HDFS-3083. Cannot run an MR job with HA and security enabled when second-listed NN active. Contributed by Aaron T. Myers.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1303098 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Aaron Myers 2012-03-20 19:00:56 +00:00
parent a24d12bdec
commit 4ceca97606
5 changed files with 29 additions and 1 deletions

View File

@ -1131,6 +1131,7 @@ private void saslReadAndProcess(byte[] saslToken) throws IOException,
throw new AccessControlException(
"Server is not configured to do DIGEST authentication.");
}
secretManager.checkAvailableForRead();
saslServer = Sasl.createSaslServer(AuthMethod.DIGEST
.getMechanismName(), null, SaslRpcServer.SASL_DEFAULT_REALM,
SaslRpcServer.SASL_PROPS, new SaslDigestCallbackHandler(

View File

@ -29,6 +29,7 @@
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.ipc.StandbyException;
/**
@ -72,6 +73,17 @@ public InvalidToken(String msg) {
* @return the newly created empty token identifier
*/
public abstract T createIdentifier();
/**
* No-op if the secret manager is available for reading tokens, throw a
* StandbyException otherwise.
*
* @throws StandbyException if the secret manager is not available to read
* tokens
*/
public void checkAvailableForRead() throws StandbyException {
// Default to being available for read.
}
/**
* The name of the hashing algorithm.

View File

@ -318,6 +318,9 @@ Release 0.23.3 - UNRELEASED
HDFS-3062. Fix bug which prevented MR job submission from creating
delegation tokens on an HA cluster. (Mingjie Lai via todd)
HDFS-3083. Cannot run an MR job with HA and security enabled when
second-listed NN active. (atm)
BREAKDOWN OF HDFS-1623 SUBTASKS
HDFS-2179. Add fencing framework and mechanisms for NameNode HA. (todd)

View File

@ -30,7 +30,9 @@
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.hdfs.server.namenode.NameNode.OperationCategory;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.StandbyException;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
@ -73,6 +75,16 @@ public DelegationTokenSecretManager(long delegationKeyUpdateInterval,
public DelegationTokenIdentifier createIdentifier() {
return new DelegationTokenIdentifier();
}
@Override //SecretManager
public void checkAvailableForRead() throws StandbyException {
namesystem.readLock();
try {
namesystem.checkOperation(OperationCategory.READ);
} finally {
namesystem.readUnlock();
}
}
/**
* Returns expiry time of a token given its identifier.

View File

@ -646,7 +646,7 @@ void stopStandbyServices() throws IOException {
}
void checkOperation(OperationCategory op) throws StandbyException {
public void checkOperation(OperationCategory op) throws StandbyException {
if (haContext != null) {
// null in some unit tests
haContext.checkOperation(op);