Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *      http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.oozie.action.hadoop;
020
021import java.io.IOException;
022import java.security.PrivilegedExceptionAction;
023import java.util.Map;
024
025import org.apache.hadoop.conf.Configuration;
026import org.apache.hadoop.hbase.HBaseConfiguration;
027import org.apache.hadoop.hbase.client.Connection;
028import org.apache.hadoop.hbase.client.ConnectionFactory;
029import org.apache.hadoop.hbase.security.User;
030import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
031import org.apache.hadoop.hbase.security.token.TokenUtil;
032import org.apache.hadoop.security.Credentials;
033import org.apache.hadoop.security.UserGroupInformation;
034import org.apache.hadoop.security.token.Token;
035import org.apache.oozie.action.ActionExecutor.Context;
036import org.apache.oozie.util.XLog;
037
038
039/**
040 * Hbase Credentials implementation to store in jobConf
041 * The jobConf is used further to pass credentials to the tasks while running
042 * Oozie server should be configured to use this Credentials class by including it via property
043 * 'oozie.credentials.credentialclasses'
044 *
045 */
046public class HbaseCredentials implements CredentialsProvider {
047    static final String OOZIE_HBASE_CLIENT_SITE_XML = "oozie-hbase-client-site.xml";
048    static final String HBASE_USE_DYNAMIC_JARS = "hbase.dynamic.jars.dir";
049
050    static {
051        Configuration.addDefaultResource(OOZIE_HBASE_CLIENT_SITE_XML);
052    }
053
054    /* (non-Javadoc)
055     * @see org.apache.oozie.action.hadoop.Credentials#addtoJobConf(org.apache.hadoop.mapred.JobConf,
056     * org.apache.oozie.action.hadoop.CredentialsProperties, org.apache.oozie.action.ActionExecutor.Context)
057     */
058    @Override
059    public void updateCredentials(Credentials credentials, Configuration config, CredentialsProperties props,
060            Context context) throws Exception {
061        try {
062            copyHbaseConfToJobConf(config, props);
063            obtainToken(credentials, config, context);
064        }
065        catch (Exception e) {
066            XLog.getLog(getClass()).warn("Exception in receiving hbase credentials", e);
067            throw e;
068        }
069    }
070
071    void copyHbaseConfToJobConf(Configuration jobConf, CredentialsProperties props) {
072        // Create configuration using hbase-site.xml/hbase-default.xml
073        Configuration hbaseConf = new Configuration(false);
074        HBaseConfiguration.addHbaseResources(hbaseConf);
075        // copy cred props to hbaseconf and override if values already exists
076        addPropsConf(props, hbaseConf);
077        // copy cred props to jobconf and override if values already exist
078        addPropsConf(props, jobConf);
079        // copy conf from hbaseConf to jobConf without overriding the
080        // already existing values of jobConf
081        injectConf(hbaseConf, jobConf);
082    }
083
084    private void obtainToken(Credentials credentials, final Configuration jobConf, Context context)
085            throws IOException, InterruptedException {
086        String user = context.getWorkflow().getUser();
087        UserGroupInformation ugi =  UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
088        User u = User.create(ugi);
089        // A direct doAs is required here vs. User#obtainAuthTokenForJob(...)
090        // See OOZIE-2419 for more
091        XLog.getLog(getClass()).debug("Getting Hbase token for user {0}", user);
092        Token<AuthenticationTokenIdentifier> token = u.runAs(
093            new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
094                public Token<AuthenticationTokenIdentifier> run() throws Exception {
095                    Token<AuthenticationTokenIdentifier> newToken = null;
096                    try (Connection connection = ConnectionFactory.createConnection(jobConf)) {
097                        newToken = TokenUtil.obtainToken(connection);
098                    }
099                    return newToken;
100                }
101            }
102        );
103        XLog.getLog(getClass()).debug("Got token, adding it to credentials.");
104        credentials.addToken(CredentialsProviderFactory.getUniqueAlias(token), token);
105    }
106
107    private void addPropsConf(CredentialsProperties props, Configuration destConf) {
108        for (Map.Entry<String, String> entry : props.getProperties().entrySet()) {
109            destConf.set(entry.getKey(), entry.getValue());
110        }
111    }
112
113    private void injectConf(Configuration srcConf, Configuration destConf) {
114        for (Map.Entry<String, String> entry : srcConf) {
115            String name = entry.getKey();
116            if (destConf.get(name) == null) {
117                String value = entry.getValue();
118                destConf.set(name, value);
119            }
120        }
121    }
122}