Author: daijy
Date: Thu Mar 17 22:50:03 2016
New Revision: 1735518
URL: http://svn.apache.org/viewvc?rev=1735518&view=rev
Log:
PIG-4796: Authenticate with Kerberos using a keytab file
Added:
pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java
Added: pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java
URL:
http://svn.apache.org/viewvc/pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java?rev=1735518&view=auto
==============================================================================
--- pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java (added)
+++ pig/trunk/src/org/apache/pig/backend/hadoop/HKerberos.java Thu Mar 17
22:50:03 2016
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.pig.backend.hadoop;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import java.io.IOException;
+
+/**
+ * Support for logging in using a kerberos keytab file.
+ *
+ * <br/>
+ * Kerberos is a authentication system that uses tickets with a limited
valitity time.<br/>
+ * As a consequence running a pig script on a kerberos secured hadoop cluster
limits the running time to at most
+ * the remaining validity time of these kerberos tickets. When doing really
complex analytics this may become a
+ * problem as the job may need to run for a longer time than these ticket
times allow.<br/>
+ * A kerberos keytab file is essentially a Kerberos specific form of the
password of a user. <br/>
+ * It is possible to enable a Hadoop job to request new tickets when they
expire by creating a keytab file and
+ * make it part of the job that is running in the cluster.
+ * This will extend the maximum job duration beyond the maximum renew time of
the kerberos tickets.<br/>
+ * <br/>
+ * Usage:
+ * <ol>
+ * <li>Create a keytab file for the required principal.<br/>
+ * <p>Using the ktutil tool you can create a keytab using roughly these
commands:<br/>
+ * <i>addent -password -p [email protected] -k 1 -e rc4-hmac<br/>
+ * addent -password -p [email protected] -k 1 -e aes256-cts<br/>
+ * wkt niels.keytab</i></p>
+ * </li>
+ * <li>Set the following properties (either via the .pigrc file or on the
command line via -P file)<br/>
+ * <ul>
+ * <li><i>java.security.krb5.conf</i><br/>
+ * The path to the local krb5.conf file.<br/>
+ * Usually this is "/etc/krb5.conf"</li>
+ * <li><i>hadoop.security.krb5.principal</i><br/>
+ * The pricipal you want to login with.<br/>
+ * Usually this would look like this "[email protected]"</li>
+ * <li><i>hadoop.security.krb5.keytab</i><br/>
+ * The path to the local keytab file that must be used to
authenticate with.<br/>
+ * Usually this would look like this
"/home/niels/.krb/niels.keytab"</li>
+ * </ul></li>
+ * </ol>
+ * NOTE: All paths in these variables are local to the client system starting
the actual pig script.
+ * This can be run without any special access to the cluster nodes.
+ */
+public class HKerberos {
+ private static final Log LOG = LogFactory.getLog(HKerberos.class);
+
+ public static void tryKerberosKeytabLogin(Configuration conf) {
+ // Before we can actually connect we may need to login using the
provided credentials.
+ if (UserGroupInformation.isSecurityEnabled()) {
+ UserGroupInformation loginUser;
+ try {
+ loginUser = UserGroupInformation.getLoginUser();
+ } catch (IOException e) {
+ LOG.error("Unable to start attempt to login using Kerberos
keytab: " + e.getMessage());
+ return;
+ }
+
+ // If we are logged in into Kerberos with a keytab we can skip
this to avoid needless logins
+ if (!loginUser.hasKerberosCredentials() &&
!loginUser.isFromKeytab()) {
+ String krb5Conf = conf.get("java.security.krb5.conf");
+ String krb5Principal =
conf.get("hadoop.security.krb5.principal");
+ String krb5Keytab = conf.get("hadoop.security.krb5.keytab");
+
+ // Only attempt login if we have all the required settings.
+ if (krb5Conf != null && krb5Principal != null && krb5Keytab !=
null) {
+ LOG.info("Trying login using Kerberos Keytab");
+ LOG.info("krb5: Conf = " + krb5Conf);
+ LOG.info("krb5: Principal = " + krb5Principal);
+ LOG.info("krb5: Keytab = " + krb5Keytab);
+ System.setProperty("java.security.krb5.conf", krb5Conf);
+ try {
+
UserGroupInformation.loginUserFromKeytab(krb5Principal, krb5Keytab);
+ } catch (IOException e) {
+ LOG.error("Unable to perform keytab based kerberos
authentication: " + e.getMessage());
+ }
+ }
+ }
+ }
+ }
+
+}
