Author: jitendra
Date: Thu Nov 24 02:07:57 2011
New Revision: 1205704
URL: http://svn.apache.org/viewvc?rev=1205704&view=rev
Log:
HADOOP-7853. multiple javax security configurations cause conflicts.
Contributed by Daryn Sharp.
Modified:
hadoop/common/branches/branch-0.20-security/CHANGES.txt
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java
Modified: hadoop/common/branches/branch-0.20-security/CHANGES.txt
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/CHANGES.txt?rev=1205704&r1=1205703&r2=1205704&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.20-security/CHANGES.txt Thu Nov 24 02:07:57
2011
@@ -217,6 +217,9 @@ Release 0.20.205.1 - unreleased
HDFS-611. Heartbeats times from Datanodes increase when there are plenty of
blocks to delete. (Zheng Shao via jitendra)
+ HADOOP-7853. multiple javax security configurations cause conflicts.
+ (Daryn via jitendra)
+
Release 0.20.205.0 - 2011.10.06
NEW FEATURES
Modified:
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java?rev=1205704&r1=1205703&r2=1205704&view=diff
==============================================================================
---
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java
(original)
+++
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/SecurityUtil.java
Thu Nov 24 02:07:57 2011
@@ -92,7 +92,7 @@ public class SecurityUtil {
if (isOriginalTGT(t.getServer().getName()))
return t;
}
- throw new IOException("Failed to find TGT from current Subject");
+ throw new IOException("Failed to find TGT from current Subject:"+current);
}
// Original TGT must be of form "krbtgt/FOO@FOO". Verify this
Modified:
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1205704&r1=1205703&r2=1205704&view=diff
==============================================================================
---
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java
(original)
+++
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/UserGroupInformation.java
Thu Nov 24 02:07:57 2011
@@ -93,18 +93,30 @@ public class UserGroupInformation {
@Override
public boolean commit() throws LoginException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("hadoop login commit");
+ }
// if we already have a user, we are done.
if (!subject.getPrincipals(User.class).isEmpty()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("using existing subject:"+subject.getPrincipals());
+ }
return true;
}
Principal user = null;
// if we are using kerberos, try it out
if (useKerberos) {
user = getCanonicalUser(KerberosPrincipal.class);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("using kerberos user:"+user);
+ }
}
// if we don't have a kerberos user, use the OS user
if (user == null) {
user = getCanonicalUser(OS_PRINCIPAL_CLASS);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("using local user:"+user);
+ }
}
// if we found the user, add our principal
if (user != null) {
@@ -123,11 +135,17 @@ public class UserGroupInformation {
@Override
public boolean login() throws LoginException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("hadoop login");
+ }
return true;
}
@Override
public boolean logout() throws LoginException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("hadoop logout");
+ }
return true;
}
}
@@ -179,11 +197,6 @@ public class UserGroupInformation {
if (!(groups instanceof TestingGroups)) {
groups = Groups.getUserToGroupsMappingService(conf);
}
- // Set the configuration for JAAS to be the Hadoop configuration.
- // This is done here rather than a static initializer to avoid a
- // circular dependence.
- javax.security.auth.login.Configuration.setConfiguration
- (new HadoopConfiguration());
// give the configuration on how to translate Kerberos names
try {
KerberosName.setConfiguration(conf);
@@ -356,6 +369,11 @@ public class UserGroupInformation {
}
}
+ private static LoginContext
+ newLoginContext(String appName, Subject subject) throws LoginException {
+ return new LoginContext(appName, subject, null, new HadoopConfiguration());
+ }
+
private LoginContext getLogin() {
return user.getLogin();
}
@@ -407,9 +425,9 @@ public class UserGroupInformation {
Subject subject = new Subject();
LoginContext login;
if (isSecurityEnabled()) {
- login = new
LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject);
+ login =
newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, subject);
} else {
- login = new LoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME,
subject);
+ login = newLoginContext(HadoopConfiguration.SIMPLE_CONFIG_NAME,
subject);
}
login.login();
loginUser = new UserGroupInformation(subject);
@@ -432,6 +450,9 @@ public class UserGroupInformation {
} catch (LoginException le) {
throw new IOException("failure to login", le);
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("UGI loginUser:"+loginUser);
+ }
}
return loginUser;
}
@@ -556,7 +577,7 @@ public class UserGroupInformation {
}
try {
login =
- new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
subject);
+ newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
subject);
start = System.currentTimeMillis();
login.login();
metrics.addLoginSuccess(System.currentTimeMillis() - start);
@@ -602,7 +623,7 @@ public class UserGroupInformation {
//login and also update the subject field of this instance to
//have the new credentials (pass it to the LoginContext constructor)
login =
- new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
+ newLoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME,
getSubject());
LOG.info("Initiating re-login for " + getUserName());
login.login();
@@ -639,7 +660,7 @@ public class UserGroupInformation {
Subject subject = new Subject();
LoginContext login =
- new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
subject);
+ newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
subject);
start = System.currentTimeMillis();
login.login();
@@ -713,7 +734,7 @@ public class UserGroupInformation {
//login and also update the subject field of this instance to
//have the new credentials (pass it to the LoginContext constructor)
login =
- new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
+ newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME,
getSubject());
LOG.info("Initiating re-login for " + keytabPrincipal);
start = System.currentTimeMillis();
@@ -976,11 +997,10 @@ public class UserGroupInformation {
*/
@Override
public String toString() {
- if (getRealUser() != null) {
- return getUserName() + " via " + getRealUser().toString();
- } else {
- return getUserName();
- }
+ String me = (getRealUser() != null)
+ ? getUserName() + " via " + getRealUser().toString()
+ : getUserName();
+ return me + " (auth:"+getAuthenticationMethod()+")";
}
/**
@@ -1039,6 +1059,7 @@ public class UserGroupInformation {
* @return the value from the run method
*/
public <T> T doAs(PrivilegedAction<T> action) {
+ logPriviledgedAction(subject, action);
return Subject.doAs(subject, action);
}
@@ -1056,9 +1077,11 @@ public class UserGroupInformation {
public <T> T doAs(PrivilegedExceptionAction<T> action
) throws IOException, InterruptedException {
try {
+ logPriviledgedAction(subject, action);
return Subject.doAs(subject, action);
} catch (PrivilegedActionException pae) {
Throwable cause = pae.getCause();
+ LOG.error("PriviledgedActionException as:"+this+" cause:"+cause);
if (cause instanceof IOException) {
throw (IOException) cause;
} else if (cause instanceof Error) {
@@ -1073,6 +1096,14 @@ public class UserGroupInformation {
}
}
+ private void logPriviledgedAction(Subject subject, Object action) {
+ if (LOG.isDebugEnabled()) {
+ // would be nice if action included a descriptive toString()
+ String where = new Throwable().getStackTrace()[2].toString();
+ LOG.debug("PriviledgedAction as:"+this+" from:"+where);
+ }
+ }
+
private void print() throws IOException {
System.out.println("User: " + getUserName());
System.out.print("Group Ids: ");
Modified:
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java?rev=1205704&r1=1205703&r2=1205704&view=diff
==============================================================================
---
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
(original)
+++
hadoop/common/branches/branch-0.20-security/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
Thu Nov 24 02:07:57 2011
@@ -110,10 +110,6 @@ public class KerberosAuthenticator imple
}
}
- static {
- javax.security.auth.login.Configuration.setConfiguration(new
KerberosConfiguration());
- }
-
private URL url;
private HttpURLConnection conn;
private Base64 base64;
@@ -187,7 +183,8 @@ public class KerberosAuthenticator imple
Subject subject = Subject.getSubject(context);
if (subject == null) {
subject = new Subject();
- LoginContext login = new LoginContext("", subject);
+ LoginContext login = new LoginContext("", subject,
+ null, new KerberosConfiguration());
login.login();
}
Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
Modified:
hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1205704&r1=1205703&r2=1205704&view=diff
==============================================================================
---
hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java
(original)
+++
hadoop/common/branches/branch-0.20-security/src/test/org/apache/hadoop/security/TestUserGroupInformation.java
Thu Nov 24 02:07:57 2011
@@ -31,6 +31,9 @@ import java.security.PrivilegedException
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+
+import javax.security.auth.login.AppConfigurationEntry;
+
import junit.framework.Assert;
import org.apache.hadoop.conf.Configuration;
@@ -49,7 +52,22 @@ public class TestUserGroupInformation {
final private static String[] GROUP_NAMES =
new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME};
+ // UGI should not use the default security conf, else it will collide
+ // with other classes that may change the default conf. Using this dummy
+ // class that simply throws an exception will ensure that the tests fail
+ // if UGI uses the static default config instead of its own config
+ private static class DummyLoginConfiguration extends
+ javax.security.auth.login.Configuration
+ {
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ throw new RuntimeException("UGI is not using its own security conf!");
+ }
+ }
+
static {
+ javax.security.auth.login.Configuration.setConfiguration(
+ new DummyLoginConfiguration());
Configuration conf = new Configuration();
conf.set("hadoop.security.auth_to_local",
"RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" +
