[ 
https://issues.apache.org/jira/browse/HADOOP-11934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14543882#comment-14543882
 ] 

Larry McCay commented on HADOOP-11934:
--------------------------------------

Great to hear about the infinite loop - that is all we really need to ensure!
Actual group lookup won't be affected by this feature and the provider is 
generally tested in the TestCredentialProviderFactory test.
There was no real way to unit test the infinite loop issue.

Your two comments are reasonable.
The default of 700 matches the default for credential store creation from the 
CLI.
I don't recall why it required execute permissions but I believe that it did.
Given that this isn't a configurable argument, I think it is fine the way it is.
I'll look at changing it though.

I agree - all that code for getting to the PosixFilePermissions is annoying.
I'll see what I can do there as well.

Thanks for the testing and the review, Mike!
Much appreciated.



> Use of JavaKeyStoreProvider in LdapGroupsMapping causes infinite loop
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-11934
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11934
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Mike Yoder
>            Assignee: Larry McCay
>         Attachments: HADOOP-11934.001.patch, HADOOP-11934.002.patch, 
> HADOOP-11934.003.patch, HADOOP-11934.004.patch, HADOOP-11934.005.patch
>
>
> I was attempting to use the LdapGroupsMapping code and the 
> JavaKeyStoreProvider at the same time, and hit a really interesting, yet 
> fatal, issue.  The code goes into what ought to have been an infinite loop, 
> were it not for it overflowing the stack and Java ending the loop.  Here is a 
> snippet of the stack; my annotations are at the bottom.
> {noformat}
>       at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
>       at org.apache.hadoop.fs.Path.getFileSystem(Path.java:296)
>       at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:88)
>       at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:65)
>       at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:291)
>       at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:58)
>       at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:1863)
>       at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:1843)
>       at org.apache.hadoop.security.LdapGroupsMapping.getPassword(LdapGroupsMapping.java:386)
>       at org.apache.hadoop.security.LdapGroupsMapping.setConf(LdapGroupsMapping.java:349)
>       at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:73)
>       at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:70)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:66)
>       at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:280)
>       at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:283)
>       at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:260)
>       at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:804)
>       at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:774)
>       at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:647)
>       at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
>       at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
>       at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
>       at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
>       at org.apache.hadoop.fs.Path.getFileSystem(Path.java:296)
>       at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:88)
>       at org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:65)
>       at org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:291)
>       at org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:58)
>       at org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:1863)
>       at org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:1843)
>       at org.apache.hadoop.security.LdapGroupsMapping.getPassword(LdapGroupsMapping.java:386)
>       at org.apache.hadoop.security.LdapGroupsMapping.setConf(LdapGroupsMapping.java:349)
>       at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:73)
>       at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:70)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:66)
>       at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:280)
>       at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:283)
>       at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:260)
>       at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:804)
>       at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:774)
>       at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:647)
>       at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
>       at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
>       at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
>       at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
>       at org.apache.hadoop.fs.Path.getFileSystem(Path.java:296){noformat}
> Here's my annotation, going from bottom to top.
> * Somehow we enter Path.getFileSystem()
> * This goes to FileSystem cache stuff, and then it wants the current user
> * So we get to UserGroupInformation.getCurrentUser(), which as you can 
> imagine gets to
> * getUserToGroupsMappingService and thence to LdapGroupsMapping.setConf().
> * That code gets the needed passwords, and we're using the 
> CredentialProvider, so unsurprisingly we get to
> * getPasswordFromCredentialProviders() - which chooses the 
> JavaKeyStoreProvider like I told it to.
> * The JavaKeyStoreProvider, in its constructor, does "fs = 
> path.getFileSystem(conf);"
> * And guess what, we're back in Path.getFileSystem, where we started at the 
> beginning.
> Please let me know if I've somehow configured something incorrectly, but if I 
> have I can't figure out what it is...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
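
An added example, not code from the HADOOP-11934 patches or from Hadoop: one way to turn an octal mode such as the 700 default discussed in the comment into a `PosixFilePermission` set and create a keystore file with it using `java.nio` alone, so that opening the store involves no file-system or current-user lookup of the kind seen in the stack trace. The class name, method names, file name and password are hypothetical, and a POSIX file system is assumed.

```java
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.util.EnumSet;
import java.util.Set;

public class LocalKeystorePermsExample {

  // Convert an octal mode string such as "700" into the set java.nio expects.
  static Set<PosixFilePermission> fromOctal(String mode) {
    if (!mode.matches("[0-7]{3}")) {
      throw new IllegalArgumentException("expected three octal digits: " + mode);
    }
    int bits = Integer.parseInt(mode, 8);
    // The enum constants are declared OWNER_READ .. OTHERS_EXECUTE,
    // the same order as the mode bits 0400 .. 0001.
    PosixFilePermission[] all = PosixFilePermission.values();
    Set<PosixFilePermission> perms = EnumSet.noneOf(PosixFilePermission.class);
    for (int i = 0; i < all.length; i++) {
      if ((bits & (0400 >> i)) != 0) {
        perms.add(all[i]);
      }
    }
    return perms;
  }

  // Create an empty keystore whose file is restricted from the moment it exists.
  static Path createStore(Path file, char[] password, String mode) throws Exception {
    Set<PosixFilePermission> perms = fromOctal(mode);
    // Permissions are applied at creation; createFile fails if the file already exists.
    Files.createFile(file, PosixFilePermissions.asFileAttribute(perms));
    // The umask can only clear bits, so set the mode again to get exactly what was asked.
    Files.setPosixFilePermissions(file, perms);
    KeyStore ks = KeyStore.getInstance("JCEKS");
    ks.load(null, password);               // null stream: start from an empty store
    try (OutputStream out = Files.newOutputStream(file)) {
      ks.store(out, password);
    }
    return file;
  }

  public static void main(String[] args) throws Exception {
    Path dir = Files.createTempDirectory("ks-example");  // constructed sample location
    Path store = createStore(dir.resolve("example.jceks"), "changeit".toCharArray(), "700");
    System.out.println(PosixFilePermissions.toString(Files.getPosixFilePermissions(store)));
  }
}
```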
