Author: harsh Date: Tue Sep 25 10:17:11 2012 New Revision: 1389783 URL: http://svn.apache.org/viewvc?rev=1389783&view=rev Log: HADOOP-7930. Kerberos relogin interval in UserGroupInformation should be configurable. Contributed by Robert Kanter. (harsh)
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1389783&r1=1389782&r2=1389783&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt Tue Sep 25 10:17:11 2012 
@@ -108,6 +108,9 @@ Trunk (Unreleased) NullPointerException if the serializations list is empty. (Sho Shimauchi via harsh) + HADOOP-7930. Kerberos relogin interval in UserGroupInformation + should be configurable (Robert Kanter via harsh) + BUG FIXES HADOOP-8177. MBeans shouldn't try to register when it fails to create MBeanName. Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java?rev=1389783&r1=1389782&r2=1389783&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java Tue Sep 25 10:17:11 2012 
@@ -242,5 +242,11 @@ public class CommonConfigurationKeysPubl public static final String HADOOP_SSL_ENABLED_KEY = "hadoop.ssl.enabled"; public static final boolean HADOOP_SSL_ENABLED_DEFAULT = false; + /** See <a href="{@docRoot}/../core-default.html">core-default.xml</a> */ + public static final String HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN = + "hadoop.kerberos.min.seconds.before.relogin"; + /** Default value for HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN */ + public static final int HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT = + 60; } Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java?rev=1389783&r1=1389782&r2=1389783&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java Tue Sep 25 10:17:11 2012 @@ -18,6 +18,8 @@ package org.apache.hadoop.security; import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION; +import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN; +import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT; import java.io.IOException; import java.lang.reflect.UndeclaredThrowableException; 
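Review bot: The default `HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT = 60` changes behaviour, and that is not documented anywhere in this commit. The constant it replaces in UserGroupInformation, `MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L`, was ten minutes, so any deployment that leaves the key unset now permits relogin attempts against the KDC ten times as often. Neither the Javadoc here, the core-default.xml description, nor the CHANGES.txt entry mentions this. Either keep the default at `10 * 60`, or record the change in the Javadoc, e.g. `/** Default value for HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN, in seconds (the interval was fixed at 600 before HADOOP-7930) */`.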
@@ -192,13 +194,12 @@ public class UserGroupInformation { private static boolean useKerberos; /** Server-side groups fetching service */ private static Groups groups; + /** Min time (in seconds) before relogin for Kerberos */ + private static long kerberosMinSecondsBeforeRelogin; /** The configuration to use */ private static Configuration conf; - /** Leave 10 minutes between relogin attempts. */ - private static final long MIN_TIME_BEFORE_RELOGIN = 10 * 60 * 1000L; - /**Environment variable pointing to the token cache file*/ public static final String HADOOP_TOKEN_FILE_LOCATION = "HADOOP_TOKEN_FILE_LOCATION"; @@ -245,6 +246,16 @@ public class UserGroupInformation { HADOOP_SECURITY_AUTHENTICATION + " of " + value); } + try { + kerberosMinSecondsBeforeRelogin = 1000L * conf.getLong( + HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN, + HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT); + } + catch(NumberFormatException nfe) { + throw new IllegalArgumentException("Invalid attribute value for " + + HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN + " of " + + conf.get(HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN)); + } // If we haven't set up testing groups, use the configuration to find it if (!(groups instanceof TestingGroups)) { groups = Groups.getUserToGroupsMappingService(conf); @@ -729,7 +740,7 @@ public class UserGroupInformation { return; } nextRefresh = Math.max(getRefreshTime(tgt), - now + MIN_TIME_BEFORE_RELOGIN); + now + kerberosMinSecondsBeforeRelogin); } catch (InterruptedException ie) { LOG.warn("Terminating renewal thread"); return; 
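Review bot: The field `kerberosMinSecondsBeforeRelogin` and its Javadoc say seconds, but the value stored in the `@@ -245,6 +246,16 @@` hunk is `1000L * conf.getLong(...)`, i.e. milliseconds. The later uses treat it as milliseconds too: `now + kerberosMinSecondsBeforeRelogin` in the renewal hunk, and the comparison and `/1000` in `hasSufficientTimeElapsed`. A name that contradicts the unit invites a later edit to scale or compare it wrongly, which would put the relogin throttle off by a factor of 1000. I would rename it to `kerberosMinMillisBeforeRelogin` and change the comment to `/** Min time (in milliseconds) between Kerberos relogin attempts; configured in seconds */`.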
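Review bot: The value read for `HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN` in the `@@ -245,6 +246,16 @@` hunk is checked only for being parseable. A negative number, or one large enough to overflow `1000L * ...`, is accepted and can yield a negative interval. `hasSufficientTimeElapsed` then always returns true, and `now + kerberosMinSecondsBeforeRelogin` in the renewal hunk no longer lies after `now`, so the throttle that limits relogin attempts against the KDC is gone (how tightly the renewal loop then retries depends on code outside the hunk). I would reject out-of-range values in the same place and pass `nfe` as the cause so the original parse error is kept. The enclosing method starts and ends outside the hunk.

```java
    try {
      long minSeconds = conf.getLong(
          HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN,
          HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN_DEFAULT);
      // Negative or overflowing values would disable the relogin throttle.
      if (minSeconds < 0 || minSeconds > Long.MAX_VALUE / 1000L) {
        throw new IllegalArgumentException("Invalid attribute value for " +
            HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN + " of " + minSeconds);
      }
      kerberosMinSecondsBeforeRelogin = 1000L * minSeconds;
    }
    catch(NumberFormatException nfe) {
      throw new IllegalArgumentException("Invalid attribute value for " +
          HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN + " of " +
          conf.get(HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN), nfe);
    }
    // … unchanged: groups mapping setup …
```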
@@ -964,10 +975,10 @@ public class UserGroupInformation { } private boolean hasSufficientTimeElapsed(long now) { - if (now - user.getLastLogin() < MIN_TIME_BEFORE_RELOGIN ) { + if (now - user.getLastLogin() < kerberosMinSecondsBeforeRelogin ) { LOG.warn("Not attempting to re-login since the last re-login was " + - "attempted less than " + (MIN_TIME_BEFORE_RELOGIN/1000) + " seconds"+ - " before."); + "attempted less than " + (kerberosMinSecondsBeforeRelogin/1000) + + " seconds before."); return false; } return true; Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml?rev=1389783&r1=1389782&r2=1389783&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml Tue Sep 25 10:17:11 2012 
@@ -251,6 +251,14 @@ </property> <property> + <name>hadoop.kerberos.min.seconds.before.relogin</name> + <value>60</value> + <description>The minimum time between relogin attempts for Kerberos, in + seconds. + </description> +</property> + +<property> <name>hadoop.security.auth_to_local</name> <value></value> <description>Maps kerberos principals to local user names</description> Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1389783&r1=1389782&r2=1389783&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java Tue Sep 25 10:17:11 2012 @@ -24,6 +24,7 @@ import static org.mockito.Mockito.*; import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; +import java.lang.reflect.Method; import java.security.PrivilegedExceptionAction; import java.util.Collection; import java.util.LinkedHashSet; @@ -49,6 +50,7 @@ public class TestUserGroupInformation { final private static String GROUP3_NAME = "group3"; final private static String[] GROUP_NAMES = new String[]{GROUP1_NAME, GROUP2_NAME, GROUP3_NAME}; + private static Configuration conf; /** * UGI should not use the default security conf, else it will collide 
@@ -68,7 +70,7 @@ public class TestUserGroupInformation { /** configure ugi */ @BeforeClass public static void setup() { - Configuration conf = new Configuration(); + conf = new Configuration(); conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL, "RULE:[2:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" + "RULE:[1:$1@$0](.*@HADOOP.APACHE.ORG)s/@.*//" @@ -537,4 +539,39 @@ public class TestUserGroupInformation { } }); } + + /** Test hasSufficientTimeElapsed method */ + @Test + public void testHasSufficientTimeElapsed() throws Exception { + // Make hasSufficientTimeElapsed public + Method method = UserGroupInformation.class + .getDeclaredMethod("hasSufficientTimeElapsed", long.class); + method.setAccessible(true); + + UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); + User user = ugi.getSubject().getPrincipals(User.class).iterator().next(); + long now = System.currentTimeMillis(); + + // Using default relogin time (1 minute) + user.setLastLogin(now - 2 * 60 * 1000); // 2 minutes before "now" + assertTrue((Boolean)method.invoke(ugi, now)); + user.setLastLogin(now - 30 * 1000); // 30 seconds before "now" + assertFalse((Boolean)method.invoke(ugi, now)); + + // Using relogin time of 10 minutes + Configuration conf2 = new Configuration(conf); + conf2.setLong( + CommonConfigurationKeysPublic.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN, + 10 * 60); + UserGroupInformation.setConfiguration(conf2); + user.setLastLogin(now - 15 * 60 * 1000); // 15 minutes before "now" + assertTrue((Boolean)method.invoke(ugi, now)); + user.setLastLogin(now - 6 * 60 * 1000); // 6 minutes before "now" + assertFalse((Boolean)method.invoke(ugi, now)); + // Restore original conf to UGI + UserGroupInformation.setConfiguration(conf); + + // Restore hasSufficientTimElapsed back to private + method.setAccessible(false); + } }
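Review bot: `testHasSufficientTimeElapsed` restores the UGI configuration only on the success path. If either assertion after `UserGroupInformation.setConfiguration(conf2)` fails, the static 10-minute interval stays installed for every later test in the same JVM. Wrap that section as `try { ... } finally { UserGroupInformation.setConfiguration(conf); }` so the process-wide state is always reset. The test also never feeds an invalid value for the key, which is the one error path this commit adds to `UserGroupInformation`; a case expecting `IllegalArgumentException` for a non-numeric setting would pin it.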