From b4bd2b1d4204e6fab244698b056faff9dd972096 Mon Sep 17 00:00:00 2001 From: Alejandro Abdelnur Date: Wed, 7 Dec 2011 22:20:30 +0000 Subject: [PATCH] Merge -r 1211672:1211673 from trunk to branch. FIXES: HADOOP-7887 git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.23@1211675 13f79535-47bb-0310-9956-ffa450edef68 --- .../server/KerberosAuthenticationHandler.java | 7 +++++ .../authentication/util/KerberosName.java | 9 ++++++ .../TestKerberosAuthenticationHandler.java | 30 +++++++++++++++++++ .../hadoop-common/CHANGES.txt | 4 +++ .../hadoop/security/HadoopKerberosName.java | 11 +++++-- 5 files changed, 59 insertions(+), 2 deletions(-) diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java index 38b51cbaa75..79bff01d75a 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java @@ -55,6 +55,8 @@ import java.util.Set; * It does not have a default value. *
  • kerberos.keytab: the keytab file containing the credentials for the Kerberos principal. * It does not have a default value.
  • + *
  • kerberos.name.rules: kerberos names rules to resolve principal names, see + * {@link KerberosName#setRules(String)}
  • * */ public class KerberosAuthenticationHandler implements AuthenticationHandler { @@ -151,6 +153,11 @@ public class KerberosAuthenticationHandler implements AuthenticationHandler { throw new ServletException("Keytab does not exist: " + keytab); } + String nameRules = config.getProperty(NAME_RULES, null); + if (nameRules != null) { + KerberosName.setRules(nameRules); + } + Set principals = new HashSet(); principals.add(new KerberosPrincipal(principal)); Subject subject = new Subject(false, principals, new HashSet(), new HashSet()); diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java index 6a7ae0e4124..ad4741a6886 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java @@ -385,6 +385,15 @@ public class KerberosName { rules = parseRules(ruleString); } + /** + * Indicates if the name rules have been set. + * + * @return if the name rules have been set. + */ + public static boolean hasRulesBeenSet() { + return rules != null; + } + static void printRules() throws IOException { int i = 0; for(Rule r: rules) { diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java index 8187c9ec661..161839ddcd8 100644 --- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java 
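Review bot: `KerberosName.setRules(nameRules)` in `init` replaces the name rules for the whole JVM rather than for this handler only, so a second handler or any later `setRules` caller with a different `kerberos.name.rules` value silently changes how every principal is mapped to a short name. Because that short name is the identity later authorization decisions are made on, the precedence deserves a comment at the call site, for example `// KerberosName rules are static: this overrides any rules set earlier in this JVM`. It would also be worth trimming the value and rejecting an empty one before the call, since how `parseRules` treats an empty string is not visible here. `init` starts and ends outside this hunk.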
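Review bot: `hasRulesBeenSet()` reads the static `rules` field without synchronization, and its caller in this commit (`HadoopKerberosName.setConfiguration`) uses it as a check-then-act guard, so two threads can both see `false` and both call `setRules`. Whether `rules` is declared `volatile` is not visible in this hunk; if it is not, a thread may also miss rules another thread has already installed. Consider making the check and the set one synchronized operation on `KerberosName`, or state in the Javadoc that the result is only a hint. The `@return` line would read better as `@return true if the name rules have been set, false otherwise`.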
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java @@ -18,6 +18,7 @@ import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.KerberosAuthenticator; import junit.framework.TestCase; import org.apache.commons.codec.binary.Base64; +import org.apache.hadoop.security.authentication.util.KerberosName; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSName; @@ -59,6 +60,35 @@ public class TestKerberosAuthenticationHandler extends TestCase { super.tearDown(); } + public void testNameRules() throws Exception { + KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal()); + assertEquals(KerberosTestUtils.getRealm(), kn.getRealm()); + + //destroy handler created in setUp() + handler.destroy(); + + KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT"); + + handler = new KerberosAuthenticationHandler(); + Properties props = new Properties(); + props.setProperty(KerberosAuthenticationHandler.PRINCIPAL, KerberosTestUtils.getServerPrincipal()); + props.setProperty(KerberosAuthenticationHandler.KEYTAB, KerberosTestUtils.getKeytabFile()); + props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT"); + try { + handler.init(props); + } catch (Exception ex) { + } + kn = new KerberosName("bar@BAR"); + assertEquals("bar", kn.getShortName()); + kn = new KerberosName("bar@FOO"); + try { + kn.getShortName(); + fail(); + } + catch (Exception ex) { + } + } + public void testInit() throws Exception { assertEquals(KerberosTestUtils.getServerPrincipal(), handler.getPrincipal()); assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab()); diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 4af52c78634..9a88ac9f5c0 100644 
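Review bot: The empty `catch (Exception ex) { }` around `handler.init(props)` in `testNameRules` hides where init stopped. If it throws before reaching the new `setRules` call (the keytab check precedes it), the later assertions run against the `.*@FOO` rules installed at the top of the test, and the failure no longer points at init. At minimum comment why the exception is tolerated, or let it propagate. The test also leaves the `.*@BAR` rules in the static `KerberosName` state, which later tests in the same JVM will inherit, so reset them in `tearDown()`. The final `catch (Exception ex)` should be narrowed to the exception `getShortName()` is expected to throw for an unmatched name.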
--- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -61,6 +61,10 @@ Release 0.23.1 - Unreleased HADOOP-7874. native libs should be under lib/native/ dir. (tucu) + HADOOP-7887. KerberosAuthenticatorHandler is not setting KerberosName + name rules from configuration. (tucu) + + Release 0.23.0 - 2011-11-01 INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/HadoopKerberosName.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/HadoopKerberosName.java index 36f1943f506..6c3285bb295 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/HadoopKerberosName.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/HadoopKerberosName.java @@ -56,12 +56,19 @@ public class HadoopKerberosName extends KerberosName { } /** * Set the static configuration to get the rules. + *

    + * IMPORTANT: This method does a NOP if the rules have been set already. + * If there is a need to reset the rules, the {@link KerberosName#setRules(String)} + * method should be invoked directly. + * * @param conf the new configuration * @throws IOException */ public static void setConfiguration(Configuration conf) throws IOException { - String ruleString = conf.get("hadoop.security.auth_to_local", "DEFAULT"); - setRules(ruleString); + if (!hasRulesBeenSet()) { + String ruleString = conf.get("hadoop.security.auth_to_local", "DEFAULT"); + setRules(ruleString); + } } public static void main(String[] args) throws Exception {
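Review bot: `setConfiguration` now returns without reading `hadoop.security.auth_to_local` once any rules exist, and nothing records that the configured value was skipped. Whichever of this method and `KerberosAuthenticationHandler.init` runs first therefore decides the principal-to-short-name mapping for the whole process, and an operator who edits `auth_to_local` can end up with different rules in force than the configuration shows. Emit a log line on the skip path (whether this class already has a logger is not visible here) so the effective rule source can be audited. The Javadoc should also describe the bare `@throws IOException`, for example `@throws IOException if the rules cannot be read or parsed`, provided that matches what `setRules` does.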