HADOOP-13255. KMSClientProvider should check and renew tgt when doing delegation token operations. Contributed by Xiao Chen.
parent
1ef89a767d
commit
ddf66427ff
|
@ -536,8 +536,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
|
||||||
UserGroupInformation.AuthenticationMethod.PROXY)
|
UserGroupInformation.AuthenticationMethod.PROXY)
|
||||||
? currentUgi.getShortUserName() : null;
|
? currentUgi.getShortUserName() : null;
|
||||||
|
|
||||||
// check and renew TGT to handle potential expiration
|
|
||||||
actualUgi.checkTGTAndReloginFromKeytab();
|
|
||||||
// creating the HTTP connection using the current UGI at constructor time
|
// creating the HTTP connection using the current UGI at constructor time
|
||||||
conn = actualUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
|
conn = actualUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -20,6 +20,7 @@ package org.apache.hadoop.security.token.delegation.web;
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
import org.apache.hadoop.classification.InterfaceStability;
|
import org.apache.hadoop.classification.InterfaceStability;
|
||||||
import org.apache.hadoop.security.SecurityUtil;
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
|
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||||
import org.apache.hadoop.security.authentication.client.Authenticator;
|
import org.apache.hadoop.security.authentication.client.Authenticator;
|
||||||
|
@ -143,6 +144,8 @@ public abstract class DelegationTokenAuthenticator implements Authenticator {
|
||||||
public void authenticate(URL url, AuthenticatedURL.Token token)
|
public void authenticate(URL url, AuthenticatedURL.Token token)
|
||||||
throws IOException, AuthenticationException {
|
throws IOException, AuthenticationException {
|
||||||
if (!hasDelegationToken(url, token)) {
|
if (!hasDelegationToken(url, token)) {
|
||||||
|
// check and renew TGT to handle potential expiration
|
||||||
|
UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
|
||||||
authenticator.authenticate(url, token);
|
authenticator.authenticate(url, token);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
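Review bot: The relogin added in `authenticate` runs on `UserGroupInformation.getCurrentUser()`, whereas the line this commit removes from KMSClientProvider ran on `actualUgi`, so whether the TGT is renewed now depends on the context the caller is in. If `authenticate` is reached as a proxy user, or outside a `doAs` for the keytab-backed login, `checkTGTAndReloginFromKeytab()` would presumably find no keytab credentials on that UGI and do nothing, and the handshake would still fail on an expired ticket. I would state that precondition in the comment, for example `// check and renew TGT; assumes the current UGI is the keytab login (callers wrap this in doAs)`, or relogin on `UserGroupInformation.getLoginUser()` if that is the intent. Logins from a ticket cache are not covered by this call either, which is worth confirming as acceptable. A test that lets the TGT expire before a delegation token operation would pin the behaviour for both the KMS client and other users of this authenticator.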
@ -22,7 +22,7 @@ log4j.appender.stdout.Target=System.out
|
||||||
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
|
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
|
||||||
log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c{1} - %m%n
|
log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c{1} - %m%n
|
||||||
|
|
||||||
log4j.rootLogger=WARN, stdout
|
log4j.rootLogger=INFO, stdout
|
||||||
log4j.logger.org.apache.hadoop.conf=ERROR
|
log4j.logger.org.apache.hadoop.conf=ERROR
|
||||||
log4j.logger.org.apache.hadoop.crytpo.key.kms.server=ALL
|
log4j.logger.org.apache.hadoop.crytpo.key.kms.server=ALL
|
||||||
log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF
|
log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF
|
||||||
|
|
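Review bot: The root logger moves from WARN to INFO without a mention in the commit message, which reads like a debugging leftover. If it is intended, a one-line comment above `log4j.rootLogger=INFO, stdout` saying why would help; otherwise I would revert it to keep the output quiet. Separately, the context line `log4j.logger.org.apache.hadoop.crytpo.key.kms.server=ALL` looks misspelt (`crytpo`), so that setting presumably never matches the KMS server classes and the root level is what governs their logging.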