首頁 探索 說明
登入
zhzhenqin
/
java-classic-code
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: 65ad258d98
分支列表 標籤列表
java-classic...
/
hadoop-auth
/
LoginUtil.java

LoginUtil.java 22 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554 
  1. package com.primeton.dsp.datarelease.data.bdata;
    2. 

  2. 

  3. 

  4. 

  5. import org.apache.hadoop.conf.Configuration;
    6. 

  6. import org.apache.hadoop.security.UserGroupInformation;
    7. 

  7. import org.apache.hadoop.security.authentication.util.KerberosUtil;
    8. 

  8. import org.apache.log4j.Logger;
    9. 

  9. 

  10. import javax.security.auth.login.AppConfigurationEntry;
    11. 

  11. import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    12. 

  12. import java.io.File;
    13. 

  13. import java.io.FileWriter;
    14. 

  14. import java.io.IOException;
    15. 

  15. import java.util.HashMap;
    16. 

  16. import java.util.Map;
    17. 

  17. 

  18. /**
    19. 

  19.  *
    20. 

  20.  * Hadoop 认证实现类
    21. 

  21.  *
    22. 

  22.  * <pre>
    23. 

  23.  *
    24. 

  24.  * Created by zhaopx.
    25. 

  25.  * User: zhaopx
    26. 

  26.  * Date: 2020/4/20
    27. 

  27.  * Time: 17:57
    28. 

  28.  *
    29. 

  29.  * </pre>
    30. 

  30.  *
    31. 

  31.  * @author zhaopx
    32. 

  32.  */
    33. 

  33. public class LoginUtil {
    34. 

  34. 

  35.     public enum Module {
    36. 

  36.         STORM("StormClient"), KAFKA("KafkaClient"), ZOOKEEPER("Client");
    37. 

  37. 

  38.         private String name;
    39. 

  39. 

  40.         private Module(String name) {
    41. 

  41.             this.name = name;
    42. 

  42.         }
    43. 

  43. 

  44.         public String getName() {
    45. 

  45.             return name;
    46. 

  46.         }
    47. 

  47.     }
    48. 

  48. 

  49.     private static final Logger LOG = Logger.getLogger(LoginUtil.class);
    50. 

  50. 

  51.     /**
    52. 

  52.      * line operator string
    53. 

  53.      */
    54. 

  54.     private static final String LINE_SEPARATOR = System
    55. 

  55.             .getProperty("line.separator");
    56. 

  56. 

  57.     /**
    58. 

  58.      * jaas file postfix
    59. 

  59.      */
    60. 

  60.     private static final String JAAS_POSTFIX = ".jaas.conf";
    61. 

  61. 

  62.     /**
    63. 

  63.      * IBM jdk login module
    64. 

  64.      */
    65. 

  65.     private static final String IBM_LOGIN_MODULE = "com.ibm.security.auth.module.Krb5LoginModule required";
    66. 

  66. 

  67.     /**
    68. 

  68.      * oracle jdk login module
    69. 

  69.      */
    70. 

  70.     private static final String SUN_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule required";
    71. 

  71. 

  72.     /**
    73. 

  73.      * java security login file path
    74. 

  74.      */
    75. 

  75.     public static final String JAVA_SECURITY_LOGIN_CONF_KEY = "java.security.auth.login.config";
    76. 

  76. 

  77.     private static final String JAVA_SECURITY_KRB5_CONF_KEY = "java.security.krb5.conf";
    78. 

  78. 

  79.     private static final String ZOOKEEPER_SERVER_PRINCIPAL_KEY = "zookeeper.server.principal";
    80. 

  80. 

  81.     private static final String LOGIN_FAILED_CAUSE_PASSWORD_WRONG = "(wrong password) keytab file and user not match, you can kinit -k -t keytab user in client server to check";
    82. 

  82. 

  83.     private static final String LOGIN_FAILED_CAUSE_TIME_WRONG = "(clock skew) time of local server and remote server not match, please check ntp to remote server";
    84. 

  84. 

  85.     private static final String LOGIN_FAILED_CAUSE_AES256_WRONG = "(aes256 not support) aes256 not support by default jdk/jre, need copy local_policy.jar and US_export_policy.jar from remote server in path /opt/Bigdata/jdk/jre/lib/security";
    86. 

  86. 

  87.     private static final String LOGIN_FAILED_CAUSE_PRINCIPAL_WRONG = "(no rule) principal format not support by default, need add property hadoop.security.auth_to_local(in core-site.xml) value RULE:[1:$1] RULE:[2:$1]";
    88. 

  88. 

  89.     private static final String LOGIN_FAILED_CAUSE_TIME_OUT = "(time out) can not connect to kdc server or there is fire wall in the network";
    90. 

  90. 

  91.     private static final boolean IS_IBM_JDK = System.getProperty("java.vendor")
    92. 

  92.             .contains("IBM");
    93. 

  93. 

  94.     public synchronized static void login(String userPrincipal,
    95. 

  95.                                           String userKeytabPath, String krb5ConfPath, Configuration conf)
    96. 

  96.             throws IOException {
    97. 

  97.         // 1.check input parameters
    98. 

  98.         if ((userPrincipal == null) || (userPrincipal.length() <= 0)) {
    99. 

  99.             LOG.error("input userPrincipal is invalid.");
    100. 

  100.             throw new IOException("input userPrincipal is invalid.");
    101. 

  101.         }
    102. 

  102. 

  103.         if ((userKeytabPath == null) || (userKeytabPath.length() <= 0)) {
    104. 

  104.             LOG.error("input userKeytabPath is invalid.");
    105. 

  105.             throw new IOException("input userKeytabPath is invalid.");
    106. 

  106.         }
    107. 

  107. 

  108.         if ((krb5ConfPath == null) || (krb5ConfPath.length() <= 0)) {
    109. 

  109.             LOG.error("input krb5ConfPath is invalid.");
    110. 

  110.             throw new IOException("input krb5ConfPath is invalid.");
    111. 

  111.         }
    112. 

  112. 

  113.         if ((conf == null)) {
    114. 

  114.             LOG.error("input conf is invalid.");
    115. 

  115.             throw new IOException("input conf is invalid.");
    116. 

  116.         }
    117. 

  117. 

  118.         // 2.check file exsits
    119. 

  119.         File userKeytabFile = new File(userKeytabPath);
    120. 

  120.         if (!userKeytabFile.exists()) {
    121. 

  121.             LOG.error("userKeytabFile(" + userKeytabFile.getAbsolutePath()
    122. 

  122.                     + ") does not exsit.");
    123. 

  123.             throw new IOException("userKeytabFile("
    124. 

  124.                     + userKeytabFile.getAbsolutePath() + ") does not exsit.");
    125. 

  125.         }
    126. 

  126.         if (!userKeytabFile.isFile()) {
    127. 

  127.             LOG.error("userKeytabFile(" + userKeytabFile.getAbsolutePath()
    128. 

  128.                     + ") is not a file.");
    129. 

  129.             throw new IOException("userKeytabFile("
    130. 

  130.                     + userKeytabFile.getAbsolutePath() + ") is not a file.");
    131. 

  131.         }
    132. 

  132. 

  133.         File krb5ConfFile = new File(krb5ConfPath);
    134. 

  134.         if (!krb5ConfFile.exists()) {
    135. 

  135.             LOG.error("krb5ConfFile(" + krb5ConfFile.getAbsolutePath()
    136. 

  136.                     + ") does not exsit.");
    137. 

  137.             throw new IOException("krb5ConfFile("
    138. 

  138.                     + krb5ConfFile.getAbsolutePath() + ") does not exsit.");
    139. 

  139.         }
    140. 

  140.         if (!krb5ConfFile.isFile()) {
    141. 

  141.             LOG.error("krb5ConfFile(" + krb5ConfFile.getAbsolutePath()
    142. 

  142.                     + ") is not a file.");
    143. 

  143.             throw new IOException("krb5ConfFile("
    144. 

  144.                     + krb5ConfFile.getAbsolutePath() + ") is not a file.");
    145. 

  145.         }
    146. 

  146. 

  147.         // 3.set and check krb5config
    148. 

  148.         setKrb5Config(krb5ConfFile.getAbsolutePath());
    149. 

  149.         setConfiguration(conf);
    150. 

  150. 

  151.         // 4.login and check for hadoop
    152. 

  152.         loginHadoop(userPrincipal, userKeytabFile.getAbsolutePath());
    153. 

  153.         LOG.info("Login success!!!!!!!!!!!!!!");
    154. 

  154.     }
    155. 

  155. 

  156.     private static void setConfiguration(Configuration conf) throws IOException {
    157. 

  157.         UserGroupInformation.setConfiguration(conf);
    158. 

  158.     }
    159. 

  159. 

  160.     private static boolean checkNeedLogin(String principal) throws IOException {
    161. 

  161.         if (!UserGroupInformation.isSecurityEnabled()) {
    162. 

  162.             LOG.error("UserGroupInformation is not SecurityEnabled, please check if core-site.xml exists in classpath.");
    163. 

  163.             throw new IOException(
    164. 

  164.                     "UserGroupInformation is not SecurityEnabled, please check if core-site.xml exists in classpath.");
    165. 

  165.         }
    166. 

  166.         UserGroupInformation currentUser = UserGroupInformation
    167. 

  167.                 .getCurrentUser();
    168. 

  168.         if ((currentUser != null) && (currentUser.hasKerberosCredentials())) {
    169. 

  169.             if (checkCurrentUserCorrect(principal)) {
    170. 

  170.                 LOG.info("current user is " + currentUser + "has logined.");
    171. 

  171.                 if (!currentUser.isFromKeytab()) {
    172. 

  172.                     LOG.error("current user is not from keytab.");
    173. 

  173.                     throw new IOException("current user is not from keytab.");
    174. 

  174.                 }
    175. 

  175.                 return false;
    176. 

  176.             } else {
    177. 

  177.                 LOG.error("current user is "
    178. 

  178.                         + currentUser
    179. 

  179.                         + "has logined. please check your enviroment , especially when it used IBM JDK or kerberos for OS count login!!");
    180. 

  180.                 throw new IOException("current user is " + currentUser
    181. 

  181.                         + " has logined. And please check your enviroment!!");
    182. 

  182.             }
    183. 

  183.         }
    184. 

  184. 

  185.         return true;
    186. 

  186.     }
    187. 

  187. 

  188.     public static void setKrb5Config(String krb5ConfFile) throws IOException {
    189. 

  189.         System.setProperty(JAVA_SECURITY_KRB5_CONF_KEY, krb5ConfFile);
    190. 

  190.         String ret = System.getProperty(JAVA_SECURITY_KRB5_CONF_KEY);
    191. 

  191.         if (ret == null) {
    192. 

  192.             LOG.error(JAVA_SECURITY_KRB5_CONF_KEY + " is null.");
    193. 

  193.             throw new IOException(JAVA_SECURITY_KRB5_CONF_KEY + " is null.");
    194. 

  194.         }
    195. 

  195.         if (!ret.equals(krb5ConfFile)) {
    196. 

  196.             LOG.error(JAVA_SECURITY_KRB5_CONF_KEY + " is " + ret + " is not "
    197. 

  197.                     + krb5ConfFile + ".");
    198. 

  198.             throw new IOException(JAVA_SECURITY_KRB5_CONF_KEY + " is " + ret
    199. 

  199.                     + " is not " + krb5ConfFile + ".");
    200. 

  200.         }
    201. 

  201.     }
    202. 

  202. 

  203.     public static void setJaasFile(String principal, String keytabPath)
    204. 

  204.             throws IOException {
    205. 

  205.         String jaasPath = new File(System.getProperty("java.io.tmpdir"))
    206. 

  206.                 + File.separator + System.getProperty("user.name")
    207. 

  207.                 + JAAS_POSTFIX;
    208. 

  208. 

  209.         // windows路径下分隔符替换
    210. 

  210.         jaasPath = jaasPath.replace("\\", "\\\\");
    211. 

  211.         keytabPath = keytabPath.replace("\\", "\\\\");
    212. 

  212.         // 删除jaas文件
    213. 

  213.         deleteJaasFile(jaasPath);
    214. 

  214.         writeJaasFile(jaasPath, principal, keytabPath);
    215. 

  215.         System.setProperty(JAVA_SECURITY_LOGIN_CONF_KEY, jaasPath);
    216. 

  216.     }
    217. 

  217. 

  218.     private static void writeJaasFile(String jaasPath, String principal,
    219. 

  219.                                       String keytabPath) throws IOException {
    220. 

  220.         FileWriter writer = new FileWriter(new File(jaasPath));
    221. 

  221.         try {
    222. 

  222.             writer.write(getJaasConfContext(principal, keytabPath));
    223. 

  223.             writer.flush();
    224. 

  224.         } catch (IOException e) {
    225. 

  225.             throw new IOException("Failed to create jaas.conf File");
    226. 

  226.         } finally {
    227. 

  227.             writer.close();
    228. 

  228.         }
    229. 

  229.     }
    230. 

  230. 

  231.     private static void deleteJaasFile(String jaasPath) throws IOException {
    232. 

  232.         File jaasFile = new File(jaasPath);
    233. 

  233.         if (jaasFile.exists()) {
    234. 

  234.             if (!jaasFile.delete()) {
    235. 

  235.                 throw new IOException("Failed to delete exists jaas file.");
    236. 

  236.             }
    237. 

  237.         }
    238. 

  238.     }
    239. 

  239. 

  240.     private static String getJaasConfContext(String principal, String keytabPath) {
    241. 

  241.         Module[] allModule = Module.values();
    242. 

  242.         StringBuilder builder = new StringBuilder();
    243. 

  243.         for (Module modlue : allModule) {
    244. 

  244.             builder.append(getModuleContext(principal, keytabPath, modlue));
    245. 

  245.         }
    246. 

  246.         return builder.toString();
    247. 

  247.     }
    248. 

  248. 

  249.     private static String getModuleContext(String userPrincipal,
    250. 

  250.                                            String keyTabPath, Module module) {
    251. 

  251.         StringBuilder builder = new StringBuilder();
    252. 

  252.         if (IS_IBM_JDK) {
    253. 

  253.             builder.append(module.getName()).append(" {")
    254. 

  254.                     .append(LINE_SEPARATOR);
    255. 

  255.             builder.append(IBM_LOGIN_MODULE).append(LINE_SEPARATOR);
    256. 

  256.             builder.append("credsType=both").append(LINE_SEPARATOR);
    257. 

  257.             builder.append("principal=\"" + userPrincipal + "\"").append(
    258. 

  258.                     LINE_SEPARATOR);
    259. 

  259.             builder.append("useKeytab=\"" + keyTabPath + "\"").append(
    260. 

  260.                     LINE_SEPARATOR);
    261. 

  261.             builder.append("debug=true;").append(LINE_SEPARATOR);
    262. 

  262.             builder.append("};").append(LINE_SEPARATOR);
    263. 

  263.         } else {
    264. 

  264.             builder.append(module.getName()).append(" {")
    265. 

  265.                     .append(LINE_SEPARATOR);
    266. 

  266.             builder.append(SUN_LOGIN_MODULE).append(LINE_SEPARATOR);
    267. 

  267.             builder.append("useKeyTab=true").append(LINE_SEPARATOR);
    268. 

  268.             builder.append("keyTab=\"" + keyTabPath + "\"").append(
    269. 

  269.                     LINE_SEPARATOR);
    270. 

  270.             builder.append("principal=\"" + userPrincipal + "\"").append(
    271. 

  271.                     LINE_SEPARATOR);
    272. 

  272.             builder.append("useTicketCache=false").append(LINE_SEPARATOR);
    273. 

  273.             builder.append("storeKey=true").append(LINE_SEPARATOR);
    274. 

  274.             builder.append("debug=true;").append(LINE_SEPARATOR);
    275. 

  275.             builder.append("};").append(LINE_SEPARATOR);
    276. 

  276.         }
    277. 

  277. 

  278.         return builder.toString();
    279. 

  279.     }
    280. 

  280. 

  281.     public static void setJaasConf(String loginContextName, String principal,
    282. 

  282.                                    String keytabFile) throws IOException {
    283. 

  283.         if ((loginContextName == null) || (loginContextName.length() <= 0)) {
    284. 

  284.             LOG.error("input loginContextName is invalid.");
    285. 

  285.             throw new IOException("input loginContextName is invalid.");
    286. 

  286.         }
    287. 

  287. 

  288.         if ((principal == null) || (principal.length() <= 0)) {
    289. 

  289.             LOG.error("input principal is invalid.");
    290. 

  290.             throw new IOException("input principal is invalid.");
    291. 

  291.         }
    292. 

  292. 

  293.         if ((keytabFile == null) || (keytabFile.length() <= 0)) {
    294. 

  294.             LOG.error("input keytabFile is invalid.");
    295. 

  295.             throw new IOException("input keytabFile is invalid.");
    296. 

  296.         }
    297. 

  297. 

  298.         File userKeytabFile = new File(keytabFile);
    299. 

  299.         if (!userKeytabFile.exists()) {
    300. 

  300.             LOG.error("userKeytabFile(" + userKeytabFile.getAbsolutePath()
    301. 

  301.                     + ") does not exsit.");
    302. 

  302.             throw new IOException("userKeytabFile("
    303. 

  303.                     + userKeytabFile.getAbsolutePath() + ") does not exsit.");
    304. 

  304.         }
    305. 

  305. 

  306.         javax.security.auth.login.Configuration
    307. 

  307.                 .setConfiguration(new JaasConfiguration(loginContextName,
    308. 

  308.                         principal, userKeytabFile.getAbsolutePath()));
    309. 

  309. 

  310.         javax.security.auth.login.Configuration conf = javax.security.auth.login.Configuration
    311. 

  311.                 .getConfiguration();
    312. 

  312.         if (!(conf instanceof JaasConfiguration)) {
    313. 

  313.             LOG.error("javax.security.auth.login.Configuration is not JaasConfiguration.");
    314. 

  314.             throw new IOException(
    315. 

  315.                     "javax.security.auth.login.Configuration is not JaasConfiguration.");
    316. 

  316.         }
    317. 

  317. 

  318.         AppConfigurationEntry[] entrys = conf
    319. 

  319.                 .getAppConfigurationEntry(loginContextName);
    320. 

  320.         if (entrys == null) {
    321. 

  321.             LOG.error("javax.security.auth.login.Configuration has no AppConfigurationEntry named "
    322. 

  322.                     + loginContextName + ".");
    323. 

  323.             throw new IOException(
    324. 

  324.                     "javax.security.auth.login.Configuration has no AppConfigurationEntry named "
    325. 

  325.                             + loginContextName + ".");
    326. 

  326.         }
    327. 

  327. 

  328.         boolean checkPrincipal = false;
    329. 

  329.         for (int i = 0; i < entrys.length; i++) {
    330. 

  330.             if (entrys[i].getOptions().get("principal").equals(principal)) {
    331. 

  331.                 checkPrincipal = true;
    332. 

  332.             }
    333. 

  333. 

  334.         }
    335. 

  335. 

  336.         if (!checkPrincipal) {
    337. 

  337.             LOG.error("AppConfigurationEntry named " + loginContextName
    338. 

  338.                     + " does not have principal value of " + principal + ".");
    339. 

  339.             throw new IOException("AppConfigurationEntry named "
    340. 

  340.                     + loginContextName + " does not have principal value of "
    341. 

  341.                     + principal + ".");
    342. 

  342.         }
    343. 

  343. 

  344.     }
    345. 

  345. 

  346.     public static void setZookeeperServerPrincipal(String zkServerPrincipal)
    347. 

  347.             throws IOException {
    348. 

  348.         System.setProperty(ZOOKEEPER_SERVER_PRINCIPAL_KEY, zkServerPrincipal);
    349. 

  349.         String ret = System.getProperty(ZOOKEEPER_SERVER_PRINCIPAL_KEY);
    350. 

  350.         if (ret == null) {
    351. 

  351.             LOG.error(ZOOKEEPER_SERVER_PRINCIPAL_KEY + " is null.");
    352. 

  352.             throw new IOException(ZOOKEEPER_SERVER_PRINCIPAL_KEY + " is null.");
    353. 

  353.         }
    354. 

  354.         if (!ret.equals(zkServerPrincipal)) {
    355. 

  355.             LOG.error(ZOOKEEPER_SERVER_PRINCIPAL_KEY + " is " + ret
    356. 

  356.                     + " is not " + zkServerPrincipal + ".");
    357. 

  357.             throw new IOException(ZOOKEEPER_SERVER_PRINCIPAL_KEY + " is " + ret
    358. 

  358.                     + " is not " + zkServerPrincipal + ".");
    359. 

  359.         }
    360. 

  360.     }
    361. 

  361. 

  362.     public static void setZookeeperServerPrincipal(String zkServerPrincipalKey,
    363. 

  363.                                                    String zkServerPrincipal) throws IOException {
    364. 

  364.         System.setProperty(zkServerPrincipalKey, zkServerPrincipal);
    365. 

  365.         String ret = System.getProperty(zkServerPrincipalKey);
    366. 

  366.         if (ret == null) {
    367. 

  367.             LOG.error(zkServerPrincipalKey + " is null.");
    368. 

  368.             throw new IOException(zkServerPrincipalKey + " is null.");
    369. 

  369.         }
    370. 

  370.         if (!ret.equals(zkServerPrincipal)) {
    371. 

  371.             LOG.error(zkServerPrincipalKey + " is " + ret + " is not "
    372. 

  372.                     + zkServerPrincipal + ".");
    373. 

  373.             throw new IOException(zkServerPrincipalKey + " is " + ret
    374. 

  374.                     + " is not " + zkServerPrincipal + ".");
    375. 

  375.         }
    376. 

  376.     }
    377. 

  377. 

  378.     private static void loginHadoop(String principal, String keytabFile)
    379. 

  379.             throws IOException {
    380. 

  380.         try {
    381. 

  381.             UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
    382. 

  382.         } catch (IOException e) {
    383. 

  383.             LOG.error("login failed with " + principal + " and " + keytabFile
    384. 

  384.                     + ".");
    385. 

  385.             LOG.error("perhaps cause 1 is " + LOGIN_FAILED_CAUSE_PASSWORD_WRONG
    386. 

  386.                     + ".");
    387. 

  387.             LOG.error("perhaps cause 2 is " + LOGIN_FAILED_CAUSE_TIME_WRONG
    388. 

  388.                     + ".");
    389. 

  389.             LOG.error("perhaps cause 3 is " + LOGIN_FAILED_CAUSE_AES256_WRONG
    390. 

  390.                     + ".");
    391. 

  391.             LOG.error("perhaps cause 4 is "
    392. 

  392.                     + LOGIN_FAILED_CAUSE_PRINCIPAL_WRONG + ".");
    393. 

  393.             LOG.error("perhaps cause 5 is " + LOGIN_FAILED_CAUSE_TIME_OUT + ".");
    394. 

  394. 

  395.             throw e;
    396. 

  396.         }
    397. 

  397.     }
    398. 

  398. 

  399.     private static void checkAuthenticateOverKrb() throws IOException {
    400. 

  400.         UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    401. 

  401.         UserGroupInformation currentUser = UserGroupInformation
    402. 

  402.                 .getCurrentUser();
    403. 

  403.         if (loginUser == null) {
    404. 

  404.             LOG.error("current user is " + currentUser
    405. 

  405.                     + ", but loginUser is null.");
    406. 

  406.             throw new IOException("current user is " + currentUser
    407. 

  407.                     + ", but loginUser is null.");
    408. 

  408.         }
    409. 

  409.         if (!loginUser.equals(currentUser)) {
    410. 

  410.             LOG.error("current user is " + currentUser + ", but loginUser is "
    411. 

  411.                     + loginUser + ".");
    412. 

  412.             throw new IOException("current user is " + currentUser
    413. 

  413.                     + ", but loginUser is " + loginUser + ".");
    414. 

  414.         }
    415. 

  415.         if (!loginUser.hasKerberosCredentials()) {
    416. 

  416.             LOG.error("current user is " + currentUser
    417. 

  417.                     + " has no Kerberos Credentials.");
    418. 

  418.             throw new IOException("current user is " + currentUser
    419. 

  419.                     + " has no Kerberos Credentials.");
    420. 

  420.         }
    421. 

  421.         if (!UserGroupInformation.isLoginKeytabBased()) {
    422. 

  422.             LOG.error("current user is " + currentUser
    423. 

  423.                     + " is not Login Keytab Based.");
    424. 

  424.             throw new IOException("current user is " + currentUser
    425. 

  425.                     + " is not Login Keytab Based.");
    426. 

  426.         }
    427. 

  427.     }
    428. 

  428. 

  429.     private static boolean checkCurrentUserCorrect(String principal)
    430. 

  430.             throws IOException {
    431. 

  431.         UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    432. 

  432.         if (ugi == null) {
    433. 

  433.             LOG.error("current user still null.");
    434. 

  434.             throw new IOException("current user still null.");
    435. 

  435.         }
    436. 

  436. 

  437.         String defaultRealm = null;
    438. 

  438.         try {
    439. 

  439.             defaultRealm = KerberosUtil.getDefaultRealm();
    440. 

  440.         } catch (Exception e) {
    441. 

  441.             LOG.warn("getDefaultRealm failed.");
    442. 

  442.             throw new IOException(e);
    443. 

  443.         }
    444. 

  444. 

  445.         if ((defaultRealm != null) && (defaultRealm.length() > 0)) {
    446. 

  446.             StringBuilder realm = new StringBuilder();
    447. 

  447.             StringBuilder principalWithRealm = new StringBuilder();
    448. 

  448.             realm.append("@").append(defaultRealm);
    449. 

  449.             if (!principal.endsWith(realm.toString())) {
    450. 

  450.                 principalWithRealm.append(principal).append(realm);
    451. 

  451.                 principal = principalWithRealm.toString();
    452. 

  452.             }
    453. 

  453.         }
    454. 

  454. 

  455.         return principal.equals(ugi.getUserName());
    456. 

  456.     }
    457. 

  457. 

  458.     /**
    459. 

  459.      * copy from hbase zkutil 0.94&0.98 A JAAS configuration that defines the
    460. 

  460.      * login modules that we want to use for login.
    461. 

  461.      */
    462. 

  462.     private static class JaasConfiguration extends
    463. 

  463.             javax.security.auth.login.Configuration {
    464. 

  464.         private static final Map<String, String> BASIC_JAAS_OPTIONS = new HashMap<String, String>();
    465. 

  465. 

  466.         static {
    467. 

  467.             String jaasEnvVar = System.getenv("HBASE_JAAS_DEBUG");
    468. 

  468.             if (jaasEnvVar != null && "true".equalsIgnoreCase(jaasEnvVar)) {
    469. 

  469.                 BASIC_JAAS_OPTIONS.put("debug", "true");
    470. 

  470.             }
    471. 

  471.         }
    472. 

  472. 

  473.         private static final Map<String, String> KEYTAB_KERBEROS_OPTIONS = new HashMap<String, String>();
    474. 

  474. 

  475.         static {
    476. 

  476.             if (IS_IBM_JDK) {
    477. 

  477.                 KEYTAB_KERBEROS_OPTIONS.put("credsType", "both");
    478. 

  478.             } else {
    479. 

  479.                 KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
    480. 

  480.                 KEYTAB_KERBEROS_OPTIONS.put("useTicketCache", "false");
    481. 

  481.                 KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
    482. 

  482.                 KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
    483. 

  483.             }
    484. 

  484. 

  485.             KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
    486. 

  486.         }
    487. 

  487. 

  488.         private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry(
    489. 

  489.                 KerberosUtil.getKrb5LoginModuleName(),
    490. 

  490.                 LoginModuleControlFlag.REQUIRED, KEYTAB_KERBEROS_OPTIONS);
    491. 

  491. 

  492.         private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = new AppConfigurationEntry[] { KEYTAB_KERBEROS_LOGIN };
    493. 

  493. 

  494.         private javax.security.auth.login.Configuration baseConfig;
    495. 

  495. 

  496.         private final String loginContextName;
    497. 

  497. 

  498.         private final boolean useTicketCache;
    499. 

  499. 

  500.         private final String keytabFile;
    501. 

  501. 

  502.         private final String principal;
    503. 

  503. 

  504.         public JaasConfiguration(String loginContextName, String principal,
    505. 

  505.                                  String keytabFile) throws IOException {
    506. 

  506.             this(loginContextName, principal, keytabFile, keytabFile == null
    507. 

  507.                     || keytabFile.length() == 0);
    508. 

  508.         }
    509. 

  509. 

  510.         private JaasConfiguration(String loginContextName, String principal,
    511. 

  511.                                   String keytabFile, boolean useTicketCache) throws IOException {
    512. 

  512.             try {
    513. 

  513.                 this.baseConfig = javax.security.auth.login.Configuration
    514. 

  514.                         .getConfiguration();
    515. 

  515.             } catch (SecurityException e) {
    516. 

  516.                 this.baseConfig = null;
    517. 

  517.             }
    518. 

  518.             this.loginContextName = loginContextName;
    519. 

  519.             this.useTicketCache = useTicketCache;
    520. 

  520.             this.keytabFile = keytabFile;
    521. 

  521.             this.principal = principal;
    522. 

  522. 

  523.             initKerberosOption();
    524. 

  524.             LOG.info("JaasConfiguration loginContextName=" + loginContextName
    525. 

  525.                     + " principal=" + principal + " useTicketCache="
    526. 

  526.                     + useTicketCache + " keytabFile=" + keytabFile);
    527. 

  527.         }
    528. 

  528. 

  529.         private void initKerberosOption() throws IOException {
    530. 

  530.             if (!useTicketCache) {
    531. 

  531.                 if (IS_IBM_JDK) {
    532. 

  532.                     KEYTAB_KERBEROS_OPTIONS.put("useKeytab", keytabFile);
    533. 

  533.                 } else {
    534. 

  534.                     KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
    535. 

  535.                     KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
    536. 

  536.                     KEYTAB_KERBEROS_OPTIONS.put("useTicketCache",
    537. 

  537.                             useTicketCache ? "true" : "false");
    538. 

  538.                 }
    539. 

  539.             }
    540. 

  540.             KEYTAB_KERBEROS_OPTIONS.put("principal", principal);
    541. 

  541.         }
    542. 

  542. 

  543.         @Override
    544. 

  544.         public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
    545. 

  545.             if (loginContextName.equals(appName)) {
    546. 

  546.                 return KEYTAB_KERBEROS_CONF;
    547. 

  547.             }
    548. 

  548.             if (baseConfig != null) {
    549. 

  549.                 return baseConfig.getAppConfigurationEntry(appName);
    550. 

  550.             }
    551. 

  551.             return (null);
    552. 

  552.         }
    553. 

  553.     }
    554. 

  554. }
    555.