HADOOP-13638. KMS should set UGI's Configuration object properly. Contributed by Wei-Chiu Chuang.

(cherry picked from commit fa397e74fe)

Conflicts:
	hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java

(cherry picked from commit 06187e4f98)

Conflicts:
	hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
This commit is contained in:
Xiao Chen 2016-09-26 13:00:57 -07:00
parent fa042ff9af
commit 09964a1629
2 changed files with 40 additions and 32 deletions

View File

@ -28,6 +28,7 @@ import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension; import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderFactory; import org.apache.hadoop.crypto.key.KeyProviderFactory;
import org.apache.hadoop.http.HttpServer2; import org.apache.hadoop.http.HttpServer2;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.util.VersionInfo; import org.apache.hadoop.util.VersionInfo;
import org.apache.log4j.PropertyConfigurator; import org.apache.log4j.PropertyConfigurator;
@ -121,6 +122,7 @@ public class KMSWebApp implements ServletContextListener {
} }
kmsConf = KMSConfiguration.getKMSConf(); kmsConf = KMSConfiguration.getKMSConf();
initLogging(confDir); initLogging(confDir);
UserGroupInformation.setConfiguration(kmsConf);
LOG.info("-------------------------------------------------------------"); LOG.info("-------------------------------------------------------------");
LOG.info(" Java runtime version : {}", System.getProperty( LOG.info(" Java runtime version : {}", System.getProperty(
"java.runtime.version")); "java.runtime.version"));

View File

@ -139,11 +139,31 @@ public class TestKMS {
} }
protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception { protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception {
Configuration conf = new Configuration(false); return createBaseKMSConf(keyStoreDir, null);
conf.set(KMSConfiguration.KEY_PROVIDER_URI, }
/**
* The Configuration object is shared by both KMS client and server in unit
* tests because UGI gets/sets it to a static variable.
* As a workaround, make sure the client configurations are copied to server
* so that client can read them.
* @param keyStoreDir where keystore is located.
* @param conf KMS client configuration
* @return KMS server configuration based on client.
* @throws Exception
*/
protected Configuration createBaseKMSConf(File keyStoreDir,
Configuration conf) throws Exception {
Configuration newConf;
if (conf == null) {
newConf = new Configuration(false);
} else {
newConf = new Configuration(conf);
}
newConf.set(KMSConfiguration.KEY_PROVIDER_URI,
"jceks://file@" + new Path(keyStoreDir.getAbsolutePath(), "kms.keystore").toUri()); "jceks://file@" + new Path(keyStoreDir.getAbsolutePath(), "kms.keystore").toUri());
conf.set("hadoop.kms.authentication.type", "simple"); newConf.set("hadoop.kms.authentication.type", "simple");
return conf; return newConf;
} }
public static void writeConf(File confDir, Configuration conf) public static void writeConf(File confDir, Configuration conf)
@ -272,9 +292,8 @@ public class TestKMS {
if (kerberos) { if (kerberos) {
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
} }
UserGroupInformation.setConfiguration(conf);
File testDir = getTestDir(); File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
final String keystore; final String keystore;
final String password; final String password;
@ -396,9 +415,8 @@ public class TestKMS {
final String specialKey = "key %^[\n{]}|\"<>\\"; final String specialKey = "key %^[\n{]}|\"<>\\";
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
File confDir = getTestDir(); File confDir = getTestDir();
conf = createBaseKMSConf(confDir); conf = createBaseKMSConf(confDir, conf);
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + specialKey + ".ALL", "*"); conf.set(KeyAuthorizationKeyProvider.KEY_ACL + specialKey + ".ALL", "*");
writeConf(confDir, conf); writeConf(confDir, conf);
@ -431,9 +449,8 @@ public class TestKMS {
public void testKMSProvider() throws Exception { public void testKMSProvider() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
File confDir = getTestDir(); File confDir = getTestDir();
conf = createBaseKMSConf(confDir); conf = createBaseKMSConf(confDir, conf);
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*"); conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.MANAGEMENT", "*"); conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.MANAGEMENT", "*");
conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.READ", "*"); conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.READ", "*");
@ -691,9 +708,8 @@ public class TestKMS {
public void testKeyACLs() throws Exception { public void testKeyACLs() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath()); keytab.getAbsolutePath());
@ -969,9 +985,8 @@ public class TestKMS {
public void doKMSRestart(boolean useKrb) throws Exception { public void doKMSRestart(boolean useKrb) throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
if (useKrb) { if (useKrb) {
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
} }
@ -1049,9 +1064,8 @@ public class TestKMS {
public void testKMSAuthFailureRetry() throws Exception { public void testKMSAuthFailureRetry() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath()); keytab.getAbsolutePath());
conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost"); conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
@ -1143,9 +1157,8 @@ public class TestKMS {
public void testACLs() throws Exception { public void testACLs() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath()); keytab.getAbsolutePath());
@ -1453,9 +1466,8 @@ public class TestKMS {
public void testKMSBlackList() throws Exception { public void testKMSBlackList() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
File testDir = getTestDir(); File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath()); keytab.getAbsolutePath());
@ -1542,9 +1554,8 @@ public class TestKMS {
public void testServicePrincipalACLs() throws Exception { public void testServicePrincipalACLs() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
File testDir = getTestDir(); File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath()); keytab.getAbsolutePath());
@ -1669,9 +1680,8 @@ public class TestKMS {
public void testDelegationTokenAccess() throws Exception { public void testDelegationTokenAccess() throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath()); keytab.getAbsolutePath());
@ -1752,9 +1762,8 @@ public class TestKMS {
private void testDelegationTokensOps(Configuration conf, private void testDelegationTokensOps(Configuration conf,
final boolean useKrb) throws Exception { final boolean useKrb) throws Exception {
UserGroupInformation.setConfiguration(conf);
File confDir = getTestDir(); File confDir = getTestDir();
conf = createBaseKMSConf(confDir); conf = createBaseKMSConf(confDir, conf);
if (useKrb) { if (useKrb) {
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
@ -1898,9 +1907,8 @@ public class TestKMS {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath()); conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost"); conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
@ -1988,9 +1996,8 @@ public class TestKMS {
public void doProxyUserTest(final boolean kerberos) throws Exception { public void doProxyUserTest(final boolean kerberos) throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
if (kerberos) { if (kerberos) {
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
} }
@ -2093,9 +2100,8 @@ public class TestKMS {
public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception { public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir); conf = createBaseKMSConf(testDir, conf);
if (kerberos) { if (kerberos) {
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
} }