Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken() (stevel)

This commit is contained in:
Steve Loughran 2015-10-28 10:25:22 +00:00
parent 9f4dfdf4eb
commit ff2b2bea91
2 changed files with 40 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
hadoop-common-project/hadoop-common/CHANGES.txt
View File

@ -246,6 +246,9 @@ Trunk (Unreleased)
HADOOP-12436. GlobPattern regex library has performance issues with HADOOP-12436. GlobPattern regex library has performance issues with
wildcard characters (Matthew Paduano via aw) wildcard characters (Matthew Paduano via aw)
HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken()
(stevel)
BUG FIXES BUG FIXES
HADOOP-11473. test-patch says "-1 overall" even when all checks are +1 HADOOP-11473. test-patch says "-1 overall" even when all checks are +1

31
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
View File

@ -32,6 +32,7 @@ import java.net.InetSocketAddress;
import java.nio.ByteBuffer; import java.nio.ByteBuffer;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Locale;
import java.util.Map; import java.util.Map;
import javax.security.auth.callback.Callback; import javax.security.auth.callback.Callback;
@ -81,6 +82,7 @@ import com.google.re2j.Pattern;
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving @InterfaceStability.Evolving
public class SaslRpcClient { public class SaslRpcClient {
// This log is public as it is referenced in tests
public static final Log LOG = LogFactory.getLog(SaslRpcClient.class); public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);
private final UserGroupInformation ugi; private final UserGroupInformation ugi;
@ -122,7 +124,6 @@ public class SaslRpcClient {
return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null; return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null;
} }
// the RPC Client has an inelegant way of handling expiration of TGTs // the RPC Client has an inelegant way of handling expiration of TGTs
// acquired via a keytab. any connection failure causes a relogin, so // acquired via a keytab. any connection failure causes a relogin, so
// the Client needs to know what authMethod was being attempted if an // the Client needs to know what authMethod was being attempted if an
@ -172,14 +173,13 @@ public class SaslRpcClient {
throw new AccessControlException( throw new AccessControlException(
"Client cannot authenticate via:" + serverAuthMethods); "Client cannot authenticate via:" + serverAuthMethods);
} }
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled() && selectedAuthType != null) {
LOG.debug("Use " + selectedAuthType.getMethod() + LOG.debug("Use " + selectedAuthType.getMethod() +
" authentication for protocol " + protocol.getSimpleName()); " authentication for protocol " + protocol.getSimpleName());
} }
return selectedAuthType; return selectedAuthType;
} }
private boolean isValidAuthType(SaslAuth authType) { private boolean isValidAuthType(SaslAuth authType) {
AuthMethod authMethod; AuthMethod authMethod;
try { try {
@ -218,7 +218,9 @@ public class SaslRpcClient {
case TOKEN: { case TOKEN: {
Token<?> token = getServerToken(authType); Token<?> token = getServerToken(authType);
if (token == null) { if (token == null) {
return null; // tokens aren't supported or user doesn't have one LOG.debug("tokens aren't supported for this protocol" +
" or user doesn't have one");
return null;
} }
saslCallback = new SaslClientCallbackHandler(token); saslCallback = new SaslClientCallbackHandler(token);
break; break;
@ -226,11 +228,13 @@ public class SaslRpcClient {
case KERBEROS: { case KERBEROS: {
if (ugi.getRealAuthenticationMethod().getAuthMethod() != if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
AuthMethod.KERBEROS) { AuthMethod.KERBEROS) {
return null; // client isn't using kerberos LOG.debug("client isn't using kerberos");
return null;
} }
String serverPrincipal = getServerPrincipal(authType); String serverPrincipal = getServerPrincipal(authType);
if (serverPrincipal == null) { if (serverPrincipal == null) {
return null; // protocol doesn't use kerberos LOG.debug("protocol doesn't use kerberos");
return null;
} }
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
LOG.debug("RPC Server's Kerberos principal name for protocol=" LOG.debug("RPC Server's Kerberos principal name for protocol="
@ -256,7 +260,7 @@ public class SaslRpcClient {
* Try to locate the required token for the server. * Try to locate the required token for the server.
* *
* @param authType of the SASL client * @param authType of the SASL client
* @return Token<?> for server, or null if no token available * @return Token for server, or null if no token available
* @throws IOException - token selector cannot be instantiated * @throws IOException - token selector cannot be instantiated
*/ */
private Token<?> getServerToken(SaslAuth authType) throws IOException { private Token<?> getServerToken(SaslAuth authType) throws IOException {
@ -268,10 +272,8 @@ public class SaslRpcClient {
TokenSelector<?> tokenSelector = null; TokenSelector<?> tokenSelector = null;
try { try {
tokenSelector = tokenInfo.value().newInstance(); tokenSelector = tokenInfo.value().newInstance();
} catch (InstantiationException e) { } catch (InstantiationException | IllegalAccessException e) {
throw new IOException(e.toString()); throw new IOException(e.toString(), e);
} catch (IllegalAccessException e) {
throw new IOException(e.toString());
} }
return tokenSelector.selectToken( return tokenSelector.selectToken(
SecurityUtil.buildTokenService(serverAddr), ugi.getTokens()); SecurityUtil.buildTokenService(serverAddr), ugi.getTokens());
@ -337,7 +339,6 @@ public class SaslRpcClient {
return serverPrincipal; return serverPrincipal;
} }
/** /**
* Do client side SASL authentication with server via the given InputStream * Do client side SASL authentication with server via the given InputStream
* and OutputStream * and OutputStream
@ -510,7 +511,7 @@ public class SaslRpcClient {
String qop = (String) saslClient.getNegotiatedProperty(Sasl.QOP); String qop = (String) saslClient.getNegotiatedProperty(Sasl.QOP);
// SASL wrapping is only used if the connection has a QOP, and // SASL wrapping is only used if the connection has a QOP, and
// the value is not auth. ex. auth-int & auth-priv // the value is not auth. ex. auth-int & auth-priv
return qop != null && !"auth".equalsIgnoreCase(qop); return qop != null && !"auth".toLowerCase(Locale.ENGLISH).equals(qop);
} }
/** /**
@ -534,8 +535,8 @@ public class SaslRpcClient {
* otherwise return original stream. Can be called only after * otherwise return original stream. Can be called only after
* saslConnect() has been called. * saslConnect() has been called.
* *
* @param in - InputStream used to make the connection * @param out - OutputStream used to make the connection
* @return InputStream that may be using SASL unwrap * @return OutputStream that may be using wrapping
* @throws IOException * @throws IOException
*/ */
public OutputStream getOutputStream(OutputStream out) throws IOException { public OutputStream getOutputStream(OutputStream out) throws IOException {