UserGroupInformation Source Code Analysis

最新推荐文章于 2023-04-04 17:24:42 发布
最新推荐文章于 2023-04-04 17:24:42 发布
阅读量609 收藏
点赞数
分类专栏: hadoop
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/houzhizhen/article/details/62888336
版权

UserGroupInformation is used in the following way.

final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();

The getLoginUser method is simple.

  public synchronized 
  static UserGroupInformation getLoginUser() throws IOException {
    if (loginUser == null) {
      loginUserFromSubject(null);
    }
    return loginUser;
  }
public synchronized 
  static void loginUserFromSubject(Subject subject) throws IOException {
    ensureInitialized();
    try {
      if (subject == null) {
        subject = new Subject();
      }
      LoginContext login =
          newLoginContext(authenticationMethod.getLoginAppName(), 
                          subject, new HadoopConfiguration());
      login.login();
      UserGroupInformation realUser = new UserGroupInformation(subject);
      realUser.setLogin(login);
      realUser.setAuthenticationMethod(authenticationMethod);
      realUser = new UserGroupInformation(login.getSubject());
      // If the HADOOP_PROXY_USER environment variable or property
      // is specified, create a proxy user as the logged in user.
      String proxyUser = System.getenv(HADOOP_PROXY_USER);
      if (proxyUser == null) {
        proxyUser = System.getProperty(HADOOP_PROXY_USER);
      }
      loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);

      String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
      if (fileLocation != null) {
        // Load the token storage file and put all of the tokens into the
        // user. Don't use the FileSystem API for reading since it has a lock
        // cycle (HADOOP-9212).
        Credentials cred = Credentials.readTokenStorageFile(
            new File(fileLocation), conf);
        loginUser.addCredentials(cred);
      }
      loginUser.spawnAutoRenewalThreadForUserCreds();
    } catch (LoginException le) {
      LOG.debug("failure to login", le);
      throw new IOException("failure to login", le);
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("UGI loginUser:"+loginUser);
    } 
  }
 private static void ensureInitialized() {
    if (conf == null) {
      synchronized(UserGroupInformation.class) {
        if (conf == null) { // someone might have beat us
          initialize(new Configuration(), false);
        }
      }
    }
  }
private static synchronized void initialize(Configuration conf,
                                              boolean overrideNameRules) {
    //authenticationMethod default: AuthenticationMethod.SIMPLE
    authenticationMethod = SecurityUtil.getAuthenticationMethod(conf);
    if (overrideNameRules || !HadoopKerberosName.hasRulesBeenSet()) {
      try {
        HadoopKerberosName.setConfiguration(conf);
      } catch (IOException ioe) {
        throw new RuntimeException(
            "Problem with Kerberos auth_to_local name configuration", ioe);
      }
    }
    // If we haven't set up testing groups, use the configuration to find it
    if (!(groups instanceof TestingGroups)) {
      groups = Groups.getUserToGroupsMappingService(conf);
    }
    UserGroupInformation.conf = conf;

    if (metrics.getGroupsQuantiles == null) {
      int[] intervals = conf.getInts(HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS);
      if (intervals != null && intervals.length > 0) {
        final int length = intervals.length;
        MutableQuantiles[] getGroupsQuantiles = new MutableQuantiles[length];
        for (int i = 0; i < length; i++) {
          getGroupsQuantiles[i] = metrics.registry.newQuantiles(
            "getGroups" + intervals[i] + "s",
            "Get groups", "ops", "latency", intervals[i]);
        }
        metrics.getGroupsQuantiles = getGroupsQuantiles;
      }
    }
  }
  public static AuthenticationMethod getAuthenticationMethod(Configuration conf) {
    String value = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");
    try {
      return Enum.valueOf(AuthenticationMethod.class,
          StringUtils.toUpperCase(value));
    } catch (IllegalArgumentException iae) {
      throw new IllegalArgumentException("Invalid attribute value for " +
          HADOOP_SECURITY_AUTHENTICATION + " of " + value);
    }
  }
 public static void setConfiguration(Configuration conf) throws IOException {
    final String defaultRule;
    switch (SecurityUtil.getAuthenticationMethod(conf)) {
      case KERBEROS:
      case KERBEROS_SSL:
        try {
          KerberosUtil.getDefaultRealm();
        } catch (Exception ke) {
          throw new IllegalArgumentException("Can't get Kerberos realm", ke);
        }
        defaultRule = "DEFAULT";
        break;
      default:
        // just extract the simple user name
        defaultRule = "RULE:[1:$1] RULE:[2:$1]";
        break; 
    }
    String ruleString = conf.get(HADOOP_SECURITY_AUTH_TO_LOCAL, defaultRule);
   // ruleString: RULE:[1:$1] RULE:[2:$1]
    setRules(ruleString);
  }
  public static synchronized Groups getUserToGroupsMappingService(
    Configuration conf) {

