HADOOP-13255. KMSClientProvider should check and renew tgt when doing delegation token operations. Contributed by Xiao Chen.

(cherry picked from commit ddf66427ff)
2016-06-16 20:11:32 -07:00 · 2016-06-16 20:11:32 -07:00 · e84a9c976a
parent 408848d1e9
commit e84a9c976a
3 changed files with 4 additions and 3 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@ -536,8 +536,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
          UserGroupInformation.AuthenticationMethod.PROXY)
                              ? currentUgi.getShortUserName() : null;

-      // check and renew TGT to handle potential expiration
-      actualUgi.checkTGTAndReloginFromKeytab();
      // creating the HTTP connection using the current UGI at constructor time
      conn = actualUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
        @Override
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java
@ -20,6 +20,7 @@ package org.apache.hadoop.security.token.delegation.web;
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.Authenticator;
@ -143,6 +144,8 @@ public abstract class DelegationTokenAuthenticator implements Authenticator {
  public void authenticate(URL url, AuthenticatedURL.Token token)
      throws IOException, AuthenticationException {
    if (!hasDelegationToken(url, token)) {
+      // check and renew TGT to handle potential expiration
+      UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
      authenticator.authenticate(url, token);
    }
  }
--- a/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties
+++ b/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties
@ -22,7 +22,7 @@ log4j.appender.stdout.Target=System.out
 log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
 log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c{1} - %m%n

-log4j.rootLogger=WARN, stdout
+log4j.rootLogger=INFO, stdout
 log4j.logger.org.apache.hadoop.conf=ERROR
 log4j.logger.org.apache.hadoop.crytpo.key.kms.server=ALL
 log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF