diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java index 5f642c4f69..21d5c0ab02 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java @@ -1131,6 +1131,7 @@ private void saslReadAndProcess(byte[] saslToken) throws IOException, throw new AccessControlException( "Server is not configured to do DIGEST authentication."); } + secretManager.checkAvailableForRead(); saslServer = Sasl.createSaslServer(AuthMethod.DIGEST .getMechanismName(), null, SaslRpcServer.SASL_DEFAULT_REALM, SaslRpcServer.SASL_PROPS, new SaslDigestCallbackHandler( diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java index 80e7b1ae82..cda36fe659 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java @@ -29,6 +29,7 @@ import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceStability; +import org.apache.hadoop.ipc.StandbyException; /** @@ -72,6 +73,17 @@ public InvalidToken(String msg) { * @return the newly created empty token identifier */ public abstract T createIdentifier(); + + /** + * No-op if the secret manager is available for reading tokens, throw a + * StandbyException otherwise. + * + * @throws StandbyException if the secret manager is not available to read + * tokens + */ + public void checkAvailableForRead() throws StandbyException { + // Default to being available for read. + } /** * The name of the hashing algorithm. 
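Review bot: The new `secretManager.checkAvailableForRead();` call in the DIGEST branch of saslReadAndProcess can throw before any credential has been examined, so it matters how the surrounding error path classifies that exception. If the handler outside this hunk treats every exception from this method as a failed authentication, standby rejections would be counted and audit-logged as auth failures, which adds noise to brute-force detection during a failover; worth confirming, and separating the two cases if so. A short comment above the call would also help, e.g. `// Reject before creating the SASL server so HA clients get StandbyException and fail over.` (rationale inferred from the HDFS-3083 summary, adjust as needed). saslReadAndProcess starts and ends outside the hunk.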
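Review bot: The default `checkAvailableForRead()` in SecretManager is a silent no-op, so a subclass whose token state is only valid in some server states stays fail-open unless its author knows to override it. The Javadoc should state that, along with the calling context this commit establishes: Server.saslReadAndProcess invokes it on the DIGEST path before the SASL server is created, i.e. before the peer has authenticated. Suggested addition to the Javadoc: `Called by the RPC server before DIGEST authentication begins; implementations should be cheap and must not assume an authenticated caller. Subclasses whose tokens depend on HA state should override.`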
diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt index 42d373a987..91bd312f08 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt +++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt @@ -318,6 +318,9 @@ Release 0.23.3 - UNRELEASED HDFS-3062. Fix bug which prevented MR job submission from creating delegation tokens on an HA cluster. (Mingjie Lai via todd) + HDFS-3083. Cannot run an MR job with HA and security enabled when + second-listed NN active. (atm) + BREAKDOWN OF HDFS-1623 SUBTASKS HDFS-2179. Add fencing framework and mechanisms for NameNode HA. (todd) diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java index ba62a2c225..a25ba5b52f 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/delegation/DelegationTokenSecretManager.java @@ -30,7 +30,9 @@ import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.hdfs.server.namenode.FSNamesystem; import org.apache.hadoop.hdfs.server.namenode.NameNode; +import org.apache.hadoop.hdfs.server.namenode.NameNode.OperationCategory; import org.apache.hadoop.io.Text; +import org.apache.hadoop.ipc.StandbyException; import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; 
@@ -73,6 +75,16 @@ public DelegationTokenSecretManager(long delegationKeyUpdateInterval, public DelegationTokenIdentifier createIdentifier() { return new DelegationTokenIdentifier(); } + + @Override //SecretManager + public void checkAvailableForRead() throws StandbyException { + namesystem.readLock(); + try { + namesystem.checkOperation(OperationCategory.READ); + } finally { + namesystem.readUnlock(); + } + } /** * Returns expiry time of a token given its identifier. diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java index 193d9e8684..9d647f2353 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java @@ -646,7 +646,7 @@ void stopStandbyServices() throws IOException { } - void checkOperation(OperationCategory op) throws StandbyException { + public void checkOperation(OperationCategory op) throws StandbyException { if (haContext != null) { // null in some unit tests haContext.checkOperation(op);
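Review bot: The `checkAvailableForRead()` override takes `namesystem.readLock()` for a check whose answer is stale as soon as `readUnlock()` runs, and per the Server.java hunk it is reached by connections that have not authenticated yet. A state transition between this check and the later token lookup is therefore not covered, and every unauthenticated DIGEST connection attempt now contends for the namesystem lock, so a long write-lock hold could stall the threads accepting new connections. If the lock is there only for consistency with other checkOperation callers, say so in a comment, e.g. `// Point-in-time check; lock held only to match other checkOperation(READ) callers.` The override also relies on FSNamesystem.checkOperation being widened to `public` in the last hunk, where a one-line Javadoc naming the intended callers would help.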