YARN-9002. Improve keytab loading for YARN Service.
Contributed by Gour Saha
This commit is contained in:
Eric Yang
parent
daad077121
commit
5ec0a34151
|
|
@ -1131,31 +1131,21 @@ public class ServiceClient extends AppAdminClient implements SliderExitCodes,
|
|||
throw new YarnException(e);
|
||||
}
|
||||
|
||||
if (keytabURI.getScheme() != null) {
|
||||
switch (keytabURI.getScheme()) {
|
||||
case "hdfs":
|
||||
Path keytabOnhdfs = new Path(keytabURI);
|
||||
if (!fileSystem.getFileSystem().exists(keytabOnhdfs)) {
|
||||
LOG.warn(service.getName() + "'s keytab (principalName = "
|
||||
+ principalName + ") doesn't exist at: " + keytabOnhdfs);
|
||||
return;
|
||||
}
|
||||
LocalResource keytabRes = fileSystem.createAmResource(keytabOnhdfs,
|
||||
LocalResourceType.FILE);
|
||||
localResource.put(String.format(YarnServiceConstants.KEYTAB_LOCATION,
|
||||
service.getName()), keytabRes);
|
||||
LOG.info("Adding " + service.getName() + "'s keytab for "
|
||||
+ "localization, uri = " + keytabOnhdfs);
|
||||
break;
|
||||
case "file":
|
||||
LOG.info("Using a keytab from localhost: " + keytabURI);
|
||||
break;
|
||||
default:
|
||||
LOG.warn("Unsupported keytab URI scheme " + keytabURI);
|
||||
break;
|
||||
}
|
||||
if ("file".equals(keytabURI.getScheme())) {
|
||||
LOG.info("Using a keytab from localhost: " + keytabURI);
|
||||
} else {
|
||||
LOG.warn("Unsupported keytab URI scheme " + keytabURI);
|
||||
Path keytabOnhdfs = new Path(keytabURI);
|
||||
if (!fileSystem.getFileSystem().exists(keytabOnhdfs)) {
|
||||
LOG.warn(service.getName() + "'s keytab (principalName = "
|
||||
+ principalName + ") doesn't exist at: " + keytabOnhdfs);
|
||||
return;
|
||||
}
|
||||
LocalResource keytabRes = fileSystem.createAmResource(keytabOnhdfs,
|
||||
LocalResourceType.FILE);
|
||||
localResource.put(String.format(YarnServiceConstants.KEYTAB_LOCATION,
|
||||
service.getName()), keytabRes);
|
||||
LOG.info("Adding " + service.getName() + "'s keytab for "
|
||||
+ "localization, uri = " + keytabOnhdfs);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -117,8 +117,6 @@ public interface RestApiErrorMessages {
|
|||
+ "expression element name %s specified in placement policy of component "
|
||||
+ "%s. Expression element names should be a valid constraint name or an "
|
||||
+ "expression name defined for this component only.";
|
||||
String ERROR_KEYTAB_URI_SCHEME_INVALID = "Unsupported keytab URI scheme: %s";
|
||||
String ERROR_KEYTAB_URI_INVALID = "Invalid keytab URI: %s";
|
||||
|
||||
String ERROR_COMP_INSTANCE_DOES_NOT_NEED_UPGRADE = "The component instance " +
|
||||
"(%s) does not need an upgrade.";
|
||||
|
|
|
|||
|
|
@ -53,8 +53,6 @@ import org.slf4j.Logger;
|
|||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.HashSet;
|
||||
|
|
@ -244,21 +242,6 @@ public class ServiceApiUtil {
|
|||
throw new IllegalArgumentException(
|
||||
RestApiErrorMessages.ERROR_KERBEROS_PRINCIPAL_MISSING);
|
||||
}
|
||||
if (!StringUtils.isEmpty(kerberosPrincipal.getKeytab())) {
|
||||
try {
|
||||
// validate URI format
|
||||
URI keytabURI = new URI(kerberosPrincipal.getKeytab());
|
||||
if (keytabURI.getScheme() == null) {
|
||||
throw new IllegalArgumentException(String.format(
|
||||
RestApiErrorMessages.ERROR_KEYTAB_URI_SCHEME_INVALID,
|
||||
kerberosPrincipal.getKeytab()));
|
||||
}
|
||||
} catch (URISyntaxException e) {
|
||||
throw new IllegalArgumentException(
|
||||
String.format(RestApiErrorMessages.ERROR_KEYTAB_URI_INVALID,
|
||||
e.getLocalizedMessage()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static void validateDockerClientConfiguration(Service service,
|
||||
|
|
|
|||
|
|
@ -48,7 +48,6 @@ import static org.apache.hadoop.yarn.service.conf.RestApiConstants.DEFAULT_UNLIM
|
|||
import static org.apache.hadoop.yarn.service.exceptions.RestApiErrorMessages.*;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
* Test for ServiceApiUtil helper methods.
|
||||
|
|
@ -592,33 +591,19 @@ public class TestServiceApiUtil {
|
|||
SliderFileSystem sfs = ServiceTestUtils.initMockFs();
|
||||
Service app = createValidApplication("comp-a");
|
||||
KerberosPrincipal kp = new KerberosPrincipal();
|
||||
kp.setKeytab("/some/path");
|
||||
kp.setKeytab("file:///tmp/a.keytab");
|
||||
kp.setPrincipalName("user/_HOST@domain.com");
|
||||
app.setKerberosPrincipal(kp);
|
||||
|
||||
// This should succeed
|
||||
try {
|
||||
ServiceApiUtil.validateKerberosPrincipal(app.getKerberosPrincipal());
|
||||
Assert.fail(EXCEPTION_PREFIX + "service with invalid keytab URI scheme");
|
||||
} catch (IllegalArgumentException e) {
|
||||
assertEquals(
|
||||
String.format(RestApiErrorMessages.ERROR_KEYTAB_URI_SCHEME_INVALID,
|
||||
kp.getKeytab()),
|
||||
e.getMessage());
|
||||
Assert.fail(NO_EXCEPTION_PREFIX + e.getMessage());
|
||||
}
|
||||
|
||||
kp.setKeytab("/ blank / in / paths");
|
||||
try {
|
||||
ServiceApiUtil.validateKerberosPrincipal(app.getKerberosPrincipal());
|
||||
Assert.fail(EXCEPTION_PREFIX + "service with invalid keytab");
|
||||
} catch (IllegalArgumentException e) {
|
||||
// strip out the %s at the end of the RestApiErrorMessages string constant
|
||||
assertTrue(e.getMessage().contains(
|
||||
RestApiErrorMessages.ERROR_KEYTAB_URI_INVALID.substring(0,
|
||||
RestApiErrorMessages.ERROR_KEYTAB_URI_INVALID.length() - 2)));
|
||||
}
|
||||
|
||||
kp.setKeytab("file:///tmp/a.keytab");
|
||||
// now it should succeed
|
||||
// Keytab with no URI scheme should succeed too
|
||||
kp.setKeytab("/some/path");
|
||||
try {
|
||||
ServiceApiUtil.validateKerberosPrincipal(app.getKerberosPrincipal());
|
||||
} catch (IllegalArgumentException e) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue