HDFS-3083. Cannot run an MR job with HA and security enabled when second-listed NN active. Contributed by Aaron T. Myers.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1303099 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
21bd7c348d
commit
658aac369d
|
@ -1131,6 +1131,7 @@ public abstract class Server {
|
|||
throw new AccessControlException(
|
||||
"Server is not configured to do DIGEST authentication.");
|
||||
}
|
||||
secretManager.checkAvailableForRead();
|
||||
saslServer = Sasl.createSaslServer(AuthMethod.DIGEST
|
||||
.getMechanismName(), null, SaslRpcServer.SASL_DEFAULT_REALM,
|
||||
SaslRpcServer.SASL_PROPS, new SaslDigestCallbackHandler(
|
||||
|
|
|
@ -29,6 +29,7 @@ import javax.crypto.spec.SecretKeySpec;
|
|||
|
||||
import org.apache.hadoop.classification.InterfaceAudience;
|
||||
import org.apache.hadoop.classification.InterfaceStability;
|
||||
import org.apache.hadoop.ipc.StandbyException;
|
||||
|
||||
|
||||
/**
|
||||
|
@ -72,6 +73,17 @@ public abstract class SecretManager<T extends TokenIdentifier> {
|
|||
* @return the newly created empty token identifier
|
||||
*/
|
||||
public abstract T createIdentifier();
|
||||
|
||||
/**
|
||||
* No-op if the secret manager is available for reading tokens, throw a
|
||||
* StandbyException otherwise.
|
||||
*
|
||||
* @throws StandbyException if the secret manager is not available to read
|
||||
* tokens
|
||||
*/
|
||||
public void checkAvailableForRead() throws StandbyException {
|
||||
// Default to being available for read.
|
||||
}
|
||||
|
||||
/**
|
||||
* The name of the hashing algorithm.
|
||||
|
|
|
@ -225,6 +225,9 @@ Release 0.23.3 - UNRELEASED
|
|||
HDFS-3062. Fix bug which prevented MR job submission from creating
|
||||
delegation tokens on an HA cluster. (Mingjie Lai via todd)
|
||||
|
||||
HDFS-3083. Cannot run an MR job with HA and security enabled when
|
||||
second-listed NN active. (atm)
|
||||
|
||||
BREAKDOWN OF HDFS-1623 SUBTASKS
|
||||
|
||||
HDFS-2179. Add fencing framework and mechanisms for NameNode HA. (todd)
|
||||
|
|
|
@ -30,7 +30,9 @@ import org.apache.commons.logging.LogFactory;
|
|||
import org.apache.hadoop.classification.InterfaceAudience;
|
||||
import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
|
||||
import org.apache.hadoop.hdfs.server.namenode.NameNode;
|
||||
import org.apache.hadoop.hdfs.server.namenode.NameNode.OperationCategory;
|
||||
import org.apache.hadoop.io.Text;
|
||||
import org.apache.hadoop.ipc.StandbyException;
|
||||
import org.apache.hadoop.security.Credentials;
|
||||
import org.apache.hadoop.security.SecurityUtil;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
|
@ -73,6 +75,16 @@ public class DelegationTokenSecretManager
|
|||
public DelegationTokenIdentifier createIdentifier() {
|
||||
return new DelegationTokenIdentifier();
|
||||
}
|
||||
|
||||
@Override //SecretManager
|
||||
public void checkAvailableForRead() throws StandbyException {
|
||||
namesystem.readLock();
|
||||
try {
|
||||
namesystem.checkOperation(OperationCategory.READ);
|
||||
} finally {
|
||||
namesystem.readUnlock();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns expiry time of a token given its identifier.
|
||||
|
|
|
@ -646,7 +646,7 @@ public class FSNamesystem implements Namesystem, FSClusterStats,
|
|||
}
|
||||
|
||||
|
||||
void checkOperation(OperationCategory op) throws StandbyException {
|
||||
public void checkOperation(OperationCategory op) throws StandbyException {
|
||||
if (haContext != null) {
|
||||
// null in some unit tests
|
||||
haContext.checkOperation(op);
|
||||
|
|
Loading…
Reference in New Issue