[jira] [Commented] (HADOOP-11934) Use of JavaKeyStoreProvider in LdapGroupsMapping causes infinite loop

Wed, 27 May 2015 10:18:18 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-11934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14561312#comment-14561312
 ] 

Chris Nauroth commented on HADOOP-11934:
----------------------------------------

{{FileUtil#setPermission}} is a static method that's implemented entirely in 
terms of JDK classes like {{java.io.File}}.  It doesn't interact with a Hadoop 
{{FileSystem}}, so I don't expect it to trigger the Hadoop group lookup 
machinery.

I think using {{AclFileAttributeView}} implies that we'd need to reimplement 
the mapping of POSIX permissions onto NTFS ACLs.  As per the following quote, 
the special OWNER, GROUP and EVERYONE users that would map directly to POSIX 
permissions are only applicable if the file system also supports 
{{PosixFileAttributeView}}, which Windows doesn't.

bq. When both the AclFileAttributeView and the PosixFileAttributeView are 
supported then these special user identities may be included in ACL entries 
that are read or written.

This mapping is a non-trivial piece of logic.  We already have that logic down 
in the JNI layer inside libwinutils.c, functions {{GetWindowsDACLs}} and 
{{ChangeFileModeByMask}}.  I'm going to play around with this a bit more and 
come back with a recommendation for the simplest way this code can call into 
that logic.

> Use of JavaKeyStoreProvider in LdapGroupsMapping causes infinite loop
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-11934
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11934
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Mike Yoder
>            Assignee: Larry McCay
>         Attachments: HADOOP-11934-11.patch, HADOOP-11934.001.patch, 
> HADOOP-11934.002.patch, HADOOP-11934.003.patch, HADOOP-11934.004.patch, 
> HADOOP-11934.005.patch, HADOOP-11934.006.patch, HADOOP-11934.007.patch, 
> HADOOP-11934.008.patch, HADOOP-11934.009.patch, HADOOP-11934.010.patch
>
>
> I was attempting to use the LdapGroupsMapping code and the 
> JavaKeyStoreProvider at the same time, and hit a really interesting, yet 
> fatal, issue.  The code goes into what ought to have been an infinite loop, 
> were it not for it overflowing the stack and Java ending the loop.  Here is a 
> snippet of the stack; my annotations are at the bottom.
> {noformat}
>       at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
>       at org.apache.hadoop.fs.Path.getFileSystem(Path.java:296)
>       at 
> org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:88)
>       at 
> org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:65)
>       at 
> org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:291)
>       at 
> org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:58)
>       at 
> org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:1863)
>       at 
> org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:1843)
>       at 
> org.apache.hadoop.security.LdapGroupsMapping.getPassword(LdapGroupsMapping.java:386)
>       at 
> org.apache.hadoop.security.LdapGroupsMapping.setConf(LdapGroupsMapping.java:349)
>       at 
> org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:73)
>       at 
> org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:70)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:66)
>       at 
> org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:280)
>       at 
> org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:283)
>       at 
> org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:260)
>       at 
> org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:804)
>       at 
> org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:774)
>       at 
> org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:647)
>       at 
> org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
>       at 
> org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
>       at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
>       at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
>       at org.apache.hadoop.fs.Path.getFileSystem(Path.java:296)
>       at 
> org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:88)
>       at 
> org.apache.hadoop.security.alias.JavaKeyStoreProvider.<init>(JavaKeyStoreProvider.java:65)
>       at 
> org.apache.hadoop.security.alias.JavaKeyStoreProvider$Factory.createProvider(JavaKeyStoreProvider.java:291)
>       at 
> org.apache.hadoop.security.alias.CredentialProviderFactory.getProviders(CredentialProviderFactory.java:58)
>       at 
> org.apache.hadoop.conf.Configuration.getPasswordFromCredentialProviders(Configuration.java:1863)
>       at 
> org.apache.hadoop.conf.Configuration.getPassword(Configuration.java:1843)
>       at 
> org.apache.hadoop.security.LdapGroupsMapping.getPassword(LdapGroupsMapping.java:386)
>       at 
> org.apache.hadoop.security.LdapGroupsMapping.setConf(LdapGroupsMapping.java:349)
>       at 
> org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:73)
>       at 
> org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:133)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:70)
>       at org.apache.hadoop.security.Groups.<init>(Groups.java:66)
>       at 
> org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:280)
>       at 
> org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:283)
>       at 
> org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:260)
>       at 
> org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:804)
>       at 
> org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:774)
>       at 
> org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:647)
>       at 
> org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
>       at 
> org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
>       at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
>       at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
>       at org.apache.hadoop.fs.Path.getFileSystem(Path.java:296){noformat}
> Here's my annotation, going from bottom to top.
> * Somehow we enter Path.getFileSystem()
> * This goes to FileSystem cache stuff, and then it wants the current user
> * So we get to UserGroupInformation.getCurrentUser(), which as you can 
> imagine gets to
> * getUserToGroupsMappingService and thence to LdapGroupsMapping.setConf().
> * That code gets the needed passwords, and we're using the 
> CredentialProvider, so unsurprisingly we get to
> * getPasswordFromCredentialProviders() - which chooses the 
> JavaKeyStoreProvider like I told it to.
> * The JavaKeyStoreProvider, in its constructor, does "fs = 
> path.getFileSystem(conf);"
> * And guess what, we're back in Path.getFileSystem, where we started at the 
> beginning.
> Please let me know if I've somehow configured something incorrectly, but if I 
> have I can't figure out what it is...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to