Package org.apache.nifi.hadoop

Class SecurityUtil

java.lang.Object
org.apache.nifi.hadoop.SecurityUtil
public class SecurityUtil extends Object
Provides synchronized access to UserGroupInformation to avoid multiple processors/services from interfering with each other.

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    HADOOP_SECURITY_AUTHENTICATION
     
    static final String
    KERBEROS
     

  • Constructor Summary

    Constructors
    Constructor
    Description
    SecurityUtil()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    static <T> T
    callWithUgi(org.apache.hadoop.security.UserGroupInformation ugi, PrivilegedExceptionAction<T> action)
    Helper method to execute the given action as the given user.
    static void
    checkTGTAndRelogin(org.apache.nifi.logging.ComponentLog log, KerberosUser kerberosUser)
    Helper method to call checkTGTAndRelogin on a given KerberosUser that may be null.
    static org.apache.hadoop.security.UserGroupInformation
    getUgiForKerberosUser(org.apache.hadoop.conf.Configuration config, KerberosUser kerberosUser)
    Authenticates a KerberosUser and acquires a UserGroupInformation instance using UserGroupInformation.getUGIFromSubject(Subject).
    static boolean
    isSecurityEnabled(org.apache.hadoop.conf.Configuration config)
    Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.isSecurityEnabled().
    static org.apache.hadoop.security.UserGroupInformation
    loginKerberos(org.apache.hadoop.conf.Configuration config, String principal, String keyTab)
    Initializes UserGroupInformation with the given Configuration and performs the login for the given principal and keytab.
    static org.apache.hadoop.security.UserGroupInformation
    loginSimple(org.apache.hadoop.conf.Configuration config)
    Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.getLoginUser().

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Field Details

  • Constructor Details

    • SecurityUtil

      public SecurityUtil()

  • Method Details

    • loginKerberos

      public static org.apache.hadoop.security.UserGroupInformation loginKerberos(org.apache.hadoop.conf.Configuration config, String principal, String keyTab) throws IOException
      Initializes UserGroupInformation with the given Configuration and performs the login for the given principal and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying UserGroupInformation.

      As of Apache NiFi 1.5.0, this method uses UserGroupInformation.loginUserFromKeytab(String, String) to authenticate the given principal, which sets the static variable loginUser in the UserGroupInformation instance. calls UserGroupInformation.getLoginUser().reloginFromKeytab() statically, which can return null if loginUser is not set, resulting in failure of the hadoop operation.

      Parameters:
      config - the configuration instance
      principal - the principal to authenticate as
      keyTab - the keytab to authenticate with
      Returns:
      the UGI for the given principal
      Throws:
      IOException - if login failed

    • getUgiForKerberosUser

      public static org.apache.hadoop.security.UserGroupInformation getUgiForKerberosUser(org.apache.hadoop.conf.Configuration config, KerberosUser kerberosUser) throws IOException
      Authenticates a KerberosUser and acquires a UserGroupInformation instance using UserGroupInformation.getUGIFromSubject(Subject). The UserGroupInformation will use the given Configuration.
      Parameters:
      config - The Configuration to apply to the acquired UserGroupInformation instance
      kerberosUser - The KerberosUser to authenticate
      Returns:
      A UserGroupInformation instance created using the Subject of the given KerberosUser
      Throws:
      IOException - if authentication fails

    • loginSimple

      public static org.apache.hadoop.security.UserGroupInformation loginSimple(org.apache.hadoop.conf.Configuration config) throws IOException
      Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.getLoginUser(). All logins should happen through this class to ensure other threads are not concurrently modifying UserGroupInformation.
      Parameters:
      config - the configuration instance
      Returns:
      the UGI for the given principal
      Throws:
      IOException - if login failed

    • isSecurityEnabled

      public static boolean isSecurityEnabled(org.apache.hadoop.conf.Configuration config)
      Initializes UserGroupInformation with the given Configuration and returns UserGroupInformation.isSecurityEnabled(). All checks for isSecurityEnabled() should happen through this method.
      Parameters:
      config - the given configuration
      Returns:
      true if kerberos is enabled on the given configuration, false otherwise

    • callWithUgi

      public static <T> T callWithUgi(org.apache.hadoop.security.UserGroupInformation ugi, PrivilegedExceptionAction<T> action) throws IOException
      Helper method to execute the given action as the given user.
      Type Parameters:
      T - the result type of the action
      Parameters:
      ugi - the user
      action - the action
      Returns:
      the result of the action
      Throws:
      IOException - if the action was interrupted

    • checkTGTAndRelogin

      public static void checkTGTAndRelogin(org.apache.nifi.logging.ComponentLog log, KerberosUser kerberosUser)
      Helper method to call checkTGTAndRelogin on a given KerberosUser that may be null.
      Parameters:
      log - the logger
      kerberosUser - the kerberos user
      Throws:
      KerberosLoginException - if an error occurs when checkTGTAndRelogin calls login or logout