svn merge -c 1593422 FIXES: MAPREDUCE-5884. History server uses short user name when canceling tokens. Contributed by Mohammad Kamrul Islam

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1593424 13f79535-47bb-0310-9956-ffa450edef68
Jason Darrell Lowe 2014-05-08 21:28:43 +00:00
parent 76bfc73cc9
commit 3019b2c7f0
4 changed files with 29 additions and 1 deletions


@ -74,6 +74,9 @@ Release 2.5.0 - UNRELEASED
MAPREDUCE-5749. TestRMContainerAllocator#testReportedAppProgress Failed MAPREDUCE-5749. TestRMContainerAllocator#testReportedAppProgress Failed
(jlowe) (jlowe)
MAPREDUCE-5884. History server uses short user name when canceling tokens
(Mohammad Kamrul Islam via jlowe)
Release 2.4.1 - UNRELEASED Release 2.4.1 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -396,7 +396,7 @@ public class HistoryClientService extends AbstractService {
.array(), new Text(protoToken.getKind()), new Text( .array(), new Text(protoToken.getKind()), new Text(
protoToken.getService())); protoToken.getService()));
String user = UserGroupInformation.getCurrentUser().getShortUserName(); String user = UserGroupInformation.getCurrentUser().getUserName();
jhsDTSecretManager.cancelToken(token, user); jhsDTSecretManager.cancelToken(token, user);
return Records.newRecord(CancelDelegationTokenResponse.class); return Records.newRecord(CancelDelegationTokenResponse.class);
} }
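Review bot: The switch to `getUserName()` on the `String user = ...` line carries no comment explaining why the full name is required, so a later cleanup could easily revert it to the short name. The test added in this commit shows that cancelling as "tokenOwner" is rejected when the token owner is "tokenOwner/localhost@LOCALHOST", so the canceller is evidently matched against the owner's full principal. I would add above that line `// cancelToken authorizes the canceller against the token owner's full principal name; a short name would be rejected for owners with a host or realm part.` The enclosing method starts outside the hunk.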


@ -30,6 +30,8 @@ import java.util.Map;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier; import org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.DelegationKey; import org.apache.hadoop.security.token.delegation.DelegationKey;
import org.junit.Test; import org.junit.Test;
@ -87,6 +89,24 @@ public class TestJHSDelegationTokenSecretManager {
assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1, assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1,
tokenId3.getSequenceNumber()); tokenId3.getSequenceNumber());
mgr.cancelToken(token1, "tokenOwner"); mgr.cancelToken(token1, "tokenOwner");
// Testing with full principal name
MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(
new Text("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"),
new Text("tokenUser"));
KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");
Token<MRDelegationTokenIdentifier> tokenFull = new Token<MRDelegationTokenIdentifier>(
tokenIdFull, mgr);
// Negative test
try {
mgr.cancelToken(tokenFull, "tokenOwner");
} catch (AccessControlException ace) {
assertTrue(ace.getMessage().contains(
"is not authorized to cancel the token"));
}
// Succeed to cancel with full principal
mgr.cancelToken(tokenFull, tokenIdFull.getOwner().toString());
long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate(); long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate();
mgr.stopThreads(); mgr.stopThreads();
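Review bot: The negative case at `mgr.cancelToken(tokenFull, "tokenOwner")` passes silently if no exception is thrown, because the try block has no failure assertion after the call. Add `fail("short name must not be allowed to cancel a token owned by a full principal");` as the next line inside the try, assuming `fail` is statically imported like `assertTrue`. Without it the test does not pin the authorization check it was written for. Separately, `KerberosName.setRules(...)` is a static call and the hunk does not restore the previous rules, so later tests in the same JVM may run with these rules; consider resetting them in a finally block or an @After method. The test method starts and ends outside the hunk.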


@ -198,6 +198,11 @@ public class TestJHSSecurity {
fail("Unexpected exception" + e); fail("Unexpected exception" + e);
} }
cancelDelegationToken(loggedInUser, hsService, token); cancelDelegationToken(loggedInUser, hsService, token);
// Testing the token with different renewer to cancel the token
Token tokenWithDifferentRenewer = getDelegationToken(loggedInUser,
hsService, "yarn");
cancelDelegationToken(loggedInUser, hsService, tokenWithDifferentRenewer);
if (clientUsingDT != null) { if (clientUsingDT != null) {
// RPC.stopProxy(clientUsingDT); // RPC.stopProxy(clientUsingDT);
clientUsingDT = null; clientUsingDT = null;
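Review bot: The comment above `getDelegationToken(loggedInUser, hsService, "yarn")` does not say what outcome is expected or why a different renewer matters. I would spell it out, e.g. `// The owner must be able to cancel a token whose renewer ("yarn") is another user, so the cancel has to be authorized by owner name alone.` This case presumably only catches a regression to the short name if loggedInUser's full user name differs from its short name, which is set up outside the hunk and worth confirming. The hunk shows no assertion after the cancel, so it appears to rely on cancelDelegationToken throwing on failure.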