svn merge -c 1511823 from trunk to branch-2 to FIX HADOOP-9850. RPC kerberos errors don't trigger relogin.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1511824 13f79535-47bb-0310-9956-ffa450edef68

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -432,6 +432,8 @@ Release 2.1.0-beta - 2013-08-06
 
     HADOOP-9816. RPC Sasl QOP is broken (daryn)
 
+    HADOOP-9850. RPC kerberos errors don't trigger relogin. (daryn via kihwal)
+
   BREAKDOWN OF HADOOP-8562 SUBTASKS AND RELATED JIRAS
 
     HADOOP-8924. Hadoop Common creating package-info.java must not depend on

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java

@@ -713,6 +713,7 @@ public AuthMethod run()
                     }
                   });
             } catch (Exception ex) {
+              authMethod = saslRpcClient.getAuthMethod();
               if (rand == null) {
                 rand = new Random();
               }

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java

@@ -83,6 +83,7 @@ public class SaslRpcClient {
   private final Configuration conf;
 
   private SaslClient saslClient;
+  private AuthMethod authMethod;
   
   private static final RpcRequestHeaderProto saslHeader = ProtoUtil
       .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER,
@@ -113,6 +114,18 @@ public Object getNegotiatedProperty(String key) {
     return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null;
   }
   
+
+  // the RPC Client has an inelegant way of handling expiration of TGTs
+  // acquired via a keytab.  any connection failure causes a relogin, so
+  // the Client needs to know what authMethod was being attempted if an
+  // exception occurs.  the SASL prep for a kerberos connection should
+  // ideally relogin if necessary instead of exposing this detail to the
+  // Client
+  @InterfaceAudience.Private
+  public AuthMethod getAuthMethod() {
+    return authMethod;
+  }
+  
   /**
    * Instantiate a sasl client for the first supported auth type in the
    * given list.  The auth type must be defined, enabled, and the user
@@ -319,8 +332,9 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS)
     DataOutputStream outStream = new DataOutputStream(new BufferedOutputStream(
         outS));
     
-    // redefined if/when a SASL negotiation completes
+    // redefined if/when a SASL negotiation starts, can be queried if the
-    AuthMethod authMethod = AuthMethod.SIMPLE;
+    // negotiation fails
+    authMethod = AuthMethod.SIMPLE;
     
     sendSaslMessage(outStream, negotiateRequest);
     
@@ -357,6 +371,7 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS)
         case NEGOTIATE: {
           // create a compatible SASL client, throws if no supported auths
           SaslAuth saslAuthType = selectSaslClient(saslMessage.getAuthsList());
+          // define auth being attempted, caller can query if connect fails
           authMethod = AuthMethod.valueOf(saslAuthType.getMethod());
           
           byte[] responseToken = null;