svn merge -c 1511823 from trunk to branch-2 to FIX HADOOP-9850. RPC kerberos errors don't trigger relogin.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1511824 13f79535-47bb-0310-9956-ffa450edef68
2013-08-08 15:05:20 +00:00 · 2013-08-08 15:05:20 +00:00 · ea8aeaeab6
parent 50950fd3ff
commit ea8aeaeab6
3 changed files with 20 additions and 2 deletions
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@ -432,6 +432,8 @@ Release 2.1.0-beta - 2013-08-06

    HADOOP-9816. RPC Sasl QOP is broken (daryn)

+    HADOOP-9850. RPC kerberos errors don't trigger relogin. (daryn via kihwal)
+
  BREAKDOWN OF HADOOP-8562 SUBTASKS AND RELATED JIRAS

    HADOOP-8924. Hadoop Common creating package-info.java must not depend on
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java
@ -713,6 +713,7 @@ public AuthMethod run()
                    }
                  });
            } catch (Exception ex) {
+              authMethod = saslRpcClient.getAuthMethod();
              if (rand == null) {
                rand = new Random();
              }
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
@ -83,6 +83,7 @@ public class SaslRpcClient {
  private final Configuration conf;

  private SaslClient saslClient;
+  private AuthMethod authMethod;
  
  private static final RpcRequestHeaderProto saslHeader = ProtoUtil
      .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER,
@ -113,6 +114,18 @@ public Object getNegotiatedProperty(String key) {
    return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null;
  }
  
+
+  // the RPC Client has an inelegant way of handling expiration of TGTs
+  // acquired via a keytab.  any connection failure causes a relogin, so
+  // the Client needs to know what authMethod was being attempted if an
+  // exception occurs.  the SASL prep for a kerberos connection should
+  // ideally relogin if necessary instead of exposing this detail to the
+  // Client
+  @InterfaceAudience.Private
+  public AuthMethod getAuthMethod() {
+    return authMethod;
+  }
+  
  /**
   * Instantiate a sasl client for the first supported auth type in the
   * given list.  The auth type must be defined, enabled, and the user
@ -319,8 +332,9 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS)
    DataOutputStream outStream = new DataOutputStream(new BufferedOutputStream(
        outS));
    
-    // redefined if/when a SASL negotiation completes
-    AuthMethod authMethod = AuthMethod.SIMPLE;
+    // redefined if/when a SASL negotiation starts, can be queried if the
+    // negotiation fails
+    authMethod = AuthMethod.SIMPLE;
    
    sendSaslMessage(outStream, negotiateRequest);
    
@ -357,6 +371,7 @@ public AuthMethod saslConnect(InputStream inS, OutputStream outS)
        case NEGOTIATE: {
          // create a compatible SASL client, throws if no supported auths
          SaslAuth saslAuthType = selectSaslClient(saslMessage.getAuthsList());
+          // define auth being attempted, caller can query if connect fails
          authMethod = AuthMethod.valueOf(saslAuthType.getMethod());
          
          byte[] responseToken = null;