From e84a9c976a04c6227de6c84a95ae99fc9dc265f1 Mon Sep 17 00:00:00 2001 From: Xiaoyu Yao Date: Thu, 16 Jun 2016 20:11:32 -0700 Subject: [PATCH] HADOOP-13255. KMSClientProvider should check and renew tgt when doing delegation token operations. Contributed by Xiao Chen. (cherry picked from commit ddf66427ff92a3886f94954e21d59e998412059b) --- .../org/apache/hadoop/crypto/key/kms/KMSClientProvider.java | 2 -- .../token/delegation/web/DelegationTokenAuthenticator.java | 3 +++ .../hadoop-kms/src/test/resources/log4j.properties | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java index ac2e7189568..4044870f771 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java @@ -536,8 +536,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, UserGroupInformation.AuthenticationMethod.PROXY) ? currentUgi.getShortUserName() : null; - // check and renew TGT to handle potential expiration - actualUgi.checkTGTAndReloginFromKeytab(); // creating the HTTP connection using the current UGI at constructor time conn = actualUgi.doAs(new PrivilegedExceptionAction() { @Override diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java index 46a0b1f32df..53978a6245b 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java @@ -20,6 +20,7 @@ package org.apache.hadoop.security.token.delegation.web; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.security.SecurityUtil; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.client.AuthenticatedURL; import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.Authenticator; @@ -143,6 +144,8 @@ public abstract class DelegationTokenAuthenticator implements Authenticator { public void authenticate(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException { if (!hasDelegationToken(url, token)) { + // check and renew TGT to handle potential expiration + UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab(); authenticator.authenticate(url, token); } } diff --git a/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties b/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties index 5cd037a49c6..b347d275e2f 100644 --- a/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties +++ b/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties @@ -22,7 +22,7 @@ log4j.appender.stdout.Target=System.out log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c{1} - %m%n -log4j.rootLogger=WARN, stdout +log4j.rootLogger=INFO, stdout log4j.logger.org.apache.hadoop.conf=ERROR log4j.logger.org.apache.hadoop.crytpo.key.kms.server=ALL log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF