YARN-874. Making common RPC to switch to not switch to simple when other mechanisms are enabled and thus fix YARN/MR test failures after HADOOP-9421. Contributed by Daryn Sharp and Vinod Kumar Vavilapalli.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1496692 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
03601136dd
commit
b3a8d99817
|
@ -72,17 +72,20 @@ import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
|
||||||
import org.apache.hadoop.io.DataOutputBuffer;
|
import org.apache.hadoop.io.DataOutputBuffer;
|
||||||
import org.apache.hadoop.io.Writable;
|
import org.apache.hadoop.io.Writable;
|
||||||
import org.apache.hadoop.io.WritableUtils;
|
import org.apache.hadoop.io.WritableUtils;
|
||||||
import org.apache.hadoop.ipc.ProtobufRpcEngine.RpcResponseWrapper;
|
|
||||||
import org.apache.hadoop.ipc.ProtobufRpcEngine.RpcRequestMessageWrapper;
|
import org.apache.hadoop.ipc.ProtobufRpcEngine.RpcRequestMessageWrapper;
|
||||||
|
import org.apache.hadoop.ipc.ProtobufRpcEngine.RpcResponseWrapper;
|
||||||
import org.apache.hadoop.ipc.RPC.RpcInvoker;
|
import org.apache.hadoop.ipc.RPC.RpcInvoker;
|
||||||
import org.apache.hadoop.ipc.RPC.VersionMismatch;
|
import org.apache.hadoop.ipc.RPC.VersionMismatch;
|
||||||
import org.apache.hadoop.ipc.metrics.RpcDetailedMetrics;
|
import org.apache.hadoop.ipc.metrics.RpcDetailedMetrics;
|
||||||
import org.apache.hadoop.ipc.metrics.RpcMetrics;
|
import org.apache.hadoop.ipc.metrics.RpcMetrics;
|
||||||
import org.apache.hadoop.ipc.protobuf.IpcConnectionContextProtos.IpcConnectionContextProto;
|
import org.apache.hadoop.ipc.protobuf.IpcConnectionContextProtos.IpcConnectionContextProto;
|
||||||
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcResponseHeaderProto.RpcStatusProto;
|
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcKindProto;
|
||||||
|
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcRequestHeaderProto;
|
||||||
|
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcResponseHeaderProto;
|
||||||
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcResponseHeaderProto.RpcErrorCodeProto;
|
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcResponseHeaderProto.RpcErrorCodeProto;
|
||||||
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcSaslProto.*;
|
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcResponseHeaderProto.RpcStatusProto;
|
||||||
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.*;
|
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcSaslProto;
|
||||||
|
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos.RpcSaslProto.SaslState;
|
||||||
import org.apache.hadoop.net.NetUtils;
|
import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.AccessControlException;
|
import org.apache.hadoop.security.AccessControlException;
|
||||||
import org.apache.hadoop.security.SaslRpcServer;
|
import org.apache.hadoop.security.SaslRpcServer;
|
||||||
|
@ -1494,7 +1497,9 @@ public abstract class Server {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case SASL: {
|
case SASL: {
|
||||||
if (isSimpleEnabled) { // switch to simple hack
|
// switch to simple hack, but don't switch if other auths are
|
||||||
|
// supported, ex. tokens
|
||||||
|
if (isSimpleEnabled && enabledAuthMethods.size() == 1) {
|
||||||
skipInitialSaslHandshake = true;
|
skipInitialSaslHandshake = true;
|
||||||
doSaslReply(buildSaslResponse(SaslState.SUCCESS, null));
|
doSaslReply(buildSaslResponse(SaslState.SUCCESS, null));
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,8 +18,14 @@
|
||||||
|
|
||||||
package org.apache.hadoop.ipc;
|
package org.apache.hadoop.ipc;
|
||||||
|
|
||||||
import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.*;
|
import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.KERBEROS;
|
||||||
import static org.junit.Assert.*;
|
import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.SIMPLE;
|
||||||
|
import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.TOKEN;
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.junit.Assert.assertFalse;
|
||||||
|
import static org.junit.Assert.assertNotNull;
|
||||||
|
import static org.junit.Assert.assertNull;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
|
|
||||||
import java.io.DataInput;
|
import java.io.DataInput;
|
||||||
import java.io.DataOutput;
|
import java.io.DataOutput;
|
||||||
|
@ -32,8 +38,17 @@ import java.util.Collection;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.regex.Pattern;
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
import javax.security.auth.callback.*;
|
import javax.security.auth.callback.Callback;
|
||||||
import javax.security.sasl.*;
|
import javax.security.auth.callback.CallbackHandler;
|
||||||
|
import javax.security.auth.callback.NameCallback;
|
||||||
|
import javax.security.auth.callback.PasswordCallback;
|
||||||
|
import javax.security.auth.callback.UnsupportedCallbackException;
|
||||||
|
import javax.security.sasl.AuthorizeCallback;
|
||||||
|
import javax.security.sasl.Sasl;
|
||||||
|
import javax.security.sasl.SaslClient;
|
||||||
|
import javax.security.sasl.SaslException;
|
||||||
|
import javax.security.sasl.SaslServer;
|
||||||
|
|
||||||
import junit.framework.Assert;
|
import junit.framework.Assert;
|
||||||
|
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
|
@ -45,16 +60,23 @@ import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
|
||||||
import org.apache.hadoop.io.Text;
|
import org.apache.hadoop.io.Text;
|
||||||
import org.apache.hadoop.ipc.Client.ConnectionId;
|
import org.apache.hadoop.ipc.Client.ConnectionId;
|
||||||
import org.apache.hadoop.net.NetUtils;
|
import org.apache.hadoop.net.NetUtils;
|
||||||
import org.apache.hadoop.security.*;
|
import org.apache.hadoop.security.KerberosInfo;
|
||||||
|
import org.apache.hadoop.security.SaslInputStream;
|
||||||
|
import org.apache.hadoop.security.SaslPlainServer;
|
||||||
|
import org.apache.hadoop.security.SaslRpcClient;
|
||||||
|
import org.apache.hadoop.security.SaslRpcServer;
|
||||||
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
|
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
|
||||||
|
import org.apache.hadoop.security.SecurityInfo;
|
||||||
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
|
import org.apache.hadoop.security.TestUserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
import org.apache.hadoop.security.token.SecretManager;
|
import org.apache.hadoop.security.token.SecretManager;
|
||||||
|
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
import org.apache.hadoop.security.token.TokenInfo;
|
import org.apache.hadoop.security.token.TokenInfo;
|
||||||
import org.apache.hadoop.security.token.TokenSelector;
|
import org.apache.hadoop.security.token.TokenSelector;
|
||||||
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
|
|
||||||
|
|
||||||
import org.apache.log4j.Level;
|
import org.apache.log4j.Level;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
|
@ -73,7 +95,13 @@ public class TestSaslRPC {
|
||||||
static final String SERVER_PRINCIPAL_1 = "p1/foo@BAR";
|
static final String SERVER_PRINCIPAL_1 = "p1/foo@BAR";
|
||||||
static final String SERVER_PRINCIPAL_2 = "p2/foo@BAR";
|
static final String SERVER_PRINCIPAL_2 = "p2/foo@BAR";
|
||||||
private static Configuration conf;
|
private static Configuration conf;
|
||||||
|
// If this is set to true AND the auth-method is not simple, secretManager
|
||||||
|
// will be enabled.
|
||||||
|
static Boolean enableSecretManager = null;
|
||||||
|
// If this is set to true, secretManager will be forecefully enabled
|
||||||
|
// irrespective of auth-method.
|
||||||
static Boolean forceSecretManager = null;
|
static Boolean forceSecretManager = null;
|
||||||
|
static Boolean clientFallBackToSimpleAllowed = true;
|
||||||
|
|
||||||
@BeforeClass
|
@BeforeClass
|
||||||
public static void setupKerb() {
|
public static void setupKerb() {
|
||||||
|
@ -87,7 +115,7 @@ public class TestSaslRPC {
|
||||||
conf = new Configuration();
|
conf = new Configuration();
|
||||||
SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
|
SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
|
||||||
UserGroupInformation.setConfiguration(conf);
|
UserGroupInformation.setConfiguration(conf);
|
||||||
forceSecretManager = null;
|
enableSecretManager = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
static {
|
static {
|
||||||
|
@ -590,11 +618,44 @@ public class TestSaslRPC {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSimpleServerWithTokens() throws Exception {
|
public void testSimpleServerWithTokensWithNoClientFallbackToSimple()
|
||||||
// Tokens are ignored because client is reverted to simple
|
throws Exception {
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE, true));
|
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, true));
|
clientFallBackToSimpleAllowed = false;
|
||||||
|
|
||||||
|
try{
|
||||||
|
// Client has a token even though its configs says simple auth. Server
|
||||||
|
// is configured for simple auth, but as client sends the token, and
|
||||||
|
// server asks to switch to simple, this should fail.
|
||||||
|
getAuthMethod(SIMPLE, SIMPLE, true);
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
Assert
|
||||||
|
.assertTrue(ioe.getMessage().contains("Failed on local exception: " +
|
||||||
|
"java.io.IOException: java.io.IOException: " +
|
||||||
|
"Server asks us to fall back to SIMPLE auth, " +
|
||||||
|
"but this client is configured to only allow secure connections"
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now set server to simple and also force the secret-manager. Now server
|
||||||
|
// should have both simple and token enabled.
|
||||||
forceSecretManager = true;
|
forceSecretManager = true;
|
||||||
|
assertAuthEquals(TOKEN, getAuthMethod(SIMPLE, SIMPLE, true));
|
||||||
|
forceSecretManager = false;
|
||||||
|
clientFallBackToSimpleAllowed = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testSimpleServerWithTokens() throws Exception {
|
||||||
|
// Client not using tokens
|
||||||
|
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE));
|
||||||
|
// SASL methods are reverted to SIMPLE, but test setup fails
|
||||||
|
assertAuthEquals(KrbFailed, getAuthMethod(KERBEROS, SIMPLE));
|
||||||
|
|
||||||
|
// Use tokens. But tokens are ignored because client is reverted to simple
|
||||||
|
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, true));
|
||||||
|
|
||||||
|
enableSecretManager = true;
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE, true));
|
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE, true));
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, true));
|
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, true));
|
||||||
}
|
}
|
||||||
|
@ -604,7 +665,7 @@ public class TestSaslRPC {
|
||||||
// Tokens are ignored because client is reverted to simple
|
// Tokens are ignored because client is reverted to simple
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE, false));
|
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE, false));
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false));
|
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false));
|
||||||
forceSecretManager = true;
|
enableSecretManager = true;
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE, false));
|
assertAuthEquals(SIMPLE, getAuthMethod(SIMPLE, SIMPLE, false));
|
||||||
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false));
|
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false));
|
||||||
}
|
}
|
||||||
|
@ -622,7 +683,7 @@ public class TestSaslRPC {
|
||||||
public void testTokenOnlyServerWithTokens() throws Exception {
|
public void testTokenOnlyServerWithTokens() throws Exception {
|
||||||
assertAuthEquals(TOKEN, getAuthMethod(SIMPLE, TOKEN, true));
|
assertAuthEquals(TOKEN, getAuthMethod(SIMPLE, TOKEN, true));
|
||||||
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, TOKEN, true));
|
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, TOKEN, true));
|
||||||
forceSecretManager = false;
|
enableSecretManager = false;
|
||||||
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, true));
|
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, true));
|
||||||
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, true));
|
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, true));
|
||||||
}
|
}
|
||||||
|
@ -631,7 +692,7 @@ public class TestSaslRPC {
|
||||||
public void testTokenOnlyServerWithInvalidTokens() throws Exception {
|
public void testTokenOnlyServerWithInvalidTokens() throws Exception {
|
||||||
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, TOKEN, false));
|
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, TOKEN, false));
|
||||||
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, TOKEN, false));
|
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, TOKEN, false));
|
||||||
forceSecretManager = false;
|
enableSecretManager = false;
|
||||||
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, false));
|
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, false));
|
||||||
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, false));
|
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, false));
|
||||||
}
|
}
|
||||||
|
@ -651,7 +712,7 @@ public class TestSaslRPC {
|
||||||
assertAuthEquals(TOKEN, getAuthMethod(SIMPLE, KERBEROS, true));
|
assertAuthEquals(TOKEN, getAuthMethod(SIMPLE, KERBEROS, true));
|
||||||
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, KERBEROS, true));
|
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, KERBEROS, true));
|
||||||
