public class SecurityUtil extends Object
| Modifier and Type | Class and Description |
|---|---|
| `protected static class` | `SecurityUtil.QualifiedHostResolver` This is an alternate resolver with important properties that the standard Java resolver lacks: 1) The hostname is fully qualified. |
| Modifier and Type | Field and Description |
|---|---|
| `static String` | `HOSTNAME_PATTERN` |
| `static org.apache.commons.logging.Log` | `LOG` |
| Constructor and Description |
|---|
| `SecurityUtil()` |
| Modifier and Type | Method and Description |
|---|---|
| `static String` | `buildDTServiceName(URI uri, int defPort)` Create the service name for a delegation token |
| `static Text` | `buildTokenService(InetSocketAddress addr)` Construct the service key for a token |
| `static void` | `fetchServiceTicket(URL remoteHost)` Explicitly pull the service ticket for the specified host. |
| `static AccessControlList` | `getAdminAcls(Configuration conf, String configKey)` Get the ACL object representing the cluster administrators. The user who starts the daemon is automatically added as an admin |
| `static InetAddress` | `getByName(String hostname)` Resolves a host subject to the security requirements determined by hadoop.security.token.service.use_ip. |
| `static String` | `getHostFromPrincipal(String principalName)` Get the host name from the principal name of format |
| `static String` | `getLocalHostName()` Get the FQDN for the current host. |
| `static String` | `getServerPrincipal(String principalConfig, InetAddress addr)` Convert Kerberos principal name pattern to valid Kerberos principal names. |
| `static String` | `getServerPrincipal(String principalConfig, String hostname)` Convert Kerberos principal name pattern to valid Kerberos principal names. |
| `static InetSocketAddress` | `getTokenServiceAddr(Token<?> token)` Decode the given token's service field into an InetAddress |
| `protected static boolean` | `isOriginalTGT(String name)` |
| `static void` | `login(Configuration conf, String keytabFileKey, String userNameKey)` If a keytab has been provided, log in as that user. |
| `static void` | `login(Configuration conf, String keytabFileKey, String userNameKey, String hostname)` If a keytab has been provided, log in as that user. |
| `static URLConnection` | `openSecureHttpConnection(URL url)` Open a (if need be) secure connection to a URL in a secure environment that is using SPNEGO or KSSL to authenticate its URLs. |
| `static void` | `setTokenService(Token<?> token, InetSocketAddress addr)` Set the given token's service to the format expected by the RPC client |
| `static boolean` | `useKsslAuth()` |
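The principal-pattern substitution performed by the two `getServerPrincipal` overloads can be modelled as follows. This is an added stand-alone example, not Hadoop's source: the class `PrincipalPatternDemo`, the method `resolve` and the sample hosts are hypothetical, the `_HOST` token is the value Hadoop gives `HOSTNAME_PATTERN` (not printed on this page), and the lowercasing step is an assumption of the sketch.

```java
import java.net.InetAddress;
import java.util.Locale;
import java.util.function.Supplier;

/** Stand-alone model of principal-pattern substitution; not Hadoop's source. */
public class PrincipalPatternDemo {
    // Value of SecurityUtil.HOSTNAME_PATTERN in Hadoop; not printed on this page.
    static final String HOSTNAME_PATTERN = "_HOST";

    /**
     * Substitutes the host component of "service/_HOST@REALM".
     * The supplier is consulted only when a substitution is needed, which
     * models "reverse DNS lookup ... done only when necessary".
     */
    static String resolve(String principalConfig, Supplier<String> fqdn) {
        String[] parts = principalConfig == null ? null : principalConfig.split("[/@]");
        if (parts == null || parts.length != 3 || !HOSTNAME_PATTERN.equals(parts[1])) {
            return principalConfig; // fixed principal: returned unchanged, no lookup
        }
        String host = fqdn.get();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("no hostname available for substitution");
        }
        // Lowercasing is an assumption of this sketch; Kerberos names are case-sensitive.
        return parts[0] + "/" + host.toLowerCase(Locale.ROOT) + "@" + parts[2];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample address; getByAddress(host, bytes) performs no DNS query.
        InetAddress addr = InetAddress.getByAddress("NN1.Example.COM", new byte[] {10, 0, 0, 5});
        int[] lookups = {0};
        Supplier<String> lazyName = () -> {
            lookups[0]++;               // count how often the "lookup" runs
            return addr.getHostName();  // stands in for the reverse lookup
        };

        System.out.println(resolve("nn/_HOST@EXAMPLE.COM", lazyName));
        System.out.println(resolve("hdfs@EXAMPLE.COM", lazyName));
        System.out.println(resolve("nn/nn1.example.com@EXAMPLE.COM", lazyName));
        System.out.println("lookups performed: " + lookups[0]);
    }
}
```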
`protected static boolean isOriginalTGT(String name)`

`public static void fetchServiceTicket(URL remoteHost) throws IOException`

Parameters:
- `remoteHost` - Target URL the krb-https client will access

Throws:
- `IOException` - if a service ticket is not available

`public static String getServerPrincipal(String principalConfig, String hostname) throws IOException`

Parameters:
- `principalConfig` - the Kerberos principal name conf value to convert
- `hostname` - the fully-qualified domain name used for substitution

Throws:
- `IOException` - if the service ticket cannot be retrieved

`public static String getServerPrincipal(String principalConfig, InetAddress addr) throws IOException`

`getServerPrincipal(String, String)`, except 1) the reverse DNS lookup from addr to hostname is done only when necessary, 2) param addr can't be null (no default behavior of using local hostname when addr is null).

Parameters:
- `principalConfig` - Kerberos principal name pattern to convert
- `addr` - InetAddress of the host used for substitution

Throws:
- `IOException` - if the client address cannot be determined

`public static String getLocalHostName() throws UnknownHostException`

Throws:
- `UnknownHostException` - if no IP address for the local host could be found.

`public static void login(Configuration conf, String keytabFileKey, String userNameKey) throws IOException`

Parameters:
- `conf` - conf to use
- `keytabFileKey` - the key to look for keytab file in conf
- `userNameKey` - the key to look for user's Kerberos principal name in conf

Throws:
- `IOException` - if the client address cannot be determined

`public static void login(Configuration conf, String keytabFileKey, String userNameKey, String hostname) throws IOException`

Parameters:
- `conf` - conf to use
- `keytabFileKey` - the key to look for keytab file in conf
- `userNameKey` - the key to look for user's Kerberos principal name in conf
- `hostname` - hostname to use for substitution

Throws:
- `IOException` - if login fails

`public static InetSocketAddress getTokenServiceAddr(Token<?> token)`

Parameters:
- `token` - from which to obtain the service

`public static void setTokenService(Token<?> token, InetSocketAddress addr)`

Parameters:
- `token` - a delegation token
- `addr` - the socket for the rpc connection

`public static Text buildTokenService(InetSocketAddress addr)`

Parameters:
- `addr` - InetSocketAddress of remote connection with a token

`public static String buildDTServiceName(URI uri, int defPort)`

Parameters:
- `uri` - of the service
- `defPort` - is used if the uri lacks a port

See also: `buildTokenService(InetSocketAddress)`

`public static AccessControlList getAdminAcls(Configuration conf, String configKey)`

Parameters:
- `conf` -
- `configKey` - the key that holds the ACL string in its value

`public static String getHostFromPrincipal(String principalName)`

Parameters:
- `principalName` - principal name of format as described above

`public static boolean useKsslAuth()`

`public static URLConnection openSecureHttpConnection(URL url) throws IOException`

Parameters:
- `url` - to authenticate via SPNEGO.

Throws:
- `IOException` - If unable to authenticate via SPNEGO

`public static InetAddress getByName(String hostname) throws UnknownHostException`

Parameters:
- `hostname` - host or ip to resolve

Throws:
- `UnknownHostException` - if the host doesn't exist

Copyright © 2009 The Apache Software Foundation