pig-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From da...@apache.org
Subject svn commit: r1735518 - /pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java
Date Thu, 17 Mar 2016 22:50:03 GMT
Author: daijy
Date: Thu Mar 17 22:50:03 2016
New Revision: 1735518

URL: http://svn.apache.org/viewvc?rev=1735518&view=rev
Log:
PIG-4796: Authenticate with Kerberos using a keytab file

Added:
    pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java

Added: pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java
URL: http://svn.apache.org/viewvc/pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java?rev=1735518&view=auto
==============================================================================
--- pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java (added)
+++ pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java Thu Mar 17 22:50:03 2016
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.pig.backend.hadoop;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import java.io.IOException;
+
+/**
+ * Support for logging in using a kerberos keytab file.
+ *
+ * <br/>
+ * Kerberos is a authentication system that uses tickets with a limited valitity time.<br/>
+ * As a consequence running a pig script on a kerberos secured hadoop cluster limits the
running time to at most
+ * the remaining validity time of these kerberos tickets. When doing really complex analytics
this may become a
+ * problem as the job may need to run for a longer time than these ticket times allow.<br/>
+ * A kerberos keytab file is essentially a Kerberos specific form of the password of a user.
<br/>
+ * It is possible to enable a Hadoop job to request new tickets when they expire by creating
a keytab file and
+ * make it part of the job that is running in the cluster.
+ * This will extend the maximum job duration beyond the maximum renew time of the kerberos
tickets.<br/>
+ * <br/>
+ * Usage:
+ * <ol>
+ *      <li>Create a keytab file for the required principal.<br/>
+ *      <p>Using the ktutil tool you can create a keytab using roughly these commands:<br/>
+ *      <i>addent -password -p niels@EXAMPLE.NL -k 1 -e rc4-hmac<br/>
+ *      addent -password -p niels@EXAMPLE.NL -k 1 -e aes256-cts<br/>
+ *      wkt niels.keytab</i></p>
+ *      </li>
+ *      <li>Set the following properties (either via the .pigrc file or on the command
line via -P file)<br/>
+ *          <ul>
+ *          <li><i>java.security.krb5.conf</i><br/>
+ *              The path to the local krb5.conf file.<br/>
+ *              Usually this is "/etc/krb5.conf"</li>
+ *          <li><i>hadoop.security.krb5.principal</i><br/>
+ *              The pricipal you want to login with.<br/>
+ *              Usually this would look like this "niels@EXAMPLE.NL"</li>
+ *          <li><i>hadoop.security.krb5.keytab</i><br/>
+ *              The path to the local keytab file that must be used to authenticate with.<br/>
+ *              Usually this would look like this "/home/niels/.krb/niels.keytab"</li>
+ *          </ul></li>
+ * </ol>
+ * NOTE: All paths in these variables are local to the client system starting the actual
pig script.
+ * This can be run without any special access to the cluster nodes.
+ */
+public class HKerberos {
+    private static final Log LOG = LogFactory.getLog(HKerberos.class);
+
+    public static void tryKerberosKeytabLogin(Configuration conf) {
+        // Before we can actually connect we may need to login using the provided credentials.
+        if (UserGroupInformation.isSecurityEnabled()) {
+            UserGroupInformation loginUser;
+            try {
+                loginUser = UserGroupInformation.getLoginUser();
+            } catch (IOException e) {
+                LOG.error("Unable to start attempt to login using Kerberos keytab: " + e.getMessage());
+                return;
+            }
+
+            // If we are logged in into Kerberos with a keytab we can skip this to avoid
needless logins
+            if (!loginUser.hasKerberosCredentials() && !loginUser.isFromKeytab())
{
+                String krb5Conf      = conf.get("java.security.krb5.conf");
+                String krb5Principal = conf.get("hadoop.security.krb5.principal");
+                String krb5Keytab    = conf.get("hadoop.security.krb5.keytab");
+
+                // Only attempt login if we have all the required settings.
+                if (krb5Conf != null && krb5Principal != null && krb5Keytab
!= null) {
+                    LOG.info("Trying login using Kerberos Keytab");
+                    LOG.info("krb5: Conf      = " + krb5Conf);
+                    LOG.info("krb5: Principal = " + krb5Principal);
+                    LOG.info("krb5: Keytab    = " + krb5Keytab);
+                    System.setProperty("java.security.krb5.conf", krb5Conf);
+                    try {
+                        UserGroupInformation.loginUserFromKeytab(krb5Principal, krb5Keytab);
+                    } catch (IOException e) {
+                        LOG.error("Unable to perform keytab based kerberos authentication:
" + e.getMessage());
+                    }
+                }
+            }
+        }
+    }
+
+}



Mime
View raw message