HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken() (stevel)

Steve Loughran 2015-10-28 10:25:22 +00:00
parent 9f4dfdf4eb
commit ff2b2bea91
2 changed files with 40 additions and 36 deletions


@ -246,6 +246,9 @@ Trunk (Unreleased)
HADOOP-12436. GlobPattern regex library has performance issues with
wildcard characters (Matthew Paduano via aw)
HADOOP-12385. Include nested stack trace in SaslRpcClient.getServerToken()
(stevel)
BUG FIXES
HADOOP-11473. test-patch says "-1 overall" even when all checks are +1


@ -32,6 +32,7 @@ import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.callback.Callback;
@ -81,6 +82,7 @@ import com.google.re2j.Pattern;
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
public class SaslRpcClient {
// This log is public as it is referenced in tests
public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);
private final UserGroupInformation ugi;
@ -122,7 +124,6 @@ public class SaslRpcClient {
return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null;
}
// the RPC Client has an inelegant way of handling expiration of TGTs
// acquired via a keytab. any connection failure causes a relogin, so
// the Client needs to know what authMethod was being attempted if an
@ -172,14 +173,13 @@ public class SaslRpcClient {
throw new AccessControlException(
"Client cannot authenticate via:" + serverAuthMethods);
}
if (LOG.isDebugEnabled()) {
if (LOG.isDebugEnabled() && selectedAuthType != null) {
LOG.debug("Use " + selectedAuthType.getMethod() +
" authentication for protocol " + protocol.getSimpleName());
}
return selectedAuthType;
}
private boolean isValidAuthType(SaslAuth authType) {
AuthMethod authMethod;
try {
@ -218,7 +218,9 @@ public class SaslRpcClient {
case TOKEN: {
Token<?> token = getServerToken(authType);
if (token == null) {
return null; // tokens aren't supported or user doesn't have one
LOG.debug("tokens aren't supported for this protocol" +
" or user doesn't have one");
return null;
}
saslCallback = new SaslClientCallbackHandler(token);
break;
@ -226,11 +228,13 @@ public class SaslRpcClient {
case KERBEROS: {
if (ugi.getRealAuthenticationMethod().getAuthMethod() !=
AuthMethod.KERBEROS) {
return null; // client isn't using kerberos
LOG.debug("client isn't using kerberos");
return null;
}
String serverPrincipal = getServerPrincipal(authType);
if (serverPrincipal == null) {
return null; // protocol doesn't use kerberos
LOG.debug("protocol doesn't use kerberos");
return null;
}
if (LOG.isDebugEnabled()) {
LOG.debug("RPC Server's Kerberos principal name for protocol="
@ -256,22 +260,20 @@ public class SaslRpcClient {
* Try to locate the required token for the server.
*
* @param authType of the SASL client
* @return Token<?> for server, or null if no token available
* @return Token for server, or null if no token available
* @throws IOException - token selector cannot be instantiated
*/
private Token<?> getServerToken(SaslAuth authType) throws IOException {
TokenInfo tokenInfo = SecurityUtil.getTokenInfo(protocol, conf);
LOG.debug("Get token info proto:"+protocol+" info:"+tokenInfo);
LOG.debug("Get token info proto:" + protocol + " info:" + tokenInfo);
if (tokenInfo == null) { // protocol has no support for tokens
return null;
}
TokenSelector<?> tokenSelector = null;
try {
tokenSelector = tokenInfo.value().newInstance();
} catch (InstantiationException e) {
throw new IOException(e.toString());
} catch (IllegalAccessException e) {
throw new IOException(e.toString());
} catch (InstantiationException | IllegalAccessException e) {
throw new IOException(e.toString(), e);
}
return tokenSelector.selectToken(
SecurityUtil.buildTokenService(serverAddr), ugi.getTokens());
@ -288,7 +290,7 @@ public class SaslRpcClient {
@VisibleForTesting
String getServerPrincipal(SaslAuth authType) throws IOException {
KerberosInfo krbInfo = SecurityUtil.getKerberosInfo(protocol, conf);
LOG.debug("Get kerberos info proto:"+protocol+" info:"+krbInfo);
LOG.debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
if (krbInfo == null) { // protocol has no support for kerberos
return null;
}
@ -337,7 +339,6 @@ public class SaslRpcClient {
return serverPrincipal;
}
/**
* Do client side SASL authentication with server via the given InputStream
* and OutputStream
@ -510,7 +511,7 @@ public class SaslRpcClient {
String qop = (String) saslClient.getNegotiatedProperty(Sasl.QOP);
// SASL wrapping is only used if the connection has a QOP, and
// the value is not auth. ex. auth-int & auth-priv
return qop != null && !"auth".equalsIgnoreCase(qop);
return qop != null && !"auth".toLowerCase(Locale.ENGLISH).equals(qop);
}
/**
@ -534,8 +535,8 @@ public class SaslRpcClient {
* otherwise return original stream. Can be called only after
* saslConnect() has been called.
*
* @param in - InputStream used to make the connection
* @return InputStream that may be using SASL unwrap
* @param out - OutputStream used to make the connection
* @return OutputStream that may be using wrapping
* @throws IOException
*/
public OutputStream getOutputStream(OutputStream out) throws IOException {
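Review bot: In the hunk at -510,7 +511,7 the QOP check lowercases the literal instead of the negotiated value: `"auth".toLowerCase(Locale.ENGLISH)` is always `"auth"`, so the comparison with `qop` is now case-sensitive, whereas the `equalsIgnoreCase` form was not. Assuming the `Locale` line is the new side (the commit also adds the `java.util.Locale` import), a QOP reported as `AUTH` would be treated as requiring SASL wrapping even though only authentication was negotiated. Either keep `!"auth".equalsIgnoreCase(qop)`, which is already locale-independent, or normalise the value itself: `return qop != null && !"auth".equals(qop.toLowerCase(Locale.ENGLISH));`. The enclosing method starts outside the hunk.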