Author: jitendra Date: Thu Nov 24 02:07:57 2011 New Revision: 1205704 URL: http://svn.apache.org/viewvc?rev=1205704&view=rev Log: HADOOP-7853. multiple javax security configurations cause conflicts. Contributed by Daryn Sharp.
Modified: hadoop/common/branches/branch-0.20-security/CHANGES.txt hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java Modified: hadoop/common/branches/branch-0.20-security/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/CHANGES.txt?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/CHANGES.txt (original) +++ hadoop/common/branches/branch-0.20-security/CHANGES.txt Thu Nov 24 02:07:57 2011 @@ -217,6 +217,9 @@ Release 0.20.205.1 - unreleased HDFS-611. Heartbeats times from Datanodes increase when there are plenty of blocks to delete. (Zheng Shao via jitendra) + HADOOP-7853. multiple javax security configurations cause conflicts. + (Daryn via jitendra) + Release 0.20.205.0 - 2011.10.06 NEW FEATURES Modified: hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java (original) +++ hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java Thu Nov 24 02:07:57 2011 @@ -92,7 +92,7 @@ public class SecurityUtil { if (isOriginalTGT(t.getServer().getName())) return t; } - throw new IOException("Failed to find TGT from current Subject"); + throw new IOException("Failed to find TGT from current Subject:"+current); } // Original TGT must be of form "krbtgt/FOO@FOO". Verify this Modified: hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java (original) +++ hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java Thu Nov 24 02:07:57 2011 @@ -93,18 +93,30 @@ public class UserGroupInformation { @Override public boolean commit() throws LoginException { + if (LOG.isDebugEnabled()) { + LOG.debug("hadoop login commit"); + } // if we already have a user, we are done. if (!subject.getPrincipals(User.class).isEmpty()) { + if (LOG.isDebugEnabled()) { + LOG.debug("using existing subject:"+subject.getPrincipals()); + } return true; } Principal user = null; // if we are using kerberos, try it out if (useKerberos) { user = getCanonicalUser(KerberosPrincipal.class); + if (LOG.isDebugEnabled()) { + LOG.debug("using kerberos user:"+user); + } } // if we don't have a kerberos user, use the OS user if (user == null) { user = getCanonicalUser(OS_PRINCIPAL_CLASS); + if (LOG.isDebugEnabled()) { + LOG.debug("using local user:"+user); + } } // if we found the user, add our principal if (user != null) { @@ -123,11 +135,17 @@ public class UserGroupInformation { @Override public boolean login() throws LoginException { + if (LOG.isDebugEnabled()) { + LOG.debug("hadoop login"); + } return true; } @Override public boolean logout() throws LoginException { + if (LOG.isDebugEnabled()) { + LOG.debug("hadoop logout"); + } return true; } } @@ -179,11 +197,6 @@ public class UserGroupInformation { if (!(groups instanceof TestingGroups)) { groups = Groups.getUserToGroupsMappingService(conf); } - // Set the configuration for JAAS to be the Hadoop configuration. - // This is done here rather than a static initializer to avoid a - // circular dependence. - javax.security.auth.login.Configuration.setConfiguration - (new HadoopConfiguration()); // give the configuration on how to translate Kerberos names try { KerberosName.setConfiguration(conf); @@ -356,6 +369,11 @@ public class UserGroupInformation { } } + private static LoginContext + newLoginContext(String appName, Subject subject) throws LoginException { + return new LoginContext(appName, subject, null, new HadoopConfiguration()); + } + private LoginContext getLogin() { return user.getLogin(); } @@ -407,9 +425,9 @@ public class UserGroupInformation { Subject subject = new Subject(); LoginContext login; if (isSecurityEnabled()) { - login = new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject); + login = newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject); } else { - login = new LoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME, subject); + login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME, subject); } login.login(); loginUser = new UserGroupInformation(subject); @@ -432,6 +450,9 @@ public class UserGroupInformation { } catch (LoginException le) { throw new IOException("failure to login", le); } + if (LOG.isDebugEnabled()) { + LOG.debug("UGI loginUser:"+loginUser); + } } return loginUser; } @@ -556,7 +577,7 @@ public class UserGroupInformation { } try { login = - new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); + newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); start = System.currentTimeMillis(); login.login(); metrics.addLoginSuccess(System.currentTimeMillis() - start); @@ -602,7 +623,7 @@ public class UserGroupInformation { //login and also update the subject field of this instance to //have the new credentials (pass it to the LoginContext constructor) login = - new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, + newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, getSubject()); LOG.info("Initiating re-login for " + getUserName()); login.login(); @@ -639,7 +660,7 @@ public class UserGroupInformation { Subject subject = new Subject(); LoginContext login = - new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); + newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject); start = System.currentTimeMillis(); login.login(); @@ -713,7 +734,7 @@ public class UserGroupInformation { //login and also update the subject field of this instance to //have the new credentials (pass it to the LoginContext constructor) login = - new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, + newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject()); LOG.info("Initiating re-login for " + keytabPrincipal); start = System.currentTimeMillis(); @@ -976,11 +997,10 @@ public class UserGroupInformation { */ @Override public String toString() { - if (getRealUser() != null) { - return getUserName() + " via " + getRealUser().toString(); - } else { - return getUserName(); - } + String me = (getRealUser() != null) + ? getUserName() + " via " + getRealUser().toString() + : getUserName(); + return me + " (auth:"+getAuthenticationMethod()+")"; } /** @@ -1039,6 +1059,7 @@ public class UserGroupInformation { * @return the value from the run method */ public <T> T doAs(PrivilegedAction<T> action) { + logPriviledgedAction(subject, action); return Subject.doAs(subject, action); } @@ -1056,9 +1077,11 @@ public class UserGroupInformation { public <T> T doAs(PrivilegedExceptionAction<T> action ) throws IOException, InterruptedException { try { + logPriviledgedAction(subject, action); return Subject.doAs(subject, action); } catch (PrivilegedActionException pae) { Throwable cause = pae.getCause(); + LOG.error("PriviledgedActionException as:"+this+" cause:"+cause); if (cause instanceof IOException) { throw (IOException) cause; } else if (cause instanceof Error) { @@ -1073,6 +1096,14 @@ public class UserGroupInformation { } } + private void logPriviledgedAction(Subject subject, Object action) { + if (LOG.isDebugEnabled()) { + // would be nice if action included a descriptive toString() + String where = new Throwable().getStackTrace()[2].toString(); + LOG.debug("PriviledgedAction as:"+this+" from:"+where); + } + } + private void print() throws IOException { System.out.println("User: " + getUserName()); System.out.print("Group Ids: "); Modified: hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java (original) +++ hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java Thu Nov 24 02:07:57 2011 @@ -110,10 +110,6 @@ public class KerberosAuthenticator imple } } - static { - javax.security.auth.login.Configuration.setConfiguration(new KerberosConfiguration()); - } - private URL url; private HttpURLConnection conn; private Base64 base64; @@ -187,7 +183,8 @@ public class KerberosAuthenticator imple Subject subject = Subject.getSubject(context); if (subject == null) { subject = new Subject(); - LoginContext login = new LoginContext("", subject); + LoginContext login = new LoginContext("", subject, + null, new KerberosConfiguration()); login.login(); } Subject.doAs(subject, new PrivilegedExceptionAction<Void>() { Modified: hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1205704&r1=1205703&r2=1205704&view=diff ============================================================================== --- hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java (original) +++ hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java Thu Nov 24 02:07:57 2011 @@ -31,6 +31,9 @@ import java.security.PrivilegedException import java.util.ArrayList; import java.util.Collection; import java.util.List; + +import javax.security.auth.login.AppConfigurationEntry; + import junit.framework.Assert; import org.apache.hadoop.conf.Configuration; @@ -49,7 +52,22 @@ public class TestUserGroupInformation { final private static String[] GROUP_NAMES = new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME}; + // UGI should not use the default security conf, else it will collide + // with other classes that may change the default conf. Using this dummy + // class that simply throws an exception will ensure that the tests fail + // if UGI uses the static default config instead of its own config + private static class DummyLoginConfiguration extends + javax.security.auth.login.Configuration + { + @Override + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + throw new RuntimeException("UGI is not using its own security conf!"); + } + } + static { + javax.security.auth.login.Configuration.setConfiguration( + new DummyLoginConfiguration()); Configuration conf = new Configuration(); conf.set("hadoop.security.auth_to_local", "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +