Author: tgraves
Date: Thu Jan 31 22:38:32 2013
New Revision: 1441236

URL: http://svn.apache.org/viewvc?rev=1441236&view=rev
Log:
HADOOP-8878. uppercase namenode hostname causes hadoop dfs calls with webhdfs 
filesystem and fsck to fail when security is on  (Arpit Gupta via tgraves)

Added:
    
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosUtil.java
Modified:
    
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
    
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
    
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt

Modified: 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
URL: 
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java?rev=1441236&r1=1441235&r2=1441236&view=diff
==============================================================================
--- 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
 (original)
+++ 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
 Thu Jan 31 22:38:32 2013
@@ -194,7 +194,8 @@ public class KerberosAuthenticator imple
           GSSContext gssContext = null;
           try {
             GSSManager gssManager = GSSManager.getInstance();
-            String servicePrincipal = "HTTP/" + 
KerberosAuthenticator.this.url.getHost();
+            String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
+                KerberosAuthenticator.this.url.getHost());
             Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
             GSSName serviceName = gssManager.createName(servicePrincipal,
                                                         oid);
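Review bot: The new call passes `url.getHost()` straight into `KerberosUtil.getServicePrincipal`, so on this client path a URL host that is empty or `0.0.0.0` is now silently replaced with the local machine's canonical name (the fallback is in the KerberosUtil hunk of this commit) rather than producing `HTTP/` plus what the URL said. That may be intended for URLs that point at a wildcard address, but it changes which service identity the client asks a ticket for and deserves a comment at the call, e.g. `// host part is the URL host lower-cased; null, "" or "0.0.0.0" resolve to this machine's FQDN`. The helper also declares `UnknownHostException`; whether the surrounding handler covers it cannot be seen, because the try block and the enclosing method continue outside the hunk.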

Modified: 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
URL: 
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java?rev=1441236&r1=1441235&r2=1441236&view=diff
==============================================================================
--- 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
 (original)
+++ 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
 Thu Jan 31 22:38:32 2013
@@ -20,6 +20,9 @@ package org.apache.hadoop.security.authe
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Locale;
 
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.Oid;
@@ -65,4 +68,33 @@ public class KerberosUtil {
          new Class[0]);
     return (String)getDefaultRealmMethod.invoke(kerbConf, new Object[0]);
   }
+  
+  /* Return fqdn of the current host */
+  static String getLocalHostName() throws UnknownHostException {
+    return InetAddress.getLocalHost().getCanonicalHostName();
+  }
+  
+  /**
+   * Create Kerberos principal for a given service and hostname. It converts
+   * hostname to lower case. If hostname is null or "0.0.0.0", it uses
+   * dynamically looked-up fqdn of the current host instead.
+   * 
+   * @param service
+   *          Service for which you want to generate the principal.
+   * @param hostname
+   *          Fully-qualified domain name.
+   * @return Converted Kerberos principal name.
+   * @throws UnknownHostException
+   *           If no IP address for the local host could be found.
+   */
+  public static final String getServicePrincipal(String service, String 
hostname)
+      throws UnknownHostException {
+    String fqdn = hostname;
+    if (null == fqdn || fqdn.equals("") || fqdn.equals("0.0.0.0")) {
+      fqdn = getLocalHostName();
+    }
+    // convert hostname to lowercase as kerberos does not work with hostnames
+    // with uppercase characters.
+    return service + "/" + fqdn.toLowerCase(Locale.US);
+  }
 }
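Review bot: The fallback in `getServicePrincipal` takes the host part from `InetAddress.getLocalHost().getCanonicalHostName()`, which is a best-effort lookup and can return a short name or an IP literal when reverse resolution is not set up, yielding a principal that matches no keytab or KDC entry without any error at this point. A comment on `getLocalHostName()` should say so, e.g. `/* Best-effort FQDN of this host; may be a short name or IP literal if the resolver cannot supply one */`. The Javadoc also names only null and "0.0.0.0" as fallback triggers while the condition treats the empty string the same way; `If hostname is null, empty or "0.0.0.0"` would match the code. As a style point, `final` on a static method adds nothing and can be dropped.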

Added: 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosUtil.java
URL: 
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosUtil.java?rev=1441236&view=auto
==============================================================================
--- 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosUtil.java
 (added)
+++ 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosUtil.java
 Thu Jan 31 22:38:32 2013
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations 
under
+ * the License.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
+import org.junit.Test;
+
+public class TestKerberosUtil {
+
+  @Test
+  public void testGetServerPrincipal() throws IOException {
+    String service = "TestKerberosUtil";
+    String localHostname = KerberosUtil.getLocalHostName();
+    String testHost = "FooBar";
+
+    // send null hostname
+    assertEquals("When no hostname is sent",
+        service + "/" + localHostname.toLowerCase(),
+        KerberosUtil.getServicePrincipal(service, null));
+    // send empty hostname
+    assertEquals("When empty hostname is sent",
+        service + "/" + localHostname.toLowerCase(),
+        KerberosUtil.getServicePrincipal(service, ""));
+    // send 0.0.0.0 hostname
+    assertEquals("When 0.0.0.0 hostname is sent",
+        service + "/" + localHostname.toLowerCase(),
+        KerberosUtil.getServicePrincipal(service, "0.0.0.0"));
+    // send uppercase hostname
+    assertEquals("When uppercase hostname is sent",
+        service + "/" + testHost.toLowerCase(),
+        KerberosUtil.getServicePrincipal(service, testHost));
+    // send lowercase hostname
+    assertEquals("When lowercase hostname is sent",
+        service + "/" + testHost.toLowerCase(),
+        KerberosUtil.getServicePrincipal(service, testHost.toLowerCase()));
+  }
+}
\ No newline at end of file
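Review bot: The expected values are built with `localHostname.toLowerCase()` and `testHost.toLowerCase()` in the default locale, while the code under test lower-cases with `Locale.US`, so on a JVM whose default locale has different casing rules (Turkish dotless i, for instance) a local hostname containing `I` would make the first three assertions fail. Use `toLowerCase(Locale.US)` in the expectations, together with `import java.util.Locale;`. The test also depends on the build host being able to resolve its own name, since `getLocalHostName()` throws `UnknownHostException` otherwise, and the import of `KerberosUtil` from the same package is redundant.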

Modified: 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
URL: 
http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1441236&r1=1441235&r2=1441236&view=diff
==============================================================================
--- 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
 (original)
+++ 
hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
 Thu Jan 31 22:38:32 2013
@@ -46,6 +46,10 @@ Release 0.23.7 - UNRELEASED
     HADOOP-8251. Fix SecurityUtil.fetchServiceTicket after HADOOP-6941 (todd
     via tgraves)
 
+    HADOOP-8878. uppercase namenode hostname causes hadoop dfs calls with 
+    webhdfs filesystem and fsck to fail when security is on  (Arpit Gupta
+    via tgraves)
+
 Release 0.23.6 - UNRELEASED
 
   INCOMPATIBLE CHANGES

