From c5c3241da84a46152a0f2647a31864f8de01702e Mon Sep 17 00:00:00 2001 From: Suresh Srinivas Date: Fri, 30 May 2014 21:56:58 +0000 Subject: [PATCH] HADOOP-10342. Merging branch-2 equivalent of commit 1568525 from trunk git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1598754 13f79535-47bb-0310-9956-ffa450edef68 --- .../hadoop-common/CHANGES.txt | 3 ++ .../java/org/apache/hadoop/ipc/Client.java | 2 +- .../hadoop/security/UserGroupInformation.java | 37 +++++++++++++++++++ .../security/TestUserGroupInformation.java | 13 ++++++- 4 files changed, 53 insertions(+), 2 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 0c07d433300..97e6bd50e79 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -171,6 +171,9 @@ Release 2.5.0 - UNRELEASED HADOOP-10638. Updating hadoop-daemon.sh to work as expected when nfs is started as a privileged user. (Manikandan Narayanaswamy via atm) + HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to + build a new UGI. (Larry McCay via omalley) + Release 2.4.1 - UNRELEASED INCOMPATIBLE CHANGES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java index 88cdb2380cb..44c1aaa1c13 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java @@ -652,7 +652,7 @@ public Object run() throws IOException, InterruptedException { // try re-login if (UserGroupInformation.isLoginKeytabBased()) { UserGroupInformation.getLoginUser().reloginFromKeytab(); - } else { + } else if (UserGroupInformation.isLoginTicketBased()) { UserGroupInformation.getLoginUser().reloginFromTicketCache(); } // have granularity of milliseconds diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index 5e68159f17a..5039ba1bf63 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -692,6 +692,35 @@ public static UserGroupInformation getUGIFromTicketCache( } } + /** + * Create a UserGroupInformation from a Subject with Kerberos principal. + * + * @param user The KerberosPrincipal to use in UGI + * + * @throws IOException if the kerberos login fails + */ + public static UserGroupInformation getUGIFromSubject(Subject subject) + throws IOException { + if (subject == null) { + throw new IOException("Subject must not be null"); + } + + if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) { + throw new IOException("Provided Subject must contain a KerberosPrincipal"); + } + + KerberosPrincipal principal = + subject.getPrincipals(KerberosPrincipal.class).iterator().next(); + + User ugiUser = new User(principal.getName(), + AuthenticationMethod.KERBEROS, null); + subject.getPrincipals().add(ugiUser); + UserGroupInformation ugi = new UserGroupInformation(subject); + ugi.setLogin(null); + ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS); + return ugi; + } + /** * Get the currently logged in user. * @return the logged in user @@ -1099,6 +1128,14 @@ public synchronized static boolean isLoginKeytabBased() throws IOException { return getLoginUser().isKeytab; } + /** + * Did the login happen via ticket cache + * @return true or false + */ + public static boolean isLoginTicketBased() throws IOException { + return getLoginUser().isKrbTkt; + } + /** * Create a user from a login name. It is intended to be used for remote * users in RPC, since it won't have any credentials. diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java index 3832875b80e..c6206e3de5a 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java @@ -28,6 +28,7 @@ import org.junit.*; import javax.security.auth.Subject; +import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.LoginContext; import java.io.BufferedReader; @@ -767,7 +768,17 @@ public Void run() throws IOException { } }); } - + + @Test (timeout = 30000) + public void testGetUGIFromSubject() throws Exception { + KerberosPrincipal p = new KerberosPrincipal("guest"); + Subject subject = new Subject(); + subject.getPrincipals().add(p); + UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject); + assertNotNull(ugi); + assertEquals("guest@DEFAULT.REALM", ugi.getUserName()); + } + @Test(timeout=1000) public void testSetLoginUser() throws IOException { UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test-user");