HDFS-13682. Cannot create encryption zone after KMS auth token expires.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/32f867a6
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/32f867a6
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/32f867a6
Branch: refs/heads/HDDS-4
Commit: 32f867a6a907c05a312657139d295a92756d98ef
Parents: b089a06
Author: Xiao Chen <x...@apache.org>
Authored: Wed Jun 20 15:58:01 2018 -0700
Committer: Xiao Chen <x...@apache.org>
Committed: Wed Jun 20 15:58:26 2018 -0700
----------------------------------------------------------------------
 .../crypto/key/kms/KMSClientProvider.java | 9 ++++--
 .../hadoop/security/UserGroupInformation.java | 4 ++-
 .../hdfs/TestSecureEncryptionZoneWithKMS.java | 34 ++++++++++++++++++--
 3 files changed, 41 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/32f867a6/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 08787a5..edbf897 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -32,7 +32,9 @@ import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.ProviderUtils;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
@@ -543,7 +545,9 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 String requestMethod = conn.getRequestMethod();
 URL url = conn.getURL();
 conn = createConnection(url, requestMethod);
- conn.setRequestProperty(CONTENT_TYPE, contentType);
+ if (contentType != null && !contentType.isEmpty()) {
+ conn.setRequestProperty(CONTENT_TYPE, contentType);
+ }
 return call(conn, jsonOutput, expectedResponse, klass, authRetryCount - 1);
 }
@@ -1087,8 +1091,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 actualUgi = currentUgi.getRealUser();
 }
 if (UserGroupInformation.isSecurityEnabled() &&
- !containsKmsDt(actualUgi) &&
- !actualUgi.hasKerberosCredentials()) {
+ !containsKmsDt(actualUgi) && !actualUgi.shouldRelogin()) {
 // Use login user is only necessary when Kerberos is enabled
 // but the actual user does not have either
 // Kerberos credential or KMS delegation token for KMS operations
http://git-wip-us.apache.org/repos/asf/hadoop/blob/32f867a6/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
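Review bot: The new null/empty guard around `conn.setRequestProperty(CONTENT_TYPE, contentType)` on the retry path gives no hint of when contentType is absent, and the method it sits in starts and ends outside the hunk, so a reader cannot see whether the first attempt applies the same rule. Since this is the branch taken after an authentication failure (the recursive `call(..., authRetryCount - 1)` on the next line), a one-line why-comment would make the intent reviewable, e.g. `// Re-apply Content-Type only when the original request carried one; never set a null/empty header on the retried connection.` Presumably the unguarded call is what broke retries of body-less requests after re-authentication; that is worth confirming and stating in the comment.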
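Review bot: The three comment lines that follow the changed condition are now stale: switching `!actualUgi.hasKerberosCredentials()` to `!actualUgi.shouldRelogin()` means the fallback to the login user also fires when the actual user does hold Kerberos credentials but they are not a Hadoop-managed login (`shouldRelogin()` is `hasKerberosCredentials() && isHadoopLogin()` per the UserGroupInformation hunk below). Because this branch decides which identity authenticates to the KMS, the wider trigger should be spelled out, e.g. `// Fall back to the login user when the actual user has neither a KMS delegation token nor Kerberos credentials that Hadoop itself logged in; presumably only a Hadoop-managed login can re-authenticate once the KMS auth token has expired.` The enclosing method starts and ends outside the hunk.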
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 3872810..29b9fea 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -831,7 +831,9 @@ public class UserGroupInformation {
 return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
 }
- private boolean shouldRelogin() {
+ @InterfaceAudience.Private
+ @InterfaceStability.Unstable
+ public boolean shouldRelogin() {
 return hasKerberosCredentials() && isHadoopLogin();
 }
http://git-wip-us.apache.org/repos/asf/hadoop/blob/32f867a6/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
index 7c4763c..db97c02 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
@@ -107,6 +107,8 @@ public class TestSecureEncryptionZoneWithKMS {
 // MiniKMS
 private static MiniKMS miniKMS;
 private final String testKey = "test_key";
+ private static boolean testKeyCreated = false;
+ private static final long AUTH_TOKEN_VALIDITY = 1;
 // MiniDFS
 private MiniDFSCluster cluster;
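Review bot: `shouldRelogin()` is widened from private to public without a Javadoc; the added `@InterfaceAudience.Private` and `@InterfaceStability.Unstable` annotations tell a caller who may use it but not what it means. The body is only `hasKerberosCredentials() && isHadoopLogin()`, so a short Javadoc stating that it returns true solely for a UGI whose Kerberos credentials came from a Hadoop-initiated login (presumably keytab or ticket-cache login that Hadoop can repeat) and that KMSClientProvider uses it to decide whether to fall back to the login user would make the new visibility self-explanatory. The enclosing class continues outside the hunk.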
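Review bot: `private static final long AUTH_TOKEN_VALIDITY = 1;` carries no unit in its name or in a comment; it is written to `hadoop.kms.authentication.token.validity` and, in the new test, multiplied by 1000 to obtain a millisecond sleep, so it is evidently seconds. Renaming it `AUTH_TOKEN_VALIDITY_SECONDS` or adding a trailing `// seconds` comment would keep a later edit from mixing units. `testKeyCreated` is mutable static state shared by every test in the class; as far as the hunk shows, that is only sound because `miniKMS` is also static while `cluster` is per instance, and that dependency deserves a comment beside the field.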
@@ -128,7 +130,7 @@ public class TestSecureEncryptionZoneWithKMS {
 }
 @Rule
- public Timeout timeout = new Timeout(30000);
+ public Timeout timeout = new Timeout(120000);
 @BeforeClass
 public static void init() throws Exception {
@@ -215,6 +217,9 @@ public class TestSecureEncryptionZoneWithKMS {
 "HTTP/localhost");
 kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
 kmsConf.set("hadoop.kms.acl.GENERATE_EEK", "hdfs");
+ // set kms auth token expiration low for testCreateZoneAfterAuthTokenExpiry
+ kmsConf.setLong("hadoop.kms.authentication.token.validity",
+ AUTH_TOKEN_VALIDITY);
 Writer writer = new FileWriter(kmsFile);
 kmsConf.writeXml(writer);
@@ -260,7 +265,10 @@ public class TestSecureEncryptionZoneWithKMS {
 cluster.waitActive();
 // Create a test key
- DFSTestUtil.createKey(testKey, cluster, conf);
+ if (!testKeyCreated) {
+ DFSTestUtil.createKey(testKey, cluster, conf);
+ testKeyCreated = true;
+ }
 }
 @After
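Review bot: The `if (!testKeyCreated)` guard in the @@ -260 hunk couples per-test setup to class-scoped state without saying why: the flag is never reset, which is correct only if the key outlives the per-instance `cluster` that is rebuilt around it. A comment at the guard would carry that reasoning, e.g. `// The key is stored in the class-scoped MiniKMS, not in the per-test cluster, so create it once; presumably a second createKey for the same name is rejected by the KMS.` The setup method this sits in starts outside the hunk, so whether anything else depends on the key being created per test cannot be seen here.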
@@ -307,4 +315,26 @@ public class TestSecureEncryptionZoneWithKMS {
 }
 });
 }
+
+ @Test
+ public void testCreateZoneAfterAuthTokenExpiry() throws Exception {
+ final UserGroupInformation ugi = UserGroupInformation
+ .loginUserFromKeytabAndReturnUGI(hdfsPrincipal, keytab);
+ LOG.info("Created ugi: {} ", ugi);
+
+ ugi.doAs((PrivilegedExceptionAction<Object>) () -> {
+ final Path zone = new Path("/expire1");
+ fsWrapper.mkdir(zone, FsPermission.getDirDefault(), true);
+ dfsAdmin.createEncryptionZone(zone, testKey, NO_TRASH);
+
+ final Path zone1 = new Path("/expire2");
+ fsWrapper.mkdir(zone1, FsPermission.getDirDefault(), true);
+ final long sleepInterval = (AUTH_TOKEN_VALIDITY + 1) * 1000;
+ LOG.info("Sleeping {} seconds to wait for kms auth token expiration",
+ sleepInterval);
+ Thread.sleep(sleepInterval);
+ dfsAdmin.createEncryptionZone(zone1, testKey, NO_TRASH);
+ return null;
+ });
+ }
 }
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
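Review bot: The log line `LOG.info("Sleeping {} seconds to wait for kms auth token expiration", sleepInterval)` reports milliseconds as seconds: `sleepInterval` is `(AUTH_TOKEN_VALIDITY + 1) * 1000` and is passed unchanged to `Thread.sleep`, so with AUTH_TOKEN_VALIDITY = 1 it prints "Sleeping 2000 seconds". Change it to `LOG.info("Sleeping {} ms to wait for kms auth token expiration", sleepInterval);` or log `AUTH_TOKEN_VALIDITY + 1` instead. The test has no explicit assertion and passes only if the second `createEncryptionZone` call does not throw, which is fine for a regression test but should be stated in a method comment, together with the fact that a one-second token validity plus a one-second margin is the only thing keeping the test from flaking on a slow machine.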