/*
* Copyright 2017 LinkedIn Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*
*/package azkaban.storage;
importstatic azkaban.Constants.ConfigurationKeys.AZKABAN_KERBEROS_PRINCIPAL;
importstatic azkaban.Constants.ConfigurationKeys.AZKABAN_KEYTAB_PATH;
importstatic java.util.Objects.requireNonNull;
import azkaban.spi.AzkabanException;
import azkaban.utils.Props;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.log4j.Logger;
/**
* This class helps in HDFS authorization and is a wrapper over Hadoop's {@link
* UserGroupInformation} class.
*/@SingletonpublicclassHdfsAuth{
privatestaticfinal Logger log = Logger.getLogger(HdfsAuth.class);
privatefinalboolean isSecurityEnabled;
private UserGroupInformation loggedInUser = null;
private String keytabPath = null;
private String keytabPrincipal = null;
@InjectpublicHdfsAuth(final Props props, final Configuration conf){
UserGroupInformation.setConfiguration(conf);
this.isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
if (this.isSecurityEnabled) {
log.info("The Hadoop cluster has enabled security");
this.keytabPath = requireNonNull(props.getString(AZKABAN_KEYTAB_PATH));
this.keytabPrincipal = requireNonNull(props.getString(AZKABAN_KERBEROS_PRINCIPAL));
}
}
/**
* API to authorize HDFS access. This logins in the configured user via the keytab. If the user is
* already logged in then it renews the TGT.
*/publicvoidauthorize(){
if (this.isSecurityEnabled) {
try {
login(this.keytabPrincipal, this.keytabPath);
} catch (final IOException e) {
log.error(e);
thrownew AzkabanException(String.format(
"Error: Unable to authorize to Hadoop. Principal: %s Keytab: %s", this.keytabPrincipal,
this.keytabPath));
}
}
}
privatevoidlogin(final String keytabPrincipal, final String keytabPath)throws IOException {
if (this.loggedInUser == null) {
log.info(
String.format("Logging in using Principal: %s Keytab: %s", keytabPrincipal, keytabPath));
UserGroupInformation.loginUserFromKeytab(keytabPrincipal, keytabPath);
this.loggedInUser = UserGroupInformation.getLoginUser();
log.info(String.format("User %s logged in.", this.loggedInUser));
} else {
log.info(String.format("User %s already logged in. Refreshing TGT", this.loggedInUser));
this.loggedInUser.checkTGTAndReloginFromKeytab();
}
}
}