YARN-7942. Add check for JAAS configuration for Yarn Service.

Contributed by Billie Rinaldi
2018-02-22 16:12:40 -05:00 · 2018-02-22 16:12:40 -05:00 · 95904f6b3c
parent 190969006d
commit 95904f6b3c
1 changed files with 33 additions and 11 deletions
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
@ -736,8 +736,10 @@ public class RegistrySecurity extends AbstractService {
   * Apply the security environment to this curator instance. This
   * may include setting up the ZK system properties for SASL
   * @param builder curator builder
   * @throws IOException if jaas configuration can't be generated or found
   */
-  public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) {
+  public void applySecurityEnvironment(CuratorFrameworkFactory.Builder
      builder) throws IOException {
    if (isSecureRegistry()) {
      switch (access) {
@ -752,16 +754,36 @@ public class RegistrySecurity extends AbstractService {
          break;
        case sasl:
-          JaasConfiguration jconf =
+          String existingJaasConf = System.getProperty(
-              new JaasConfiguration(jaasClientEntry, principal, keytab);
+              "java.security.auth.login.config");
-          javax.security.auth.login.Configuration.setConfiguration(jconf);
+          if (existingJaasConf == null || existingJaasConf.isEmpty()) {
-          setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
+            if (principal == null || keytab == null) {
-              "true");
+              throw new IOException("SASL is configured for registry, " +
-          setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
+                  "but neither keytab/principal nor java.security.auth.login" +
-              jaasClientEntry);
+                  ".config system property are specified");
-          LOG.info(
+            }
-              "Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry
+            // in this case, keytab and principal are specified and no jaas
-                  + ", principal = " + principal + ", keytab = " + keytab);
+            // config is specified, so we will create one
            LOG.info(
                "Enabling ZK sasl client: jaasClientEntry = " + jaasClientEntry
                    + ", principal = " + principal + ", keytab = " + keytab);
            JaasConfiguration jconf =
                new JaasConfiguration(jaasClientEntry, principal, keytab);
            javax.security.auth.login.Configuration.setConfiguration(jconf);
            setSystemPropertyIfUnset(ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
                "true");
            setSystemPropertyIfUnset(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY,
                jaasClientEntry);
          } else {
            // in this case, jaas config is specified so we will not change it
            LOG.info("Using existing ZK sasl configuration: " +
                "jaasClientEntry = " + System.getProperty(
                    ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") +
                ", sasl client = " + System.getProperty(
                    ZooKeeperSaslClient.ENABLE_CLIENT_SASL_KEY,
                    ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT) +
                ", jaas = " + existingJaasConf);
          }
          break;
        default: