HADOOP-7070. JAAS configuration should delegate unknown application names to pre-existing configuration. Contributed by Todd Lipcon

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1055996 13f79535-47bb-0310-9956-ffa450edef68

CHANGES.txt

@@ -416,6 +416,9 @@ Release 0.22.0 - Unreleased
     HADOOP-7082. Configuration.writeXML should not hold lock while outputting
     (todd)
 
+    HADOOP-7070. JAAS configuration should delegate unknown application names
+    to pre-existing configuration. (todd)
+
 Release 0.21.1 - Unreleased
 
   IMPROVEMENTS

src/java/org/apache/hadoop/security/UserGroupInformation.java

@@ -245,8 +245,22 @@ public class UserGroupInformation {
     // Set the configuration for JAAS to be the Hadoop configuration. 
     // This is done here rather than a static initializer to avoid a
     // circular dependence.
-    javax.security.auth.login.Configuration.setConfiguration
+    javax.security.auth.login.Configuration existingConfig = null;
-        (new HadoopConfiguration());
+    try {
+      existingConfig =
+        javax.security.auth.login.Configuration.getConfiguration();
+    } catch (SecurityException se) {
+      // If no security configuration is on the classpath, then
+      // we catch this exception, and we don't need to delegate
+      // to anyone
+    }
+
+    if (existingConfig instanceof HadoopConfiguration) {
+      LOG.info("JAAS Configuration already set up for Hadoop, not re-installing.");
+    } else {
+      javax.security.auth.login.Configuration.setConfiguration(
+        new HadoopConfiguration(existingConfig));
+    }
 
     isInitialized = true;
     UserGroupInformation.conf = conf;
@@ -395,6 +409,12 @@ public class UserGroupInformation {
     private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
       new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
 
+    private final javax.security.auth.login.Configuration parent;
+
+    HadoopConfiguration(javax.security.auth.login.Configuration parent) {
+      this.parent = parent;
+    }
+
     @Override
     public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
       if (SIMPLE_CONFIG_NAME.equals(appName)) {
@@ -405,6 +425,8 @@ public class UserGroupInformation {
         KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
         KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
         return KEYTAB_KERBEROS_CONF;
+      } else if (parent != null) {
+        return parent.getAppConfigurationEntry(appName);
       }
       return null;
     }

src/test/core/org/apache/hadoop/security/TestUserGroupInformation.java

@@ -21,6 +21,7 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import org.mockito.Mockito;
 import static org.mockito.Mockito.mock;
 
 import java.io.BufferedReader;
@@ -31,6 +32,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.LoginContext;
 
 import junit.framework.Assert;
@@ -49,7 +51,11 @@ public class TestUserGroupInformation {
   final private static String[] GROUP_NAMES = 
     new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
   
+  private static javax.security.auth.login.Configuration mockJaasConf;
+
   static {
+    setupMockJaasParent();
+
     Configuration conf = new Configuration();
     conf.set("hadoop.security.auth_to_local",
         "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +
@@ -346,4 +352,35 @@ public class TestUserGroupInformation {
       assertTrue(metrics.loginFailure.getPreviousIntervalAverageTime() > 0);
     }
   }
+
+  /**
+   * Setup a JAAS Configuration that handles a fake app.
+   * This runs before UserGroupInformation has been initialized,
+   * so UGI picks up this Configuration as the parent.
+   */
+  private static void setupMockJaasParent() {
+    javax.security.auth.login.Configuration existing = null;
+    try {
+      existing =javax.security.auth.login.Configuration.getConfiguration();
+      assertFalse("setupMockJaasParent should run before the Hadoop " +
+                  "configuration provider is installed.",
+                  existing.getClass().getCanonicalName()
+                  .startsWith("org.apache.hadoop"));
+    } catch (SecurityException se) {
+      // We get this if no configuration has been set. So it's OK.
+    }
+
+    mockJaasConf = mock(javax.security.auth.login.Configuration.class);
+    Mockito.doReturn(new AppConfigurationEntry[] {})
+      .when(mockJaasConf)
+      .getAppConfigurationEntry("foobar-app");
+    javax.security.auth.login.Configuration.setConfiguration(mockJaasConf);
+  }
+
+  @Test
+  public void testDelegateJaasConfiguration() throws Exception {
+    // This will throw if the Configuration doesn't have any entries
+    // for "foobar"
+    LoginContext login = new LoginContext("foobar-app");
+  }
 }