HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to

build a new UGI. (Larry McCay via omalley)


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1568525 13f79535-47bb-0310-9956-ffa450edef68
Owen O'Malley 2014-02-14 21:25:12 +00:00
parent 990cffdcfa
commit 943d3f641c
5 changed files with 94 additions and 2 deletions


@ -118,6 +118,9 @@ Trunk (Unreleased)
HADOOP-10325. Improve jenkins javadoc warnings from test-patch.sh (cmccabe)
HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
build a new UGI. (Larry McCay via omalley)
BUG FIXES
HADOOP-9451. Fault single-layer config if node group topology is enabled.


@ -649,7 +649,7 @@ public class Client {
// try re-login
if (UserGroupInformation.isLoginKeytabBased()) {
UserGroupInformation.getLoginUser().reloginFromKeytab();
} else {
} else if (UserGroupInformation.isLoginTicketBased()) {
UserGroupInformation.getLoginUser().reloginFromTicketCache();
}
// have granularity of milliseconds
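Review bot: With the `else` narrowed to `else if (UserGroupInformation.isLoginTicketBased())`, a login that is neither keytab-based nor ticket-cache-based now skips the re-login step silently, and nothing on these lines says that is intended. If the aim is to leave a UGI built with `getUGIFromSubject` alone because its credentials belong to the caller, say so above the chain, e.g. `// Subject-supplied logins are refreshed by whoever owns the Subject; nothing to re-login here.` Both tests also go through `getLoginUser()`, so they describe the process login user, which may not be the identity of the failing connection; that looks inherited from the existing code but is worth confirming. The enclosing method starts and ends outside this hunk.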


@ -702,6 +702,35 @@ public class UserGroupInformation {
}
}
/**
* Create a UserGroupInformation from a Subject with Kerberos principal.
*
* @param user The KerberosPrincipal to use in UGI
*
* @throws IOException if the kerberos login fails
*/
public static UserGroupInformation getUGIFromSubject(Subject subject)
throws IOException {
if (subject == null) {
throw new IOException("Subject must not be null");
}
if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
throw new IOException("Provided Subject must contain a KerberosPrincipal");
}
KerberosPrincipal principal =
subject.getPrincipals(KerberosPrincipal.class).iterator().next();
User ugiUser = new User(principal.getName(),
AuthenticationMethod.KERBEROS, null);
subject.getPrincipals().add(ugiUser);
UserGroupInformation ugi = new UserGroupInformation(subject);
ugi.setLogin(null);
ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
return ugi;
}
/**
* Get the currently logged in user.
* @return the logged in user
@ -1101,6 +1130,14 @@ public class UserGroupInformation {
return getLoginUser().isKeytab;
}
/**
* Did the login happen via ticket cache
* @return true or false
*/
public static boolean isLoginTicketBased() throws IOException {
return getLoginUser().isKrbTkt;
}
/**
* Create a user from a login name. It is intended to be used for remote
* users in RPC, since it won't have any credentials.
@ -1619,5 +1656,4 @@ public class UserGroupInformation {
System.out.println("Keytab " + loginUser.isKeytab);
}
}
}
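Review bot: `getUGIFromSubject` labels the result `AuthenticationMethod.KERBEROS` after checking only that the Subject carries a `KerberosPrincipal`; it never looks for a ticket or key, so a Subject assembled by hand with just a principal name is accepted (the new `testGetUGIFromSubject` does exactly that). The Javadoc should state that the Subject must come from a completed Kerberos login performed by trusted code, and that the returned UGI's authentication method is not evidence that a login happened. If a hard check is wanted, something like `if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) throw new IOException(...)` would do it, though that unit test would then need real credentials. The method also adds a `User` principal to the caller's Subject in place, which deserves a sentence in the Javadoc. The tag `@param user` should read `@param subject`, and an `@return` is missing.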


@ -17,8 +17,14 @@
package org.apache.hadoop.security;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import junit.framework.Assert;
import static org.junit.Assert.*;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
@ -72,4 +78,40 @@ public class TestUGIWithSecurityOn {
ex.printStackTrace();
}
}
@Test
public void testGetUGIFromKerberosSubject() throws IOException {
String user1keyTabFilepath = System.getProperty("kdc.resource.dir")
+ "/keytabs/user1.keytab";
UserGroupInformation ugi = UserGroupInformation
.loginUserFromKeytabAndReturnUGI("user1@EXAMPLE.COM",
user1keyTabFilepath);
Set<KerberosPrincipal> principals = ugi.getSubject().getPrincipals(
KerberosPrincipal.class);
if (principals.isEmpty()) {
Assert.fail("There should be a kerberos principal in the subject.");
}
else {
UserGroupInformation ugi2 = UserGroupInformation.getUGIFromSubject(
ugi.getSubject());
if (ugi2 != null) {
ugi2.doAs(new PrivilegedAction<Object>() {
@Override
public Object run() {
try {
UserGroupInformation ugi3 = UserGroupInformation.getCurrentUser();
String doAsUserName = ugi3.getUserName();
assertEquals(doAsUserName, "user1@EXAMPLE.COM");
System.out.println("DO AS USERNAME: " + doAsUserName);
} catch (IOException e) {
e.printStackTrace();
}
return null;
}
});
}
}
}
}
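Review bot: `testGetUGIFromKerberosSubject` can pass without checking anything: the `if (ugi2 != null)` guard skips the whole `doAs` when the factory returns null, and the `catch (IOException e)` inside `run()` only prints the stack trace. Replace the guard with `assertNotNull(ugi2);` and the catch body with `fail("getCurrentUser failed: " + e);` so that either failure turns the test red. `assertEquals(doAsUserName, "user1@EXAMPLE.COM")` has expected and actual swapped, which only affects the failure message, and the `System.out.println` can go.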


@ -28,6 +28,7 @@ import org.apache.hadoop.util.Shell;
import org.junit.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import java.io.BufferedReader;
@ -768,6 +769,16 @@ public class TestUserGroupInformation {
});
}
@Test (timeout = 30000)
public void testGetUGIFromSubject() throws Exception {
KerberosPrincipal p = new KerberosPrincipal("guest");
Subject subject = new Subject();
subject.getPrincipals().add(p);
UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
assertNotNull(ugi);
assertEquals("guest@DEFAULT.REALM", ugi.getUserName());
}
/** Test hasSufficientTimeElapsed method */
@Test (timeout = 30000)
public void testHasSufficientTimeElapsed() throws Exception {
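Review bot: `testGetUGIFromSubject` covers only the accepting path, and it does so with a Subject that holds a bare `KerberosPrincipal` and no credentials; the two rejections in `getUGIFromSubject` (null Subject, Subject without a `KerberosPrincipal`) are not exercised. A negative test like the one below keeps those guards from being dropped unnoticed, and `assertEquals(AuthenticationMethod.KERBEROS, ugi.getAuthenticationMethod());` in the existing test would pin the label the factory assigns. The expected name `guest@DEFAULT.REALM` presumably depends on the realm configured for this test class, so it is worth a one-line comment.

```java
@Test (timeout = 30000)
public void testGetUGIFromSubjectRejectsInvalidSubject() throws Exception {
  try {
    UserGroupInformation.getUGIFromSubject(null);
    fail("null Subject should be rejected");
  } catch (IOException expected) {
    // expected: Subject must not be null
  }
  try {
    UserGroupInformation.getUGIFromSubject(new Subject());
    fail("Subject without a KerberosPrincipal should be rejected");
  } catch (IOException expected) {
    // expected: no KerberosPrincipal in the Subject
  }
}
```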