Revert "HADOOP-10982"

This reverts commit d9a86031a0.
This commit is contained in:
Alejandro Abdelnur 2014-09-17 11:11:15 -07:00
parent d9a86031a0
commit 3f8f860cc6
3 changed files with 11 additions and 72 deletions

View File

@ -45,7 +45,6 @@ import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
import java.io.OutputStreamWriter; import java.io.OutputStreamWriter;
import java.io.Writer; import java.io.Writer;
import java.lang.reflect.UndeclaredThrowableException;
import java.net.HttpURLConnection; import java.net.HttpURLConnection;
import java.net.SocketTimeoutException; import java.net.SocketTimeoutException;
import java.net.URI; import java.net.URI;
@ -401,8 +400,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
}); });
} catch (IOException ex) { } catch (IOException ex) {
throw ex; throw ex;
} catch (UndeclaredThrowableException ex) {
throw new IOException(ex.getUndeclaredThrowable());
} catch (Exception ex) { } catch (Exception ex) {
throw new IOException(ex); throw new IOException(ex);
} }

View File

@ -602,31 +602,7 @@ $ keytool -genkey -alias tomcat -keyalg RSA
*** HTTP Kerberos Principals Configuration *** HTTP Kerberos Principals Configuration
When KMS instances are behind a load-balancer or VIP, clients will use the TBD
hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the
URL is used to construct the Kerberos service name of the server,
<<<HTTP/#HOSTNAME#>>>. This means that all KMS instances must have have a
Kerberos service name with the load-balancer or VIP hostname.
In order to be able to access directly a specific KMS instance, the KMS
instance must also have Kebero service name with its own hostname. This is
require for monitoring and admin purposes.
Both Kerberos service principal credentials (for the load-balancer/VIP
hostname and for the actual KMS instance hostname) must be in the keytab file
configured for authentication. And the principal name specified in the
configuration must be '*'. For example:
+---+
<property>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>*</value>
</property>
+---+
<<NOTE:>> If using HTTPS, the SSL certificate used by the KMS instance must
be configured to support multiple hostnames (see Java 7
<<<keytool>> SAN extension support for details on how to do this).
*** HTTP Authentication Signature *** HTTP Authentication Signature

View File

@ -32,7 +32,6 @@ import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil; import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.junit.AfterClass; import org.junit.AfterClass;
@ -210,7 +209,6 @@ public class TestKMS {
keytab = new File(kdcDir, "keytab"); keytab = new File(kdcDir, "keytab");
List<String> principals = new ArrayList<String>(); List<String> principals = new ArrayList<String>();
principals.add("HTTP/localhost"); principals.add("HTTP/localhost");
principals.add("HTTP/127.0.0.1");
principals.add("client"); principals.add("client");
principals.add("hdfs"); principals.add("hdfs");
principals.add("otheradmin"); principals.add("otheradmin");
@ -253,8 +251,8 @@ public class TestKMS {
} }
} }
public void testStartStop(final boolean ssl, final boolean kerberos, public void testStartStop(final boolean ssl, final boolean kerberos)
final boolean multipleServerPrincipals) throws Exception { throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
if (kerberos) { if (kerberos) {
conf.set("hadoop.security.authentication", "kerberos"); conf.set("hadoop.security.authentication", "kerberos");
@ -280,12 +278,7 @@ public class TestKMS {
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
keytab.getAbsolutePath()); keytab.getAbsolutePath());
if (multipleServerPrincipals) { conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
conf.set("hadoop.kms.authentication.kerberos.principal", "*");
} else {
conf.set("hadoop.kms.authentication.kerberos.principal",
"HTTP/localhost");
}
conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT"); conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
} }
@ -298,42 +291,21 @@ public class TestKMS {
URL url = getKMSUrl(); URL url = getKMSUrl();
Assert.assertEquals(keystore != null, Assert.assertEquals(keystore != null,
url.getProtocol().equals("https")); url.getProtocol().equals("https"));
final URI uri = createKMSUri(getKMSUrl());
if (kerberos) { if (kerberos) {
for (String user : new String[]{"client", "client/host"}) { for (String user : new String[]{"client", "client/host"}) {
doAs(user, new PrivilegedExceptionAction<Void>() { doAs(user, new PrivilegedExceptionAction<Void>() {
@Override @Override
public Void run() throws Exception { public Void run() throws Exception {
URI uri = createKMSUri(getKMSUrl()); final KeyProvider kp = new KMSClientProvider(uri, conf);
KeyProvider kp = new KMSClientProvider(uri, conf);
// getKeys() empty // getKeys() empty
Assert.assertTrue(kp.getKeys().isEmpty()); Assert.assertTrue(kp.getKeys().isEmpty());
if (!ssl) {
String url = getKMSUrl().toString();
url = url.replace("localhost", "127.0.0.1");
uri = createKMSUri(new URL(url));
if (multipleServerPrincipals) {
kp = new KMSClientProvider(uri, conf);
// getKeys() empty
Assert.assertTrue(kp.getKeys().isEmpty());
} else {
kp = new KMSClientProvider(uri, conf);
try {
kp.getKeys().isEmpty();
Assert.fail();
} catch (IOException ex) {
Assert.assertEquals(AuthenticationException.class,
ex.getCause().getClass());
}
}
}
return null; return null;
} }
}); });
} }
} else { } else {
URI uri = createKMSUri(getKMSUrl());
KeyProvider kp = new KMSClientProvider(uri, conf); KeyProvider kp = new KMSClientProvider(uri, conf);
// getKeys() empty // getKeys() empty
Assert.assertTrue(kp.getKeys().isEmpty()); Assert.assertTrue(kp.getKeys().isEmpty());
@ -345,27 +317,22 @@ public class TestKMS {
@Test @Test
public void testStartStopHttpPseudo() throws Exception { public void testStartStopHttpPseudo() throws Exception {
testStartStop(false, false, false); testStartStop(false, false);
} }
@Test @Test
public void testStartStopHttpsPseudo() throws Exception { public void testStartStopHttpsPseudo() throws Exception {
testStartStop(true, false, false); testStartStop(true, false);
} }
@Test @Test
public void testStartStopHttpKerberos() throws Exception { public void testStartStopHttpKerberos() throws Exception {
testStartStop(false, true, false); testStartStop(false, true);
} }
@Test @Test
public void testStartStopHttpsKerberos() throws Exception { public void testStartStopHttpsKerberos() throws Exception {
testStartStop(true, true, false); testStartStop(true, true);
}
@Test
public void testStartStopHttpsKerberosMultiplePrincipals() throws Exception {
testStartStop(false, true, true);
} }
@Test @Test
@ -1373,8 +1340,7 @@ public class TestKMS {
KeyProvider kp = new KMSClientProvider(uri, conf); KeyProvider kp = new KMSClientProvider(uri, conf);
kp.createKey("kA", new KeyProvider.Options(conf)); kp.createKey("kA", new KeyProvider.Options(conf));
} catch (IOException ex) { } catch (IOException ex) {
Assert.assertEquals(AuthenticationException.class, System.out.println(ex.getMessage());
ex.getCause().getClass());
} }
doAs("client", new PrivilegedExceptionAction<Void>() { doAs("client", new PrivilegedExceptionAction<Void>() {