// can't fallback to simple when using kerberos w/o tokens
|
// can't fallback to simple when using kerberos w/o tokens
|
||||||
forceSecretManager = false;
|
enableSecretManager = false;
|
||||||
assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, true));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, true));
|
||||||
assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, true));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, true));
|
||||||
}
|
}
|
||||||
|
@ -660,7 +721,7 @@ public class TestSaslRPC {
|
||||||
public void testKerberosServerWithInvalidTokens() throws Exception {
|
public void testKerberosServerWithInvalidTokens() throws Exception {
|
||||||
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, KERBEROS, false));
|
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, KERBEROS, false));
|
||||||
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, KERBEROS, false));
|
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, KERBEROS, false));
|
||||||
forceSecretManager = false;
|
enableSecretManager = false;
|
||||||
assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, false));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, false));
|
||||||
assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, false));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, false));
|
||||||
}
|
}
|
||||||
|
@ -709,8 +770,11 @@ public class TestSaslRPC {
|
||||||
|
|
||||||
final TestTokenSecretManager sm = new TestTokenSecretManager();
|
final TestTokenSecretManager sm = new TestTokenSecretManager();
|
||||||
boolean useSecretManager = (serverAuth != SIMPLE);
|
boolean useSecretManager = (serverAuth != SIMPLE);
|
||||||
|
if (enableSecretManager != null) {
|
||||||
|
useSecretManager &= enableSecretManager.booleanValue();
|
||||||
|
}
|
||||||
if (forceSecretManager != null) {
|
if (forceSecretManager != null) {
|
||||||
useSecretManager &= forceSecretManager.booleanValue();
|
useSecretManager |= forceSecretManager.booleanValue();
|
||||||
}
|
}
|
||||||
final SecretManager<?> serverSm = useSecretManager ? sm : null;
|
final SecretManager<?> serverSm = useSecretManager ? sm : null;
|
||||||
|
|
||||||
|
@ -730,10 +794,10 @@ public class TestSaslRPC {
|
||||||
|
|
||||||
final Configuration clientConf = new Configuration(conf);
|
final Configuration clientConf = new Configuration(conf);
|
||||||
SecurityUtil.setAuthenticationMethod(clientAuth, clientConf);
|
SecurityUtil.setAuthenticationMethod(clientAuth, clientConf);
|
||||||
UserGroupInformation.setConfiguration(clientConf);
|
|
||||||
clientConf.setBoolean(
|
clientConf.setBoolean(
|
||||||
CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
|
CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
|
||||||
true);
|
clientFallBackToSimpleAllowed);
|
||||||
|
UserGroupInformation.setConfiguration(clientConf);
|
||||||
|
|
||||||
final UserGroupInformation clientUgi =
|
final UserGroupInformation clientUgi =
|
||||||
UserGroupInformation.createRemoteUser(currentUser + "-CLIENT");
|
UserGroupInformation.createRemoteUser(currentUser + "-CLIENT");
|
||||||
|
|
|
@ -638,6 +638,10 @@ Release 2.1.0-beta - UNRELEASED
|
||||||
YARN-861. TestContainerManager is failing. (Vinod Kumar Vavilapalli via
|
YARN-861. TestContainerManager is failing. (Vinod Kumar Vavilapalli via
|
||||||
hitesh)
|
hitesh)
|
||||||
|
|
||||||
|
YARN-874. Making common RPC to switch to not switch to simple when other
|
||||||
|
mechanisms are enabled and thus fix YARN/MR test failures after HADOOP-9421.
|
||||||
|
(Daryn Sharp and Vinod Kumar Vavilapalli via vinodkv)
|
||||||
|
|
||||||
BREAKDOWN OF HADOOP-8562 SUBTASKS AND RELATED JIRAS
|
BREAKDOWN OF HADOOP-8562 SUBTASKS AND RELATED JIRAS
|
||||||
|
|
||||||
YARN-158. Yarn creating package-info.java must not depend on sh.
|
YARN-158. Yarn creating package-info.java must not depend on sh.
|
||||||
|
|
|
@ -231,7 +231,7 @@ public class TestAMAuthorization {
|
||||||
// server side will assume we are trying simple auth.
|
// server side will assume we are trying simple auth.
|
||||||
Assert.assertTrue(e.getCause().getMessage().contains(
|
Assert.assertTrue(e.getCause().getMessage().contains(
|
||||||
"SIMPLE authentication is not enabled. "
|
"SIMPLE authentication is not enabled. "
|
||||||
+ "Available:[KERBEROS, DIGEST]"));
|
+ "Available:[TOKEN, KERBEROS]"));
|
||||||
}
|
}
|
||||||
|
|
||||||
// Now try to validate invalid authorization.
|
// Now try to validate invalid authorization.
|
||||||
|
|
Loading…
Reference in New Issue