HDFS-5842. Merge change r1562603 from trunk.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1562608 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
b7221017f2
commit
698ed255fd
|
@ -316,6 +316,9 @@ Release 2.4.0 - UNRELEASED
|
||||||
HDFS-5721. sharedEditsImage in Namenode#initializeSharedEdits() should be
|
HDFS-5721. sharedEditsImage in Namenode#initializeSharedEdits() should be
|
||||||
closed before method returns (Ted Yu via todd)
|
closed before method returns (Ted Yu via todd)
|
||||||
|
|
||||||
|
HDFS-5842. Cannot create hftp filesystem when using a proxy user ugi and a doAs
|
||||||
|
on a secure cluster. (jing9)
|
||||||
|
|
||||||
BREAKDOWN OF HDFS-2832 SUBTASKS AND RELATED JIRAS
|
BREAKDOWN OF HDFS-2832 SUBTASKS AND RELATED JIRAS
|
||||||
|
|
||||||
HDFS-4985. Add storage type to the protocol and expose it in block report
|
HDFS-4985. Add storage type to the protocol and expose it in block report
|
||||||
|
|
|
@ -186,8 +186,8 @@ public class DelegationTokenFetcher {
|
||||||
} else {
|
} else {
|
||||||
// otherwise we are fetching
|
// otherwise we are fetching
|
||||||
if (webUrl != null) {
|
if (webUrl != null) {
|
||||||
Credentials creds = getDTfromRemote(connectionFactory, new URI(webUrl),
|
Credentials creds = getDTfromRemote(connectionFactory, new URI(
|
||||||
renewer);
|
webUrl), renewer, null);
|
||||||
creds.writeTokenStorageFile(tokenFile, conf);
|
creds.writeTokenStorageFile(tokenFile, conf);
|
||||||
for (Token<?> token : creds.getAllTokens()) {
|
for (Token<?> token : creds.getAllTokens()) {
|
||||||
System.out.println("Fetched token via " + webUrl + " for "
|
System.out.println("Fetched token via " + webUrl + " for "
|
||||||
|
@ -210,12 +210,17 @@ public class DelegationTokenFetcher {
|
||||||
}
|
}
|
||||||
|
|
||||||
static public Credentials getDTfromRemote(URLConnectionFactory factory,
|
static public Credentials getDTfromRemote(URLConnectionFactory factory,
|
||||||
URI nnUri, String renewer) throws IOException {
|
URI nnUri, String renewer, String proxyUser) throws IOException {
|
||||||
StringBuilder buf = new StringBuilder(nnUri.toString())
|
StringBuilder buf = new StringBuilder(nnUri.toString())
|
||||||
.append(GetDelegationTokenServlet.PATH_SPEC);
|
.append(GetDelegationTokenServlet.PATH_SPEC);
|
||||||
|
String separator = "?";
|
||||||
if (renewer != null) {
|
if (renewer != null) {
|
||||||
buf.append("?").append(GetDelegationTokenServlet.RENEWER).append("=")
|
buf.append("?").append(GetDelegationTokenServlet.RENEWER).append("=")
|
||||||
.append(renewer);
|
.append(renewer);
|
||||||
|
separator = "&";
|
||||||
|
}
|
||||||
|
if (proxyUser != null) {
|
||||||
|
buf.append(separator).append("doas=").append(proxyUser);
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean isHttps = nnUri.getScheme().equals("https");
|
boolean isHttps = nnUri.getScheme().equals("https");
|
||||||
|
|
|
@ -57,7 +57,6 @@ import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.Credentials;
|
import org.apache.hadoop.security.Credentials;
|
||||||
import org.apache.hadoop.security.SecurityUtil;
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
import org.apache.hadoop.util.Progressable;
|
import org.apache.hadoop.util.Progressable;
|
||||||
|
@ -234,17 +233,23 @@ public class HftpFileSystem extends FileSystem
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized Token<?> getDelegationToken(final String renewer
|
public synchronized Token<?> getDelegationToken(final String renewer)
|
||||||
) throws IOException {
|
throws IOException {
|
||||||
try {
|
try {
|
||||||
//Renew TGT if needed
|
// Renew TGT if needed
|
||||||
ugi.checkTGTAndReloginFromKeytab();
|
UserGroupInformation connectUgi = ugi.getRealUser();
|
||||||
return ugi.doAs(new PrivilegedExceptionAction<Token<?>>() {
|
final String proxyUser = connectUgi == null ? null : ugi
|
||||||
|
.getShortUserName();
|
||||||
|
if (connectUgi == null) {
|
||||||
|
connectUgi = ugi;
|
||||||
|
}
|
||||||
|
return connectUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
|
||||||
@Override
|
@Override
|
||||||
public Token<?> run() throws IOException {
|
public Token<?> run() throws IOException {
|
||||||
Credentials c;
|
Credentials c;
|
||||||
try {
|
try {
|
||||||
c = DelegationTokenFetcher.getDTfromRemote(connectionFactory, nnUri, renewer);
|
c = DelegationTokenFetcher.getDTfromRemote(connectionFactory,
|
||||||
|
nnUri, renewer, proxyUser);
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
if (e.getCause() instanceof ConnectException) {
|
if (e.getCause() instanceof ConnectException) {
|
||||||
LOG.warn("Couldn't connect to " + nnUri +
|
LOG.warn("Couldn't connect to " + nnUri +
|
||||||
|
@ -299,13 +304,13 @@ public class HftpFileSystem extends FileSystem
|
||||||
* @return user_shortname,group1,group2...
