Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-13433 Race in UGI.reloginFromKeytab. Contributed by Duo Zhang.

This commit is contained in:
Steve Loughran 2017-01-25 21:26:01 +00:00
parent 73497f08fc
commit bb46d40558
1 changed files with 49 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
View File

@ -24,6 +24,8 @@ import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_TOKEN_FI
import static org.apache.hadoop.security.UGIExceptionMessages.*; import static org.apache.hadoop.security.UGIExceptionMessages.*;
import static org.apache.hadoop.util.PlatformName.IBM_JAVA; import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
import com.google.common.annotations.VisibleForTesting;
import java.io.File; import java.io.File;
import java.io.FileNotFoundException; import java.io.FileNotFoundException;
import java.io.IOException; import java.io.IOException;
@ -45,6 +47,7 @@ import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.kerberos.KerberosPrincipal;
@ -76,8 +79,6 @@ import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.util.Shell; import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.StringUtils; import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.util.Time; import org.apache.hadoop.util.Time;
import com.google.common.annotations.VisibleForTesting;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -1163,6 +1164,36 @@ public class UserGroupInformation {
reloginFromKeytab(); reloginFromKeytab();
} }
// if the first kerberos ticket is not TGT, then remove and destroy it since
// the kerberos library of jdk always use the first kerberos ticket as TGT.
// See HADOOP-13433 for more details.
private void fixKerberosTicketOrder() {
Set<Object> creds = getSubject().getPrivateCredentials();
synchronized (creds) {
for (Iterator<Object> iter = creds.iterator(); iter.hasNext();) {
Object cred = iter.next();
if (cred instanceof KerberosTicket) {
KerberosTicket ticket = (KerberosTicket) cred;
if (!ticket.getServer().getName().startsWith("krbtgt")) {
LOG.warn(
"The first kerberos ticket is not TGT"
+ "(the server principal is {}), remove and destroy it.",
ticket.getServer());
iter.remove();
try {
ticket.destroy();
} catch (DestroyFailedException e) {
LOG.warn("destroy ticket failed", e);
}
} else {
return;
}
}
}
}
LOG.warn("Warning, no kerberos ticket found while attempting to renew ticket");
}
/** /**
* Re-Login a user in from a keytab file. Loads a user identity from a keytab * Re-Login a user in from a keytab file. Loads a user identity from a keytab
* file and logs them in. They become the currently logged-in user. This * file and logs them in. They become the currently logged-in user. This
@ -1176,10 +1207,11 @@ public class UserGroupInformation {
@InterfaceAudience.Public @InterfaceAudience.Public
@InterfaceStability.Evolving @InterfaceStability.Evolving
public synchronized void reloginFromKeytab() throws IOException { public synchronized void reloginFromKeytab() throws IOException {
if (!isSecurityEnabled() || if (!isSecurityEnabled()
user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
!isKeytab) || !isKeytab) {
return; return;
}
long now = Time.now(); long now = Time.now();
if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) { if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) {
@ -1220,6 +1252,7 @@ public class UserGroupInformation {
} }
start = Time.now(); start = Time.now();
login.login(); login.login();
fixKerberosTicketOrder();
metrics.loginSuccess.add(Time.now() - start); metrics.loginSuccess.add(Time.now() - start);
setLogin(login); setLogin(login);
} }
@ -1245,10 +1278,11 @@ public class UserGroupInformation {
@InterfaceAudience.Public @InterfaceAudience.Public
@InterfaceStability.Evolving @InterfaceStability.Evolving
public synchronized void reloginFromTicketCache() throws IOException { public synchronized void reloginFromTicketCache() throws IOException {
if (!isSecurityEnabled() || if (!isSecurityEnabled()
user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS
!isKrbTkt) || !isKrbTkt) {
return; return;
}
LoginContext login = getLogin(); LoginContext login = getLogin();
if (login == null) { if (login == null) {
throw new KerberosAuthException(MUST_FIRST_LOGIN); throw new KerberosAuthException(MUST_FIRST_LOGIN);
@ -1276,6 +1310,7 @@ public class UserGroupInformation {
LOG.debug("Initiating re-login for " + getUserName()); LOG.debug("Initiating re-login for " + getUserName());
} }
login.login(); login.login();
fixKerberosTicketOrder();
setLogin(login); setLogin(login);
} catch (LoginException le) { } catch (LoginException le) {
KerberosAuthException kae = new KerberosAuthException(LOGIN_FAILURE, le); KerberosAuthException kae = new KerberosAuthException(LOGIN_FAILURE, le);
@ -1284,7 +1319,6 @@ public class UserGroupInformation {
} }
} }
/** /**
* Log a user in from a keytab file. Loads a user identity from a keytab * Log a user in from a keytab file. Loads a user identity from a keytab
* file and login them in. This new user does not affect the currently * file and login them in. This new user does not affect the currently