HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken() (stevel)
This commit is contained in:
Steve Loughran
parent
9f4dfdf4eb
commit
ff2b2bea91
|
|
@ -246,6 +246,9 @@ Trunk (Unreleased)
|
|||
HADOOP-12436. GlobPattern regex library has performance issues with
|
||||
wildcard characters (Matthew Paduano via aw)
|
||||
|
||||
HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken()
|
||||
(stevel)
|
||||
|
||||
BUG FIXES
|
||||
|
||||
HADOOP-11473. test-patch says "-1 overall" even when all checks are +1
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@
|
|||
import java.nio.ByteBuffer;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.security.auth.callback.Callback;
|
||||
|
|
@ -81,6 +82,7 @@
|
|||
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
|
||||
@InterfaceStability.Evolving
|
||||
public class SaslRpcClient {
|
||||
// This log is public as it is referenced in tests
|
||||
public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);
|
||||
|
||||
private final UserGroupInformation ugi;
|
||||
|
|
@ -122,7 +124,6 @@ public Object getNegotiatedProperty(String key) {
|
|||
return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null;
|
||||
}
|
||||
|
||||
|
||||
// the RPC Client has an inelegant way of handling expiration of TGTs
|
||||
// acquired via a keytab. any connection failure causes a relogin, so
|
||||
// the Client needs to know what authMethod was being attempted if an
|
||||
|
|
@ -172,14 +173,13 @@ private SaslAuth selectSaslClient(List<SaslAuth> authTypes)
|
|||
throw new AccessControlException(
|
||||
"Client cannot authenticate via:" + serverAuthMethods);
|
||||
}
|
||||
if (LOG.isDebugEnabled()) {
|
||||
if (LOG.isDebugEnabled() && selectedAuthType != null) {
|
||||
LOG.debug("Use " + selectedAuthType.getMethod() +
|
||||
" authentication for protocol " + protocol.getSimpleName());
|
||||
}
|
||||
return selectedAuthType;
|
||||
}
|
||||
|
||||
|
||||
private boolean isValidAuthType(SaslAuth authType) {
|
||||
AuthMethod authMethod;
|
||||
try {
|
||||
|
|
@ -218,7 +218,9 @@ private SaslClient createSaslClient(SaslAuth authType)
|
|||
case TOKEN: {
|
||||
Token<?> token = getServerToken(authType);
|
||||
if (token == null) {
|
||||
return null; // tokens aren't supported or user doesn't have one
|
||||
LOG.debug("tokens aren't supported for this protocol" +
|
||||
" or user doesn't have one");
|
||||
return null;
|
||||
}
|
||||
saslCallback = new SaslClientCallbackHandler(token);
|
||||
break;
|
||||
|
|
@ -226,11 +228,13 @@ private SaslClient createSaslClient(SaslAuth authType)
|
|||
case KERBEROS: {
|
||||
if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
|
||||
AuthMethod.KERBEROS) {
|
||||
return null; // client isn't using kerberos
|
||||
LOG.debug("client isn't using kerberos");
|
||||
return null;
|
||||
}
|
||||
String serverPrincipal = getServerPrincipal(authType);
|
||||
if (serverPrincipal == null) {
|
||||
return null; // protocol doesn't use kerberos
|
||||
LOG.debug("protocol doesn't use kerberos");
|
||||
return null;
|
||||
}
|
||||
if (LOG.isDebugEnabled()) {
|
||||
LOG.debug("RPC Server's Kerberos principal name for protocol="
|
||||
|
|
@ -256,7 +260,7 @@ private SaslClient createSaslClient(SaslAuth authType)
|
|||
* Try to locate the required token for the server.
|
||||
*
|
||||
* @param authType of the SASL client
|
||||
* @return Token<?> for server, or null if no token available
|
||||
* @return Token for server, or null if no token available
|
||||
* @throws IOException - token selector cannot be instantiated
|
||||
*/
|
||||
private Token<?> getServerToken(SaslAuth authType) throws IOException {
|
||||
|
|
@ -268,10 +272,8 @@ private Token<?> getServerToken(SaslAuth authType) throws IOException {
|
|||
TokenSelector<?> tokenSelector = null;
|
||||
try {
|
||||
tokenSelector = tokenInfo.value().newInstance();
|
||||
} catch (InstantiationException e) {
|
||||
throw new IOException(e.toString());
|
||||
} catch (IllegalAccessException e) {
|
||||
throw new IOException(e.toString());
|
||||
} catch (InstantiationException | IllegalAccessException e) {
|
||||
throw new IOException(e.toString(), e);
|
||||
}
|
||||
return tokenSelector.selectToken(
|
||||
SecurityUtil.buildTokenService(serverAddr), ugi.getTokens());
|
||||
|
|
@ -337,7 +339,6 @@ String getServerPrincipal(SaslAuth authType) throws IOException {
|
|||
return serverPrincipal;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Do client side SASL authentication with server via the given InputStream
|
||||
* and OutputStream
|
||||
|
|
@ -510,7 +511,7 @@ private boolean useWrap() {
|
|||
String qop = (String) saslClient.getNegotiatedProperty(Sasl.QOP);
|
||||
// SASL wrapping is only used if the connection has a QOP, and
|
||||
// the value is not auth. ex. auth-int & auth-priv
|
||||
return qop != null && !"auth".equalsIgnoreCase(qop);
|
||||
return qop != null && !"auth".toLowerCase(Locale.ENGLISH).equals(qop);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -534,8 +535,8 @@ public InputStream getInputStream(InputStream in) throws IOException {
|
|||
* otherwise return original stream. Can be called only after
|
||||
* saslConnect() has been called.
|
||||
*
|
||||
* @param in - InputStream used to make the connection
|
||||
* @return InputStream that may be using SASL unwrap
|
||||
* @param out - OutputStream used to make the connection
|
||||
* @return OutputStream that may be using wrapping
|
||||
* @throws IOException
|
||||
*/
|
||||
public OutputStream getOutputStream(OutputStream out) throws IOException {
|
||||
|
|
|
|||
Loading…
Reference in New Issue