YARN-2689 TestSecureRMRegistryOperations failing on windows: secure ZK won't start

This commit is contained in:
Steve Loughran 2014-10-16 14:21:38 -07:00
parent aef8dbde91
commit fddbf52caa
6 changed files with 81 additions and 19 deletions

View File

@ -609,6 +609,11 @@ Release 2.6.0 - UNRELEASED
YARN-2652 Add hadoop-yarn-registry package under hadoop-yarn. (stevel)
YARN-2668 yarn-registry JAR won't link against ZK 3.4.5. (stevel)
YARN-2689 TestSecureRMRegistryOperations failing on windows:
secure ZK won't start (stevel)
---
YARN-2598 GHS should show N/A instead of null for the inaccessible information
(Zhijie Shen via mayank)

View File

@ -249,9 +249,6 @@ public class CuratorService extends CompositeService
synchronized (CuratorService.class) {
// set the security options
//log them
securityConnectionDiagnostics = buildSecurityDiagnostics();
// build up the curator itself
CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder();
builder.ensembleProvider(ensembleProvider)
@ -264,7 +261,8 @@ public class CuratorService extends CompositeService
// set up the builder AND any JVM context
registrySecurity.applySecurityEnvironment(builder);
//log them
securityConnectionDiagnostics = buildSecurityDiagnostics();
framework = builder.build();
framework.start();
}
@ -275,7 +273,7 @@ public class CuratorService extends CompositeService
@Override
public String toString() {
return super.toString()
+ bindingDiagnosticDetails();
+ " " + bindingDiagnosticDetails();
}
/**
@ -386,7 +384,9 @@ public class CuratorService extends CompositeService
ioe = new PathIsNotEmptyDirectoryException(path);
} else if (exception instanceof KeeperException.AuthFailedException) {
ioe = new AuthenticationFailedException(path,
"Authentication Failed: " + exception, exception);
"Authentication Failed: " + exception
+ "; " + securityConnectionDiagnostics,
exception);
} else if (exception instanceof KeeperException.NoChildrenForEphemeralsException) {
ioe = new NoChildrenForEphemeralsException(path,
"Cannot create a path under an ephemeral node: " + exception,

View File

@ -596,6 +596,7 @@ public class RegistrySecurity extends AbstractService {
+ " %s required\n"
// kerberos module
+ " keyTab=\"%s\"\n"
+ " debug=true\n"
+ " principal=\"%s\"\n"
+ " useKeyTab=true\n"
+ " useTicketCache=false\n"
@ -621,12 +622,15 @@ public class RegistrySecurity extends AbstractService {
"invalid context");
Preconditions.checkArgument(keytab != null && keytab.isFile(),
"Keytab null or missing: ");
String keytabpath = keytab.getAbsolutePath();
// fix up for windows; no-op on unix
keytabpath = keytabpath.replace('\\', '/');
return String.format(
Locale.ENGLISH,
JAAS_ENTRY,
context,
getKerberosAuthModuleForJVM(),
keytab.getAbsolutePath(),
keytabpath,
principal);
}
@ -846,11 +850,11 @@ public class RegistrySecurity extends AbstractService {
StringBuilder builder = new StringBuilder();
builder.append(secureRegistry ? "secure registry; "
: "insecure registry; ");
builder.append("Access policy: ").append(access);
builder.append("Curator service access policy: ").append(access);
builder.append(", System ACLs: ").append(aclsToString(systemACLs));
builder.append(UgiInfo.fromCurrentUser());
builder.append(" Kerberos Realm: ").append(kerberosRealm).append(" ; ");
builder.append("; System ACLs: ").append(aclsToString(systemACLs));
builder.append("User: ").append(UgiInfo.fromCurrentUser());
builder.append("; Kerberos Realm: ").append(kerberosRealm);
builder.append(describeProperty(Environment.JAAS_CONF_KEY));
String sasl =
System.getProperty(PROP_ZK_ENABLE_SASL_CLIENT,
@ -859,7 +863,7 @@ public class RegistrySecurity extends AbstractService {
builder.append(describeProperty(PROP_ZK_ENABLE_SASL_CLIENT,
DEFAULT_ZK_ENABLE_SASL_CLIENT));
if (saslEnabled) {
builder.append("JAAS Client Identity")
builder.append("; JAAS Client Identity")
.append("=")
.append(jaasClientIdentity)
.append("; ");

View File

@ -46,6 +46,7 @@ import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
@ -319,11 +320,16 @@ public class AbstractSecureRegistryTest extends RegistryTestHelper {
* @param keytab keytab
* @return the logged in context
* @throws LoginException failure to log in
* @throws FileNotFoundException no keytab
*/
protected LoginContext login(String principal,
String context, File keytab) throws LoginException {
String context, File keytab) throws LoginException,
FileNotFoundException {
LOG.info("Logging in as {} in context {} with keytab {}",
principal, context, keytab);
if (!keytab.exists()) {
throw new FileNotFoundException(keytab.getAbsolutePath());
}
Set<Principal> principals = new HashSet<Principal>();
principals.add(new KerberosPrincipal(principal));
Subject subject = new Subject(false, principals, new HashSet<Object>(),

View File

@ -99,12 +99,25 @@ public class TestSecureLogins extends AbstractSecureRegistryTest {
ALICE_CLIENT_CONTEXT,
keytab_alice);
logLoginDetails(ALICE_LOCALHOST, client);
String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
String config = FileUtils.readFileToString(new File(confFilename));
LOG.info("{}=\n{}", confFilename, config);
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
try {
logLoginDetails(ALICE_LOCALHOST, client);
String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
String config = FileUtils.readFileToString(new File(confFilename));
LOG.info("{}=\n{}", confFilename, config);
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
} finally {
client.logout();
}
}
@Test
public void testZKServerContextLogin() throws Throwable {
LoginContext client = login(ZOOKEEPER_LOCALHOST,
ZOOKEEPER_SERVER_CONTEXT,
keytab_zk);
logLoginDetails(ZOOKEEPER_LOCALHOST, client);
client.logout();
}

View File

@ -24,12 +24,16 @@ import org.apache.hadoop.registry.client.impl.zk.ZKPathDumper;
import org.apache.hadoop.registry.client.impl.zk.CuratorService;
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.Login;
import org.apache.zookeeper.server.ZooKeeperSaslServer;
import org.apache.zookeeper.server.auth.SaslServerCallbackHandler;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import static org.apache.hadoop.registry.client.api.RegistryConstants.*;
@ -52,6 +56,36 @@ public class TestSecureRegistry extends AbstractSecureRegistryTest {
RegistrySecurity.clearZKSaslClientProperties();
}
/**
* this is a cut and paste of some of the ZK internal code that was
* failing on windows and swallowing its exceptions
*/
@Test
public void testLowlevelZKSaslLogin() throws Throwable {
RegistrySecurity.bindZKToServerJAASContext(ZOOKEEPER_SERVER_CONTEXT);
String serverSection =
System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY,
ZooKeeperSaslServer.DEFAULT_LOGIN_CONTEXT_NAME);
assertEquals(ZOOKEEPER_SERVER_CONTEXT, serverSection);
AppConfigurationEntry entries[];
entries = javax.security.auth.login.Configuration.getConfiguration()
.getAppConfigurationEntry(
serverSection);
assertNotNull("null entries", entries);
SaslServerCallbackHandler saslServerCallbackHandler =
new SaslServerCallbackHandler(
javax.security.auth.login.Configuration.getConfiguration());
Login login = new Login(serverSection, saslServerCallbackHandler);
try {
login.startThreadIfNeeded();
} finally {
login.shutdown();
}
}
@Test
public void testCreateSecureZK() throws Throwable {
startSecureZK();