From ea8aeaeab61f95cf004098f15974e2b176613682 Mon Sep 17 00:00:00 2001 From: Kihwal Lee Date: Thu, 8 Aug 2013 15:05:20 +0000 Subject: [PATCH] svn merge -c 1511823 from trunk to branch-2 to FIX HADOOP-9850. RPC kerberos errors don't trigger relogin. git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1511824 13f79535-47bb-0310-9956-ffa450edef68 --- .../hadoop-common/CHANGES.txt | 2 ++ .../java/org/apache/hadoop/ipc/Client.java | 1 + .../apache/hadoop/security/SaslRpcClient.java | 19 +++++++++++++++++-- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 220559ef029..7945e07fa53 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -432,6 +432,8 @@ Release 2.1.0-beta - 2013-08-06 HADOOP-9816. RPC Sasl QOP is broken (daryn) + HADOOP-9850. RPC kerberos errors don't trigger relogin. (daryn via kihwal) + BREAKDOWN OF HADOOP-8562 SUBTASKS AND RELATED JIRAS HADOOP-8924. Hadoop Common creating package-info.java must not depend on diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java index c5ad8df44fe..08e86c8d4c1 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java @@ -713,6 +713,7 @@ public AuthMethod run() } }); } catch (Exception ex) { + authMethod = saslRpcClient.getAuthMethod(); if (rand == null) { rand = new Random(); } diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java index a6fcd97d726..da8d474b5bd 100644 
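Review bot: The new first statement of the catch block in Client.java, `authMethod = saslRpcClient.getAuthMethod();`, dereferences `saslRpcClient` without a null check, and the hunk does not show where that field is assigned. If the exception can be raised before the SASL client object exists, the handler would throw a NullPointerException that hides the original authentication error and skips the retry and relogin handling that follows. A guard ahead of the call, such as `if (saslRpcClient == null) { throw ex; }` (or whatever rethrow form the enclosing method's signature allows), keeps the real failure visible. The enclosing method starts and ends outside the hunk, so the assignment order should be confirmed there.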
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java @@ -83,6 +83,7 @@ public class SaslRpcClient { private final Configuration conf; private SaslClient saslClient; + private AuthMethod authMethod; private static final RpcRequestHeaderProto saslHeader = ProtoUtil .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER, @@ -113,6 +114,18 @@ public Object getNegotiatedProperty(String key) { return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null; } + + // the RPC Client has an inelegant way of handling expiration of TGTs + // acquired via a keytab. any connection failure causes a relogin, so + // the Client needs to know what authMethod was being attempted if an + // exception occurs. the SASL prep for a kerberos connection should + // ideally relogin if necessary instead of exposing this detail to the + // Client + @InterfaceAudience.Private + public AuthMethod getAuthMethod() { + return authMethod; + } + /** * Instantiate a sasl client for the first supported auth type in the * given list. The auth type must be defined, enabled, and the user @@ -319,8 +332,9 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS) DataOutputStream outStream = new DataOutputStream(new BufferedOutputStream( outS)); - // redefined if/when a SASL negotiation completes - AuthMethod authMethod = AuthMethod.SIMPLE; + // redefined if/when a SASL negotiation starts, can be queried if the + // negotiation fails + authMethod = AuthMethod.SIMPLE; sendSaslMessage(outStream, negotiateRequest); 
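Review bot: `getAuthMethod()` in the `@@ -113,6 +114,18 @@` hunk has no documented return contract; the `//` comment above it explains only why the accessor exists. The field it returns has no initializer, so unless the constructor (not shown) sets it, it is null until `saslConnect` runs, and it stays `AuthMethod.SIMPLE` until the NEGOTIATE branch selects a mechanism. Because the caller uses this value to decide how to treat an authentication failure, the contract belongs in Javadoc: a summary saying it reports the auth method most recently attempted by `saslConnect`, plus `@return the method being negotiated; SIMPLE if none was selected yet, null if saslConnect was never called`. The `@@ -319,8 +332,9 @@` hunk also resets the field on every `saslConnect` call, so the Javadoc should say the value is meaningful only for the latest attempt on this instance.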
@@ -357,6 +371,7 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS) case NEGOTIATE: { // create a compatible SASL client, throws if no supported auths SaslAuth saslAuthType = selectSaslClient(saslMessage.getAuthsList()); + // define auth being attempted, caller can query if connect fails authMethod = AuthMethod.valueOf(saslAuthType.getMethod()); byte[] responseToken = null;