YARN-2689 TestSecureRMRegistryOperations failing on windows: secure ZK won't start
parent
aef8dbde91
commit
fddbf52caa
|
@ -609,6 +609,11 @@ Release 2.6.0 - UNRELEASED
|
||||||
YARN-2652 Add hadoop-yarn-registry package under hadoop-yarn. (stevel)
|
YARN-2652 Add hadoop-yarn-registry package under hadoop-yarn. (stevel)
|
||||||
|
|
||||||
YARN-2668 yarn-registry JAR won't link against ZK 3.4.5. (stevel)
|
YARN-2668 yarn-registry JAR won't link against ZK 3.4.5. (stevel)
|
||||||
|
|
||||||
|
YARN-2689 TestSecureRMRegistryOperations failing on windows:
|
||||||
|
secure ZK won't start (stevel)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
YARN-2598 GHS should show N/A instead of null for the inaccessible information
|
YARN-2598 GHS should show N/A instead of null for the inaccessible information
|
||||||
(Zhijie Shen via mayank)
|
(Zhijie Shen via mayank)
|
||||||
|
|
|
@ -249,9 +249,6 @@ public class CuratorService extends CompositeService
|
||||||
synchronized (CuratorService.class) {
|
synchronized (CuratorService.class) {
|
||||||
// set the security options
|
// set the security options
|
||||||
|
|
||||||
//log them
|
|
||||||
securityConnectionDiagnostics = buildSecurityDiagnostics();
|
|
||||||
|
|
||||||
// build up the curator itself
|
// build up the curator itself
|
||||||
CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder();
|
CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder();
|
||||||
builder.ensembleProvider(ensembleProvider)
|
builder.ensembleProvider(ensembleProvider)
|
||||||
|
@ -264,7 +261,8 @@ public class CuratorService extends CompositeService
|
||||||
|
|
||||||
// set up the builder AND any JVM context
|
// set up the builder AND any JVM context
|
||||||
registrySecurity.applySecurityEnvironment(builder);
|
registrySecurity.applySecurityEnvironment(builder);
|
||||||
|
//log them
|
||||||
|
securityConnectionDiagnostics = buildSecurityDiagnostics();
|
||||||
framework = builder.build();
|
framework = builder.build();
|
||||||
framework.start();
|
framework.start();
|
||||||
}
|
}
|
||||||
|
@ -275,7 +273,7 @@ public class CuratorService extends CompositeService
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return super.toString()
|
return super.toString()
|
||||||
+ bindingDiagnosticDetails();
|
+ " " + bindingDiagnosticDetails();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -386,7 +384,9 @@ public class CuratorService extends CompositeService
|
||||||
ioe = new PathIsNotEmptyDirectoryException(path);
|
ioe = new PathIsNotEmptyDirectoryException(path);
|
||||||
} else if (exception instanceof KeeperException.AuthFailedException) {
|
} else if (exception instanceof KeeperException.AuthFailedException) {
|
||||||
ioe = new AuthenticationFailedException(path,
|
ioe = new AuthenticationFailedException(path,
|
||||||
"Authentication Failed: " + exception, exception);
|
"Authentication Failed: " + exception
|
||||||
|
+ "; " + securityConnectionDiagnostics,
|
||||||
|
exception);
|
||||||
} else if (exception instanceof KeeperException.NoChildrenForEphemeralsException) {
|
} else if (exception instanceof KeeperException.NoChildrenForEphemeralsException) {
|
||||||
ioe = new NoChildrenForEphemeralsException(path,
|
ioe = new NoChildrenForEphemeralsException(path,
|
||||||
"Cannot create a path under an ephemeral node: " + exception,
|
"Cannot create a path under an ephemeral node: " + exception,
|
||||||
|
|
|
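Review bot: The `AuthenticationFailedException` message in the `-386` hunk now carries `securityConnectionDiagnostics`. Judging by the diagnostics builder shown in the RegistrySecurity section of this commit, that string holds the access policy, system ACLs, current user, Kerberos realm and JAAS client identity. An exception message usually travels further than a log line (error responses, client-side stack traces), so check where this exception surfaces and whether `aclsToString` redacts digest ids. A narrower option is to keep the message as `"Authentication Failed: " + exception` and write the diagnostics to the class logger at the failure site. If the message stays as is, a comment such as `// diagnostics list ACLs, user and realm: do not relay this message to untrusted callers` would record the constraint. The enclosing method starts and ends outside the hunk.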
@ -596,6 +596,7 @@ public class RegistrySecurity extends AbstractService {
|
||||||
+ " %s required\n"
|
+ " %s required\n"
|
||||||
// kerberos module
|
// kerberos module
|
||||||
+ " keyTab=\"%s\"\n"
|
+ " keyTab=\"%s\"\n"
|
||||||
|
+ " debug=true\n"
|
||||||
+ " principal=\"%s\"\n"
|
+ " principal=\"%s\"\n"
|
||||||
+ " useKeyTab=true\n"
|
+ " useKeyTab=true\n"
|
||||||
+ " useTicketCache=false\n"
|
+ " useTicketCache=false\n"
|
||||||
|
@ -621,12 +622,15 @@ public class RegistrySecurity extends AbstractService {
|
||||||
"invalid context");
|
"invalid context");
|
||||||
Preconditions.checkArgument(keytab != null && keytab.isFile(),
|
Preconditions.checkArgument(keytab != null && keytab.isFile(),
|
||||||
"Keytab null or missing: ");
|
"Keytab null or missing: ");
|
||||||
|
String keytabpath = keytab.getAbsolutePath();
|
||||||
|
// fix up for windows; no-op on unix
|
||||||
|
keytabpath = keytabpath.replace('\\', '/');
|
||||||
return String.format(
|
return String.format(
|
||||||
Locale.ENGLISH,
|
Locale.ENGLISH,
|
||||||
JAAS_ENTRY,
|
JAAS_ENTRY,
|
||||||
context,
|
context,
|
||||||
getKerberosAuthModuleForJVM(),
|
getKerberosAuthModuleForJVM(),
|
||||||
keytab.getAbsolutePath(),
|
keytabpath,
|
||||||
principal);
|
principal);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -846,11 +850,11 @@ public class RegistrySecurity extends AbstractService {
|
||||||
StringBuilder builder = new StringBuilder();
|
StringBuilder builder = new StringBuilder();
|
||||||
builder.append(secureRegistry ? "secure registry; "
|
builder.append(secureRegistry ? "secure registry; "
|
||||||
: "insecure registry; ");
|
: "insecure registry; ");
|
||||||
builder.append("Access policy: ").append(access);
|
builder.append("Curator service access policy: ").append(access);
|
||||||
|
|
||||||
builder.append(", System ACLs: ").append(aclsToString(systemACLs));
|
builder.append("; System ACLs: ").append(aclsToString(systemACLs));
|
||||||
builder.append(UgiInfo.fromCurrentUser());
|
builder.append("User: ").append(UgiInfo.fromCurrentUser());
|
||||||
builder.append(" Kerberos Realm: ").append(kerberosRealm).append(" ; ");
|
builder.append("; Kerberos Realm: ").append(kerberosRealm);
|
||||||
builder.append(describeProperty(Environment.JAAS_CONF_KEY));
|
builder.append(describeProperty(Environment.JAAS_CONF_KEY));
|
||||||
String sasl =
|
String sasl =
|
||||||
System.getProperty(PROP_ZK_ENABLE_SASL_CLIENT,
|
System.getProperty(PROP_ZK_ENABLE_SASL_CLIENT,
|
||||||
|
@ -859,7 +863,7 @@ public class RegistrySecurity extends AbstractService {
|
||||||
builder.append(describeProperty(PROP_ZK_ENABLE_SASL_CLIENT,
|
builder.append(describeProperty(PROP_ZK_ENABLE_SASL_CLIENT,
|
||||||
DEFAULT_ZK_ENABLE_SASL_CLIENT));
|
DEFAULT_ZK_ENABLE_SASL_CLIENT));
|
||||||
if (saslEnabled) {
|
if (saslEnabled) {
|
||||||
builder.append("JAAS Client Identity")
|
builder.append("; JAAS Client Identity")
|
||||||
.append("=")
|
.append("=")
|
||||||
.append(jaasClientIdentity)
|
.append(jaasClientIdentity)
|
||||||
.append("; ");
|
.append("; ");
|
||||||
|
|
|
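Review bot: `debug=true` is now hard-coded in the `JAAS_ENTRY` template (the `-596` hunk), so every JAAS entry generated from it enables the Kerberos login module's debug output, not only the Windows test run this commit targets. That output goes to the process's standard output rather than the logger and describes principal, keytab and ticket handling, which is more than most deployments want on the console. Consider making it a format argument, `+ " debug=%s\n"`, fed from a switch that defaults to false, or dropping the line once the Windows failure is diagnosed. Separately, the keytab path and principal are placed inside double-quoted values. The new `replace('\\', '/')` covers Windows separators, but a `"` in either value would still yield a malformed entry.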
@ -46,6 +46,7 @@ import javax.security.auth.kerberos.KerberosPrincipal;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
import javax.security.auth.login.LoginException;
|
import javax.security.auth.login.LoginException;
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.security.Principal;
|
import java.security.Principal;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
|
@ -319,11 +320,16 @@ public class AbstractSecureRegistryTest extends RegistryTestHelper {
|
||||||
* @param keytab keytab
|
* @param keytab keytab
|
||||||
* @return the logged in context
|
* @return the logged in context
|
||||||
* @throws LoginException failure to log in
|
* @throws LoginException failure to log in
|
||||||
|
* @throws FileNotFoundException no keytab
|
||||||
*/
|
*/
|
||||||
protected LoginContext login(String principal,
|
protected LoginContext login(String principal,
|
||||||
String context, File keytab) throws LoginException {
|
String context, File keytab) throws LoginException,
|
||||||
|
FileNotFoundException {
|
||||||
LOG.info("Logging in as {} in context {} with keytab {}",
|
LOG.info("Logging in as {} in context {} with keytab {}",
|
||||||
principal, context, keytab);
|
principal, context, keytab);
|
||||||
|
if (!keytab.exists()) {
|
||||||
|
throw new FileNotFoundException(keytab.getAbsolutePath());
|
||||||
|
}
|
||||||
Set<Principal> principals = new HashSet<Principal>();
|
Set<Principal> principals = new HashSet<Principal>();
|
||||||
principals.add(new KerberosPrincipal(principal));
|
principals.add(new KerberosPrincipal(principal));
|
||||||
Subject subject = new Subject(false, principals, new HashSet<Object>(),
|
Subject subject = new Subject(false, principals, new HashSet<Object>(),
|
||||||
|
|
|
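Review bot: The new guard in `login()` tests `keytab.exists()`, which also passes for a directory. The production check visible in this commit's RegistrySecurity section is `keytab != null && keytab.isFile()`. Using `if (!keytab.isFile())` here would make the test helper fail early on the same inputs the production code rejects. The body of `login()` continues past the end of the hunk.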
@ -99,12 +99,25 @@ public class TestSecureLogins extends AbstractSecureRegistryTest {
|
||||||
ALICE_CLIENT_CONTEXT,
|
ALICE_CLIENT_CONTEXT,
|
||||||
keytab_alice);
|
keytab_alice);
|
||||||
|
|
||||||
logLoginDetails(ALICE_LOCALHOST, client);
|
try {
|
||||||
String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
|
logLoginDetails(ALICE_LOCALHOST, client);
|
||||||
assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
|
String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
|
||||||
String config = FileUtils.readFileToString(new File(confFilename));
|
assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
|
||||||
LOG.info("{}=\n{}", confFilename, config);
|
String config = FileUtils.readFileToString(new File(confFilename));
|
||||||
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
|
LOG.info("{}=\n{}", confFilename, config);
|
||||||
|
RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
|
||||||
|
} finally {
|
||||||
|
client.logout();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testZKServerContextLogin() throws Throwable {
|
||||||
|
LoginContext client = login(ZOOKEEPER_LOCALHOST,
|
||||||
|
ZOOKEEPER_SERVER_CONTEXT,
|
||||||
|
keytab_zk);
|
||||||
|
logLoginDetails(ZOOKEEPER_LOCALHOST, client);
|
||||||
|
|
||||||
client.logout();
|
client.logout();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
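Review bot: `testZKServerContextLogin` reaches `client.logout()` only on the success path, although this same hunk wraps the Alice login test just above in `try { ... } finally { client.logout(); }`. If `logLoginDetails` throws, the ZooKeeper server login context may stay logged in for the rest of the test JVM and affect later secure tests. Suggest the same shape here: `try { logLoginDetails(ZOOKEEPER_LOCALHOST, client); } finally { client.logout(); }`.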
@ -24,12 +24,16 @@ import org.apache.hadoop.registry.client.impl.zk.ZKPathDumper;
|
||||||
import org.apache.hadoop.registry.client.impl.zk.CuratorService;
|
import org.apache.hadoop.registry.client.impl.zk.CuratorService;
|
||||||
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
|
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
|
||||||
import org.apache.zookeeper.CreateMode;
|
import org.apache.zookeeper.CreateMode;
|
||||||
|
import org.apache.zookeeper.Login;
|
||||||
|
import org.apache.zookeeper.server.ZooKeeperSaslServer;
|
||||||
|
import org.apache.zookeeper.server.auth.SaslServerCallbackHandler;
|
||||||
import org.junit.After;
|
import org.junit.After;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
|
|
||||||
import static org.apache.hadoop.registry.client.api.RegistryConstants.*;
|
import static org.apache.hadoop.registry.client.api.RegistryConstants.*;
|
||||||
|
@ -52,6 +56,36 @@ public class TestSecureRegistry extends AbstractSecureRegistryTest {
|
||||||
RegistrySecurity.clearZKSaslClientProperties();
|
RegistrySecurity.clearZKSaslClientProperties();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* this is a cut and paste of some of the ZK internal code that was
|
||||||
|
* failing on windows and swallowing its exceptions
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testLowlevelZKSaslLogin() throws Throwable {
|
||||||
|
RegistrySecurity.bindZKToServerJAASContext(ZOOKEEPER_SERVER_CONTEXT);
|
||||||
|
String serverSection =
|
||||||
|
System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY,
|
||||||
|
ZooKeeperSaslServer.DEFAULT_LOGIN_CONTEXT_NAME);
|
||||||
|
assertEquals(ZOOKEEPER_SERVER_CONTEXT, serverSection);
|
||||||
|
|
||||||
|
AppConfigurationEntry entries[];
|
||||||
|
entries = javax.security.auth.login.Configuration.getConfiguration()
|
||||||
|
.getAppConfigurationEntry(
|
||||||
|
serverSection);
|
||||||
|
|
||||||
|
assertNotNull("null entries", entries);
|
||||||
|
|
||||||
|
SaslServerCallbackHandler saslServerCallbackHandler =
|
||||||
|
new SaslServerCallbackHandler(
|
||||||
|
javax.security.auth.login.Configuration.getConfiguration());
|
||||||
|
Login login = new Login(serverSection, saslServerCallbackHandler);
|
||||||
|
try {
|
||||||
|
login.startThreadIfNeeded();
|
||||||
|
} finally {
|
||||||
|
login.shutdown();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testCreateSecureZK() throws Throwable {
|
public void testCreateSecureZK() throws Throwable {
|
||||||
startSecureZK();
|
startSecureZK();
|
||||||
|
|
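Review bot: `testLowlevelZKSaslLogin` calls `RegistrySecurity.bindZKToServerJAASContext(ZOOKEEPER_SERVER_CONTEXT)`, and the `System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, ...)` assertion that follows shows this sets a JVM-wide property. Nothing in the test restores the previous value, and the method ending just above the additions only calls `clearZKSaslClientProperties()`, which by its name covers the client side; whether the server binding is reset elsewhere is not visible here. Suggest reading the old value of that key before the bind and restoring or clearing it in the existing `finally` next to `login.shutdown()`, so the server context cannot leak into other tests in the same JVM. The Javadoc could also name the ZooKeeper class and version the code was copied from, so later drift can be checked.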