From e96f0c6aae7dffc2079ffd6ff863433e96724670 Mon Sep 17 00:00:00 2001
From: "Aaron T. Myers"
Date: Wed, 5 Nov 2014 17:47:22 -0800
Subject: [PATCH] HADOOP-11272. Allow ZKSignerSecretProvider and ZKDelegationTokenSecretManager to use the same curator client. Contributed by Arun Suresh.

(cherry picked from commit 8a261e68e4177b47be01ceae7310ea56aeb7ca38)
---
 .../server/AuthenticationFilter.java | 21 +++-
 .../server/TestAuthenticationFilter.java | 2 +
 .../hadoop-common/CHANGES.txt | 3 +
 .../ZKDelegationTokenSecretManager.java | 6 +-
 .../DelegationTokenAuthenticationFilter.java | 22 ++--
 .../hadoop/crypto/key/kms/server/TestKMS.java | 101 ++++++++++++++++++
 6 files changed, 142 insertions(+), 13 deletions(-)

diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
index a070345a710..58d97cada76 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
@@ -219,6 +219,19 @@ public class AuthenticationFilter implements Filter {
 authHandlerClassName = authHandlerName;
 }
 
+ validity = Long.parseLong(config.getProperty(AUTH_TOKEN_VALIDITY, "36000"))
+ * 1000; //10 hours
+ initializeSecretProvider(filterConfig);
+
+ initializeAuthHandler(authHandlerClassName, filterConfig);
+
+
+ cookieDomain = config.getProperty(COOKIE_DOMAIN, null);
+ cookiePath = config.getProperty(COOKIE_PATH, null);
+ }
+
+ protected void initializeAuthHandler(String authHandlerClassName, FilterConfig filterConfig)
+ throws ServletException {
 try {
 Class klass = Thread.currentThread().getContextClassLoader().loadClass(authHandlerClassName);
 authHandler = (AuthenticationHandler) klass.newInstance();
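Review bot: `initializeAuthHandler` and `initializeSecretProvider` become protected extension points in this hunk without any Javadoc, and `init` now runs them in a fixed order — `validity` first, then the secret provider, then the handler — that an override has to respect, since `initializeSecretProvider` is what leaves `secretProvider` and `signer` set for the rest of the filter. Suggest a Javadoc on `initializeAuthHandler` along the lines of `/** Instantiates and initializes the AuthenticationHandler named by authHandlerClassName; invoked by init() after initializeSecretProvider(). Subclasses overriding it must leave authHandler set. */`, and a matching one on `initializeSecretProvider` (next hunk) stating that it must leave `secretProvider` and `signer` set. The old code initialized the handler before the secret provider, so the reorder is a behaviour change for any handler whose init observes the servlet-context state; if intentional it deserves a sentence in the commit message. The two consecutive blank lines before `cookieDomain` are a style nit, and `init` starts before the hunk.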
@@ -230,9 +243,10 @@ public class AuthenticationFilter implements Filter {
 } catch (IllegalAccessException ex) {
 throw new ServletException(ex);
 }
+ }
 
- validity = Long.parseLong(config.getProperty(AUTH_TOKEN_VALIDITY, "36000"))
- * 1000; //10 hours
+ protected void initializeSecretProvider(FilterConfig filterConfig)
+ throws ServletException {
 secretProvider = (SignerSecretProvider) filterConfig.getServletContext().
 getAttribute(SIGNER_SECRET_PROVIDER_ATTRIBUTE);
 if (secretProvider == null) {
@@ -254,9 +268,6 @@ public class AuthenticationFilter implements Filter {
 customSecretProvider = true;
 }
 signer = new Signer(secretProvider);
-
- cookieDomain = config.getProperty(COOKIE_DOMAIN, null);
- cookiePath = config.getProperty(COOKIE_PATH, null);
 }
 
 @SuppressWarnings("unchecked")
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
index 5d93fcfa1c4..3b6b958ac1e 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
@@ -283,6 +283,8 @@ public class TestAuthenticationFilter {
 filter = new AuthenticationFilter();
 try {
 FilterConfig config = Mockito.mock(FilterConfig.class);
+ ServletContext sc = Mockito.mock(ServletContext.class);
+ Mockito.when(config.getServletContext()).thenReturn(sc);
 Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn("kerberos");
 Mockito.when(config.getInitParameterNames()).thenReturn(
 new Vector(Arrays.asList(AuthenticationFilter.AUTH_TYPE)).elements());
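Review bot: `initializeSecretProvider` dereferences `filterConfig.getServletContext()` with no null check, and because `init` now calls it before `initializeAuthHandler`, a FilterConfig without a servlet context fails with a NullPointerException instead of reaching the handler's ServletException — which appears to be why TestAuthenticationFilter in this same change now has to mock a ServletContext. If the method's contract is that a context is required, state it and fail with the declared exception type: `ServletContext ctx = filterConfig.getServletContext();` / `if (ctx == null) { throw new ServletException("AuthenticationFilter requires a ServletContext to initialize the SignerSecretProvider"); }` / and read the attribute from `ctx`. The unchecked cast to `SignerSecretProvider` also turns an unrelated object registered under the same attribute name into a bare ClassCastException; an `instanceof` check with a descriptive ServletException would make that misconfiguration easier to diagnose. The method's body continues past the hunk.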
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 563ed8463af..735962f3a19 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -66,6 +66,9 @@ Release 2.7.0 - UNRELEASED
 HADOOP-10714. AmazonS3Client.deleteObjects() need to be limited to 1000
 entries per call. (Juan Yu via atm)
 
+ HADOOP-11272. Allow ZKSignerSecretProvider and
+ ZKDelegationTokenSecretManager to use the same curator client. (Arun Suresh via atm)
+
 Release 2.6.0 - UNRELEASED
 
 INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/ZKDelegationTokenSecretManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/ZKDelegationTokenSecretManager.java
index 82dd2da7e16..ebc45a5b431 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/ZKDelegationTokenSecretManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/ZKDelegationTokenSecretManager.java
@@ -136,7 +136,11 @@ public abstract class ZKDelegationTokenSecretManager c = + new KMSCallable() { + @Override + public KeyProvider call() throws Exception { + final Configuration conf = new Configuration(); + conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128); + final URI uri = createKMSUri(getKMSUrl()); + + final KeyProvider kp = + doAs("SET_KEY_MATERIAL", + new PrivilegedExceptionAction() { + @Override + public KeyProvider run() throws Exception { + KMSClientProvider kp = new KMSClientProvider(uri, conf); + kp.createKey("k1", new byte[16], + new KeyProvider.Options(conf)); + kp.createKey("k2", new byte[16], + new KeyProvider.Options(conf)); + kp.createKey("k3", new byte[16], + new KeyProvider.Options(conf)); + return kp; + } + }); + return kp; + } + }; + + runServer(null, null, testDir, c); + } finally { + if (zkServer != null) { + zkServer.stop(); + zkServer.close(); + } + } + + } + + @Test public void testProxyUserKerb() throws Exception { doProxyUserTest(true);