Repository: hadoop
Updated Branches:
  refs/heads/branch-2 894521673 -> e84588eb0
  refs/heads/trunk 4f3ca0396 -> 8b5f2c372


HADOOP-14351. Azure: RemoteWasbAuthorizerImpl and RemoteSASKeyGeneratorImpl 
should not use Kerberos interactive user cache. Contributed by Santhosh G Nayak


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/8b5f2c37
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/8b5f2c37
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/8b5f2c37

Branch: refs/heads/trunk
Commit: 8b5f2c372e70999f3ee0a0bd685a494e06bc3652
Parents: 4f3ca03
Author: Mingliang Liu <lium...@apache.org>
Authored: Wed Apr 26 13:46:59 2017 -0700
Committer: Mingliang Liu <lium...@apache.org>
Committed: Wed Apr 26 13:47:18 2017 -0700

----------------------------------------------------------------------
 .../hadoop/fs/azure/NativeAzureFileSystem.java  |  3 ---
 .../fs/azure/RemoteSASKeyGeneratorImpl.java     | 26 ++++++--------------
 .../fs/azure/RemoteWasbAuthorizerImpl.java      | 22 +++++------------
 .../fs/azure/security/WasbTokenRenewer.java     |  6 -----
 4 files changed, 14 insertions(+), 43 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/8b5f2c37/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java
----------------------------------------------------------------------
diff --git 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java
 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java
index e06522b..8f6dd4b 100644
--- 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java
+++ 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java
@@ -2987,9 +2987,6 @@ public class NativeAzureFileSystem extends FileSystem {
         if (connectUgi == null) {
           connectUgi = ugi;
         }
-        if (!connectUgi.hasKerberosCredentials()) {
-          connectUgi = UserGroupInformation.getLoginUser();
-        }
         connectUgi.checkTGTAndReloginFromKeytab();
         return connectUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
           @Override

http://git-wip-us.apache.org/repos/asf/hadoop/blob/8b5f2c37/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java
----------------------------------------------------------------------
diff --git 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java
 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java
index aab62a1..387d911 100644
--- 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java
+++ 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java
@@ -97,7 +97,7 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
   private static final String RELATIVE_PATH_QUERY_PARAM_NAME =
       "relative_path";
 
-  private String delegationToken = "";
+  private String delegationToken;
   private String credServiceUrl = "";
   private WasbRemoteCallHelper remoteCallHelper = null;
   private boolean isSecurityEnabled;
@@ -110,14 +110,7 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
   public void initialize(Configuration conf) throws IOException {
 
     LOG.debug("Initializing RemoteSASKeyGeneratorImpl instance");
-    try {
-      delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
-    } catch (IOException e) {
-      final String msg = "Error in fetching the WASB delegation token";
-      LOG.error(msg, e);
-      throw new IOException(msg, e);
-    }
-
+    setDelegationToken();
     try {
       credServiceUrl = SecurityUtils.getCredServiceUrls(conf);
     } catch (UnknownHostException e) {
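Review bot: The `setDelegationToken()` call at the top of `initialize()` drops the context that the removed `try`/`catch` supplied. A failure in `SecurityUtils.getDelegationTokenFromCredentials()` now surfaces as a bare `IOException`, without the "Error in fetching the WASB delegation token" message or the error log. This is the credential-acquisition step, so that context helps operators tell a token lookup failure from the `getCredServiceUrls` failure handled just below. The wrap could move into the helper, e.g. `throw new IOException("Error in fetching the WASB delegation token", e);`. The same applies to `init()` in RemoteWasbAuthorizerImpl, and `initialize()` continues past the end of this hunk.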
@@ -146,6 +139,7 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
     try {
       LOG.debug("Generating Container SAS Key for Container {} "
           + "inside Storage Account {} ", container, storageAccount);
+      setDelegationToken();
       URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
       uriBuilder.setPath("/" + CONTAINER_SAS_OP);
       uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
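Review bot: `setDelegationToken()` here writes the caller's token into the instance field `delegationToken` on every request, and the field is neither `volatile` nor guarded. If one RemoteSASKeyGeneratorImpl serves concurrent callers running as different users (the diff does not show how instances are shared, so this needs confirming), another thread can overwrite the field between this refresh and the later read, and a request may then carry a different user's delegation token. Reading the token into a local, `final String token = SecurityUtils.getDelegationTokenFromCredentials();`, and passing it down to where the request is built would avoid the shared state. The same pattern appears in the relative-path SAS key hunk below and in `authorize()` in RemoteWasbAuthorizerImpl. The enclosing method starts and ends outside this hunk.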
@@ -166,10 +160,6 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
       } else {
         uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
       }
-
-      if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
-        connectUgi = UserGroupInformation.getLoginUser();
-      }
       return getSASKey(uriBuilder.build(), connectUgi);
     } catch (URISyntaxException uriSyntaxEx) {
       throw new SASKeyGenerationException("Encountered URISyntaxException "
@@ -188,6 +178,7 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
       LOG.debug("Generating RelativePath SAS Key for relativePath {} inside"
               + " Container {} inside Storage Account {} ",
           relativePath, container, storageAccount);
+      setDelegationToken();
       URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
       uriBuilder.setPath("/" + BLOB_SAS_OP);
       uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
@@ -212,10 +203,6 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
       } else {
         uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
       }
-
-      if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
-        connectUgi = UserGroupInformation.getLoginUser();
-      }
       return getSASKey(uriBuilder.build(), connectUgi);
     } catch (URISyntaxException uriSyntaxEx) {
       throw new SASKeyGenerationException("Encountered URISyntaxException"
@@ -231,7 +218,6 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
       throws URISyntaxException, SASKeyGenerationException {
     final RemoteSASKeyGenerationResponse sasKeyResponse;
     try {
-      connectUgi.checkTGTAndReloginFromKeytab();
       sasKeyResponse = connectUgi.doAs(
           new PrivilegedExceptionAction<RemoteSASKeyGenerationResponse>() {
             @Override
@@ -311,6 +297,10 @@ public class RemoteSASKeyGeneratorImpl extends 
SASKeyGeneratorImpl {
           + "accessing remote service to retrieve SAS Key", ioEx);
     }
   }
+
+  private void setDelegationToken() throws IOException {
+    this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
+  }
 }
 
 /**
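Review bot: `setDelegationToken()` takes no argument and re-reads the token from `SecurityUtils.getDelegationTokenFromCredentials()`, so the name reads like a plain setter; something like `refreshDelegationToken()` with a short Javadoc would say what it does. The Javadoc should state that it is called on initialization and before each SAS key request, and whether the field can be left `null` (the initializer changed from `""` to no value in this commit, so readers of `delegationToken` outside this diff presumably need a null check). An identical helper is added to RemoteWasbAuthorizerImpl, and the same comment applies there.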

http://git-wip-us.apache.org/repos/asf/hadoop/blob/8b5f2c37/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java
----------------------------------------------------------------------
diff --git 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java
 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java
index 8576377..ea08b2b 100644
--- 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java
+++ 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java
@@ -31,8 +31,6 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import 
org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.Authenticator;
-import org.apache.hadoop.security.token.Token;
-import org.apache.hadoop.security.token.TokenIdentifier;
 import 
org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.utils.URIBuilder;
@@ -42,7 +40,6 @@ import org.slf4j.LoggerFactory;
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.security.PrivilegedExceptionAction;
-import java.util.Iterator;
 
 import static 
org.apache.hadoop.fs.azure.WasbRemoteCallHelper.REMOTE_CALL_SUCCESS_CODE;
 
@@ -104,15 +101,7 @@ public class RemoteWasbAuthorizerImpl implements 
WasbAuthorizerInterface {
   public void init(Configuration conf)
       throws WasbAuthorizationException, IOException {
     LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
-    Iterator<Token<? extends TokenIdentifier>> tokenIterator = null;
-    try {
-          delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
-    } catch (IOException e) {
-      final String msg = "Error in fetching the WASB delegation token";
-      LOG.error(msg, e);
-      throw new IOException(msg, e);
-    }
-
+    setDelegationToken();
     remoteAuthorizerServiceUrl = SecurityUtils
         .getRemoteAuthServiceUrls(conf);
 
@@ -140,6 +129,7 @@ public class RemoteWasbAuthorizerImpl implements 
WasbAuthorizerInterface {
           return true;
         }
 
+        setDelegationToken();
         URIBuilder uriBuilder = new URIBuilder(remoteAuthorizerServiceUrl);
         uriBuilder.setPath("/" + CHECK_AUTHORIZATION_OP);
         uriBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME,
@@ -159,10 +149,6 @@ public class RemoteWasbAuthorizerImpl implements 
WasbAuthorizerInterface {
         } else {
           uriBuilder.addParameter(Constants.DOAS_PARAM, 
ugi.getShortUserName());
         }
-        if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
-          connectUgi = UserGroupInformation.getLoginUser();
-        }
-        connectUgi.checkTGTAndReloginFromKeytab();
 
         try {
           responseBody = connectUgi
@@ -218,6 +204,10 @@ public class RemoteWasbAuthorizerImpl implements 
WasbAuthorizerInterface {
         throw new WasbAuthorizationException(ex);
       }
   }
+
+  private void setDelegationToken() throws IOException {
+    this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
+  }
 }
 
 /**

http://git-wip-us.apache.org/repos/asf/hadoop/blob/8b5f2c37/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java
----------------------------------------------------------------------
diff --git 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java
 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java
index 642f56a..7994bde 100644
--- 
a/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java
+++ 
b/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java
@@ -81,9 +81,6 @@ public class WasbTokenRenewer extends TokenRenewer {
     if (connectUgi == null) {
       connectUgi = ugi;
     }
-    if (!connectUgi.hasKerberosCredentials()) {
-      connectUgi = UserGroupInformation.getLoginUser();
-    }
     connectUgi.checkTGTAndReloginFromKeytab();
     final DelegationTokenAuthenticatedURL.Token authToken = new 
DelegationTokenAuthenticatedURL.Token();
     authToken
@@ -123,9 +120,6 @@ public class WasbTokenRenewer extends TokenRenewer {
     if (connectUgi == null) {
       connectUgi = ugi;
     }
-    if (!connectUgi.hasKerberosCredentials()) {
-      connectUgi = UserGroupInformation.getLoginUser();
-    }
     connectUgi.checkTGTAndReloginFromKeytab();
     final DelegationTokenAuthenticatedURL.Token authToken = new 
DelegationTokenAuthenticatedURL.Token();
     authToken

