Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-14351. Azure: RemoteWasbAuthorizerImpl and RemoteSASKeyGeneratorImpl should not use Kerberos interactive user cache. Contributed by Santhosh G Nayak 

(cherry picked from commit 8b5f2c372e)
This commit is contained in:
Mingliang Liu 2017-04-26 13:46:59 -07:00
parent 894521673b
commit e84588eb03
4 changed files with 14 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java
View File

@ -2987,9 +2987,6 @@ public class NativeAzureFileSystem extends FileSystem {
if (connectUgi == null) {
connectUgi = ugi;
}
if (!connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
return connectUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
@Override

26
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java
View File

@ -96,7 +96,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
private static final String RELATIVE_PATH_QUERY_PARAM_NAME =
"relative_path";
private String delegationToken = "";
private String delegationToken;
private String credServiceUrl = "";
private WasbRemoteCallHelper remoteCallHelper = null;
private boolean isSecurityEnabled;
@ -109,14 +109,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
public void initialize(Configuration conf) throws IOException {
LOG.debug("Initializing RemoteSASKeyGeneratorImpl instance");
try {
delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
} catch (IOException e) {
final String msg = "Error in fetching the WASB delegation token";
LOG.error(msg, e);
throw new IOException(msg, e);
}
setDelegationToken();
try {
credServiceUrl = SecurityUtils.getCredServiceUrls(conf);
} catch (UnknownHostException e) {
@ -145,6 +138,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
try {
LOG.debug("Generating Container SAS Key for Container {} "
+ "inside Storage Account {} ", container, storageAccount);
setDelegationToken();
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
uriBuilder.setPath("/" + CONTAINER_SAS_OP);
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
@ -165,10 +159,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
} else {
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
}
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
return getSASKey(uriBuilder.build(), connectUgi);
} catch (URISyntaxException uriSyntaxEx) {
throw new SASKeyGenerationException("Encountered URISyntaxException "
@ -187,6 +177,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
LOG.debug("Generating RelativePath SAS Key for relativePath {} inside"
+ " Container {} inside Storage Account {} ",
relativePath, container, storageAccount);
setDelegationToken();
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
uriBuilder.setPath("/" + BLOB_SAS_OP);
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
@ -211,10 +202,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
} else {
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
}
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
return getSASKey(uriBuilder.build(), connectUgi);
} catch (URISyntaxException uriSyntaxEx) {
throw new SASKeyGenerationException("Encountered URISyntaxException"
@ -230,7 +217,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
throws URISyntaxException, SASKeyGenerationException {
final RemoteSASKeyGenerationResponse sasKeyResponse;
try {
connectUgi.checkTGTAndReloginFromKeytab();
sasKeyResponse = connectUgi.doAs(
new PrivilegedExceptionAction<RemoteSASKeyGenerationResponse>() {
@Override
@ -310,6 +296,10 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
+ "accessing remote service to retrieve SAS Key", ioEx);
}
}
private void setDelegationToken() throws IOException {
this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
}
}
/**

22
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java
View File

@ -29,8 +29,6 @@ import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.Authenticator;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
@ -42,7 +40,6 @@ import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import static org.apache.hadoop.fs.azure.WasbRemoteCallHelper.REMOTE_CALL_SUCCESS_CODE;
@ -104,15 +101,7 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
public void init(Configuration conf)
throws WasbAuthorizationException, IOException {
LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
Iterator<Token<? extends TokenIdentifier>> tokenIterator = null;
try {
delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
} catch (IOException e) {
final String msg = "Error in fetching the WASB delegation token";
LOG.error(msg, e);
throw new IOException(msg, e);
}
setDelegationToken();
remoteAuthorizerServiceUrl = SecurityUtils
.getRemoteAuthServiceUrls(conf);
@ -139,6 +128,7 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
return true;
}
setDelegationToken();
final URIBuilder uriBuilder = new URIBuilder(remoteAuthorizerServiceUrl);
uriBuilder.setPath("/" + CHECK_AUTHORIZATION_OP);
uriBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME,
@ -158,10 +148,6 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
} else {
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
}
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
try {
responseBody = connectUgi
@ -217,6 +203,10 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
throw new WasbAuthorizationException(ex);
}
}
private void setDelegationToken() throws IOException {
this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
}
}
/**

6
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java
View File

@ -81,9 +81,6 @@ public class WasbTokenRenewer extends TokenRenewer {
if (connectUgi == null) {
connectUgi = ugi;
}
if (!connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
authToken
@ -123,9 +120,6 @@ public class WasbTokenRenewer extends TokenRenewer {
if (connectUgi == null) {
connectUgi = ugi;
}
if (!connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
connectUgi.checkTGTAndReloginFromKeytab();
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
authToken