YARN-2689 TestSecureRMRegistryOperations failing on windows: secure ZK won't start

Steve Loughran 2014-10-16 14:21:38 -07:00
parent aef8dbde91
commit fddbf52caa
6 changed files with 81 additions and 19 deletions


@ -609,6 +609,11 @@ Release 2.6.0 - UNRELEASED
YARN-2652 Add hadoop-yarn-registry package under hadoop-yarn. (stevel) YARN-2652 Add hadoop-yarn-registry package under hadoop-yarn. (stevel)
YARN-2668 yarn-registry JAR won't link against ZK 3.4.5. (stevel) YARN-2668 yarn-registry JAR won't link against ZK 3.4.5. (stevel)
YARN-2689 TestSecureRMRegistryOperations failing on windows:
secure ZK won't start (stevel)
---
YARN-2598 GHS should show N/A instead of null for the inaccessible information YARN-2598 GHS should show N/A instead of null for the inaccessible information
(Zhijie Shen via mayank) (Zhijie Shen via mayank)


@ -249,9 +249,6 @@ public class CuratorService extends CompositeService
synchronized (CuratorService.class) { synchronized (CuratorService.class) {
// set the security options // set the security options
//log them
securityConnectionDiagnostics = buildSecurityDiagnostics();
// build up the curator itself // build up the curator itself
CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder(); CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder();
builder.ensembleProvider(ensembleProvider) builder.ensembleProvider(ensembleProvider)
@ -264,7 +261,8 @@ public class CuratorService extends CompositeService
// set up the builder AND any JVM context // set up the builder AND any JVM context
registrySecurity.applySecurityEnvironment(builder); registrySecurity.applySecurityEnvironment(builder);
//log them
securityConnectionDiagnostics = buildSecurityDiagnostics();
framework = builder.build(); framework = builder.build();
framework.start(); framework.start();
} }
@ -275,7 +273,7 @@ public class CuratorService extends CompositeService
@Override @Override
public String toString() { public String toString() {
return super.toString() return super.toString()
+ bindingDiagnosticDetails(); + " " + bindingDiagnosticDetails();
} }
/** /**
@ -386,7 +384,9 @@ public class CuratorService extends CompositeService
ioe = new PathIsNotEmptyDirectoryException(path); ioe = new PathIsNotEmptyDirectoryException(path);
} else if (exception instanceof KeeperException.AuthFailedException) { } else if (exception instanceof KeeperException.AuthFailedException) {
ioe = new AuthenticationFailedException(path, ioe = new AuthenticationFailedException(path,
"Authentication Failed: " + exception, exception); "Authentication Failed: " + exception
+ "; " + securityConnectionDiagnostics,
exception);
} else if (exception instanceof KeeperException.NoChildrenForEphemeralsException) { } else if (exception instanceof KeeperException.NoChildrenForEphemeralsException) {
ioe = new NoChildrenForEphemeralsException(path, ioe = new NoChildrenForEphemeralsException(path,
"Cannot create a path under an ephemeral node: " + exception, "Cannot create a path under an ephemeral node: " + exception,
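Review bot: The `AuthenticationFailedException` message in the last hunk now embeds `securityConnectionDiagnostics`, which the RegistrySecurity changes in this commit suggest holds the current user, Kerberos realm, system ACLs, JAAS configuration property and JAAS client identity. An exception message can travel beyond the local log, for example into error responses or a caller's stack trace, so this may hand the service's security configuration to whoever triggered the failure. Consider logging the diagnostics where the exception is converted and keeping the message as `"Authentication Failed: " + exception`. The field is only assigned inside the synchronized block shown in the earlier hunks, so a failure converted before that point would append the text "null"; a comment on the field saying so would help. The methods around all of these hunks start and end outside the visible lines.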


@ -596,6 +596,7 @@ public class RegistrySecurity extends AbstractService {
+ " %s required\n" + " %s required\n"
// kerberos module // kerberos module
+ " keyTab=\"%s\"\n" + " keyTab=\"%s\"\n"
+ " debug=true\n"
+ " principal=\"%s\"\n" + " principal=\"%s\"\n"
+ " useKeyTab=true\n" + " useKeyTab=true\n"
+ " useTicketCache=false\n" + " useTicketCache=false\n"
@ -621,12 +622,15 @@ public class RegistrySecurity extends AbstractService {
"invalid context"); "invalid context");
Preconditions.checkArgument(keytab != null && keytab.isFile(), Preconditions.checkArgument(keytab != null && keytab.isFile(),
"Keytab null or missing: "); "Keytab null or missing: ");
String keytabpath = keytab.getAbsolutePath();
// fix up for windows; no-op on unix
keytabpath = keytabpath.replace('\\', '/');
return String.format( return String.format(
Locale.ENGLISH, Locale.ENGLISH,
JAAS_ENTRY, JAAS_ENTRY,
context, context,
getKerberosAuthModuleForJVM(), getKerberosAuthModuleForJVM(),
keytab.getAbsolutePath(), keytabpath,
principal); principal);
} }
@ -846,11 +850,11 @@ public class RegistrySecurity extends AbstractService {
StringBuilder builder = new StringBuilder(); StringBuilder builder = new StringBuilder();
builder.append(secureRegistry ? "secure registry; " builder.append(secureRegistry ? "secure registry; "
: "insecure registry; "); : "insecure registry; ");
builder.append("Access policy: ").append(access); builder.append("Curator service access policy: ").append(access);
builder.append(", System ACLs: ").append(aclsToString(systemACLs)); builder.append("; System ACLs: ").append(aclsToString(systemACLs));
builder.append(UgiInfo.fromCurrentUser()); builder.append("User: ").append(UgiInfo.fromCurrentUser());
builder.append(" Kerberos Realm: ").append(kerberosRealm).append(" ; "); builder.append("; Kerberos Realm: ").append(kerberosRealm);
builder.append(describeProperty(Environment.JAAS_CONF_KEY)); builder.append(describeProperty(Environment.JAAS_CONF_KEY));
String sasl = String sasl =
System.getProperty(PROP_ZK_ENABLE_SASL_CLIENT, System.getProperty(PROP_ZK_ENABLE_SASL_CLIENT,
@ -859,7 +863,7 @@ public class RegistrySecurity extends AbstractService {
builder.append(describeProperty(PROP_ZK_ENABLE_SASL_CLIENT, builder.append(describeProperty(PROP_ZK_ENABLE_SASL_CLIENT,
DEFAULT_ZK_ENABLE_SASL_CLIENT)); DEFAULT_ZK_ENABLE_SASL_CLIENT));
if (saslEnabled) { if (saslEnabled) {
builder.append("JAAS Client Identity") builder.append("; JAAS Client Identity")
.append("=") .append("=")
.append(jaasClientIdentity) .append(jaasClientIdentity)
.append("; "); .append("; ");
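Review bot: The `debug=true` line added to the `JAAS_ENTRY` template in the first hunk is unconditional, so every JAAS entry generated from it turns on the Kerberos login module's debug output, which prints principal and keytab details to standard output. `RegistrySecurity` is not a test class, so unless the template is only ever reached from tests, this should be driven by a parameter, e.g. `+ " debug=%s\n"` with a boolean passed to `String.format`, or dropped once the Windows failure is understood. In the same method the keytab path is placed between double quotes without escaping, and the `"Keytab null or missing: "` precondition message ends in a colon but never appends the path. The template constant and the diagnostics method both extend outside the hunks shown.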


@ -46,6 +46,7 @@ import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException; import javax.security.auth.login.LoginException;
import java.io.File; import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException; import java.io.IOException;
import java.security.Principal; import java.security.Principal;
import java.util.HashSet; import java.util.HashSet;
@ -319,11 +320,16 @@ public class AbstractSecureRegistryTest extends RegistryTestHelper {
* @param keytab keytab * @param keytab keytab
* @return the logged in context * @return the logged in context
* @throws LoginException failure to log in * @throws LoginException failure to log in
* @throws FileNotFoundException no keytab
*/ */
protected LoginContext login(String principal, protected LoginContext login(String principal,
String context, File keytab) throws LoginException { String context, File keytab) throws LoginException,
FileNotFoundException {
LOG.info("Logging in as {} in context {} with keytab {}", LOG.info("Logging in as {} in context {} with keytab {}",
principal, context, keytab); principal, context, keytab);
if (!keytab.exists()) {
throw new FileNotFoundException(keytab.getAbsolutePath());
}
Set<Principal> principals = new HashSet<Principal>(); Set<Principal> principals = new HashSet<Principal>();
principals.add(new KerberosPrincipal(principal)); principals.add(new KerberosPrincipal(principal));
Subject subject = new Subject(false, principals, new HashSet<Object>(), Subject subject = new Subject(false, principals, new HashSet<Object>(),
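Review bot: The new guard in `login()` tests `keytab.exists()`, which also passes for a directory, while the `createJAASEntry` precondition in this commit's RegistrySecurity section requires `keytab.isFile()`. Using `if (!keytab.isFile())` here would make the helper fail fast in the same cases, with the path in the message. The new `@throws FileNotFoundException no keytab` Javadoc line could say "keytab file does not exist" so the condition is explicit. The method body continues past the end of the hunk.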


@ -99,12 +99,25 @@ public class TestSecureLogins extends AbstractSecureRegistryTest {
ALICE_CLIENT_CONTEXT, ALICE_CLIENT_CONTEXT,
keytab_alice); keytab_alice);
logLoginDetails(ALICE_LOCALHOST, client); try {
String confFilename = System.getProperty(Environment.JAAS_CONF_KEY); logLoginDetails(ALICE_LOCALHOST, client);
assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename); String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
String config = FileUtils.readFileToString(new File(confFilename)); assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
LOG.info("{}=\n{}", confFilename, config); String config = FileUtils.readFileToString(new File(confFilename));
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT); LOG.info("{}=\n{}", confFilename, config);
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
} finally {
client.logout();
}
}
@Test
public void testZKServerContextLogin() throws Throwable {
LoginContext client = login(ZOOKEEPER_LOCALHOST,
ZOOKEEPER_SERVER_CONTEXT,
keytab_zk);
logLoginDetails(ZOOKEEPER_LOCALHOST, client);
client.logout(); client.logout();
} }
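Review bot: `testZKServerContextLogin` calls `client.logout()` without the try/finally that this commit adds to the test directly above it, so a failure in `logLoginDetails` would skip the logout for the ZooKeeper server principal. Wrap it the same way: `try { logLoginDetails(ZOOKEEPER_LOCALHOST, client); } finally { client.logout(); }`. The first test also calls `RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT)` and nothing in the visible lines clears those properties afterwards; if the class has no teardown that does, they will carry over into later tests in the same JVM.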


@ -24,12 +24,16 @@ import org.apache.hadoop.registry.client.impl.zk.ZKPathDumper;
import org.apache.hadoop.registry.client.impl.zk.CuratorService; import org.apache.hadoop.registry.client.impl.zk.CuratorService;
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity; import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
import org.apache.zookeeper.CreateMode; import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.Login;
import org.apache.zookeeper.server.ZooKeeperSaslServer;
import org.apache.zookeeper.server.auth.SaslServerCallbackHandler;
import org.junit.After; import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginContext;
import static org.apache.hadoop.registry.client.api.RegistryConstants.*; import static org.apache.hadoop.registry.client.api.RegistryConstants.*;
@ -52,6 +56,36 @@ public class TestSecureRegistry extends AbstractSecureRegistryTest {
RegistrySecurity.clearZKSaslClientProperties(); RegistrySecurity.clearZKSaslClientProperties();
} }
/**
* this is a cut and paste of some of the ZK internal code that was
* failing on windows and swallowing its exceptions
*/
@Test
public void testLowlevelZKSaslLogin() throws Throwable {
RegistrySecurity.bindZKToServerJAASContext(ZOOKEEPER_SERVER_CONTEXT);
String serverSection =
System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY,
ZooKeeperSaslServer.DEFAULT_LOGIN_CONTEXT_NAME);
assertEquals(ZOOKEEPER_SERVER_CONTEXT, serverSection);
AppConfigurationEntry entries[];
entries = javax.security.auth.login.Configuration.getConfiguration()
.getAppConfigurationEntry(
serverSection);
assertNotNull("null entries", entries);
SaslServerCallbackHandler saslServerCallbackHandler =
new SaslServerCallbackHandler(
javax.security.auth.login.Configuration.getConfiguration());
Login login = new Login(serverSection, saslServerCallbackHandler);
try {
login.startThreadIfNeeded();
} finally {
login.shutdown();
}
}
@Test @Test
public void testCreateSecureZK() throws Throwable { public void testCreateSecureZK() throws Throwable {
startSecureZK(); startSecureZK();
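Review bot: `testLowlevelZKSaslLogin` calls `RegistrySecurity.bindZKToServerJAASContext(...)` and then reads the value back through `System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, ...)`, so the binding appears to be a JVM-wide system property, while the teardown line visible above the new test only calls `clearZKSaslClientProperties()`. If nothing else resets the server key, the setting persists into whichever test runs next in the same JVM; saving the previous value and restoring it in a `finally` would keep the test self-contained. The Javadoc should also name the ZooKeeper class and version the code was copied from, because `Login` and `SaslServerCallbackHandler` are ZooKeeper internals and the copy will need revisiting when that dependency changes.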