    if(GROUPS == null) {
      if(LOG.isDebugEnabled()) {
        LOG.debug(" Creating new Groups object");
      }
      GROUPS = new Groups(conf);
    }
    return GROUPS;
  }
 public Groups(Configuration conf) {
    this(conf, new Timer());
  }

  public Groups(Configuration conf, final Timer timer) {
  // impl default: object of org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback.class
    impl = 
      ReflectionUtils.newInstance(
          conf.getClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING, 
                        ShellBasedUnixGroupsMapping.class, 
                        GroupMappingServiceProvider.class), 
          conf);
//cacheTimeout default: 300000ms, equals 5 minutes. 
    cacheTimeout = 
      conf.getLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS, 
          CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS_DEFAULT) * 1000;
     //negativeCacheTimeout default: 3000ms.
    negativeCacheTimeout =
      conf.getLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS,
          CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS_DEFAULT) * 1000;
   // warningDeltaMs default: 5000
    warningDeltaMs =
      conf.getLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_WARN_AFTER_MS,
        CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_WARN_AFTER_MS_DEFAULT);
    parseStaticMapping(conf);

    this.timer = timer;
    this.cache = CacheBuilder.newBuilder()
      .refreshAfterWrite(cacheTimeout, TimeUnit.MILLISECONDS)
      .ticker(new TimerToTickerAdapter(timer))
      .expireAfterWrite(10 * cacheTimeout, TimeUnit.MILLISECONDS)
      .build(new GroupCacheLoader());

    if(negativeCacheTimeout > 0) {
      Cache<String, Boolean> tempMap = CacheBuilder.newBuilder()
        .expireAfterWrite(negativeCacheTimeout, TimeUnit.MILLISECONDS)
        .ticker(new TimerToTickerAdapter(timer))
        .build();
      negativeCache = Collections.newSetFromMap(tempMap.asMap());
    }

