package com.thinkbiganalytics.nifi.security;
/*-
* #%L
* thinkbig-nifi-security-api
* %%
* Copyright (C) 2017 ThinkBig Analytics
* %%
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* #L%
*/
import org.apache.commons.lang3.Validate;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.logging.ComponentLog;
import java.io.IOException;
/**
* Provides synchronized access to UserGroupInformation to avoid multiple processors/services from
* interfering with each other.
*/
public class SecurityUtil {
/**
* Initializes UserGroupInformation with the given Configuration and performs the login for the given principal
* and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying
* UserGroupInformation.
*
* @param config the configuration instance
* @param principal the principal to authenticate as
* @param keyTab the keytab to authenticate with
* @return the UGI for the given principal
* @throws IOException if login failed
*/
public static synchronized UserGroupInformation loginKerberos(final Configuration config, final String principal, final String keyTab)
throws IOException {
Validate.notNull(config);
Validate.notNull(principal);
Validate.notNull(keyTab);
config.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(config);
return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal.trim(), keyTab.trim());
}
/**
* Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.getLoginUser().
* All logins should happen through this class to ensure other threads are not concurrently modifying
* UserGroupInformation.
*
* @param config the configuration instance
* @return the UGI for the given principal
* @throws IOException if login failed
*/
public static synchronized UserGroupInformation loginSimple(final Configuration config) throws IOException {
Validate.notNull(config);
UserGroupInformation.setConfiguration(config);
return UserGroupInformation.getLoginUser();
}
/**
* Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.isSecurityEnabled().
*
* All checks for isSecurityEnabled() should happen through this method.
*
* @param config the given configuration
* @return true if kerberos is enabled on the given configuration, false otherwise
*/
public static boolean isSecurityEnabled(final Configuration config) {
Validate.notNull(config);
return "kerberos".equalsIgnoreCase(config.get("hadoop.security.authentication"));
}
/**
* Start a thread that periodically attempts to renew the current Kerberos user's ticket.
*
* Callers of this method should store the reference to the KerberosTicketRenewer and call stop() to stop the thread.
*
* @param id The unique identifier to use for the thread, can be the class name that started the thread (i.e. PutHDFS, etc)
* @param ugi The current Kerberos user.
* @param renewalPeriod The amount of time between attempting renewals.
* @param logger The logger to use with in the renewer
* @return the KerberosTicketRenewer Runnable
*/
public static KerberosTicketRenewer startTicketRenewalThread(final String id, final UserGroupInformation ugi, final long renewalPeriod, final ComponentLog logger) {
final KerberosTicketRenewer renewer = new KerberosTicketRenewer(ugi, renewalPeriod, logger);
final Thread t = new Thread(renewer);
t.setName("Kerberos Ticket Renewal [" + id + "]");
t.start();
return renewer;
}
}