HDFS-2924. Standby checkpointing fails to authenticate in secure cluster. Contributed by Todd Lipcon.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/HDFS-1623@1242439 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Todd Lipcon 2012-02-09 18:22:02 +00:00
parent bad0a2a4a1
commit 5e26de982b
5 changed files with 43 additions and 28 deletions

View File

@ -23,6 +23,7 @@
import java.net.URL; import java.net.URL;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.security.AccessController; import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.ServiceLoader; import java.util.ServiceLoader;
@ -448,6 +449,27 @@ public static Text buildTokenService(URI uri) {
return buildTokenService(NetUtils.createSocketAddr(uri.getAuthority())); return buildTokenService(NetUtils.createSocketAddr(uri.getAuthority()));
} }
/**
* Perform the given action as the daemon's login user. If the login
* user cannot be determined, this will log a FATAL error and exit
* the whole JVM.
*/
public static <T> T doAsLoginUserOrFatal(PrivilegedAction<T> action) {
if (UserGroupInformation.isSecurityEnabled()) {
UserGroupInformation ugi = null;
try {
ugi = UserGroupInformation.getLoginUser();
} catch (IOException e) {
LOG.fatal("Exception while getting login user", e);
e.printStackTrace();
Runtime.getRuntime().exit(-1);
}
return ugi.doAs(action);
} else {
return action.run();
}
}
/** /**
* Resolves a host subject to the security requirements determined by * Resolves a host subject to the security requirements determined by
* hadoop.security.token.service.use_ip. * hadoop.security.token.service.use_ip.

View File

@ -186,3 +186,5 @@ HDFS-2905. HA: Standby NN NPE when shared edits dir is deleted. (Bikas Saha via
HDFS-2579. Starting delegation token manager during safemode fails. (todd) HDFS-2579. Starting delegation token manager during safemode fails. (todd)
HDFS-2510. Add HA-related metrics. (atm) HDFS-2510. Add HA-related metrics. (atm)
HDFS-2924. Standby checkpointing fails to authenticate in secure cluster. (todd)

View File

@ -307,25 +307,14 @@ public void shutdown() {
} }
public void run() { public void run() {
if (UserGroupInformation.isSecurityEnabled()) { SecurityUtil.doAsLoginUserOrFatal(
UserGroupInformation ugi = null; new PrivilegedAction<Object>() {
try {
ugi = UserGroupInformation.getLoginUser();
} catch (IOException e) {
LOG.error("Exception while getting login user", e);
e.printStackTrace();
Runtime.getRuntime().exit(-1);
}
ugi.doAs(new PrivilegedAction<Object>() {
@Override @Override
public Object run() { public Object run() {
doWork(); doWork();
return null; return null;
} }
}); });
} else {
doWork();
}
} }
// //
// The main work loop // The main work loop

View File

@ -20,6 +20,7 @@
import java.io.IOException; import java.io.IOException;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.security.PrivilegedAction;
import java.util.Collection; import java.util.Collection;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
@ -40,6 +41,7 @@
import org.apache.hadoop.hdfs.server.namenode.NameNode; import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.hdfs.server.protocol.NamenodeProtocol; import org.apache.hadoop.hdfs.server.protocol.NamenodeProtocol;
import org.apache.hadoop.ipc.RPC; import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.security.SecurityUtil;
import static org.apache.hadoop.hdfs.server.common.Util.now; import static org.apache.hadoop.hdfs.server.common.Util.now;
@ -284,6 +286,17 @@ private void setShouldRun(boolean shouldRun) {
@Override @Override
public void run() { public void run() {
SecurityUtil.doAsLoginUserOrFatal(
new PrivilegedAction<Object>() {
@Override
public Object run() {
doWork();
return null;
}
});
}
private void doWork() {
while (shouldRun) { while (shouldRun) {
try { try {
// There's no point in triggering a log roll if the Standby hasn't // There's no point in triggering a log roll if the Standby hasn't

View File

@ -35,6 +35,7 @@
import org.apache.hadoop.hdfs.server.namenode.SaveNamespaceCancelledException; import org.apache.hadoop.hdfs.server.namenode.SaveNamespaceCancelledException;
import org.apache.hadoop.hdfs.server.namenode.TransferFsImage; import org.apache.hadoop.hdfs.server.namenode.TransferFsImage;
import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import static org.apache.hadoop.hdfs.server.common.Util.now; import static org.apache.hadoop.hdfs.server.common.Util.now;
@ -212,26 +213,14 @@ private void setShouldRun(boolean shouldRun) {
public void run() { public void run() {
// We have to make sure we're logged in as far as JAAS // We have to make sure we're logged in as far as JAAS
// is concerned, in order to use kerberized SSL properly. // is concerned, in order to use kerberized SSL properly.
// This code copied from SecondaryNameNode - TODO: refactor SecurityUtil.doAsLoginUserOrFatal(
// to a utility function. new PrivilegedAction<Object>() {
if (UserGroupInformation.isSecurityEnabled()) {
UserGroupInformation ugi = null;
try {
ugi = UserGroupInformation.getLoginUser();
} catch (IOException e) {
LOG.error("Exception while getting login user", e);
Runtime.getRuntime().exit(-1);
}
ugi.doAs(new PrivilegedAction<Object>() {
@Override @Override
public Object run() { public Object run() {
doWork(); doWork();
return null; return null;
} }
}); });
} else {
doWork();
}
} }
/** /**