001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *      http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.oozie.action.hadoop;
020
021import java.io.IOException;
022import java.security.PrivilegedExceptionAction;
023import java.util.Map;
024
025import org.apache.hadoop.conf.Configuration;
026import org.apache.hadoop.hbase.HBaseConfiguration;
027import org.apache.hadoop.hbase.security.User;
028import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
029import org.apache.hadoop.hbase.security.token.TokenUtil;
030import org.apache.hadoop.mapred.JobConf;
031import org.apache.oozie.action.ActionExecutor.Context;
032import org.apache.oozie.action.hadoop.Credentials;
033import org.apache.oozie.action.hadoop.CredentialsProperties;
034import org.apache.oozie.util.XLog;
035import org.apache.hadoop.security.UserGroupInformation;
036import org.apache.hadoop.security.token.Token;
037import org.apache.hadoop.security.token.TokenIdentifier;
038
039
/**
 * HBase Credentials implementation that stores the credentials in the jobConf.
 * The jobConf is then used to pass the credentials to the tasks while they run.
 * The Oozie server should be configured to use this Credentials class by including it
 * in the property 'oozie.credentials.credentialclasses'.
 */
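public class HbaseCredentials extends Credentials {
    static final String OOZIE_HBASE_CLIENT_SITE_XML = "oozie-hbase-client-site.xml";
    static final String HBASE_USE_DYNAMIC_JARS = "hbase.dynamic.jars.dir";

    static {
        // Register the Oozie-specific HBase client site file as a Hadoop default resource
        // when this class is loaded.
        Configuration.addDefaultResource(OOZIE_HBASE_CLIENT_SITE_XML);
    }

    /**
     * Merges the HBase configuration and the credential properties into {@code jobConf}, then
     * obtains an HBase authentication token for the workflow user and adds it to the
     * credentials of {@code jobConf}.
     *
     * @param jobConf job configuration that receives the HBase settings and the token
     * @param props credential properties copied into the configuration
     * @param context action context; the workflow user is read from it
     * @throws Exception any failure is logged at WARN level and rethrown unchanged, so a job
     *         is never left to run silently without its HBase token
     * @see org.apache.oozie.action.hadoop.Credentials#addtoJobConf(org.apache.hadoop.mapred.JobConf, org.apache.oozie.action.hadoop.CredentialsProperties, org.apache.oozie.action.ActionExecutor.Context)
     */
    @Override
    public void addtoJobConf(JobConf jobConf, CredentialsProperties props, Context context) throws Exception {
        try {
            copyHbaseConfToJobConf(jobConf, props);
            obtainToken(jobConf, context);
        }
        catch (Exception e) {
            XLog.getLog(getClass()).warn("Exception in receiving hbase credentials", e);
            throw e;
        }
    }

    /**
     * Builds the effective HBase client configuration inside {@code jobConf}.
     *
     * <p>Precedence, highest first: the credential properties, then values already present in
     * {@code jobConf}, then the HBase resources (hbase-site.xml/hbase-default.xml).
     *
     * <p>NOTE(review): the credential properties overwrite any key already set in
     * {@code jobConf}, not only HBase keys. If {@code props} is populated from the workflow
     * definition, confirm that callers restrict which keys can reach this method.
     *
     * @param jobConf job configuration to update in place
     * @param props credential properties to apply
     */
    void copyHbaseConfToJobConf(JobConf jobConf, CredentialsProperties props) {
        // Create configuration using hbase-site.xml/hbase-default.xml
        Configuration hbaseConf = new Configuration(false);
        HBaseConfiguration.addHbaseResources(hbaseConf);
        // copy cred props to hbaseconf and override if values already exists
        addPropsConf(props, hbaseConf);
        // copy cred props to jobconf and override if values already exist
        addPropsConf(props, jobConf);
        // copy conf from hbaseConf to jobConf without overriding the
        // already existing values of jobConf
        injectConf(hbaseConf, jobConf);
    }

    /**
     * Obtains an HBase authentication token while running as the workflow user, proxied
     * through the login user of this process, and adds it to the credentials of
     * {@code jobConf}.
     *
     * @param jobConf configuration used to reach HBase; receives the token
     * @param context action context supplying the workflow user name
     * @throws IOException if the token cannot be obtained, or if no token is returned
     * @throws InterruptedException if the privileged action is interrupted
     */
    private void obtainToken(final JobConf jobConf, Context context) throws IOException, InterruptedException {
        String user = context.getWorkflow().getUser();
        // The token is requested on behalf of the workflow user, not the login user itself.
        UserGroupInformation ugi =  UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
        User u = User.create(ugi);
        // A direct doAs is required here vs. User#obtainAuthTokenForJob(...)
        // See OOZIE-2419 for more
        Token<AuthenticationTokenIdentifier> token = u.runAs(
            new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                @Override
                public Token<AuthenticationTokenIdentifier> run() throws Exception {
                    return TokenUtil.obtainToken(jobConf);
                }
            }
        );
        // TokenUtil's contract is not visible from this class; fail with a clear error rather
        // than a NullPointerException on token.getService() if no token comes back.
        if (token == null) {
            throw new IOException("No HBase authentication token was returned for user [" + user + "]");
        }
        jobConf.getCredentials().addToken(token.getService(), token);
    }

    /**
     * Copies every credential property into {@code destConf}, overwriting existing values.
     *
     * @param props source properties
     * @param destConf configuration to update in place
     */
    private void addPropsConf(CredentialsProperties props, Configuration destConf) {
        for (Map.Entry<String, String> entry : props.getProperties().entrySet()) {
            destConf.set(entry.getKey(), entry.getValue());
        }
    }

    /**
     * Copies entries from {@code srcConf} into {@code destConf} only for keys that
     * {@code destConf} does not resolve yet, so existing destination values are kept.
     *
     * @param srcConf configuration to read from
     * @param destConf configuration to update in place
     */
    private void injectConf(Configuration srcConf, Configuration destConf) {
        for (Map.Entry<String, String> entry : srcConf) {
            String name = entry.getKey();
            // Only fill gaps: a key that already resolves in destConf is left untouched.
            if (destConf.get(name) == null) {
                destConf.set(name, entry.getValue());
            }
        }
    }
}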