org.apache.hadoop.security

类 SecurityUtil

java.lang.Object

org.apache.hadoop.security.SecurityUtil

public class SecurityUtil
extends Object

嵌套类概要

嵌套类

限定符和类型	类和说明
protected static class	SecurityUtil.QualifiedHostResolver This an alternate resolver with important properties that the standard java resolver lacks: 1) The hostname is fully qualified.

字段概要

字段

限定符和类型	字段和说明
static String	HOSTNAME_PATTERN
static org.apache.commons.logging.Log	LOG

构造器概要

构造器

构造器和说明
SecurityUtil()

方法概要

方法

限定符和类型	方法和说明
static String	buildDTServiceName(URI uri, int defPort) create the service name for a Delegation token
static Text	buildTokenService(InetSocketAddress addr) Construct the service key for a token
static void	fetchServiceTicket(URL remoteHost) Explicitly pull the service ticket for the specified host.
static AccessControlList	getAdminAcls(Configuration conf, String configKey) Get the ACL object representing the cluster administrators The user who starts the daemon is automatically added as an admin
static InetAddress	getByName(String hostname) Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip.
static String	getHostFromPrincipal(String principalName) Get the host name from the principal name of format /host@realm.
static String	getLocalHostName() Get the fqdn for the current host.
static String	getServerPrincipal(String principalConfig, InetAddress addr) Convert Kerberos principal name pattern to valid Kerberos principal names.
static String	getServerPrincipal(String principalConfig, String hostname) Convert Kerberos principal name pattern to valid Kerberos principal names.
static InetSocketAddress	getTokenServiceAddr(Token<?> token) Decode the given token's service field into an InetAddress
protected static boolean	isOriginalTGT(String name)
static void	login(Configuration conf, String keytabFileKey, String userNameKey) If a keytab has been provided, login as that user.
static void	login(Configuration conf, String keytabFileKey, String userNameKey, String hostname) If a keytab has been provided, login as that user.
static URLConnection	openSecureHttpConnection(URL url) Open a (if need be) secure connection to a URL in a secure environment that is using SPNEGO or KSSL to authenticate its URLs.
static void	setTokenService(Token<?> token, InetSocketAddress addr) Set the given token's service to the format expected by the RPC client
static boolean	useKsslAuth()

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

字段详细资料

LOG

public static final org.apache.commons.logging.Log LOG

HOSTNAME_PATTERN

public static final String HOSTNAME_PATTERN

另请参阅:

常量字段值

构造器详细资料

SecurityUtil

public SecurityUtil()

方法详细资料

isOriginalTGT

protected static boolean isOriginalTGT(String name)

fetchServiceTicket

public static void fetchServiceTicket(URL remoteHost)
                               throws IOException

Explicitly pull the service ticket for the specified host. This solves a problem with Java's Kerberos SSL problem where the client cannot authenticate against a cross-realm service. It is necessary for clients making kerberized https requests to call this method on the target URL to ensure that in a cross-realm environment the remote host will be successfully authenticated. This method is internal to Hadoop and should not be used by other applications. This method should not be considered stable or open: it will be removed when the Java behavior is changed.

参数:

remoteHost - Target URL the krb-https client will access

抛出:

IOException - if a service ticket is not available

getServerPrincipal

public static String getServerPrincipal(String principalConfig,
                        String hostname)
                                 throws IOException

Convert Kerberos principal name pattern to valid Kerberos principal names. It replaces hostname pattern with hostname, which should be fully-qualified domain name. If hostname is null or "0.0.0.0", it uses dynamically looked-up fqdn of the current host instead.

参数:

principalConfig - the Kerberos principal name conf value to convert

hostname - the fully-qualified domain name used for substitution

返回:

converted Kerberos principal name

抛出:

IOException - if the service ticket cannot be retrieved

getServerPrincipal

public static String getServerPrincipal(String principalConfig,
                        InetAddress addr)
                                 throws IOException

Convert Kerberos principal name pattern to valid Kerberos principal names. This method is similar to getServerPrincipal(String, String), except 1) the reverse DNS lookup from addr to hostname is done only when necessary, 2) param addr can't be null (no default behavior of using local hostname when addr is null).

参数:

principalConfig - Kerberos principal name pattern to convert

addr - InetAddress of the host used for substitution

返回:

converted Kerberos principal name

抛出:

IOException - if the client address cannot be determined

getLocalHostName

public static String getLocalHostName()
                               throws UnknownHostException

Get the fqdn for the current host.

返回:

fqdn of the current host.

抛出:

UnknownHostException - if no IP address for the local host could be found.

login

public static void login(Configuration conf,
         String keytabFileKey,
         String userNameKey)
                  throws IOException

If a keytab has been provided, login as that user. Substitute $host in user's Kerberos principal name with a dynamically looked-up fully-qualified domain name of the current host.

参数:

conf - conf to use

keytabFileKey - the key to look for keytab file in conf

userNameKey - the key to look for user's Kerberos principal name in conf

抛出:

IOException - if the client address cannot be determined

login

public static void login(Configuration conf,
         String keytabFileKey,
         String userNameKey,
         String hostname)
                  throws IOException

If a keytab has been provided, login as that user. Substitute $host in user's Kerberos principal name with hostname.

参数:

conf - conf to use

keytabFileKey - the key to look for keytab file in conf

userNameKey - the key to look for user's Kerberos principal name in conf

hostname - hostname to use for substitution

抛出:

IOException - if login fails

getTokenServiceAddr

public static InetSocketAddress getTokenServiceAddr(Token<?> token)

Decode the given token's service field into an InetAddress

参数:

token - from which to obtain the service

返回:

InetAddress for the service

setTokenService

public static void setTokenService(Token<?> token,
                   InetSocketAddress addr)

Set the given token's service to the format expected by the RPC client

参数:

token - a delegation token

addr - the socket for the rpc connection

buildTokenService

public static Text buildTokenService(InetSocketAddress addr)

Construct the service key for a token

参数:

addr - InetSocketAddress of remote connection with a token

返回:

"ip:port" or "host:port" depending on the value of hadoop.security.token.service.use_ip

buildDTServiceName

public static String buildDTServiceName(URI uri,
                        int defPort)

create the service name for a Delegation token

参数:

uri - of the service

defPort - is used if the uri lacks a port

返回:

the token service, or null if no authority

另请参阅:

buildTokenService(InetSocketAddress)

getAdminAcls

public static AccessControlList getAdminAcls(Configuration conf,
                             String configKey)

Get the ACL object representing the cluster administrators The user who starts the daemon is automatically added as an admin

参数:

conf -

configKey - the key that holds the ACL string in its value

返回:

AccessControlList instance

getHostFromPrincipal

public static String getHostFromPrincipal(String principalName)

Get the host name from the principal name of format /host@realm.

参数:

principalName - principal name of format as described above

返回:

host name if the the string conforms to the above format, else null

useKsslAuth

public static boolean useKsslAuth()

返回:

true if we should use KSSL to authenticate NN HTTP endpoints, false to use SPNEGO or if security is disabled.

openSecureHttpConnection

public static URLConnection openSecureHttpConnection(URL url)
                                              throws IOException

Open a (if need be) secure connection to a URL in a secure environment that is using SPNEGO or KSSL to authenticate its URLs. All Namenode and Secondary Namenode URLs that are protected via SPNEGO or KSSL should be accessed via this method.

参数:

url - to authenticate via SPNEGO.

返回:

A connection that has been authenticated via SPNEGO

抛出:

IOException - If unable to authenticate via SPNEGO

getByName

public static InetAddress getByName(String hostname)
                             throws UnknownHostException

Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip.

参数:

hostname - host or ip to resolve

返回:

a resolved host

抛出:

UnknownHostException - if the host doesn't exist