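/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.oozie.action.hadoop;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.mapred.JobConf;
import org.apache.oozie.action.ActionExecutor.Context;
import org.apache.oozie.action.hadoop.Credentials;
import org.apache.oozie.action.hadoop.CredentialsProperties;
import org.apache.oozie.util.XLog;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;


/**
 * HBase {@link Credentials} implementation that stores an HBase authentication token in the
 * {@link JobConf} of the action being launched. The jobConf then carries the token to the
 * tasks while they run.
 * <p>
 * The Oozie server must be configured to use this class by listing it in the property
 * 'oozie.credentials.credentialclasses'.
 * <p>
 * Security notes for maintainers:
 * <ul>
 *   <li>The token is requested on behalf of the workflow user through a proxy-user
 *       {@link UserGroupInformation} layered on the Oozie server's login identity, so the
 *       token belongs to the workflow user rather than to the server. NOTE(review): this
 *       presumably requires the cluster to allow the server identity to impersonate that
 *       user - confirm against the deployment's proxy-user configuration.</li>
 *   <li>Credential properties are written into the job configuration unfiltered and replace
 *       values already present. NOTE(review): verify where {@link CredentialsProperties} is
 *       populated and whether that source should be allowed to set arbitrary keys.</li>
 * </ul>
 */
public class HbaseCredentials extends Credentials {

    /**
     * Prepares {@code jobConf} for HBase access: merges the HBase configuration and the
     * credential properties into it, then obtains an HBase authentication token for the
     * workflow user and adds it to the job's credentials.
     *
     * @param jobConf job configuration that receives the HBase settings and the token
     * @param props credential properties to overlay on the configuration
     * @param context action context; used to look up the workflow user
     * @throws Exception any failure while building the configuration or obtaining the token;
     *         it is logged at WARN level and rethrown unchanged
     * @see org.apache.oozie.action.hadoop.Credentials#addtoJobConf(org.apache.hadoop.mapred.JobConf,
     *      org.apache.oozie.action.hadoop.CredentialsProperties,
     *      org.apache.oozie.action.ActionExecutor.Context)
     */
    @Override
    public void addtoJobConf(JobConf jobConf, CredentialsProperties props, Context context) throws Exception {
        try {
            copyHbaseConfToJobConf(jobConf, props);
            obtainToken(jobConf, context);
        }
        catch (Exception e) {
            // Only the exception is logged; the token itself is never written to the log.
            XLog.getLog(getClass()).warn("Exception in receiving hbase credentials", e);
            throw e;
        }
    }

    /**
     * Merges HBase settings into {@code jobConf}.
     * <p>
     * Precedence, highest first: credential properties, values already in {@code jobConf},
     * values from hbase-site.xml/hbase-default.xml.
     *
     * @param jobConf job configuration to update in place
     * @param props credential properties; each one overrides any existing value
     */
    void copyHbaseConfToJobConf(JobConf jobConf, CredentialsProperties props) {
        // Start from an empty Configuration so that only hbase-site.xml/hbase-default.xml
        // contribute base values.
        Configuration hbaseConf = new Configuration(false);
        HBaseConfiguration.addHbaseResources(hbaseConf);
        // Credential properties override whatever the HBase resources supplied ...
        addPropsConf(props, hbaseConf);
        // ... and whatever the job configuration already contained.
        addPropsConf(props, jobConf);
        // Remaining HBase settings only fill keys that jobConf does not define yet.
        injectConf(hbaseConf, jobConf);
    }

    /**
     * Obtains an HBase authentication token as the workflow user and adds it to the
     * credentials of {@code jobConf}, keyed by the token's service.
     *
     * @param jobConf configuration used to reach HBase and to hold the resulting token
     * @param context action context that supplies the workflow user name
     * @throws IOException if the token request fails or yields no token
     * @throws InterruptedException if the privileged action is interrupted
     */
    private void obtainToken(final JobConf jobConf, Context context) throws IOException, InterruptedException {
        String user = context.getWorkflow().getUser();
        // Impersonate the workflow user on top of the server's login identity so the token
        // is issued for that user.
        UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
        User u = User.create(ugi);
        // A direct doAs is required here vs. User#obtainAuthTokenForJob(...)
        // See OOZIE-2419 for more
        Token<AuthenticationTokenIdentifier> token = u.runAs(
            new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                @Override
                public Token<AuthenticationTokenIdentifier> run() throws Exception {
                    return TokenUtil.obtainToken(jobConf);
                }
            }
        );
        // Fail with a descriptive error instead of a NullPointerException on the next line
        // if the request came back without a token.
        if (token == null) {
            throw new IOException("Could not obtain an HBase authentication token for user [" + user + "]");
        }
        jobConf.getCredentials().addToken(token.getService(), token);
    }

    /**
     * Copies every credential property into {@code destConf}, replacing existing values.
     *
     * @param props source of the key/value pairs
     * @param destConf configuration to update in place
     */
    private void addPropsConf(CredentialsProperties props, Configuration destConf) {
        for (Map.Entry<String, String> entry : props.getProperties().entrySet()) {
            destConf.set(entry.getKey(), entry.getValue());
        }
    }

    /**
     * Copies entries from {@code srcConf} into {@code destConf} for keys that
     * {@code destConf} does not resolve yet; existing values are left untouched.
     *
     * @param srcConf configuration to read from
     * @param destConf configuration to update in place
     */
    private void injectConf(Configuration srcConf, Configuration destConf) {
        for (Map.Entry<String, String> entry : srcConf) {
            String name = entry.getKey();
            if (destConf.get(name) == null) {
                destConf.set(name, entry.getValue());
            }
        }
    }
}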