HADOOP-14351. Azure: RemoteWasbAuthorizerImpl and RemoteSASKeyGeneratorImpl should not use Kerberos interactive user cache. Contributed by Santhosh G Nayak
(cherry picked from commit 8b5f2c372e)
This commit is contained in:
Mingliang Liu
parent
894521673b
commit
e84588eb03
|
|
@ -2987,9 +2987,6 @@ public class NativeAzureFileSystem extends FileSystem {
|
||||||
if (connectUgi == null) {
|
if (connectUgi == null) {
|
||||||
connectUgi = ugi;
|
connectUgi = ugi;
|
||||||
}
|
}
|
||||||
if (!connectUgi.hasKerberosCredentials()) {
|
|
||||||
connectUgi = UserGroupInformation.getLoginUser();
|
|
||||||
}
|
|
||||||
connectUgi.checkTGTAndReloginFromKeytab();
|
connectUgi.checkTGTAndReloginFromKeytab();
|
||||||
return connectUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
|
return connectUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
|
||||||
@Override
|
@Override
|
||||||
|
|
|
||||||
|
|
@ -96,7 +96,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
private static final String RELATIVE_PATH_QUERY_PARAM_NAME =
|
private static final String RELATIVE_PATH_QUERY_PARAM_NAME =
|
||||||
"relative_path";
|
"relative_path";
|
||||||
|
|
||||||
private String delegationToken = "";
|
private String delegationToken;
|
||||||
private String credServiceUrl = "";
|
private String credServiceUrl = "";
|
||||||
private WasbRemoteCallHelper remoteCallHelper = null;
|
private WasbRemoteCallHelper remoteCallHelper = null;
|
||||||
private boolean isSecurityEnabled;
|
private boolean isSecurityEnabled;
|
||||||
|
|
@ -109,14 +109,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
public void initialize(Configuration conf) throws IOException {
|
public void initialize(Configuration conf) throws IOException {
|
||||||
|
|
||||||
LOG.debug("Initializing RemoteSASKeyGeneratorImpl instance");
|
LOG.debug("Initializing RemoteSASKeyGeneratorImpl instance");
|
||||||
try {
|
setDelegationToken();
|
||||||
delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
|
|
||||||
} catch (IOException e) {
|
|
||||||
final String msg = "Error in fetching the WASB delegation token";
|
|
||||||
LOG.error(msg, e);
|
|
||||||
throw new IOException(msg, e);
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
credServiceUrl = SecurityUtils.getCredServiceUrls(conf);
|
credServiceUrl = SecurityUtils.getCredServiceUrls(conf);
|
||||||
} catch (UnknownHostException e) {
|
} catch (UnknownHostException e) {
|
||||||
|
|
@ -145,6 +138,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
try {
|
try {
|
||||||
LOG.debug("Generating Container SAS Key for Container {} "
|
LOG.debug("Generating Container SAS Key for Container {} "
|
||||||
+ "inside Storage Account {} ", container, storageAccount);
|
+ "inside Storage Account {} ", container, storageAccount);
|
||||||
|
setDelegationToken();
|
||||||
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
|
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
|
||||||
uriBuilder.setPath("/" + CONTAINER_SAS_OP);
|
uriBuilder.setPath("/" + CONTAINER_SAS_OP);
|
||||||
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
|
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
|
||||||
|
|
@ -165,10 +159,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
} else {
|
} else {
|
||||||
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
|
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
|
|
||||||
connectUgi = UserGroupInformation.getLoginUser();
|
|
||||||
}
|
|
||||||
return getSASKey(uriBuilder.build(), connectUgi);
|
return getSASKey(uriBuilder.build(), connectUgi);
|
||||||
} catch (URISyntaxException uriSyntaxEx) {
|
} catch (URISyntaxException uriSyntaxEx) {
|
||||||
throw new SASKeyGenerationException("Encountered URISyntaxException "
|
throw new SASKeyGenerationException("Encountered URISyntaxException "
|
||||||
|
|
@ -187,6 +177,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
LOG.debug("Generating RelativePath SAS Key for relativePath {} inside"
|
LOG.debug("Generating RelativePath SAS Key for relativePath {} inside"
|
||||||
+ " Container {} inside Storage Account {} ",
|
+ " Container {} inside Storage Account {} ",
|
||||||
relativePath, container, storageAccount);
|
relativePath, container, storageAccount);
|
||||||
|
setDelegationToken();
|
||||||
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
|
URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
|
||||||
uriBuilder.setPath("/" + BLOB_SAS_OP);
|
uriBuilder.setPath("/" + BLOB_SAS_OP);
|
||||||
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
|
uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
|
||||||
|
|
@ -211,10 +202,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
} else {
|
} else {
|
||||||
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
|
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
|
|
||||||
connectUgi = UserGroupInformation.getLoginUser();
|
|
||||||
}
|
|
||||||
return getSASKey(uriBuilder.build(), connectUgi);
|
return getSASKey(uriBuilder.build(), connectUgi);
|
||||||
} catch (URISyntaxException uriSyntaxEx) {
|
} catch (URISyntaxException uriSyntaxEx) {
|
||||||
throw new SASKeyGenerationException("Encountered URISyntaxException"
|
throw new SASKeyGenerationException("Encountered URISyntaxException"
|
||||||
|
|
@ -230,7 +217,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
throws URISyntaxException, SASKeyGenerationException {
|
throws URISyntaxException, SASKeyGenerationException {
|
||||||
final RemoteSASKeyGenerationResponse sasKeyResponse;
|
final RemoteSASKeyGenerationResponse sasKeyResponse;
|
||||||
try {
|
try {
|
||||||
connectUgi.checkTGTAndReloginFromKeytab();
|
|
||||||
sasKeyResponse = connectUgi.doAs(
|
sasKeyResponse = connectUgi.doAs(
|
||||||
new PrivilegedExceptionAction<RemoteSASKeyGenerationResponse>() {
|
new PrivilegedExceptionAction<RemoteSASKeyGenerationResponse>() {
|
||||||
@Override
|
@Override
|
||||||
|
|
@ -310,6 +296,10 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
|
||||||
+ "accessing remote service to retrieve SAS Key", ioEx);
|
+ "accessing remote service to retrieve SAS Key", ioEx);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void setDelegationToken() throws IOException {
|
||||||
|
this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -29,8 +29,6 @@ import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
|
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||||
import org.apache.hadoop.security.authentication.client.Authenticator;
|
import org.apache.hadoop.security.authentication.client.Authenticator;
|
||||||
import org.apache.hadoop.security.token.Token;
|
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
|
||||||
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
|
import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
|
||||||
import org.apache.http.client.methods.HttpGet;
|
import org.apache.http.client.methods.HttpGet;
|
||||||
import org.apache.http.client.utils.URIBuilder;
|
import org.apache.http.client.utils.URIBuilder;
|
||||||
|
|
@ -42,7 +40,6 @@ import org.slf4j.LoggerFactory;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URISyntaxException;
|
import java.net.URISyntaxException;
|
||||||
import java.security.PrivilegedExceptionAction;
|
import java.security.PrivilegedExceptionAction;
|
||||||
import java.util.Iterator;
|
|
||||||
|
|
||||||
import static org.apache.hadoop.fs.azure.WasbRemoteCallHelper.REMOTE_CALL_SUCCESS_CODE;
|
import static org.apache.hadoop.fs.azure.WasbRemoteCallHelper.REMOTE_CALL_SUCCESS_CODE;
|
||||||
|
|
||||||
|
|
@ -104,15 +101,7 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
|
||||||
public void init(Configuration conf)
|
public void init(Configuration conf)
|
||||||
throws WasbAuthorizationException, IOException {
|
throws WasbAuthorizationException, IOException {
|
||||||
LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
|
LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
|
||||||
Iterator<Token<? extends TokenIdentifier>> tokenIterator = null;
|
setDelegationToken();
|
||||||
try {
|
|
||||||
delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
|
|
||||||
} catch (IOException e) {
|
|
||||||
final String msg = "Error in fetching the WASB delegation token";
|
|
||||||
LOG.error(msg, e);
|
|
||||||
throw new IOException(msg, e);
|
|
||||||
}
|
|
||||||
|
|
||||||
remoteAuthorizerServiceUrl = SecurityUtils
|
remoteAuthorizerServiceUrl = SecurityUtils
|
||||||
.getRemoteAuthServiceUrls(conf);
|
.getRemoteAuthServiceUrls(conf);
|
||||||
|
|
||||||
|
|
@ -139,6 +128,7 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
setDelegationToken();
|
||||||
final URIBuilder uriBuilder = new URIBuilder(remoteAuthorizerServiceUrl);
|
final URIBuilder uriBuilder = new URIBuilder(remoteAuthorizerServiceUrl);
|
||||||
uriBuilder.setPath("/" + CHECK_AUTHORIZATION_OP);
|
uriBuilder.setPath("/" + CHECK_AUTHORIZATION_OP);
|
||||||
uriBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME,
|
uriBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME,
|
||||||
|
|
@ -158,10 +148,6 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
|
||||||
} else {
|
} else {
|
||||||
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
|
uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
|
||||||
}
|
}
|
||||||
if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
|
|
||||||
connectUgi = UserGroupInformation.getLoginUser();
|
|
||||||
}
|
|
||||||
connectUgi.checkTGTAndReloginFromKeytab();
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
responseBody = connectUgi
|
responseBody = connectUgi
|
||||||
|
|
@ -217,6 +203,10 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
|
||||||
throw new WasbAuthorizationException(ex);
|
throw new WasbAuthorizationException(ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void setDelegationToken() throws IOException {
|
||||||
|
this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -81,9 +81,6 @@ public class WasbTokenRenewer extends TokenRenewer {
|
||||||
if (connectUgi == null) {
|
if (connectUgi == null) {
|
||||||
connectUgi = ugi;
|
connectUgi = ugi;
|
||||||
}
|
}
|
||||||
if (!connectUgi.hasKerberosCredentials()) {
|
|
||||||
connectUgi = UserGroupInformation.getLoginUser();
|
|
||||||
}
|
|
||||||
connectUgi.checkTGTAndReloginFromKeytab();
|
connectUgi.checkTGTAndReloginFromKeytab();
|
||||||
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
|
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
|
||||||
authToken
|
authToken
|
||||||
|
|
@ -123,9 +120,6 @@ public class WasbTokenRenewer extends TokenRenewer {
|
||||||
if (connectUgi == null) {
|
if (connectUgi == null) {
|
||||||
connectUgi = ugi;
|
connectUgi = ugi;
|
||||||
}
|
}
|
||||||
if (!connectUgi.hasKerberosCredentials()) {
|
|
||||||
connectUgi = UserGroupInformation.getLoginUser();
|
|
||||||
}
|
|
||||||
connectUgi.checkTGTAndReloginFromKeytab();
|
connectUgi.checkTGTAndReloginFromKeytab();
|
||||||
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
|
final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
|
||||||
authToken
|
authToken
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue