This is an automated email from the ASF dual-hosted git repository. inigoiri pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push: new 60f3a2b1019 HDFS-17138 RBF: We changed the hadoop.security.auth_to_local configur… (#5921) 60f3a2b1019 is described below commit 60f3a2b1019373599c25bc09704bafa0884e4a2d Author: 章锡平 <40832063+zhangxipi...@users.noreply.github.com> AuthorDate: Tue Sep 19 00:40:22 2023 +0800 HDFS-17138 RBF: We changed the hadoop.security.auth_to_local configur… (#5921) --- .../AbstractDelegationTokenSecretManager.java | 7 ++++- .../hadoop/hdfs/security/TestDelegationToken.java | 32 ++++++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
index cafa5135e68..8378a47cedd 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
@@ -81,7 +81,12 @@ extends AbstractDelegationTokenIdentifier> = DelegationTokenSecretManagerMetrics.create(); private String formatTokenId(TokenIdent id) {
- return "(" + id + ")";
+ try {
+ return "(" + id + ")";
+ } catch (Exception e) {
+ LOG.warn("Exception in formatTokenId", e);
+ }
+ return "( SequenceNumber=" + id.getSequenceNumber() + " )";
 } /**
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
index 077b10320fd..d905609a1cb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
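Review bot: The warning in the new `catch` block of `formatTokenId` does not say which token failed and attaches a full stack trace, so when many stored tokens stop matching the auth_to_local rules (the case the new test drives through `logExpireTokens`) the log can fill with identical traces that cannot be tied to a token. Naming the token in the message would fix the correlation, e.g. `LOG.warn("Exception in formatTokenId for token with sequence number {}", id.getSequenceNumber(), e);` (assuming `LOG` is the SLF4J logger), and the catch can be narrowed to `RuntimeException`, since string concatenation can only surface unchecked exceptions from `toString()`. The fallback string also drops the owner and renewer, which weakens expiry and cancellation log lines as an audit trail; if the raw `getOwner()`/`getRenewer()` values can be read without applying the Kerberos rules, including them would keep that context, which is worth confirming. The rest of the class is outside the hunk, so other callers of `formatTokenId` are not visible here.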
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/security/TestDelegationToken.java
@@ -20,6 +20,7 @@ package org.apache.hadoop.hdfs.security;
+import static org.apache.hadoop.security.authentication.util.KerberosName.setRules;
 import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue;
@@ -29,6 +30,10 @@ import java.io.DataInputStream; import java.io.IOException; import java.net.URI; import java.security.PrivilegedExceptionAction;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
 import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.hadoop.conf.Configuration;
@@ -54,6 +59,7 @@ import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.token.SecretManager.InvalidToken; import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
 import org.apache.hadoop.test.GenericTestUtils; import org.slf4j.event.Level; import org.junit.After;
@@ -376,4 +382,30 @@ public class TestDelegationToken { " for SomeUser with renewer JobTracker", dtId.toStringStable()); }
+
+ @Test
+ public void testLogExpireTokensWhenChangeRules() throws IOException {
+ setRules("RULE:[2:$1@$0](SomeUser.*)s/.*/SomeUser/");
+ DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(
+ new Text("SomeUser/h...@example.com"),
+ new Text("SomeUser/h...@example.com"),
+ new Text("SomeUser/h...@example.com"));
+ Set<DelegationTokenIdentifier> expiredTokens = new HashSet();
+ expiredTokens.add(dtId);
+ setRules("RULE:[2:$1@$0](OtherUser.*)s/.*/OtherUser/");
+ //rules was modified, causing the existing tokens
+ //(May be loaded from other storage systems like zookeeper) to fail to match the kerberos rules,
+ //return an exception that cannot be handled
+ new AbstractDelegationTokenSecretManager<DelegationTokenIdentifier>(10 * 1000, 10 * 1000,
+ 10 * 1000, 10 * 1000) {
+ @Override
+ public DelegationTokenIdentifier createIdentifier() {
+ return null;
+ }
+ public void logExpireTokens(Collection<DelegationTokenIdentifier> expiredTokens)
+ throws IOException {
+ super.logExpireTokens(expiredTokens);
+ }
+ }.logExpireTokens(expiredTokens);
+ }
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
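Review bot: `testLogExpireTokensWhenChangeRules` calls the statically imported `setRules(...)` twice and never restores the earlier rules, so the process-wide Kerberos name mapping stays on the `OtherUser` rule for any test that runs later in the same JVM, unless a teardown outside this hunk resets it. Wrapping the body in `try { ... } finally { setRules("DEFAULT"); }`, or restoring a value captured before the test, would stop the principal-mapping state from leaking between tests. The test also makes no assertion and passes only because nothing is thrown; asserting on the logged fallback text would pin the behaviour the fix is meant to provide. Minor: `new HashSet()` is a raw type (`new HashSet<>()`), and the anonymous `logExpireTokens` override lacks `@Override`.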