    if(LOG.isDebugEnabled())
      LOG.debug("Group mapping impl=" + impl.getClass().getName() + 
          "; cacheTimeout=" + cacheTimeout + "; warningDeltaMs=" +
          warningDeltaMs);
  }
houzhizhen
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
【安全】Kerberos相关问题进行故障排除| 常见错误和解决方法
九师兄
01-07 2万+
1.概述 转载 为了学习:Kerberos相关问题进行故障排除| 常见错误和解决方法 2.总结 可以用来帮助诊断Kerberos相关问题的原因并实施解决方案的指南。 3. 症状 单击症状链接转到相应的疑难解答部分。 2.1 Kerberos tgt javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: F.
Hadoop UserGroupInformation详解
gezooo的专栏
04-03 6406
hadoop UserGroupInformation研究了很多次,每次都是朦朦胧胧,这一次花了一些力气,终于是搞明白了。 下面大概了解下面Java的认证相关框架 JAAS 认证和授权框架,只要负责用户的认证和权限。 SASL client 和 server之间认证的框架 GSS 是sasl的一个provider,也就是实现了sasl框架 参考JAAS/GSS-API/SASL/Kerberos简介 | NoSQL漫谈 网上关于high level介绍的还比较多,可以搜索一些,但是要真正理解Us
Hadoop认证Kerberos--UserGroupInformation.doAs
Alecor的博客
07-29 2854
如果你只是单纯地使用 Hadoop 的 MapReduce, 也许压根就不需要了解还有个 UserGroupInformation. 当你需要在 Yarn 上做些其它工作时,就必须与 UserGroupInformation 打交道。 UserGroupInformation保存hadoop用户及组信息 此类包装JAAS Subject,并提供确定用户的用户名和组的方法。它支持Windows,Unix和Kerberos登录模块。 常用代码 String userCode="user1"; String ke
【大数据安全-Kerberos】Kerberos常见问题及解决方案
最新发布
weixin_53543905的博客
04-04 7238
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 可以用来帮助诊断 Kerberos 相关问题的原因并实施解决方案的指南。
Java访问Kerberos认证的HDFS文件系统
司马班如
12-06 3764
Java访问Kerberos认证的HDFS文件系统一、项目pom依赖配置二、Java访问代码三、实现截图四、遇到错误五、总结 前几天搭建了Kerberos认证的HDFS文件系统,今天打算写文章来介绍一下,用Java来访问经过Kerberos加密的HDFS文件系统,在这之前,需要在KDC生成keytab文件,然后把/etc/krb5.conf文件下载,并且放到项目中。 一、项目pom依赖配置 <dependency> <groupId>org.apache.hadoop</gr
Hadoop-0.20.0源代码分析(02)
千与的专栏
09-19 6366
UserGroupInformation类定义了一个与文件系统相关的用户和组信息抽象的内容,Hadoop框架实现了一个基于Unix系统的用户和组信息的实现类UnixUserGroupInformation,该类继承自UserGroupInformation抽象类。从UserGroupInformation抽象类与其子类UnixUserGroupInformation的属性字段可以看出,抽象类所
krb-thrift:通过 Thrift 传递 Kerberos 凭据的示例
07-09
使用 Hadoop UserGroupInformation 通过 Thrift RPC 传递 Kerberos 凭据 这是一个快速示例,它可以显示客户端缓存的 kerberos 凭据可以通过 Thrift RPC 传递到服务器,该服务器可以在服务器凭据之上代理该用户。 ...
hadoop-core-1.2.1.jar
12-03
ERROR security.UserGroupInformation: PriviledgedActionException as:chuck cause:java.io.IOException: Failed to set permissions of path: 分析问题: 属于windows下的eclipse中访问的权限问题,需要重新打包...
Dr.COM Authenticate Client Installer网通宽带插件
02-16
Dr.COM Authenticate Client Installer网通宽带插件
hadoop-2.6.0-hadoop.dll-winutils.exe
08-30
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)  at org.apache.hadoop.mapreduce.Job.submit(Job.java:1293)  at org.apache.hadoop.mapreduce.Job....
Hbase 基本操作类
07-16
UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab("jdzy/[email protected]", keyStr); } catch (IOException e) { e....
Client 和 NN 创建Connection的详解(二)UserGroupInformation是如何传递的
gezooo的专栏
04-03 305
Client.Connection.setupIOStreams() --->发送连接上下文 writeConnectionContext(remoteId, authMethod); 发送的 IpcConnectionContextProto 里包含了UserGroupInformation /** * Spec for UserInformationProto is specified in ProtoUtil#makeIpcConnectionContext */ m
Hadoop UserGroupInformation 的那些 login
热门推荐
wujun8的专栏
09-24 1万+
loginUserFromSubject loginUserFromKeytab getUGIFromTicketCache ugi password keytab ticket -Djava.security.krb5.conf="$APP_HOME"/_krb/krb5.conf hive No groups bug
解决Caused by: GSSException: (Mechanism level: Failed to find any Kerberos tgt)
qq_43688472的博客
12-16 1万+
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) 解决方法: 1、一种是由于kerberos的keytab权限问题导致,一般用kinit -kt /var/lib/hadoop-hdfs/hdfs.keytab hdfs/admin 类似的命令可以解决。 2、kerberos过期 3、由于JDK的问题: 网上有说针对jdk1.8.44以上版本,
处理Mechanism level: Failed to find any Kerberos credentails异常
haoren1994的博客
06-12 4087
最近在测试华为集群认真的时候 代码出现 Mechanism level: Failed to find any Kerberos credentails异常(内网开发),无法贴出故障 解决办法 配置host映射
hive连接报错-java.lang.NoClassDefFoundError: Could not initialize class org.apache.hadoop.security.UserG
一立方星空
12-07 8632
hive连接报错-java.lang.NoClassDefFoundError: Could not initialize class org.apache.hadoop.security.UserGroupInformation 报错信息:无法初始化用户组 Handler dispatch failed; nested exception is java.lang.NoClassDefFoundError: Could not initialize class org.apache.hadoop.se
hadoop2.6 UserGroupInformation 获取用户名
亚瑟的守护的专栏
12-30 6667
Hadoop的客户端是通过FileSystem类操作hdfs的。 FileSystem.get()方法获取FileSystem对象。 public static FileSystem get(final URI uri, final Configuration conf, final String user) throws IOException, InterruptedE
hadoop 2.6.0 安全问题--UserGroupInformation
houzhizhen的专栏
01-25 3367
UserGroupInformation可以使用任何你想拥有权限的用户来操作集群。 在UserGroupInformationloginUserFromSubject方法如下,首先系统获到系统用户,然后再判断是否设置环境变量HADOOP_PROXY_USER,或者系统属性HADOOP_PROXY_USER,如果设置那么loginUser就为HADOOP_PROXY_USER,代码如下: @I
usergroupinformation
03-16
usergroupinformation是指用户组信息,包括用户组名称、用户组成员、用户组权限等。在计算机系统中,用户组是一种将多个用户组合在一起的方式,可以方便地管理用户的权限和访问控制。用户组信息通常存储在系统的用户...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值