From 310e59acd5753a3ef6469bd43625ced53c16155b Mon Sep 17 00:00:00 2001 From: Robert Joseph Evans Date: Mon, 5 Nov 2012 18:32:33 +0000 Subject: [PATCH] svn merge -c 1405904 FIXES: HADOOP-9009. Add SecurityUtil methods to get/set authentication method (daryn via bobby) git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1405905 13f79535-47bb-0310-9956-ffa450edef68 --- .../hadoop-common/CHANGES.txt | 3 + .../apache/hadoop/security/SecurityUtil.java | 21 +++++++ .../hadoop/security/UserGroupInformation.java | 8 +-- .../apache/hadoop/ipc/MiniRPCBenchmark.java | 5 +- .../java/org/apache/hadoop/ipc/TestRPC.java | 25 +++++++-- .../org/apache/hadoop/ipc/TestSaslRPC.java | 28 +++++----- .../security/TestDoAsEffectiveUser.java | 8 +-- .../hadoop/security/TestSecurityUtil.java | 56 +++++++++++++++++-- 8 files changed, 118 insertions(+), 36 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 3555f8188ff..0f75482a9a6 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -61,6 +61,9 @@ Release 2.0.3-alpha - Unreleased HADOOP-8985. Add namespace declarations in .proto files for languages other than java. (Binglin Chan via suresh) + HADOOP-9009. Add SecurityUtil methods to get/set authentication method + (daryn via bobby) + OPTIMIZATIONS HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java index da0aa251a39..e900acfeaab 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java 
@@ -16,6 +16,8 @@ */ package org.apache.hadoop.security; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; + import java.io.IOException; import java.net.InetAddress; import java.net.InetSocketAddress; @@ -44,6 +46,7 @@ import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.http.HttpConfig; import org.apache.hadoop.io.Text; import org.apache.hadoop.net.NetUtils; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.authentication.client.AuthenticatedURL; import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.ssl.SSLFactory; @@ -665,4 +668,22 @@ public class SecurityUtil { } } + public static AuthenticationMethod getAuthenticationMethod(Configuration conf) { + String value = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple"); + try { + return Enum.valueOf(AuthenticationMethod.class, value.toUpperCase()); + } catch (IllegalArgumentException iae) { + throw new IllegalArgumentException("Invalid attribute value for " + + HADOOP_SECURITY_AUTHENTICATION + " of " + value); + } + } + + public static void setAuthenticationMethod( + AuthenticationMethod authenticationMethod, Configuration conf) { + if (authenticationMethod == null) { + authenticationMethod = AuthenticationMethod.SIMPLE; + } + conf.set(HADOOP_SECURITY_AUTHENTICATION, + authenticationMethod.toString().toLowerCase()); + } } diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index 64ca98cf28a..cefe989ca11 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java 
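Review bot: In `getAuthenticationMethod` (SecurityUtil.java, hunk `@@ -665`), `value.toUpperCase()` uses the JVM default locale, so under a Turkish locale the default `simple` becomes `SİMPLE` and `Enum.valueOf` rejects it; likewise `toString().toLowerCase()` in `setAuthenticationMethod` would write `sımple` into the configuration. Pass an explicit locale in both places, e.g. `value.toUpperCase(Locale.ENGLISH)` and `authenticationMethod.toString().toLowerCase(Locale.ENGLISH)`, importing `java.util.Locale` if the file does not already have it. Separately, `setAuthenticationMethod` maps a null argument to `SIMPLE`, so a caller bug silently writes the weakest setting; rejecting null, or at least stating the fallback in Javadoc, would make that explicit. The catch block also drops `iae`; passing it as the cause keeps the original stack trace.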
@@ -235,15 +235,15 @@ public class UserGroupInformation { * @param conf the configuration to use */ private static synchronized void initUGI(Configuration conf) { - String value = conf.get(HADOOP_SECURITY_AUTHENTICATION); - if (value == null || "simple".equals(value)) { + AuthenticationMethod auth = SecurityUtil.getAuthenticationMethod(conf); + if (auth == AuthenticationMethod.SIMPLE) { useKerberos = false; - } else if ("kerberos".equals(value)) { + } else if (auth == AuthenticationMethod.KERBEROS) { useKerberos = true; } else { throw new IllegalArgumentException("Invalid attribute value for " + HADOOP_SECURITY_AUTHENTICATION + - " of " + value); + " of " + auth); } // If we haven't set up testing groups, use the configuration to find it if (!(groups instanceof TestingGroups)) { diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java index 5130bad1a69..edf95d74809 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/MiniRPCBenchmark.java @@ -30,7 +30,6 @@ import junit.framework.Assert; import org.apache.commons.logging.impl.Log4JLogger; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.io.Text; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.KerberosInfo; @@ -380,9 +379,7 @@ public class MiniRPCBenchmark { elapsedTime = mb.runMiniBenchmarkWithDelegationToken( conf, count, KEYTAB_FILE_KEY, USER_NAME_KEY); } else { - String auth = - conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, - "simple"); + String auth = SecurityUtil.getAuthenticationMethod(conf).toString(); System.out.println( "Running MiniRPCBenchmark with " + auth + " authentication."); elapsedTime = mb.runMiniBenchmark( 
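Review bot: In `initUGI` (UserGroupInformation.java), the retained `else` branch is now the only check that rejects a name which parses as an `AuthenticationMethod` but is not SIMPLE or KERBEROS, while the public `SecurityUtil.getAuthenticationMethod` returns such a value to every other caller unchecked. Which further constants the enum has is not visible in this hunk, but the branch implies there are some. Consider enforcing the restriction in the getter, or add a comment on the branch such as `// other enum constants parse but are not valid values for HADOOP_SECURITY_AUTHENTICATION`. The message also changes from the raw configured string to the enum name (`" of " + auth`), so an operator sees the upper-cased constant rather than what was typed. `initUGI` continues past the end of the hunk.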
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java index 732431d2a18..745eb792842 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestRPC.java @@ -55,13 +55,16 @@ import org.apache.hadoop.ipc.Client.ConnectionId; import org.apache.hadoop.metrics2.MetricsRecordBuilder; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.authorize.PolicyProvider; import org.apache.hadoop.security.authorize.Service; import org.apache.hadoop.security.token.SecretManager; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.test.MockitoUtil; +import org.junit.Before; import org.junit.Test; import com.google.protobuf.DescriptorProtos; @@ -75,11 +78,14 @@ public class TestRPC { public static final Log LOG = LogFactory.getLog(TestRPC.class); - private static Configuration conf = new Configuration(); + private static Configuration conf; - static { + @Before + public void setupConf() { + conf = new Configuration(); conf.setClass("rpc.engine." + StoppedProtocol.class.getName(), StoppedRpcEngine.class, RpcEngine.class); + UserGroupInformation.setConfiguration(conf); } int datasize = 1024*100; 
@@ -676,11 +682,17 @@ public class TestRPC { @Test public void testErrorMsgForInsecureClient() throws Exception { - final Server server = new RPC.Builder(conf).setProtocol(TestProtocol.class) + Configuration serverConf = new Configuration(conf); + SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, + serverConf); + UserGroupInformation.setConfiguration(serverConf); + + final Server server = new RPC.Builder(serverConf).setProtocol(TestProtocol.class) .setInstance(new TestImpl()).setBindAddress(ADDRESS).setPort(0) .setNumHandlers(5).setVerbose(true).build(); - server.enableSecurity(); server.start(); + + UserGroupInformation.setConfiguration(conf); boolean succeeded = false; final InetSocketAddress addr = NetUtils.getConnectAddress(server); TestProtocol proxy = null; @@ -702,17 +714,18 @@ public class TestRPC { conf.setInt(CommonConfigurationKeys.IPC_SERVER_RPC_READ_THREADS_KEY, 2); - final Server multiServer = new RPC.Builder(conf) + UserGroupInformation.setConfiguration(serverConf); + final Server multiServer = new RPC.Builder(serverConf) .setProtocol(TestProtocol.class).setInstance(new TestImpl()) .setBindAddress(ADDRESS).setPort(0).setNumHandlers(5).setVerbose(true) .build(); - multiServer.enableSecurity(); multiServer.start(); succeeded = false; final InetSocketAddress mulitServerAddr = NetUtils.getConnectAddress(multiServer); proxy = null; try { + UserGroupInformation.setConfiguration(conf); proxy = (TestProtocol) RPC.getProxy(TestProtocol.class, TestProtocol.versionID, mulitServerAddr, conf); proxy.echo(""); diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java index 1410a133005..aae2c6d4e0f 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/ipc/TestSaslRPC.java 
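Review bot: In hunk `@@ -702` of TestRPC.java, `multiServer` is now built from `serverConf`, but the context line just above still sets `IPC_SERVER_RPC_READ_THREADS_KEY` on `conf`, after `serverConf` was copied from `conf` at the top of `testErrorMsgForInsecureClient`. Assuming `new Configuration(conf)` takes a snapshot, the second server no longer runs with two reader threads, so the multi-reader half of the test repeats the first half. Setting the value on the copy restores the intent: `serverConf.setInt(CommonConfigurationKeys.IPC_SERVER_RPC_READ_THREADS_KEY, 2);`. The method begins in the previous hunk and continues past this one.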
@@ -18,8 +18,9 @@ package org.apache.hadoop.ipc; -import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; +import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.*; import static org.junit.Assert.*; + import java.io.DataInput; import java.io.DataOutput; import java.io.IOException; @@ -78,7 +79,7 @@ public class TestSaslRPC { @BeforeClass public static void setup() { conf = new Configuration(); - conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos"); + SecurityUtil.setAuthenticationMethod(KERBEROS, conf); UserGroupInformation.setConfiguration(conf); } @@ -263,7 +264,6 @@ public class TestSaslRPC { Server server = new RPC.Builder(conf).setProtocol(TestSaslProtocol.class) .setInstance(new TestSaslImpl()).setBindAddress(ADDRESS).setPort(0) .setNumHandlers(5).setVerbose(true).build(); - server.disableSecurity(); TestTokenSecretManager sm = new TestTokenSecretManager(); doDigestRpc(server, sm); } @@ -345,7 +345,7 @@ public class TestSaslRPC { new InetSocketAddress(0), TestSaslProtocol.class, null, 0, newConf); assertEquals(SERVER_PRINCIPAL_1, remoteId.getServerPrincipal()); // this following test needs security to be off - newConf.set(HADOOP_SECURITY_AUTHENTICATION, "simple"); + SecurityUtil.setAuthenticationMethod(SIMPLE, newConf); UserGroupInformation.setConfiguration(newConf); remoteId = ConnectionId.getConnectionId(new InetSocketAddress(0), TestSaslProtocol.class, null, 0, newConf); 
@@ -536,15 +536,15 @@ public class TestSaslRPC { final boolean useToken ) throws Exception { + Configuration serverConf = new Configuration(conf); + SecurityUtil.setAuthenticationMethod( + isSecureServer ? KERBEROS : SIMPLE, serverConf); + UserGroupInformation.setConfiguration(serverConf); + TestTokenSecretManager sm = new TestTokenSecretManager(); - Server server = new RPC.Builder(conf).setProtocol(TestSaslProtocol.class) + Server server = new RPC.Builder(serverConf).setProtocol(TestSaslProtocol.class) .setInstance(new TestSaslImpl()).setBindAddress(ADDRESS).setPort(0) .setNumHandlers(5).setVerbose(true).setSecretManager(sm).build(); - if (isSecureServer) { - server.enableSecurity(); - } else { - server.disableSecurity(); - } server.start(); final UserGroupInformation current = UserGroupInformation.getCurrentUser(); @@ -558,8 +558,10 @@ public class TestSaslRPC { current.addToken(token); } - conf.set(HADOOP_SECURITY_AUTHENTICATION, isSecureClient ? "kerberos" : "simple"); - UserGroupInformation.setConfiguration(conf); + final Configuration clientConf = new Configuration(conf); + SecurityUtil.setAuthenticationMethod( + isSecureClient ? KERBEROS : SIMPLE, clientConf); + UserGroupInformation.setConfiguration(clientConf); try { return current.doAs(new PrivilegedExceptionAction() { @Override @@ -567,7 +569,7 @@ public class TestSaslRPC { TestSaslProtocol proxy = null; try { proxy = (TestSaslProtocol) RPC.getProxy(TestSaslProtocol.class, - TestSaslProtocol.versionID, addr, conf); + TestSaslProtocol.versionID, addr, clientConf); return proxy.getAuthMethod(); } finally { if (proxy != null) { diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java index 529124eddf1..129d4a06d0a 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java 
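Review bot: The helper patched at `@@ -536` and `@@ -558` of TestSaslRPC.java returns with the process-wide UGI configuration still set to `clientConf`, while the class installs its Kerberos configuration only once, in `@BeforeClass setup()`. A test that runs after a call with `isSecureClient` false would therefore start with simple authentication in UGI and may pass or fail for the wrong reason. Restoring the class configuration in the method's cleanup, e.g. `UserGroupInformation.setConfiguration(conf);` in a `finally`, keeps the tests independent of execution order. The end of the method, including any existing `finally`, is outside the visible hunks.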
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestDoAsEffectiveUser.java @@ -28,13 +28,13 @@ import java.util.Enumeration; import junit.framework.Assert; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.io.Text; import org.apache.hadoop.ipc.ProtocolSignature; import org.apache.hadoop.ipc.RPC; import org.apache.hadoop.ipc.Server; import org.apache.hadoop.ipc.VersionedProtocol; import org.apache.hadoop.net.NetUtils; +import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenInfo; @@ -416,8 +416,7 @@ public class TestDoAsEffectiveUser { public void testProxyWithToken() throws Exception { final Configuration conf = new Configuration(masterConf); TestTokenSecretManager sm = new TestTokenSecretManager(); - conf - .set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); + SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf); UserGroupInformation.setConfiguration(conf); final Server server = new RPC.Builder(conf).setProtocol(TestProtocol.class) .setInstance(new TestImpl()).setBindAddress(ADDRESS).setPort(0) @@ -471,8 +470,7 @@ public class TestDoAsEffectiveUser { public void testTokenBySuperUser() throws Exception { TestTokenSecretManager sm = new TestTokenSecretManager(); final Configuration newConf = new Configuration(masterConf); - newConf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, - "kerberos"); + SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, newConf); UserGroupInformation.setConfiguration(newConf); final Server server = new RPC.Builder(newConf) .setProtocol(TestProtocol.class).setInstance(new TestImpl()) 
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java index cc22796ab1f..f7096394133 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestSecurityUtil.java @@ -16,6 +16,8 @@ */ package org.apache.hadoop.security; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; +import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.*; import static org.junit.Assert.*; import java.io.IOException; @@ -29,10 +31,19 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.io.Text; import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.security.token.Token; +import org.apache.hadoop.security.token.TokenIdentifier; +import org.junit.BeforeClass; import org.junit.Test; import org.mockito.Mockito; public class TestSecurityUtil { + @BeforeClass + public static void unsetKerberosRealm() { + // prevent failures if kinit-ed or on os x with no realm + System.setProperty("java.security.krb5.kdc", ""); + System.setProperty("java.security.krb5.realm", "NONE"); + } + @Test public void isOriginalTGTReturnsCorrectValues() { assertTrue(SecurityUtil.isTGSPrincipal @@ -111,9 +122,7 @@ public class TestSecurityUtil { @Test public void testStartsWithIncorrectSettings() throws IOException { Configuration conf = new Configuration(); - conf.set( - org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, - "kerberos"); + SecurityUtil.setAuthenticationMethod(KERBEROS, conf); String keyTabKey="key"; conf.set(keyTabKey, ""); UserGroupInformation.setConfiguration(conf); 
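Review bot: `unsetKerberosRealm()` in TestSecurityUtil.java overwrites the JVM-wide `java.security.krb5.kdc` and `java.security.krb5.realm` properties and nothing puts them back. If the build runs several test classes in one JVM, later classes inherit a realm of `NONE`. Saving the previous values and restoring them in an `@AfterClass` method contains the change; this needs an `org.junit.AfterClass` import.

```java
  private static String savedKdc;
  private static String savedRealm;

  @BeforeClass
  public static void unsetKerberosRealm() {
    savedKdc = System.getProperty("java.security.krb5.kdc");
    savedRealm = System.getProperty("java.security.krb5.realm");
    // … unchanged: the two System.setProperty calls …
  }

  @AfterClass
  public static void restoreKerberosRealm() {
    restoreProperty("java.security.krb5.kdc", savedKdc);
    restoreProperty("java.security.krb5.realm", savedRealm);
  }

  private static void restoreProperty(String key, String value) {
    if (value == null) {
      System.clearProperty(key);
    } else {
      System.setProperty(key, value);
    }
  }
```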
@@ -256,7 +265,7 @@ public class TestSecurityUtil { SecurityUtil.setTokenServiceUseIp(useIp); String serviceHost = useIp ? ip : host.toLowerCase(); - Token token = new Token(); + Token token = new Token(); Text service = new Text(serviceHost+":"+port); assertEquals(service, SecurityUtil.buildTokenService(addr)); @@ -345,4 +354,43 @@ public class TestSecurityUtil { NetUtils.addStaticResolution(staticHost, "255.255.255.255"); verifyServiceAddr(staticHost, "255.255.255.255"); } + + @Test + public void testGetAuthenticationMethod() { + Configuration conf = new Configuration(); + // default is simple + conf.unset(HADOOP_SECURITY_AUTHENTICATION); + assertEquals(SIMPLE, SecurityUtil.getAuthenticationMethod(conf)); + // simple + conf.set(HADOOP_SECURITY_AUTHENTICATION, "simple"); + assertEquals(SIMPLE, SecurityUtil.getAuthenticationMethod(conf)); + // kerberos + conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos"); + assertEquals(KERBEROS, SecurityUtil.getAuthenticationMethod(conf)); + // bad value + conf.set(HADOOP_SECURITY_AUTHENTICATION, "kaboom"); + String error = null; + try { + SecurityUtil.getAuthenticationMethod(conf); + } catch (Exception e) { + error = e.toString(); + } + assertEquals("java.lang.IllegalArgumentException: " + + "Invalid attribute value for " + + HADOOP_SECURITY_AUTHENTICATION + " of kaboom", error); + } + + @Test + public void testSetAuthenticationMethod() { + Configuration conf = new Configuration(); + // default + SecurityUtil.setAuthenticationMethod(null, conf); + assertEquals("simple", conf.get(HADOOP_SECURITY_AUTHENTICATION)); + // simple + SecurityUtil.setAuthenticationMethod(SIMPLE, conf); + assertEquals("simple", conf.get(HADOOP_SECURITY_AUTHENTICATION)); + // kerberos + SecurityUtil.setAuthenticationMethod(KERBEROS, conf); + assertEquals("kerberos", conf.get(HADOOP_SECURITY_AUTHENTICATION)); + } }
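Review bot: `testGetAuthenticationMethod` feeds only lower-case values, so the case folding that `getAuthenticationMethod` introduces is not pinned. A case such as `conf.set(HADOOP_SECURITY_AUTHENTICATION, "Kerberos");` followed by `assertEquals(KERBEROS, SecurityUtil.getAuthenticationMethod(conf));` would cover it. The bad-value check catches `Exception` and compares `toString()`, which is looser than catching `IllegalArgumentException` and comparing `getMessage()`. `testSetAuthenticationMethod` also asserts the null-to-`simple` fallback, so a comment there such as `// null deliberately falls back to simple authentication` would record that the downgrade is intended.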