SecurityUtil (nifi-hadoop-utils 1.16.1 API)

java.lang.Object
- org.apache.nifi.hadoop.SecurityUtil

```
public class SecurityUtil
extends Object
```
Provides synchronized access to UserGroupInformation to avoid multiple processors/services from interfering with each other.

Field Summary

Fields
Modifier and Type Field and Description

static String HADOOP_SECURITY_AUTHENTICATION

static String KERBEROS

Fields
Modifier and Type	Field and Description
`static String`	`HADOOP_SECURITY_AUTHENTICATION`
`static String`	`KERBEROS`

Constructor Summary

Constructors
Constructor and Description

SecurityUtil()

Constructors
Constructor and Description
`SecurityUtil()`

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static <T> T`	`callWithUgi(org.apache.hadoop.security.UserGroupInformation ugi, PrivilegedExceptionAction<T> action)` Helper method to execute the given action as the given user.
`static void`	`checkTGTAndRelogin(ComponentLog log, KerberosUser kerberosUser)` Helper method to call checkTGTAndRelogin on a given KerberosUser that may be null.
`static org.apache.hadoop.security.UserGroupInformation`	`getUgiForKerberosUser(org.apache.hadoop.conf.Configuration config, KerberosUser kerberosUser)` Authenticates a `KerberosUser` and acquires a `UserGroupInformation` instance using `UserGroupInformation.getUGIFromSubject(Subject)`.
`static boolean`	`isSecurityEnabled(org.apache.hadoop.conf.Configuration config)` Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.isSecurityEnabled().
`static org.apache.hadoop.security.UserGroupInformation`	`loginKerberos(org.apache.hadoop.conf.Configuration config, String principal, String keyTab)` Initializes UserGroupInformation with the given Configuration and performs the login for the given principal and keytab.
`static org.apache.hadoop.security.UserGroupInformation`	`loginSimple(org.apache.hadoop.conf.Configuration config)` Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.getLoginUser().

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - HADOOP_SECURITY_AUTHENTICATION
```
public static final String HADOOP_SECURITY_AUTHENTICATION
```
    See Also:
    
    Constant Field Values
  - KERBEROS
```
public static final String KERBEROS
```
    See Also:
    
    Constant Field Values
- Constructor Detail
  - SecurityUtil
```
public SecurityUtil()
```
- Method Detail
  - loginKerberos
```
public static org.apache.hadoop.security.UserGroupInformation loginKerberos(org.apache.hadoop.conf.Configuration config,
                                                                            String principal,
                                                                            String keyTab)
                                                                     throws IOException
```
    Initializes UserGroupInformation with the given Configuration and performs the login for the given principal and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying UserGroupInformation.
    As of Apache NiFi 1.5.0, this method uses UserGroupInformation.loginUserFromKeytab(String, String) to authenticate the given principal, which sets the static variable loginUser in the UserGroupInformation instance. Setting loginUser is necessary for Client.Connection.handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation) to be able to attempt a relogin during a connection failure. The handleSaslConnectionFailure method calls UserGroupInformation.getLoginUser().reloginFromKeytab() statically, which can return null if loginUser is not set, resulting in failure of the hadoop operation.
    In previous versions of NiFi, UserGroupInformation.loginUserFromKeytabAndReturnUGI(String, String) was used to authenticate the principal, which does not set loginUser, making it impossible for a Client.Connection.handleSaslConnectionFailure(int, int, Exception, Random, UserGroupInformation) to be able to implicitly relogin the principal.
    
    Parameters:
    
    config - the configuration instance
    
    principal - the principal to authenticate as
    
    keyTab - the keytab to authenticate with
    
    Returns:
    
    the UGI for the given principal
    
    Throws:
    
    IOException - if login failed
  - getUgiForKerberosUser
```
public static org.apache.hadoop.security.UserGroupInformation getUgiForKerberosUser(org.apache.hadoop.conf.Configuration config,
                                                                                    KerberosUser kerberosUser)
                                                                             throws IOException
```
    Authenticates a KerberosUser and acquires a UserGroupInformation instance using UserGroupInformation.getUGIFromSubject(Subject). The UserGroupInformation will use the given Configuration.
    
    Parameters:
    
    config - The Configuration to apply to the acquired UserGroupInformation instance
    
    kerberosUser - The KerberosUser to authenticate
    
    Returns:
    
    A UserGroupInformation instance created using the Subject of the given KerberosUser
    
    Throws:
    
    IOException - if authentication fails
  - loginSimple
```
public static org.apache.hadoop.security.UserGroupInformation loginSimple(org.apache.hadoop.conf.Configuration config)
                                                                   throws IOException
```
    Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.getLoginUser(). All logins should happen through this class to ensure other threads are not concurrently modifying UserGroupInformation.
    
    Parameters:
    
    config - the configuration instance
    
    Returns:
    
    the UGI for the given principal
    
    Throws:
    
    IOException - if login failed
  - isSecurityEnabled
```
public static boolean isSecurityEnabled(org.apache.hadoop.conf.Configuration config)
```
    Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.isSecurityEnabled(). All checks for isSecurityEnabled() should happen through this method.
    
    Parameters:
    
    config - the given configuration
    
    Returns:
    
    true if kerberos is enabled on the given configuration, false otherwise
  - callWithUgi
```
public static <T> T callWithUgi(org.apache.hadoop.security.UserGroupInformation ugi,
                                PrivilegedExceptionAction<T> action)
                         throws IOException
```
    Helper method to execute the given action as the given user.
    
    Type Parameters:
    
    T - the result type of the action
    
    Parameters:
    
    ugi - the user
    
    action - the action
    
    Returns:
    
    the result of the action
    
    Throws:
    
    IOException - if the action was interrupted
  - checkTGTAndRelogin
```
public static void checkTGTAndRelogin(ComponentLog log,
                                      KerberosUser kerberosUser)
```
    Helper method to call checkTGTAndRelogin on a given KerberosUser that may be null.
    
    Parameters:
    
    log - the logger
    
    kerberosUser - the kerberos user
    
    Throws:
    
    KerberosLoginException - if an error occurs when checkTGTAndRelogin calls login or logout

Class SecurityUtil

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

HADOOP_SECURITY_AUTHENTICATION

KERBEROS

Constructor Detail

SecurityUtil

Method Detail

loginKerberos

getUgiForKerberosUser

loginSimple

isSecurityEnabled

callWithUgi

checkTGTAndRelogin