svn merge -c 1593422 FIXES: MAPREDUCE-5884. History server uses short user name when canceling tokens. Contributed by Mohammad Kamrul Islam
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1593424 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
76bfc73cc9
commit
3019b2c7f0
|
@ -74,6 +74,9 @@ Release 2.5.0 - UNRELEASED
|
||||||
MAPREDUCE-5749. TestRMContainerAllocator#testReportedAppProgress Failed
|
MAPREDUCE-5749. TestRMContainerAllocator#testReportedAppProgress Failed
|
||||||
(jlowe)
|
(jlowe)
|
||||||
|
|
||||||
|
MAPREDUCE-5884. History server uses short user name when canceling tokens
|
||||||
|
(Mohammad Kamrul Islam via jlowe)
|
||||||
|
|
||||||
Release 2.4.1 - UNRELEASED
|
Release 2.4.1 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -396,7 +396,7 @@ public class HistoryClientService extends AbstractService {
|
||||||
.array(), new Text(protoToken.getKind()), new Text(
|
.array(), new Text(protoToken.getKind()), new Text(
|
||||||
protoToken.getService()));
|
protoToken.getService()));
|
||||||
|
|
||||||
String user = UserGroupInformation.getCurrentUser().getShortUserName();
|
String user = UserGroupInformation.getCurrentUser().getUserName();
|
||||||
jhsDTSecretManager.cancelToken(token, user);
|
jhsDTSecretManager.cancelToken(token, user);
|
||||||
return Records.newRecord(CancelDelegationTokenResponse.class);
|
return Records.newRecord(CancelDelegationTokenResponse.class);
|
||||||
}
|
}
|
||||||
|
|
|
@ -30,6 +30,8 @@ import java.util.Map;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
import org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier;
|
import org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier;
|
||||||
|
import org.apache.hadoop.security.AccessControlException;
|
||||||
|
import org.apache.hadoop.security.authentication.util.KerberosName;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.security.token.delegation.DelegationKey;
|
import org.apache.hadoop.security.token.delegation.DelegationKey;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
@ -87,6 +89,24 @@ public class TestJHSDelegationTokenSecretManager {
|
||||||
assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1,
|
assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1,
|
||||||
tokenId3.getSequenceNumber());
|
tokenId3.getSequenceNumber());
|
||||||
mgr.cancelToken(token1, "tokenOwner");
|
mgr.cancelToken(token1, "tokenOwner");
|
||||||
|
|
||||||
|
// Testing with full principal name
|
||||||
|
MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(
|
||||||
|
new Text("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"),
|
||||||
|
new Text("tokenUser"));
|
||||||
|
KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");
|
||||||
|
Token<MRDelegationTokenIdentifier> tokenFull = new Token<MRDelegationTokenIdentifier>(
|
||||||
|
tokenIdFull, mgr);
|
||||||
|
// Negative test
|
||||||
|
try {
|
||||||
|
mgr.cancelToken(tokenFull, "tokenOwner");
|
||||||
|
} catch (AccessControlException ace) {
|
||||||
|
assertTrue(ace.getMessage().contains(
|
||||||
|
"is not authorized to cancel the token"));
|
||||||
|
}
|
||||||
|
// Succeed to cancel with full principal
|
||||||
|
mgr.cancelToken(tokenFull, tokenIdFull.getOwner().toString());
|
||||||
|
|
||||||
long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate();
|
long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate();
|
||||||
mgr.stopThreads();
|
mgr.stopThreads();
|
||||||
|
|
||||||
|
|
|
@ -198,6 +198,11 @@ public class TestJHSSecurity {
|
||||||
fail("Unexpected exception" + e);
|
fail("Unexpected exception" + e);
|
||||||
}
|
}
|
||||||
cancelDelegationToken(loggedInUser, hsService, token);
|
cancelDelegationToken(loggedInUser, hsService, token);
|
||||||
|
|
||||||
|
// Testing the token with different renewer to cancel the token
|
||||||
|
Token tokenWithDifferentRenewer = getDelegationToken(loggedInUser,
|
||||||
|
hsService, "yarn");
|
||||||
|
cancelDelegationToken(loggedInUser, hsService, tokenWithDifferentRenewer);
|
||||||
if (clientUsingDT != null) {
|
if (clientUsingDT != null) {
|
||||||
// RPC.stopProxy(clientUsingDT);
|
// RPC.stopProxy(clientUsingDT);
|
||||||
clientUsingDT = null;
|
clientUsingDT = null;
|
||||||
|
|
Loading…
Reference in New Issue