This is an automated email from the ASF dual-hosted git repository. xyao pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push: new f41f938 HADOOP-16199. KMSLoadBlanceClientProvider does not select token correctly. Contributed by Xiaoyu Yao. f41f938 is described below commit f41f938b2e498161da96bfad77410871a3a85728 Author: Xiaoyu Yao <x...@apache.org> AuthorDate: Thu Mar 28 21:55:31 2019 -0700 HADOOP-16199. KMSLoadBlanceClientProvider does not select token correctly. Contributed by Xiaoyu Yao. This closes #642. --- .../key/kms/LoadBalancingKMSClientProvider.java | 3 ++ .../kms/TestLoadBalancingKMSClientProvider.java | 35 ++++++++++++++++++---- 2 files changed, 32 insertions(+), 6 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java index 6cb2cdc..ee2295c 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java @@ -148,6 +148,9 @@ public class LoadBalancingKMSClientProvider extends KeyProvider implements selectDelegationToken(Credentials creds) { Token<? extends TokenIdentifier> token = KMSClientProvider.selectDelegationToken(creds, canonicalService); + if (token == null) { + token = KMSClientProvider.selectDelegationToken(creds, dtService); + } // fallback to querying each sub-provider. if (token == null) { for (KMSClientProvider provider : getProviders()) { diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java index 259feda..7804c73 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/kms/TestLoadBalancingKMSClientProvider.java @@ -916,10 +916,7 @@ public class TestLoadBalancingKMSClientProvider { } } - @Test - public void testGetActualUGI() throws Exception { - // enable security - final Configuration conf = new Configuration(); + private void testTokenSelectionWithConf(Configuration conf) throws Exception { conf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(conf); @@ -927,6 +924,9 @@ public class TestLoadBalancingKMSClientProvider { "foo", new String[] {"hadoop"}); String providerUriString = "kms://http@host1;host2;host3:9600/kms/foo"; + conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH, + providerUriString); + final URI kmsUri = URI.create(providerUriString); // create a fake kms dt final Token token = new Token(); @@ -951,7 +951,30 @@ public class TestLoadBalancingKMSClientProvider { }); // make sure getActualUgi() returns the current user, not login user. assertEquals( - "getActualUgi() should return the current user, not login user", - ugi, actualUgi); + "testTokenSelectionWithConf() should return the" + + " current user, not login user", ugi, actualUgi); + } + + @Test + public void testTokenSelectionWithKMSUriInConf() throws Exception { + final Configuration conf = new Configuration(); + conf.set("hadoop.security.authentication", "kerberos"); + + // test client with hadoop.security.key.provider.path configured. + String providerUriString = "kms://http@host1;host2;host3:9600/kms/foo"; + conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH, + providerUriString); + + testTokenSelectionWithConf(conf); + } + + @Test + public void testGetActualUGI() throws Exception { + final Configuration conf = new Configuration(); + conf.set("hadoop.security.authentication", "kerberos"); + UserGroupInformation.setConfiguration(conf); + + // test client without hadoop.security.key.provider.path configured. + testTokenSelectionWithConf(conf); } } \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org