HADOOP-10786. Fix UGI#reloginFromKeytab on Java 8. Contributed by Stephen Chu.

This commit is contained in:
Haohui Mai 2014-11-09 17:48:26 -08:00
parent 43cd07b408
commit a37a993453
3 changed files with 126 additions and 5 deletions

View File

@ -728,6 +728,8 @@ Release 2.6.0 - UNRELEASED
HADOOP-11247. Fix a couple javac warnings in NFS. (Brandon Li via wheat9)
HADOOP-10786. Fix UGI#reloginFromKeytab on Java 8. (Stephen Chu via wheat9)
BUG FIXES
HADOOP-11182. GraphiteSink emits wrong timestamps (Sascha Coenen via raviprak)

View File

@ -88,9 +88,21 @@ public class UserGroupInformation {
* Percentage of the ticket window to use before we renew ticket.
*/
private static final float TICKET_RENEW_WINDOW = 0.80f;
private static boolean shouldRenewImmediatelyForTests = false;
static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
/**
* For the purposes of unit tests, we want to test login
* from keytab and don't want to wait until the renew
* window (controlled by TICKET_RENEW_WINDOW).
* @param immediate true if we should login without waiting for ticket window
*/
@VisibleForTesting
static void setShouldRenewImmediatelyForTests(boolean immediate) {
shouldRenewImmediatelyForTests = immediate;
}
/**
* UgiMetrics maintains UGI activity statistics
* and publishes them through the metrics interfaces.
@ -598,6 +610,20 @@ public class UserGroupInformation {
user.setLogin(login);
}
private static Class<?> KEY_TAB_CLASS = KerberosKey.class;
static {
try {
// We use KEY_TAB_CLASS to determine if the UGI is logged in from
// keytab. In JDK6 and JDK7, if useKeyTab and storeKey are specified
// in the Krb5LoginModule, then some number of KerberosKey objects
// are added to the Subject's private credentials. However, in JDK8,
// a KeyTab object is added instead. More details in HADOOP-10786.
KEY_TAB_CLASS = Class.forName("javax.security.auth.kerberos.KeyTab");
} catch (ClassNotFoundException cnfe) {
// Ignore. javax.security.auth.kerberos.KeyTab does not exist in JDK6.
}
}
/**
* Create a UserGroupInformation for the given subject.
* This does not change the subject or acquire new credentials.
@ -606,7 +632,7 @@ public class UserGroupInformation {
UserGroupInformation(Subject subject) {
this.subject = subject;
this.user = subject.getPrincipals(User.class).iterator().next();
this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
this.isKeytab = !subject.getPrivateCredentials(KEY_TAB_CLASS).isEmpty();
this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
}
@ -962,7 +988,8 @@ public class UserGroupInformation {
|| !isKeytab)
return;
KerberosTicket tgt = getTGT();
if (tgt != null && Time.now() < getRefreshTime(tgt)) {
if (tgt != null && !shouldRenewImmediatelyForTests &&
Time.now() < getRefreshTime(tgt)) {
return;
}
reloginFromKeytab();
@ -987,13 +1014,14 @@ public class UserGroupInformation {
return;
long now = Time.now();
if (!hasSufficientTimeElapsed(now)) {
if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) {
return;
}
KerberosTicket tgt = getTGT();
//Return if TGT is valid and is not going to expire soon.
if (tgt != null && now < getRefreshTime(tgt)) {
if (tgt != null && !shouldRenewImmediatelyForTests &&
now < getRefreshTime(tgt)) {
return;
}

View File

@ -0,0 +1,91 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.security;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.minikdc.MiniKdc;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import java.io.File;
/**
* Verify UGI login from keytab. Check that the UGI is
* configured to use keytab to catch regressions like
* HADOOP-10786.
*/
public class TestUGILoginFromKeytab {
private MiniKdc kdc;
private File workDir;
@Rule
public final TemporaryFolder folder = new TemporaryFolder();
@Before
public void startMiniKdc() throws Exception {
// This setting below is required. If not enabled, UGI will abort
// any attempt to loginUserFromKeytab.
Configuration conf = new Configuration();
conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
"kerberos");
UserGroupInformation.setConfiguration(conf);
workDir = folder.getRoot();
kdc = new MiniKdc(MiniKdc.createConf(), workDir);
kdc.start();
}
@After
public void stopMiniKdc() {
if (kdc != null) {
kdc.stop();
}
}
/**
* Login from keytab using the MiniKDC and verify the UGI can successfully
* relogin from keytab as well. This will catch regressions like HADOOP-10786.
*/
@Test
public void testUGILoginFromKeytab() throws Exception {
UserGroupInformation.setShouldRenewImmediatelyForTests(true);
String principal = "foo";
File keytab = new File(workDir, "foo.keytab");
kdc.createPrincipal(keytab, principal);
UserGroupInformation.loginUserFromKeytab(principal, keytab.getPath());
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
Assert.assertTrue("UGI should be configured to login from keytab",
ugi.isFromKeytab());
// Verify relogin from keytab.
User user = ugi.getSubject().getPrincipals(User.class).iterator().next();
final long firstLogin = user.getLastLogin();
ugi.reloginFromKeytab();
final long secondLogin = user.getLastLogin();
Assert.assertTrue("User should have been able to relogin from keytab",
secondLogin > firstLogin);
}
}