From 3f8f860cc65e179dd5766fea4d21cf30fa4b96e3 Mon Sep 17 00:00:00 2001 From: Alejandro Abdelnur Date: Wed, 17 Sep 2014 11:11:15 -0700 Subject: [PATCH] Revert "HADOOP-10982" This reverts commit d9a86031a077184d429dd5463e7da156df112011. --- .../crypto/key/kms/KMSClientProvider.java | 3 -- .../hadoop-kms/src/site/apt/index.apt.vm | 26 +-------- .../hadoop/crypto/key/kms/server/TestKMS.java | 54 ++++--------------- 3 files changed, 11 insertions(+), 72 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java index a97463ac881..899b6c44dc7 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java @@ -45,7 +45,6 @@ import java.io.InputStream; import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.Writer; -import java.lang.reflect.UndeclaredThrowableException; import java.net.HttpURLConnection; import java.net.SocketTimeoutException; import java.net.URI; @@ -401,8 +400,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, }); } catch (IOException ex) { throw ex; - } catch (UndeclaredThrowableException ex) { - throw new IOException(ex.getUndeclaredThrowable()); } catch (Exception ex) { throw new IOException(ex); } diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm index 682f4795d89..5fded9282c7 100644 --- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm +++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm @@ -602,31 +602,7 @@ $ keytool -genkey -alias tomcat -keyalg RSA *** HTTP Kerberos Principals Configuration - When KMS instances are behind a load-balancer or VIP, clients will use the - hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the - URL is used to construct the Kerberos service name of the server, - <<>>. This means that all KMS instances must have have a - Kerberos service name with the load-balancer or VIP hostname. - - In order to be able to access directly a specific KMS instance, the KMS - instance must also have Kebero service name with its own hostname. This is - require for monitoring and admin purposes. - - Both Kerberos service principal credentials (for the load-balancer/VIP - hostname and for the actual KMS instance hostname) must be in the keytab file - configured for authentication. And the principal name specified in the - configuration must be '*'. For example: - -+---+ - - hadoop.kms.authentication.kerberos.principal - * - -+---+ - - <> If using HTTPS, the SSL certificate used by the KMS instance must - be configured to support multiple hostnames (see Java 7 - <<> SAN extension support for details on how to do this). + TBD *** HTTP Authentication Signature diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java index 42afe19a73f..cdb3c7f5098 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java @@ -32,7 +32,6 @@ import org.apache.hadoop.minikdc.MiniKdc; import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.ssl.KeyStoreTestUtil; import org.junit.AfterClass; @@ -210,7 +209,6 @@ public class TestKMS { keytab = new File(kdcDir, "keytab"); List principals = new ArrayList(); principals.add("HTTP/localhost"); - principals.add("HTTP/127.0.0.1"); principals.add("client"); principals.add("hdfs"); principals.add("otheradmin"); @@ -253,8 +251,8 @@ public class TestKMS { } } - public void testStartStop(final boolean ssl, final boolean kerberos, - final boolean multipleServerPrincipals) throws Exception { + public void testStartStop(final boolean ssl, final boolean kerberos) + throws Exception { Configuration conf = new Configuration(); if (kerberos) { conf.set("hadoop.security.authentication", "kerberos"); @@ -280,12 +278,7 @@ public class TestKMS { conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath()); - if (multipleServerPrincipals) { - conf.set("hadoop.kms.authentication.kerberos.principal", "*"); - } else { - conf.set("hadoop.kms.authentication.kerberos.principal", - "HTTP/localhost"); - } + conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost"); conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT"); } @@ -298,42 +291,21 @@ public class TestKMS { URL url = getKMSUrl(); Assert.assertEquals(keystore != null, url.getProtocol().equals("https")); + final URI uri = createKMSUri(getKMSUrl()); if (kerberos) { for (String user : new String[]{"client", "client/host"}) { doAs(user, new PrivilegedExceptionAction() { @Override public Void run() throws Exception { - URI uri = createKMSUri(getKMSUrl()); - KeyProvider kp = new KMSClientProvider(uri, conf); + final KeyProvider kp = new KMSClientProvider(uri, conf); // getKeys() empty Assert.assertTrue(kp.getKeys().isEmpty()); - - if (!ssl) { - String url = getKMSUrl().toString(); - url = url.replace("localhost", "127.0.0.1"); - uri = createKMSUri(new URL(url)); - if (multipleServerPrincipals) { - kp = new KMSClientProvider(uri, conf); - // getKeys() empty - Assert.assertTrue(kp.getKeys().isEmpty()); - } else { - kp = new KMSClientProvider(uri, conf); - try { - kp.getKeys().isEmpty(); - Assert.fail(); - } catch (IOException ex) { - Assert.assertEquals(AuthenticationException.class, - ex.getCause().getClass()); - } - } - } return null; } }); } } else { - URI uri = createKMSUri(getKMSUrl()); KeyProvider kp = new KMSClientProvider(uri, conf); // getKeys() empty Assert.assertTrue(kp.getKeys().isEmpty()); @@ -345,27 +317,22 @@ public class TestKMS { @Test public void testStartStopHttpPseudo() throws Exception { - testStartStop(false, false, false); + testStartStop(false, false); } @Test public void testStartStopHttpsPseudo() throws Exception { - testStartStop(true, false, false); + testStartStop(true, false); } @Test public void testStartStopHttpKerberos() throws Exception { - testStartStop(false, true, false); + testStartStop(false, true); } @Test public void testStartStopHttpsKerberos() throws Exception { - testStartStop(true, true, false); - } - - @Test - public void testStartStopHttpsKerberosMultiplePrincipals() throws Exception { - testStartStop(false, true, true); + testStartStop(true, true); } @Test @@ -1373,8 +1340,7 @@ public class TestKMS { KeyProvider kp = new KMSClientProvider(uri, conf); kp.createKey("kA", new KeyProvider.Options(conf)); } catch (IOException ex) { - Assert.assertEquals(AuthenticationException.class, - ex.getCause().getClass()); + System.out.println(ex.getMessage()); } doAs("client", new PrivilegedExceptionAction() {