
HDFS-3083. Cannot run an MR job with HA and security enabled when second-listed NN active. Contributed by Aaron T. Myers.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1303099 13f79535-47bb-0310-9956-ffa450edef68
Aaron Myers 13 years ago
parent
commit
658aac369d

+ 1 - 0
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java

@@ -1131,6 +1131,7 @@ public abstract class Server {
                 throw new AccessControlException(
                     "Server is not configured to do DIGEST authentication.");
               }
+              secretManager.checkAvailableForRead();
               saslServer = Sasl.createSaslServer(AuthMethod.DIGEST
                   .getMechanismName(), null, SaslRpcServer.SASL_DEFAULT_REALM,
                   SaslRpcServer.SASL_PROPS, new SaslDigestCallbackHandler(
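Review bot: The added `secretManager.checkAvailableForRead();` call carries no comment, and its placement matters: it sits before `Sasl.createSaslServer`, so it runs before the peer has authenticated and only once per DIGEST negotiation. I would put `// Refuse DIGEST negotiation up front when the secret manager cannot serve token reads (e.g. standby). Point-in-time check only: the later token lookup must still tolerate a state change.` directly above it. It is also worth confirming that the StandbyException raised here reaches the client as a StandbyException and is not folded into a generic authentication failure, because the hunk does not show how the enclosing method handles exceptions. The enclosing method starts and ends outside the hunk.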

+ 12 - 0
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java

@@ -29,6 +29,7 @@ import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.ipc.StandbyException;
 
 
 /**
@@ -72,6 +73,17 @@ public abstract class SecretManager<T extends TokenIdentifier> {
    * @return the newly created empty token identifier
    */
   public abstract T createIdentifier();
+
+  /**
+   * No-op if the secret manager is available for reading tokens, throw a
+   * StandbyException otherwise.
+   * 
+   * @throws StandbyException if the secret manager is not available to read
+   *         tokens
+   */
+  public void checkAvailableForRead() throws StandbyException {
+    // Default to being available for read.
+  }
   
   /**
    * The name of the hashing algorithm.
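Review bot: The Javadoc on `checkAvailableForRead()` does not tell implementors when to override it or in what context it is called, and the default body is a silent no-op, so any other SecretManager subclass backing an HA service skips the check without notice. Since Server.java in this commit calls it before the SASL server is created, I would add a sentence such as `Called by the RPC server before DIGEST authentication starts; subclasses whose token state is only readable in some server states should override this, and implementations must be cheap and must not assume an authenticated caller.` The new import also makes `org.apache.hadoop.security.token` depend on `org.apache.hadoop.ipc.StandbyException`; if other unavailability reasons are expected later, a more general exception type in the signature may be worth considering.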

+ 3 - 0
hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt

@@ -225,6 +225,9 @@ Release 0.23.3 - UNRELEASED
     HDFS-3062. Fix bug which prevented MR job submission from creating
     delegation tokens on an HA cluster. (Mingjie Lai via todd)
 
+    HDFS-3083. Cannot run an MR job with HA and security enabled when
+    second-listed NN active. (atm)
+
   BREAKDOWN OF HDFS-1623 SUBTASKS
 
     HDFS-2179. Add fencing framework and mechanisms for NameNode HA. (todd)

+ 12 - 0
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java

@@ -30,7 +30,9 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
 import org.apache.hadoop.hdfs.server.namenode.NameNode;
+import org.apache.hadoop.hdfs.server.namenode.NameNode.OperationCategory;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.ipc.StandbyException;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -73,6 +75,16 @@ public class DelegationTokenSecretManager
   public DelegationTokenIdentifier createIdentifier() {
     return new DelegationTokenIdentifier();
   }
+  
+  @Override //SecretManager
+  public void checkAvailableForRead() throws StandbyException {
+    namesystem.readLock();
+    try {
+      namesystem.checkOperation(OperationCategory.READ);
+    } finally {
+      namesystem.readUnlock();
+    }
+  }
 
   /**
    * Returns expiry time of a token given its identifier.
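Review bot: The `checkAvailableForRead()` override takes `namesystem.readLock()` on a path that, per the Server.java change in this commit, runs for every DIGEST connection before the peer is authenticated. A long-held write lock would therefore stall connection setup in whichever thread performs the SASL negotiation, and unauthenticated peers can trigger read-lock acquisitions at will. Whether `checkOperation` needs the lock at all cannot be seen from here, so the method should at least say why it is taken, e.g. `// Runs per DIGEST connection, pre-authentication: hold the read lock only for the HA state check.` The `@Override //SecretManager` line would also read better with a short Javadoc stating that a StandbyException is thrown when READ operations are not allowed in the current HA state.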

+ 1 - 1
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java

@@ -646,7 +646,7 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
   }
   
   
-  void checkOperation(OperationCategory op) throws StandbyException {
+  public void checkOperation(OperationCategory op) throws StandbyException {
     if (haContext != null) {
       // null in some unit tests
       haContext.checkOperation(op);
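Review bot: `checkOperation` becomes `public` without any Javadoc, and its visible body passes silently when `haContext` is null, which matters more now that the method backs a pre-authentication gate in the RPC server. I would document the contract on the widened method, for example `/** Throws StandbyException if {@code op} is not allowed in the current HA state; a null haContext (unit tests only) permits everything. Callers are expected to hold the namesystem lock (confirm). */`. The only caller added in this commit wraps the call in `readLock()`/`readUnlock()`, so the locking expectation should be stated rather than left for the next caller to guess. The method body continues outside the hunk.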