HADOOP-10786. Fix UGI#reloginFromKeytab on Java 8. Contributed by Stephen Chu.
This commit is contained in:
Haohui Mai
parent
43cd07b408
commit
a37a993453
|
|
@ -728,6 +728,8 @@ Release 2.6.0 - UNRELEASED
|
|||
|
||||
HADOOP-11247. Fix a couple javac warnings in NFS. (Brandon Li via wheat9)
|
||||
|
||||
HADOOP-10786. Fix UGI#reloginFromKeytab on Java 8. (Stephen Chu via wheat9)
|
||||
|
||||
BUG FIXES
|
||||
|
||||
HADOOP-11182. GraphiteSink emits wrong timestamps (Sascha Coenen via raviprak)
|
||||
|
|
|
|||
|
|
@ -88,9 +88,21 @@ public class UserGroupInformation {
|
|||
* Percentage of the ticket window to use before we renew ticket.
|
||||
*/
|
||||
private static final float TICKET_RENEW_WINDOW = 0.80f;
|
||||
private static boolean shouldRenewImmediatelyForTests = false;
|
||||
static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
|
||||
static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
|
||||
|
||||
|
||||
/**
|
||||
* For the purposes of unit tests, we want to test login
|
||||
* from keytab and don't want to wait until the renew
|
||||
* window (controlled by TICKET_RENEW_WINDOW).
|
||||
* @param immediate true if we should login without waiting for ticket window
|
||||
*/
|
||||
@VisibleForTesting
|
||||
static void setShouldRenewImmediatelyForTests(boolean immediate) {
|
||||
shouldRenewImmediatelyForTests = immediate;
|
||||
}
|
||||
|
||||
/**
|
||||
* UgiMetrics maintains UGI activity statistics
|
||||
* and publishes them through the metrics interfaces.
|
||||
|
|
@ -598,6 +610,20 @@ public class UserGroupInformation {
|
|||
user.setLogin(login);
|
||||
}
|
||||
|
||||
private static Class<?> KEY_TAB_CLASS = KerberosKey.class;
|
||||
static {
|
||||
try {
|
||||
// We use KEY_TAB_CLASS to determine if the UGI is logged in from
|
||||
// keytab. In JDK6 and JDK7, if useKeyTab and storeKey are specified
|
||||
// in the Krb5LoginModule, then some number of KerberosKey objects
|
||||
// are added to the Subject's private credentials. However, in JDK8,
|
||||
// a KeyTab object is added instead. More details in HADOOP-10786.
|
||||
KEY_TAB_CLASS = Class.forName("javax.security.auth.kerberos.KeyTab");
|
||||
} catch (ClassNotFoundException cnfe) {
|
||||
// Ignore. javax.security.auth.kerberos.KeyTab does not exist in JDK6.
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a UserGroupInformation for the given subject.
|
||||
* This does not change the subject or acquire new credentials.
|
||||
|
|
@ -606,7 +632,7 @@ public class UserGroupInformation {
|
|||
UserGroupInformation(Subject subject) {
|
||||
this.subject = subject;
|
||||
this.user = subject.getPrincipals(User.class).iterator().next();
|
||||
this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
|
||||
this.isKeytab = !subject.getPrivateCredentials(KEY_TAB_CLASS).isEmpty();
|
||||
this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
|
||||
}
|
||||
|
||||
|
|
@ -962,7 +988,8 @@ public class UserGroupInformation {
|
|||
|| !isKeytab)
|
||||
return;
|
||||
KerberosTicket tgt = getTGT();
|
||||
if (tgt != null && Time.now() < getRefreshTime(tgt)) {
|
||||
if (tgt != null && !shouldRenewImmediatelyForTests &&
|
||||
Time.now() < getRefreshTime(tgt)) {
|
||||
return;
|
||||
}
|
||||
reloginFromKeytab();
|
||||
|
|
@ -987,13 +1014,14 @@ public class UserGroupInformation {
|
|||
return;
|
||||
|
||||
long now = Time.now();
|
||||
if (!hasSufficientTimeElapsed(now)) {
|
||||
if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) {
|
||||
return;
|
||||
}
|
||||
|
||||
KerberosTicket tgt = getTGT();
|
||||
//Return if TGT is valid and is not going to expire soon.
|
||||
if (tgt != null && now < getRefreshTime(tgt)) {
|
||||
if (tgt != null && !shouldRenewImmediatelyForTests &&
|
||||
now < getRefreshTime(tgt)) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,91 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.apache.hadoop.security;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||
import org.apache.hadoop.minikdc.MiniKdc;
|
||||
import org.junit.After;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.TemporaryFolder;
|
||||
|
||||
import java.io.File;
|
||||
|
||||
/**
|
||||
* Verify UGI login from keytab. Check that the UGI is
|
||||
* configured to use keytab to catch regressions like
|
||||
* HADOOP-10786.
|
||||
*/
|
||||
public class TestUGILoginFromKeytab {
|
||||
|
||||
private MiniKdc kdc;
|
||||
private File workDir;
|
||||
|
||||
@Rule
|
||||
public final TemporaryFolder folder = new TemporaryFolder();
|
||||
|
||||
@Before
|
||||
public void startMiniKdc() throws Exception {
|
||||
// This setting below is required. If not enabled, UGI will abort
|
||||
// any attempt to loginUserFromKeytab.
|
||||
Configuration conf = new Configuration();
|
||||
conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
|
||||
"kerberos");
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
workDir = folder.getRoot();
|
||||
kdc = new MiniKdc(MiniKdc.createConf(), workDir);
|
||||
kdc.start();
|
||||
}
|
||||
|
||||
@After
|
||||
public void stopMiniKdc() {
|
||||
if (kdc != null) {
|
||||
kdc.stop();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Login from keytab using the MiniKDC and verify the UGI can successfully
|
||||
* relogin from keytab as well. This will catch regressions like HADOOP-10786.
|
||||
*/
|
||||
@Test
|
||||
public void testUGILoginFromKeytab() throws Exception {
|
||||
UserGroupInformation.setShouldRenewImmediatelyForTests(true);
|
||||
String principal = "foo";
|
||||
File keytab = new File(workDir, "foo.keytab");
|
||||
kdc.createPrincipal(keytab, principal);
|
||||
|
||||
UserGroupInformation.loginUserFromKeytab(principal, keytab.getPath());
|
||||
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
|
||||
Assert.assertTrue("UGI should be configured to login from keytab",
|
||||
ugi.isFromKeytab());
|
||||
|
||||
// Verify relogin from keytab.
|
||||
User user = ugi.getSubject().getPrincipals(User.class).iterator().next();
|
||||
final long firstLogin = user.getLastLogin();
|
||||
ugi.reloginFromKeytab();
|
||||
final long secondLogin = user.getLastLogin();
|
||||
Assert.assertTrue("User should have been able to relogin from keytab",
|
||||
secondLogin > firstLogin);
|
||||
}
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue