Revert "HADOOP-10982"

This reverts commit d9a86031a0.
2014-09-17 11:11:15 -07:00 · 2014-09-17 11:11:15 -07:00 · 3f8f860cc6
parent d9a86031a0
commit 3f8f860cc6
3 changed files with 11 additions and 72 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@ -45,7 +45,6 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.Writer;
-import java.lang.reflect.UndeclaredThrowableException;
 import java.net.HttpURLConnection;
 import java.net.SocketTimeoutException;
 import java.net.URI;
@ -401,8 +400,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
      });
    } catch (IOException ex) {
      throw ex;
-    } catch (UndeclaredThrowableException ex) {
-      throw new IOException(ex.getUndeclaredThrowable());
    } catch (Exception ex) {
      throw new IOException(ex);
    }
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
@ -602,31 +602,7 @@ $ keytool -genkey -alias tomcat -keyalg RSA

 *** HTTP Kerberos Principals Configuration

-  When KMS instances are behind a load-balancer or VIP, clients will use the
-  hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the
-  URL is used to construct the Kerberos service name of the server,
-  <<<HTTP/#HOSTNAME#>>>. This means that all KMS instances must have have a
-  Kerberos service name with the load-balancer or VIP hostname.
-
-  In order to be able to access directly a specific KMS instance, the KMS
-  instance must also have Kebero service name with its own hostname. This is
-  require for monitoring and admin purposes.
-
-  Both Kerberos service principal credentials (for the load-balancer/VIP
-  hostname and for the actual KMS instance hostname) must be in the keytab file
-  configured for authentication. And the principal name specified in the
-  configuration must be '*'. For example:
-
-+---+
-  <property>
-    <name>hadoop.kms.authentication.kerberos.principal</name>
-    <value>*</value>
-  </property>
-+---+
-
-  <<NOTE:>> If using HTTPS, the SSL certificate used by the KMS instance must
-  be configured to support multiple hostnames (see Java 7
-  <<<keytool>> SAN extension support for details on how to do this).
+  TBD

 *** HTTP Authentication Signature

--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@ -32,7 +32,6 @@ import org.apache.hadoop.minikdc.MiniKdc;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
 import org.junit.AfterClass;
@ -210,7 +209,6 @@ public class TestKMS {
    keytab = new File(kdcDir, "keytab");
    List<String> principals = new ArrayList<String>();
    principals.add("HTTP/localhost");
-    principals.add("HTTP/127.0.0.1");
    principals.add("client");
    principals.add("hdfs");
    principals.add("otheradmin");
@ -253,8 +251,8 @@ public class TestKMS {
    }
  }

-  public void testStartStop(final boolean ssl, final boolean kerberos,
-      final boolean multipleServerPrincipals) throws Exception {
+  public void testStartStop(final boolean ssl, final boolean kerberos)
+      throws Exception {
    Configuration conf = new Configuration();
    if (kerberos) {
      conf.set("hadoop.security.authentication", "kerberos");
@ -280,12 +278,7 @@ public class TestKMS {
      conf.set("hadoop.kms.authentication.type", "kerberos");
      conf.set("hadoop.kms.authentication.kerberos.keytab",
          keytab.getAbsolutePath());
-      if (multipleServerPrincipals) {
-        conf.set("hadoop.kms.authentication.kerberos.principal", "*");
-      } else {
-        conf.set("hadoop.kms.authentication.kerberos.principal",
-            "HTTP/localhost");
-      }
+      conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
      conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    }

@ -298,42 +291,21 @@ public class TestKMS {
        URL url = getKMSUrl();
        Assert.assertEquals(keystore != null,
            url.getProtocol().equals("https"));
+        final URI uri = createKMSUri(getKMSUrl());

        if (kerberos) {
          for (String user : new String[]{"client", "client/host"}) {
            doAs(user, new PrivilegedExceptionAction<Void>() {
              @Override
              public Void run() throws Exception {
-                URI uri = createKMSUri(getKMSUrl());
-                KeyProvider kp = new KMSClientProvider(uri, conf);
+                final KeyProvider kp = new KMSClientProvider(uri, conf);
                // getKeys() empty
                Assert.assertTrue(kp.getKeys().isEmpty());
-
-                if (!ssl) {
-                  String url = getKMSUrl().toString();
-                  url = url.replace("localhost", "127.0.0.1");
-                  uri = createKMSUri(new URL(url));
-                  if (multipleServerPrincipals) {
-                    kp = new KMSClientProvider(uri, conf);
-                    // getKeys() empty
-                    Assert.assertTrue(kp.getKeys().isEmpty());
-                  } else {
-                    kp = new KMSClientProvider(uri, conf);
-                    try {
-                      kp.getKeys().isEmpty();
-                      Assert.fail();
-                    } catch (IOException ex) {
-                      Assert.assertEquals(AuthenticationException.class,
-                          ex.getCause().getClass());
-                    }
-                  }
-                }
                return null;
              }
            });
          }
        } else {
-          URI uri = createKMSUri(getKMSUrl());
          KeyProvider kp = new KMSClientProvider(uri, conf);
          // getKeys() empty
          Assert.assertTrue(kp.getKeys().isEmpty());
@ -345,27 +317,22 @@ public class TestKMS {

  @Test
  public void testStartStopHttpPseudo() throws Exception {
-    testStartStop(false, false, false);
+    testStartStop(false, false);
  }

  @Test
  public void testStartStopHttpsPseudo() throws Exception {
-    testStartStop(true, false, false);
+    testStartStop(true, false);
  }

  @Test
  public void testStartStopHttpKerberos() throws Exception {
-    testStartStop(false, true, false);
+    testStartStop(false, true);
  }

  @Test
  public void testStartStopHttpsKerberos() throws Exception {
-    testStartStop(true, true, false);
-  }
-
-  @Test
-  public void testStartStopHttpsKerberosMultiplePrincipals() throws Exception {
-    testStartStop(false, true, true);
+    testStartStop(true, true);
  }

  @Test
@ -1373,8 +1340,7 @@ public class TestKMS {
          KeyProvider kp = new KMSClientProvider(uri, conf);
          kp.createKey("kA", new KeyProvider.Options(conf));
        } catch (IOException ex) {
-          Assert.assertEquals(AuthenticationException.class,
-              ex.getCause().getClass());
+          System.out.println(ex.getMessage());
        }

        doAs("client", new PrivilegedExceptionAction<Void>() {