Author: kihwal Date: Thu Aug 8 15:03:12 2013 New Revision: 1511823 URL: http://svn.apache.org/r1511823 Log: HADOOP-9850. RPC kerberos errors don't trigger relogin. Contributed by Daryn Sharp.
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1511823&r1=1511822&r2=1511823&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt Thu Aug 8 15:03:12 2013 @@ -699,6 +699,8 @@ Release 2.1.0-beta - 2013-08-06 HADOOP-9816. RPC Sasl QOP is broken (daryn) + HADOOP-9850. RPC kerberos errors don't trigger relogin. (daryn via kihwal) + BREAKDOWN OF HADOOP-8562 SUBTASKS AND RELATED JIRAS HADOOP-8924. Hadoop Common creating package-info.java must not depend on Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java?rev=1511823&r1=1511822&r2=1511823&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java Thu Aug 8 15:03:12 2013 
@@ -713,6 +713,7 @@ public class Client { } }); } catch (Exception ex) { + authMethod = saslRpcClient.getAuthMethod(); if (rand == null) { rand = new Random(); } Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java?rev=1511823&r1=1511822&r2=1511823&view=diff ============================================================================== --- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java (original) +++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java Thu Aug 8 15:03:12 2013 @@ -83,6 +83,7 @@ public class SaslRpcClient { private final Configuration conf; private SaslClient saslClient; + private AuthMethod authMethod; private static final RpcRequestHeaderProto saslHeader = ProtoUtil .makeRpcRequestHeader(RpcKind.RPC_PROTOCOL_BUFFER, @@ -113,6 +114,18 @@ public class SaslRpcClient { return (saslClient != null) ? saslClient.getNegotiatedProperty(key) : null; } + + // the RPC Client has an inelegant way of handling expiration of TGTs + // acquired via a keytab. any connection failure causes a relogin, so + // the Client needs to know what authMethod was being attempted if an + // exception occurs. the SASL prep for a kerberos connection should + // ideally relogin if necessary instead of exposing this detail to the + // Client + @InterfaceAudience.Private + public AuthMethod getAuthMethod() { + return authMethod; + } + /** * Instantiate a sasl client for the first supported auth type in the * given list. The auth type must be defined, enabled, and the user 
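Review bot: The added `authMethod = saslRpcClient.getAuthMethod();` at the top of the `catch (Exception ex)` block dereferences `saslRpcClient` without a null check. The hunk does not show where that field is assigned. If it is set inside the guarded call, a failure before the assignment would throw a NullPointerException from the handler, or read the value left by an earlier attempt's instance, and mask the original error. A guard such as `if (saslRpcClient == null) { throw ex; }` before the assignment (wrapped as the enclosing method's signature requires) would keep the real failure visible. The try/catch and its retry handling start and end outside the hunk.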
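Review bot: `getAuthMethod()` in the `@@ -113` hunk is documented only by a `//` block above `@InterfaceAudience.Private`, so the contract never reaches Javadoc and does not say what the accessor returns at each stage. Judging by the other hunks in this file, the field added at `@@ -83` has no initializer and stays null until the connect routine in the `@@ -319` hunk sets `AuthMethod.SIMPLE`. It is then overwritten with the method being attempted once a NEGOTIATE message is handled, before the exchange has completed. I would turn the comment into a Javadoc block stating that the value is the method last attempted, that it may be null before a connect, and that it must not be read as proof that authentication with that method succeeded.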
@@ -319,8 +332,9 @@ public class SaslRpcClient { DataOutputStream outStream = new DataOutputStream(new BufferedOutputStream( outS)); - // redefined if/when a SASL negotiation completes - AuthMethod authMethod = AuthMethod.SIMPLE; + // redefined if/when a SASL negotiation starts, can be queried if the + // negotiation fails + authMethod = AuthMethod.SIMPLE; sendSaslMessage(outStream, negotiateRequest); @@ -357,6 +371,7 @@ public class SaslRpcClient { case NEGOTIATE: { // create a compatible SASL client, throws if no supported auths SaslAuth saslAuthType = selectSaslClient(saslMessage.getAuthsList()); + // define auth being attempted, caller can query if connect fails authMethod = AuthMethod.valueOf(saslAuthType.getMethod()); byte[] responseToken = null;
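Review bot: The new comment above `authMethod = AuthMethod.valueOf(saslAuthType.getMethod());` in the `@@ -357` hunk should say where the value comes from. It is taken from the auth list in the server's NEGOTIATE message before any SASL token has been exchanged, so it is a claim by a peer that is not yet authenticated. The getter's comment says the Client uses this value after a failure to decide on relogin, so a wording like `// auth being attempted, as advertised by the not-yet-authenticated server; queried by the caller only to decide on relogin if connect fails` would make that explicit. It is also worth confirming that the retry limit and backoff around the catch in Client.java bound how often a failing or misbehaving server can cause a keytab relogin. The `case NEGOTIATE` block continues outside the hunk.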