Author: atm Date: Wed Mar 5 22:36:03 2014 New Revision: 1574702 URL: http://svn.apache.org/r1574702 Log: HDFS-5898. Allow NFS gateway to login/relogin from its kerberos keytab. Contributed by Abin Shahab.
Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/mount/RpcProgramMountd.java Wed Mar 5 22:36:03 2014 @@ -16,6 +16,8 @@ * limitations under the License. */ package org.apache.hadoop.hdfs.nfs.mount; +import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NFS_KEYTAB_FILE_KEY; +import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NFS_USER_NAME_KEY; import java.io.IOException; import java.net.InetAddress; @@ -46,6 +48,8 @@ import org.apache.hadoop.oncrpc.RpcRespo import org.apache.hadoop.oncrpc.RpcUtil; import org.apache.hadoop.oncrpc.XDR; import org.apache.hadoop.oncrpc.security.VerifierNone; +import org.apache.hadoop.security.SecurityUtil; +import org.apache.hadoop.security.UserGroupInformation; import org.jboss.netty.buffer.ChannelBuffer; import org.jboss.netty.buffer.ChannelBuffers; import org.jboss.netty.channel.ChannelHandlerContext; @@ -83,6 +87,9 @@ public class RpcProgramMountd extends Rp Nfs3Constant.EXPORT_POINT_DEFAULT)); this.hostsMatcher = NfsExports.getInstance(config); this.mounts = Collections.synchronizedList(new ArrayList<MountEntry>()); + UserGroupInformation.setConfiguration(config); + SecurityUtil.login(config, DFS_NFS_KEYTAB_FILE_KEY, + DFS_NFS_USER_NAME_KEY); this.dfsClient = new DFSClient(NameNode.getAddress(config), config); } Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/DFSClientCache.java Wed Mar 5 22:36:03 2014 @@ -17,6 +17,8 @@ */ package org.apache.hadoop.hdfs.nfs.nfs3; +import org.apache.commons.logging.LogFactory; + import java.io.IOException; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; @@ -28,7 +30,6 @@ import java.util.concurrent.TimeUnit; import com.google.common.base.Preconditions; import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FSDataInputStream; import org.apache.hadoop.hdfs.DFSClient; @@ -192,6 +193,8 @@ class DFSClientCache { throws IOException { Preconditions.checkNotNull(effectiveUser); Preconditions.checkNotNull(realUser); + realUser.checkTGTAndReloginFromKeytab(); + UserGroupInformation ugi = UserGroupInformation.createProxyUser(effectiveUser, realUser); if (LOG.isDebugEnabled()){ Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/main/java/org/apache/hadoop/hdfs/nfs/nfs3/RpcProgramNfs3.java Wed Mar 5 22:36:03 2014 @@ -121,6 +121,8 @@ import org.apache.hadoop.oncrpc.security import org.apache.hadoop.oncrpc.security.Verifier; import org.apache.hadoop.oncrpc.security.VerifierNone; import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.SecurityUtil; +import org.apache.hadoop.security.UserGroupInformation; import org.jboss.netty.buffer.ChannelBuffer; import org.jboss.netty.buffer.ChannelBuffers; import org.jboss.netty.channel.Channel; @@ -128,6 +130,9 @@ import org.jboss.netty.channel.ChannelHa import com.google.common.annotations.VisibleForTesting; +import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NFS_KEYTAB_FILE_KEY; +import static org.apache.hadoop.hdfs.DFSConfigKeys.DFS_NFS_USER_NAME_KEY; + /** * RPC program corresponding to nfs daemon. See {@link Nfs3}. */ @@ -187,6 +192,10 @@ public class RpcProgramNfs3 extends RpcP Nfs3Constant.FILE_DUMP_DIR_DEFAULT); boolean enableDump = config.getBoolean(Nfs3Constant.ENABLE_FILE_DUMP_KEY, Nfs3Constant.ENABLE_FILE_DUMP_DEFAULT); + UserGroupInformation.setConfiguration(config); + SecurityUtil.login(config, DFS_NFS_KEYTAB_FILE_KEY, + DFS_NFS_USER_NAME_KEY); + if (!enableDump) { writeDumpDir = null; } else { Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs-nfs/src/test/java/org/apache/hadoop/hdfs/nfs/nfs3/TestDFSClientCache.java Wed Mar 5 22:36:03 2014 @@ -17,6 +17,7 @@ */ package org.apache.hadoop.hdfs.nfs.nfs3; +import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.KERBEROS; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; @@ -53,14 +54,35 @@ public class TestDFSClientCache { } @Test + public void testGetUserGroupInformationSecure() throws IOException { + String userName = "user1"; + String currentUser = "test-user"; + + + Configuration conf = new Configuration(); + UserGroupInformation currentUserUgi + = UserGroupInformation.createRemoteUser(currentUser); + currentUserUgi.setAuthenticationMethod(KERBEROS); + UserGroupInformation.setLoginUser(currentUserUgi); + + DFSClientCache cache = new DFSClientCache(conf); + UserGroupInformation ugiResult + = cache.getUserGroupInformation(userName, currentUserUgi); + + assertThat(ugiResult.getUserName(), is(userName)); + assertThat(ugiResult.getRealUser(), is(currentUserUgi)); + assertThat( + ugiResult.getAuthenticationMethod(), + is(UserGroupInformation.AuthenticationMethod.PROXY)); + } + + @Test public void testGetUserGroupInformation() throws IOException { String userName = "user1"; String currentUser = "currentUser"; UserGroupInformation currentUserUgi = UserGroupInformation .createUserForTesting(currentUser, new String[0]); - currentUserUgi.setAuthenticationMethod( - UserGroupInformation.AuthenticationMethod.KERBEROS); Configuration conf = new Configuration(); conf.set(FileSystem.FS_DEFAULT_NAME_KEY, "hdfs://localhost"); DFSClientCache cache = new DFSClientCache(conf); Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt Wed Mar 5 22:36:03 2014 @@ -286,6 +286,9 @@ Release 2.4.0 - UNRELEASED HDFS-5857. TestWebHDFS#testNamenodeRestart fails intermittently with NPE. (Mit Desai via wheat9) + HDFS-5898. Allow NFS gateway to login/relogin from its kerberos keytab. + (Abin Shahab via atm) + BREAKDOWN OF HDFS-5698 SUBTASKS AND RELATED JIRAS HDFS-5717. Save FSImage header in protobuf. (Haohui Mai via jing9) Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSConfigKeys.java Wed Mar 5 22:36:03 2014 @@ -609,4 +609,6 @@ public class DFSConfigKeys extends Commo public static final String DFS_DFSCLIENT_HEDGED_READ_THREADPOOL_SIZE = "dfs.client.hedged.read.threadpool.size"; public static final int DEFAULT_DFSCLIENT_HEDGED_READ_THREADPOOL_SIZE = 0; + public static final String DFS_NFS_KEYTAB_FILE_KEY = "dfs.nfs.keytab.file"; + public static final String DFS_NFS_USER_NAME_KEY = "dfs.nfs.kerberos.principal"; } Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml Wed Mar 5 22:36:03 2014 @@ -1252,6 +1252,26 @@ non-zero integer. </description> </property> +<property> + <name>dfs.nfs.keytab.file</name> + <value></value> + <description> + *Note*: Advanced property. Change with caution. + This is the path to the keytab file for the hdfs-nfs gateway. + This is required when the cluster is kerberized. + </description> +</property> + +<property> + <name>dfs.nfs.kerberos.principal</name> + <value></value> + <description> + *Note*: Advanced property. Change with caution. + This is the name of the kerberos principal. This is required when + the cluster is kerberized.It must be of this format: + nfs-gateway-user/nfs-gateway-host@kerberos-realm + </description> +</property> <property> <name>dfs.webhdfs.enabled</name> Modified: hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm?rev=1574702&r1=1574701&r2=1574702&view=diff ============================================================================== --- hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm (original) +++ hadoop/common/branches/branch-2.4/hadoop-hdfs-project/hadoop-hdfs/src/site/apt/HdfsNfsGateway.apt.vm Wed Mar 5 22:36:03 2014 @@ -46,8 +46,38 @@ HDFS NFS Gateway * {Configuration} - NFS gateway can work with its default settings in most cases. However, it's - strongly recommended for the users to update a few configuration properties based on their use + The user running the NFS-gateway must be able to proxy all the users using the NFS mounts. + For instance, if user 'nfsserver' is running the gateway, and users belonging to the groups 'nfs-users1' + and 'nfs-users2' use the NFS mounts, then in core-site.xml of the namenode, the following must be set: +---- +<property> + <name>hadoop.proxyuser.nfsserver.groups</name> + <value>nfs-users1,nfs-users2</value> + <description> + The 'nfsserver' user is allowed to proxy all members of the 'nfs-users1' and 'nfs-users2' groups. Set this to '*' to allow nfsserver user to proxy any group. + </description> +</property> +<property> + <name>hadoop.proxyuser.nfsserver.hosts</name> + <value>nfs-client-host1.com</value> + <description> + This is the host where the nfs gateway is running. Set this to '*' to allow requests from any hosts to be proxied. + </description> +</property> +---- + The above are the only required configuration for the NFS gateway in non-secure mode. For Kerberized + hadoop clusters, the following configurations need to be added to hdfs-site.xml: +---- +<property> + <name>dfs.nfsgateway.keytab.file</name> + <value>/etc/hadoop/conf/nfsserver.keytab</value> <!-- path to the nfs gateway keytab --> +</property> +<property> + <name>dfs.nfsgateway.kerberos.principal</name> + <value>nfsserver/_h...@your-realm.com</value> +</property> +---- + It's strongly recommended for the users to update a few configuration properties based on their use cases. All the related configuration properties can be added or updated in hdfs-site.xml. * If the client mounts the export with access time update allowed, make sure the following