parts.length == 2) {
result.append(parts[1]);
}
}
result.append(nestedUri.getPath());
if (nestedUri.getQuery() != null) {
result.append("?");
result.append(nestedUri.getQuery());
}
if (nestedUri.getFragment() != null) {
result.append("#");
result.append(nestedUri.getFragment());
}
return new Path(result.toString());
}
/**
* Mangle given local java keystore file URI to allow use as a
* LocalJavaKeyStoreProvider.
* @param localFile absolute URI with file scheme and no authority component.
* i.e. return of File.toURI,
* e.g. file:///home/larry/creds.jceks
* @return URI of the form localjceks://file/home/larry/creds.jceks
* @throws IllegalArgumentException if localFile isn't not a file uri or if it
* has an authority component.
* @throws URISyntaxException if the wrapping process violates RFC 2396
*/
public static URI nestURIForLocalJavaKeyStoreProvider(final URI localFile)
throws URISyntaxException {
if (!("file".equals(localFile.getScheme()))) {
throw new IllegalArgumentException("passed URI had a scheme other than " +
"file.");
}
if (localFile.getAuthority() != null) {
throw new IllegalArgumentException("passed URI must not have an " +
"authority component. For non-local keystores, please use " +
JavaKeyStoreProvider.class.getName());
}
return new URI(LocalJavaKeyStoreProvider.SCHEME_NAME,
"//file" + localFile.getSchemeSpecificPart(), localFile.getFragment());
}
/**
* There are certain integrations of the credential provider API in
* which a recursive dependency between the provider and the hadoop
* filesystem abstraction causes a problem. These integration points
* need to leverage this utility method to remove problematic provider
* types from the existing provider path within the configuration.
*
* @param config the existing configuration with provider path
* @param fileSystemClass the class which providers must be compatible
* @return Configuration clone with new provider path
*/
public static Configuration excludeIncompatibleCredentialProviders(
Configuration config, Class<? extends FileSystem> fileSystemClass)
throws IOException {
String providerPath = config.get(
CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH);
if (providerPath == null) {
return config;
}
StringBuffer newProviderPath = new StringBuffer();
String[] providers = providerPath.split(",");
Path path = null;
for (String provider: providers) {
try {
path = unnestUri(new URI(provider));
Class<? extends FileSystem> clazz = null;
try {
String scheme = path.toUri().getScheme();
clazz = FileSystem.getFileSystemClass(scheme, config);
} catch (IOException ioe) {
// not all providers are filesystem based
// for instance user:/// will not be able to
// have a filesystem class associated with it.
if (newProviderPath.length() > 0) {
newProviderPath.append(",");
}
newProviderPath.append(provider);
}
if (clazz != null) {
if (fileSystemClass.isAssignableFrom(clazz)) {
LOG.debug("Filesystem based provider" +
" excluded from provider path due to recursive dependency: "
+ provider);
} else {
if (newProviderPath.length() > 0) {
newProviderPath.append(",");
}
newProviderPath.append(provider);
}
}
} catch (URISyntaxException e) {
LOG.warn("Credential Provider URI is invalid." + provider);
}
}
String effectivePath = newProviderPath.toString();
if (effectivePath.equals(providerPath)) {
return config;
}
Configuration conf = new Configuration(config);
if (effectivePath.equals("")) {
conf.unset(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH);
} else {
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH,
effectivePath);
}
return conf;
}
}