|
* @return user_shortname,group1,group2...
|
||||||
*/
|
*/
|
||||||
private String getEncodedUgiParameter() {
|
private String getEncodedUgiParameter() {
|
||||||
StringBuilder ugiParamenter = new StringBuilder(
|
StringBuilder ugiParameter = new StringBuilder(
|
||||||
ServletUtil.encodeQueryValue(ugi.getShortUserName()));
|
ServletUtil.encodeQueryValue(ugi.getShortUserName()));
|
||||||
for(String g: ugi.getGroupNames()) {
|
for(String g: ugi.getGroupNames()) {
|
||||||
ugiParamenter.append(",");
|
ugiParameter.append(",");
|
||||||
ugiParamenter.append(ServletUtil.encodeQueryValue(g));
|
ugiParameter.append(ServletUtil.encodeQueryValue(g));
|
||||||
}
|
}
|
||||||
return ugiParamenter.toString();
|
return ugiParameter.toString();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -675,30 +680,48 @@ public class HftpFileSystem extends FileSystem
|
||||||
|
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
@Override
|
@Override
|
||||||
public long renewDelegationToken(Token<?> token) throws IOException {
|
public long renewDelegationToken(final Token<?> token) throws IOException {
|
||||||
// update the kerberos credentials, if they are coming from a keytab
|
// update the kerberos credentials, if they are coming from a keytab
|
||||||
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
|
UserGroupInformation connectUgi = ugi.getRealUser();
|
||||||
InetSocketAddress serviceAddr = SecurityUtil.getTokenServiceAddr(token);
|
if (connectUgi == null) {
|
||||||
|
connectUgi = ugi;
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
return DelegationTokenFetcher.renewDelegationToken(connectionFactory,
|
return connectUgi.doAs(new PrivilegedExceptionAction<Long>() {
|
||||||
DFSUtil.createUri(getUnderlyingProtocol(), serviceAddr),
|
@Override
|
||||||
(Token<DelegationTokenIdentifier>) token);
|
public Long run() throws Exception {
|
||||||
} catch (AuthenticationException e) {
|
InetSocketAddress serviceAddr = SecurityUtil
|
||||||
|
.getTokenServiceAddr(token);
|
||||||
|
return DelegationTokenFetcher.renewDelegationToken(connectionFactory,
|
||||||
|
DFSUtil.createUri(getUnderlyingProtocol(), serviceAddr),
|
||||||
|
(Token<DelegationTokenIdentifier>) token);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (InterruptedException e) {
|
||||||
throw new IOException(e);
|
throw new IOException(e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
@Override
|
@Override
|
||||||
public void cancelDelegationToken(Token<?> token) throws IOException {
|
public void cancelDelegationToken(final Token<?> token) throws IOException {
|
||||||
// update the kerberos credentials, if they are coming from a keytab
|
UserGroupInformation connectUgi = ugi.getRealUser();
|
||||||
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
|
if (connectUgi == null) {
|
||||||
InetSocketAddress serviceAddr = SecurityUtil.getTokenServiceAddr(token);
|
connectUgi = ugi;
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
DelegationTokenFetcher.cancelDelegationToken(connectionFactory, DFSUtil
|
connectUgi.doAs(new PrivilegedExceptionAction<Void>() {
|
||||||
.createUri(getUnderlyingProtocol(), serviceAddr),
|
@Override
|
||||||
(Token<DelegationTokenIdentifier>) token);
|
public Void run() throws Exception {
|
||||||
} catch (AuthenticationException e) {
|
InetSocketAddress serviceAddr = SecurityUtil
|
||||||
|
.getTokenServiceAddr(token);
|
||||||
|
DelegationTokenFetcher.cancelDelegationToken(connectionFactory,
|
||||||
|
DFSUtil.createUri(getUnderlyingProtocol(), serviceAddr),
|
||||||
|
(Token<DelegationTokenIdentifier>) token);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (InterruptedException e) {
|
||||||
throw new IOException(e);
|
throw new IOException(e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue