From 658aac369d2b56bc45713fc442edc4d4ea78e8f7 Mon Sep 17 00:00:00 2001
From: Aaron Myers
Date: Tue, 20 Mar 2012 19:05:08 +0000
Subject: [PATCH] HDFS-3083. Cannot run an MR job with HA and security enabled when second-listed NN active. Contributed by Aaron T. Myers.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1303099 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/main/java/org/apache/hadoop/ipc/Server.java | 1 +
 .../apache/hadoop/security/token/SecretManager.java | 12 ++++++++++++
 hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt | 3 +++
 .../delegation/DelegationTokenSecretManager.java | 12 ++++++++++++
 .../hadoop/hdfs/server/namenode/FSNamesystem.java | 2 +-
 5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
index 5f642c4f69d..21d5c0ab024 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
@@ -1131,6 +1131,7 @@ public abstract class Server { throw new AccessControlException( "Server is not configured to do DIGEST authentication."); }
+ secretManager.checkAvailableForRead();
 saslServer = Sasl.createSaslServer(AuthMethod.DIGEST .getMechanismName(), null, SaslRpcServer.SASL_DEFAULT_REALM, SaslRpcServer.SASL_PROPS, new SaslDigestCallbackHandler(
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java
index 80e7b1ae820..cda36fe659c 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java
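Review bot: The `secretManager.checkAvailableForRead()` call added in Server.java ahead of `Sasl.createSaslServer(...)` is a point-in-time check, and nothing visible in this hunk covers a node that leaves the active state after the check but before the token is looked up through `SaslDigestCallbackHandler`. In that window the client would presumably see a token or authentication failure rather than a `StandbyException`, so it may not fail over; that path is worth confirming. The call also deserves a comment stating its purpose, for example `// Fail fast with StandbyException so HA clients fail over instead of failing DIGEST auth against a standby.` The enclosing method starts and ends outside the hunk, so how the exception is reported to the client is not visible here.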
@@ -29,6 +29,7 @@ import javax.crypto.spec.SecretKeySpec;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.ipc.StandbyException;
 /**
@@ -72,6 +73,17 @@ public abstract class SecretManager { * @return the newly created empty token identifier */ public abstract T createIdentifier();
+
+ /**
+ * No-op if the secret manager is available for reading tokens, throw a
+ * StandbyException otherwise.
+ *
+ * @throws StandbyException if the secret manager is not available to read
+ * tokens
+ */
+ public void checkAvailableForRead() throws StandbyException {
+ // Default to being available for read.
+ }
 /** * The name of the hashing algorithm.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
index 695ca721fcb..891951c838d 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
+++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
@@ -225,6 +225,9 @@ Release 0.23.3 - UNRELEASED HDFS-3062. Fix bug which prevented MR job submission from creating delegation tokens on an HA cluster. (Mingjie Lai via todd)
+ HDFS-3083. Cannot run an MR job with HA and security enabled when
+ second-listed NN active. (atm)
+
 BREAKDOWN OF HDFS-1623 SUBTASKS HDFS-2179. Add fencing framework and mechanisms for NameNode HA. (todd)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java
index ba62a2c225c..a25ba5b52fd 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java
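Review bot: The default `checkAvailableForRead()` added in the second SecretManager.java hunk is fail-open: a subclass that does not override it is always treated as available, and the Javadoc says neither who calls the method nor when. I would extend the Javadoc with a sentence such as `Called by the RPC server before it sets up DIGEST (token) authentication; subclasses whose token state can be unavailable, e.g. on a standby node, must override this.` so authors of other secret managers know the contract. The inline `// Default to being available for read.` is accurate, but the same statement belongs in the Javadoc where implementers will read it.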
@@ -30,7 +30,9 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
 import org.apache.hadoop.hdfs.server.namenode.NameNode;
+import org.apache.hadoop.hdfs.server.namenode.NameNode.OperationCategory;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.ipc.StandbyException;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -73,6 +75,16 @@ public class DelegationTokenSecretManager public DelegationTokenIdentifier createIdentifier() { return new DelegationTokenIdentifier(); }
+
+ @Override //SecretManager
+ public void checkAvailableForRead() throws StandbyException {
+ namesystem.readLock();
+ try {
+ namesystem.checkOperation(OperationCategory.READ);
+ } finally {
+ namesystem.readUnlock();
+ }
+ }
 /** * Returns expiry time of a token given its identifier.
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
index bff7fcc0b92..ef06f725eef 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
@@ -646,7 +646,7 @@ public class FSNamesystem implements Namesystem, FSClusterStats, }
- void checkOperation(OperationCategory op) throws StandbyException {
+ public void checkOperation(OperationCategory op) throws StandbyException {
 if (haContext != null) { // null in some unit tests haContext.checkOperation(op);
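Review bot: `checkAvailableForRead()` in DelegationTokenSecretManager.java takes `namesystem.readLock()` on what the Server.java hunk shows to be the DIGEST connection-setup path, so every token-authenticated connection waits behind any holder of the namesystem write lock before it can even be told the node is in standby. If the lock is only there for a consistent view of the HA state, consider an unlocked pre-check, `namesystem.checkOperation(OperationCategory.READ);` placed before `namesystem.readLock();` with the locked re-check kept, or add a comment saying why the lock is required here. Note also that `FSNamesystem.checkOperation` (last hunk, now `public`, body continuing outside the hunk) does nothing when `haContext` is null, so this gate passes silently in that configuration; a short Javadoc on the now-public method should say so.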